@donaldwayne1976 - Ideally it should be part of message trace data.  https://splunkbase.splunk.com/app/4055 (Office 365 Add-on) has input for Message Trace data. (Though I'm not sure if that has what you need, but that might be your best bet)   If this does not work, you can build a custom App to fetch the data you need as far as Microsoft provides necessary API to get the data you need.   I hope this helps!!! ... View more

This could be related to perpetual license, it might not follow the rules defined in the Doc, which I guess is for a regular Splunk license. But you can still reach out to Splunk support and ask for a reset key. ... View more

That's right, if you have the  sc_admin role on Splunk, you should be able to read the logs: index=_internal source=*splunkd.log* index=_internal source=*ta_rapid7_insightvm_insightvm_asset_import*   If you are not a Splunk admin, then ask a Splunk Admin in your team.   ... View more

Right,   If you have full control of the sender and you can modify the sender to send the data along with the correct time value as a request parameter called "time" with services/collector/event endpoint. OR If you don't have any control over which parameter gets sent, you can change the endpoint to use services/collector/raw and then write props.conf to extract the timestamp correctly.   ... View more

@kn450 - If all events are reaching meaning, there are no connectivity issues. As the events are reaching after 8 minutes, which means it cannot also be a latency issue, as 8 minutes is too long for any default timeout settings.   So the only thing I could see is a "timestamp" (_time) of the event, which may differ from when the event arrives in Splunk. This usually refers to when the event occurs on the source system. Everything in Splunk uses this timestamp.   I hope this helps!!! ... View more

@ringo227 - Only way currently available on Splunkbase to collect the email logs is with Office 365 Add-on. https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureMessageTraceInput/ https://splunkbase.splunk.com/app/4055    I hope this helps!!! ... View more

@TheBravoSierra - It should delete the App from SH members as well with your steps. Only one thing document which could affect it is that when App is disabled, SHC member will not remove the App.  ... View more

@MakszimM - Look at your outputs.conf as I mentioned in my answer. This is the issue I think you are having. ... View more

@NullZero - Splunk Docs are the proof: When you are using distributed environment, indexer's knowledge objects will not be used https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.2/knowledge-bundle-replication/what-search-heads-send-to-search-peers https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.2/knowledge-bundle-replication/knowledge-bundle-replication-overview  KVstore are generally not by default replicated to Indexers But if replicate=true is set for KVstore lookups then also, the replication happen from Search Head to Indexer in a CSV formatted files inside the knowledge bundle https://splunk.my.site.com/customer/s/article/indexer-name-Could-not-load-lookup-LOOKUP-automatic-lookup-name  https://splunk.my.site.com/customer/s/article/KV-Store-lookups-occupying-4-5-Gigs-of-bundle-size    And regarding lets say if you have some data from the past inside KVstore lookups, which might need to recover in the future, you can always re-enable the kvstore and get it back.   I hope this helps!!! ... View more

@dm1 - This App should help. IPInfo App for Splunk - https://splunkbase.splunk.com/app/4070   Kindly upvote and accept the answer if this help !! ... View more

@NullZero - Simple answer is you do not need KVstore on Indexer. Unless you run search manually on the Indexer, and you are running the search from Search Head Kvstore lookups on Indexer will never gets utilized. Actually nothing on Indexer config will be utilized for searches run by users.   So regardless of what you have on the Indexer, it is currently not being utilized. So you are safe to disable it unless you are using Indexers in unconventional way directly.   I hope this helps!!! ... View more

@MakszimM - Do you see other UFs connected to Forwarder Management UI?? If no UFs and HF is visible then you need to fix this: (outputs.conf selective forwarding missing issue) Data not appearing in forwarder management UI  https://help.splunk.com/en/splunk-enterprise/administer/update-your-deployment/9.4/configure-the-deployment-system/upgrade-pre-9.2-deployment-servers   If the issue is only with HF then it might be Network connectivity related. From HF to DS on 8089 port   I hope this helps!!! Kindly upvote if it does!! ... View more

@tag-osrour - I have not use MLTK to implement this, but I've used regular Splunk lookup to implement what you need. You need two scheduled searches: Scheduled Report to generate Usual Country activities | tstats count, values(Authentication.org_country) as org_country from datamodel=Authentication where AND Authentication.user!="unknown" by Authentication.app, Authentication.user, Authentication.src, _time span=1d | `drop_dm_object_name(Authentication)` | iplocation src | eval Country = if(isnotnull(org_country), org_country, Country) | inputlookup authentication_usual_location.csv append=true | where _time > relative_time(now(), "-12w@w") | dedup user, app, Country, _time | outputlookup authentication_usual_location.csv​ Scheduled Alert to alert when user's login is from an unusual country | tstats count from datamodel=Authentication by Authentication.app, Authentication.action, Authentication.user, Authentication.src, Authentication.dest, _time | `drop_dm_object_name(Authentication)` | eval user = lower(user) | iplocation src | inputlookup authentication_usual_location.csv append=true | fillnull value=0 percentage_login_from_country | where percentage_login_from_country < 15 | eval reason = case(isnull(usual_login_location), "No login from this user", percentage_login_from_country=="0", "No login from this country", true(), "Low historical login from this country") | table _time user dest src app count City Region Country percentage_login_from_country reason usual_login_location​   These are not full queries, but they give idea on how you can implement it in your environment with your data with Splunk lookups.   I hope this helps!!! Kindly upvote if it does. ... View more

@KSparks - Try restarting the Splunk service. I have seen this error sometimes as a temporary issue (401 call not authenticated). ... View more

@sankardevarajan  - Just search for Heavy Forwarder's internal logs in Splunk Cloud: index=_internal host="<HF's Host Name>"   Splunk Cloud would only accept data if SSL is properly validated.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@KeithH - Possible that it might support Splunk v10, but App is archived on Splunkbase as it is not updated since long.   So, whether the app works or not depends on the App's content. But more importantly, the reason Splunk prefers people to update the App is to fix Security issues. * So you can either contact the App developer (https://splunkbase.splunk.com/app/4155 Not public Info on Splunkbase) and ask them to upload an updated version. * Or you can validate App issues and security issues yourself and use the App anyway.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@T_Uchida - Please reach out Akamai team to find the answer to your question: * dl-appsec-siem-sme@akamai.com    I hope this helps!!! Kindly upvote!!! ... View more

@maheshnc - Search for internal logs to understand and troubleshoot the issue further. index=_internal NOT source=*_access* "<title of the alert>"   And see what logs tell you.   I hope this helps!!! Kindly upvote!!! ... View more

@smakwana - I don't think the given information is enough to understand the issue, given the complexity and variety in AWS inputs. Please provide more details. * Are you using SQS-based S3 input? * What are your input settings? * Is your SQS configured correctly? * etc ... View more

@hl - This document describe many detection that would apply to Palo Alto data or Firewall data in general. https://research.splunk.com/detections/categories/network/   I hope this helps!!! Kindly upvote if it does!!! ... View more

@sankar_admin - This document below should help. But in general, you have two options: SOAR on Cloud and SOAR On-prem. https://help.splunk.com/en/splunk-soar   Regarding compatibility matrixs with other ventors there are many SOAR Connectors available on Splunkbase. - https://splunkbase.splunk.com/apps?page=1&sortBy=popular&product=soar    I hope this helps!!! Kindly upvote if it does!!! ... View more

@Bosv0id - Basically, this feature helps automatically resolve the on Jira as well when the issue seems to be resolved from the alert side. So, you need to have logic in your alert query which gives you following fields/information Auto close key value pair Whether the issue is there or resolved (concept is well described in this App - https://splunkbase.splunk.com/app/7016) When this key value pair is found in the result, it means it is a resolved alert and not a trigger alert  Auto close issue number field name In case of a Jira ticket to be resolved, you need to provide the Jira ticket number to be resolved. This needs to be present in the results as a field. This field would be empty in case the issue is triggered (not resolved) Auto close status transition value What is the close status of Jira in your project Auto-close comment If you want to add a comment while closing the ticket.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@yachtbum - This is true in some environments. I notice so many of these warnings. Not sure exact root cause. Although you cannot currently configure the reconnect retry timeout in Splunk.  But you can configure the normal connection timeout setting in outputs.conf on the forwarder if that is what you need for your environment.   I hope this helps!!! Kindly upvote if it does!! ... View more