Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth To monitor I would run an external script or if you are using Splunk Enterprise - by using | restsoar command you can call the above Rest API and create an alert.  You should install official  https://splunkbase.splunk.com/app/6361 Splunk App for SOAR to use  | restsoar command. -------- Srikanth Yarlagadda   ... View more

Hi @VK18 , If the notable is new and not being worked on by analysts/concerned team then you would find empty results. Check for notable that has been changed from New to other status such as 'In progress' or closed. You should be able to find the history. ----- Srikanth Yarlagadda     ... View more

Hi @Devi13 perhaps you could try with trigger condition inside a search as a workaround? As @ITWhisperer  said, cron is not a possible and you have to schedule it for first 5 business days. Inside search you could put couple of conditions to check the week of the day is either Saturday/Sunday (Depends on in your Locale) and another check is if the day in holiday list using this add-on (specific to your country, location ) - https://splunkbase.splunk.com/app/4853. Final Trigger condition:   if it is not a weekend and not a holiday then let the report run and do the necessary action. Having said that though cron is scheduled to run every day in first 5 days of month the trigger condition check will only let report fire the action on business day. Hope this helps! ---------------------------- Srikanth Yarlagadda. ... View more

Hi @prashant5847 , Splunk is good at auto extracting the JSON event if it is well formatted. Did you search it on Search head and saw the fields not being extracted correctly? Choose search mode - Smart/Verbose. If you still can not find it, you don't need to extract it on Heavy forwarder. Search head will do the extractions for you. Either you could use spath command - Example  <your search return json event> | spath  - This is inline search. Or update source type settings (props.conf) on search head to include following config- [<sourcetype-name-of-json-events>] AUTO_KV_JSON = true KV_MODE = json Hope this helps! ------------------------------ Srikanth Yarlagadda. ... View more

Hi @Murali  If you can't find Type/ OS in Windows Security Event logs that are ingested to Splunk, that is likely due to the source windows machines do not have such information exist in event logs. You could talk to Windows Administrator to include the desired details on Windows machine that you wanted for Splunk to collect and ingest. Hope this helps!  ------------------------- Srikanth Yarlagadda. ... View more

Hi @CS_  By looking at the Crowdstrike OAuth API code - https://github.com/splunk-soar-connectors/crowdstrikeoauth/blob/next/crowdstrikeoauthapi_consts.py CROWDSTRIKE_GET_DEVICE_DETAILS_ENDPOINT = "/devices/entities/devices/v2" Latest 4.0.0 version is updated to v2 API from v1 that you mentioned in original post.    ... View more

Congratulations to everyone! It's great to be part of a team of like-minded individuals through the MVP program. ... View more

@sensitive-thug  It would be nice to have results break-down by Major countries where Splunk having decent foot print in the region. Overall report is pretty neat, as the Career paths and Jobs market is different by region/country individual numbers gives more confidence in candidates willing to switch or make Splunk as their primary skill. ... View more

https://experience.splunk.com   is redirecting to splunk.com and a sub module link is working ok.  For example - https://experience.splunk.com/security is fine, Good to land on home page to see what this site offers. ... View more

Hi @mark-jones  https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/FormateventsforHTTPEventCollector#Event_metadata You could take a look at this link and there are examples deep links to follow inside. -- Hope it helps! ... View more

@fajri1203  Try search-time approach, UF is a universal forwarder not applicable for your case. I wonder Add-on Microsoft Cloud Services don't have the extraction by default.  You have to configure props.conf, and transforms.conf on search-head (SH) under $SPLUNK_HOME/etc/<app_name>/local OR  $SPLUNK_HOME/etc/system/local. If you are having SH cluster and using SH deployer you must know how to bundle push or contact your splunk admin.  In standalone splunk SH the restart is required post changes. [mscs:storage:blob] REPORT-extract-csv-fields = extract-csv-fields [extract-csv-fields] DELIMS="," FIELDS = "pluginid","alertRef","alert","name","riskcode","confidence","riskdesc","confidencedesc","desc","instances","count","solution","otherinfo","reference","cweid","wascid","sourceid" ... View more

@gordenkem  you need to elaborate a bit more, extractions can be done both at index and search-time. the extractions are set at spec level with combination of props & transforms (optional in some cases). the spec you could set is source, host, sourcetype... if you have them common across the said index, sourcetype yes it is otherwise you have to clone the config. https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Propsconf#GLOBAL_SETTINGS - Read <spec> For example - I have index= a , index = b they both having a sourcetype = web:logs, if you set extraction to [web:logs] that applies to both indexes. if both indexes having common sources [source::/log/webserver/logs/web.log], then setting extraction at source level apply to both indexes... you have to me mindful about source, sourcetype and host combo while setting. As long as the data follow same structure that should be fine otherwise you will end-up seeing inconsistent values in extracted fields. ... View more

Hi @fajri1203  You don't need a regex you could do it two ways if .csv is being forwarded from UF then set inside props.conf [sourcetypename] INDEXED_EXTRACTIONS = csv At search-time, on search-head you shall do following https://www.splunk.com/en_us/blog/tips-and-tricks/quick-n-dirty-delimited-data-sourcetypes-and-you.html?301=/blog/2013/03/11/quick-n-dirty-delimited-data-sourcetypes-and-you.html&_gl=1*1q6w3af*_ga*NDMxNjgzMDU4LjE2Mjc2MDY0MDg.*_gid*NDUyOTcwODc3LjE2NjM1NDI5NDI.&_ga=2.10800753.452970877.1663542942-431683058.1627606408&locale=en_us ... View more

@rockzers you might need to install this add-on and enable required inputs, follow the instructions - https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows --- Srikanth Yarlagadda ... View more

@cybersej  Another great place to find AWS use cases - https://research.splunk.com/ , search AWS you will find already curated security detection details!   --- Srikanth Yarlagadda   ... View more

@cybersej  Perhaps you could start with this list to get an understanding! - https://docs.splunk.com/Documentation/AddOns/released/AWS/DataTypes If you are not going to use AWS add-on for ingestion of logs the will be different. -- Srikanth Yarlagadda ... View more

@jason0  - https://community.splunk.com/t5/Deployment-Architecture/Using-Deployment-Server-as-Search-Head-Deployer/m-p/345844  You can certainly do it, SH requires deploymentclient.conf file pointing to (deployment server)DS.  I never tested after the first-time deployment of apps  from DS --> SH, the subsequent changes to the apps done locally by user will stay on SH.. however if you push the same app once again from  DS might get override the app on SH which might remove the local changes. Where as with SH deployer they get merged with local changes! ... View more

@euddy  - https://www.splunk.com/pdfs/training/Exam-Registration-Tutorial.pdf the process is explained here. ... View more

Hi @VijaySrrie  You shall elaborate it for better understanding.  What is the source? What do you want to achieve? What is OCI? ... View more

Did you check forwarders are active? There must be at least one active forwarder (aka indexer from HF).   ./splunk list forward-server    restarting should clear the queues temporarily they may get blocked again if indexers are busy receiving data. https://wiki.splunk.com/Community:TroubleshootingBlockedQueues Make sure your forwarders are monitoring correctly and connected to HF.  (HF must be under active forwarder list when you execute same command on UF) ... View more

tstats only for indexed fields. rex is a search-time. Refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configureindex-timefieldextraction after successful creation you can use the field in tstats. -- Hope it helps! ... View more

Your TIME_PREFIX = ^ that means starting of the event, what you have highlighted is not being considered as _time for that reason. When you set TIME_PREFIX alone, starting of the event is 4/5/2022 9:02 PM assuming line_breaking is fine. you should look at TIME_FORMAT and set the TIME_PREFIX correctly for the timestamp you want to consider for _time. The screenshot and events pasted looks completely different. ... View more

Hi @loloffs  You can try setting up Splunk add-on for salesforce - https://docs.splunk.com/Documentation/AddOns/released/Salesforce/Sourcetypes -- Hope this helps! ... View more

if the event doesn't have the bytes associated to the file splunk can not provide that detail. for example if the event is, file: temp.txt, 45 bytes, created today, file closed. Then in this scenario that contains knowledge about file temp.txt of size 45 bytes and it's closed. Then Splunk can retrieve and Alert/report etc can be created. What we need to retrieve in this case bytes must exist in 'events' / _raw data. Hope this clarifies. ... View more