I've been out of touch with Core Splunk for sometime, so just checking if there are options for below requirement Organisation is looking for RFP for various Big Data products and Organisation needs -  multi-cloud design for various applications. Application (and thus data) resides in AWS/Azure/GCP in multiple regions within Europe - Doesn't want to have lot of egress cost. So aggregating data into the cloud which Splunk was installed predominently is out of question. - The design is to have 'Data nodes' (Indexer clusters or Data clusters) in each of the application/data residing cloud providers - A Search Head cluster (Cross Cloud search) will be then spun in the main provider (eg AWS), which can then search ALL these remote 'Data nodes' Is this design feasible in Splunk? (I understand Mothership add-on, but my last encouter with it at enterprise scale was not that great) Looking for something like below with low latency ... View more

folks, we had to do summary indexing of alerts created by savedsearches. This has been accomplished by logevent (Though its NOT well documented in splunk docs). I've used https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch to setup and the tokens are all working good. The settings are like below   logevent.param.index: test logevent.param.sourcetype: my_summary_index_st logevent.param.event: $name$ $result.*$   BUT , only the FIRST alert is captured by the $result.*$ token. Any idea how to ensure the entire events from the alert are captured?  (`$results.*$` is NOT working) PS: I've put a feedback to the docs team to update all the parameters, but the docs are lacking a lot compared to the alert functionalities ... View more

I had encoutered an interesting question from my client/security SME 1. Which one is better. To have Splunk Security Essentials or to retain Enterprise Security + Content updates? 2. Where are the detection rules kept in Splunk Security Essentials kept?   As far as I understand the Splunk ES content update is quite easy to understand and we can customise the savedsearches.conf (rules) to fit our environment. On other hand, Splunk security Essentials, we couldn't figure out where the rules exist and modify them. Any ideas how to get the detection rules of Splunk Essentials? Also what would be the future direction of these developments? wanted to stick to one of them if possible ... View more

I've almost created  a  framework to update  Splunk configuration  items for Search Heads   (transforms, props, savedsearches) etc and Create NEW apps via Splunk REST api. This works well in Standalone SH & SH cluster. Anyone  know if there are restrictions/capability  restrictions kept  in place for Splunk cloud offering? ie in Cloud offering - Can  I  create a  new App  via Rest api ? - Can i create/modify configuration items remotely? ... View more

As part  of  automation, we needed to insert entire "SavedSearches" file via API. We  have done manually/successfully by using the method: https://community.splunk.com/t5/Getting-Data-In/How-do-you-create-saved-search-using-REST-API-call/m-p/435876  But looking for a method so  that we can insert something the file as  such, not individual fields like..   curl -i -X POST https://${hostname}:8089/services/saved/searches \ --data-binary "@path/to/file"   Any idea how to do this? ===== Ideas I've tried, so far is to  => To split the savedsearches.conf into individual fields & then insert  via -d When I tried to  parse the "ini" file using simple  configParser,  it threw error like below. Seems the splunk conf is NOT purely a configParser compatible  😞   {"msg": "An unhandled exception occurred while running the lookup plugin 'ini'. Error was a <class 'configparser.DuplicateOptionError'>, original message: While reading from '<???>' [line 22]: option '| eval usage' in section 'test' already exists"}   The  sample i've used  is below   [test] alert.digest_mode = 1 alert.expires = 7d counttype = number of events alert.suppress = 1 alert.suppress.period = 4h alert.track = 1 action.email.sendresults = 1 action.email.inline = 1 cron_schedule = 3,33 * * * * description = You have used 80% of your disk capacity. disabled = 1 enableSched = 1 quantity = 0 relation = greater than search = | rest splunk_server_group=dmc_group_* /services/server/status/partitions-space \ | eval free = if(isnotnull(available), available, free) \ | eval usage = capacity - free \ | eval pct_usage = floor(usage / capacity * 100) \ | where pct_usage > 80 \ | stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point \ | eval usage = round(usage / 1024, 2) \ | eval capacity = round(capacity / 1024, 2) \ | rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"         ... View more

As  part of Splunk automation, we are looking to see if we  can download Splunk automatically into the servers directly for  upgrade hands-free for Test machines The output I'm looking for is a simple lookup/details like below. Anyone aware of any links which expose below  details? splunk_release installer_id arch os pkg 6.6.3 e21ee54bc796 amd64 linux deb 8.1.4 17f862b42a7c x86_64 linux rpm ... View more

Our Infra architect is in process of reducing the agents on client systems and replace with minimal products. Hence just checking if there is a Plan to use Splunk Universal Forwarder for SOAR purposes? At end of the day if the Splunk UF is installed as "Administrator" in Windows (and provide relevant permissions in Linux et al), you could techically do ANYTHING.. i.e. SOAR responses would be similar to running a scripted inputs or triggering a software to do an action. There are quite lot of advantages of providing "Phantom agent" as a deployment app too? Not sure if this answer community is the correct place for feedback/ideas, but just checking if there is similar plans in motion? ... View more