Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About So76
So76
Explorer
Member since:
11-11-2021
06-01-2023
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 11-11-2021 |
Activity Feed
- Posted Is there a way to investigate why the data ingest has changed dramatically? on Getting Data In. 09-22-2022 12:59 PM
- Posted Re: Is there an SPL query to know the last date UFs phoned in to a specific DS? on Splunk Search. 07-20-2022 06:07 AM
- Karma Re: Is there an SPL query to know the last date UFs phoned in to a specific DS? for gcusello. 07-19-2022 08:24 AM
- Posted Re: Is there an SPL query to know the last date UFs phoned in to a specific DS? on Splunk Search. 07-19-2022 06:12 AM
- Posted Is there an SPL query to know the last date UFs phoned in to a specific DS? on Splunk Search. 07-18-2022 03:14 PM
- Posted Re: Troubleshooting search on Splunk Search. 04-27-2022 05:53 AM
- Posted Troubleshooting search on Splunk Search. 04-26-2022 03:54 PM
- Posted Re: Windows log going to the wrong sourcetype on Getting Data In. 04-25-2022 07:20 AM
- Tagged Re: Windows log going to the wrong sourcetype on Getting Data In. 04-25-2022 07:20 AM
- Posted Re: Windows log going to the wrong sourcetype on Getting Data In. 04-25-2022 06:10 AM
- Posted Re: Windows log going to the wrong sourcetype on Getting Data In. 04-25-2022 06:02 AM
- Posted Re: Windows log going to the wrong sourcetype on Getting Data In. 04-25-2022 05:57 AM
- Posted Why is windows log going to the wrong sourcetype? on Getting Data In. 04-24-2022 05:48 AM
- Posted Re: Alert not pick the correct sourcetype on Splunk Cloud Platform. 03-25-2022 08:28 AM
- Posted Why is my alert not picking the correct sourcetype on Splunk Cloud Platform. 03-25-2022 07:49 AM
- Karma Re: Alert not loading for tshah-splunk. 02-28-2022 06:07 AM
- Posted Re: Alert not loading on Alerting. 02-28-2022 06:06 AM
- Posted Alert not loading- what does this mean? on Alerting. 02-22-2022 01:38 PM
- Posted How to change permissions from root to Splunk user? on Security. 02-17-2022 11:25 AM
- Posted Stop logs forwarding logs from the universal forwarder to an indexer on Knowledge Management. 01-26-2022 01:59 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-22-2022
12:59 PM
The pan logs ingested decreased significantly and nothing should have changed from the syslog point of view. Is there a way to investigate why the data ingest has changed dramatically? Attached is a screen of prior and after the drop in pan logs ingestion
I ran this command
| tstats prestats=t count WHERE index=pan by host _time span=1h | timechart partial=f span=1h count by host limit=0
Prior to drop in pan log ingestion
After the drop in pan log ingsetion
Can anyone help with a solution to this sudden drop in pan log ingestion. Since the it hasn't come up to the previous level. Solution will be appreciated
... View more
Labels
- Labels:
-
heavy forwarder
07-19-2022
06:12 AM
Thanks for you prompt response. Can it be narrowed to a specific DS? We've multiple DS
... View more
07-18-2022
03:14 PM
Is there an SPL query to know the last date UFs phoned in to a specific DS. We've many DS in our company
... View more
Labels
- Labels:
-
other
04-27-2022
05:53 AM
How do I resolve these issues below? c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed ERROR PipelineComponent [6004 CallbackRunnerThread] - Monotonic time source didn't increase; is it stuck? Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] Thanks
... View more
04-26-2022
03:54 PM
I ran this search on splunk cloud web and I got the results below. Can anyone help on how to resolve
index=_internal source=*/splunkforwarder/var/log/splunk/splunkd.log OR source=*SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log log_level=ERROR | transaction host component
1) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=1031 msec 04-26-2022 13:27:27.959 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:29.090 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:29.715 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)
2) 04-26-2022 09:38:13.402 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:38:43.312 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:43.118 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:40:12.952 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed
3) 04-26-2022 08:27:54.691 -0700 ERROR PipelineComponent [6004 CallbackRunnerThread] - Monotonic time source didn't increase; is it stuck?
... View more
Labels
- Labels:
-
other
04-25-2022
05:57 AM
Below is the config in TA_windows. No props or transforms. I did not configure it [WinEventLog://Application] disabled=0 index=***** [WinEventLog://Security] disabled=0 index=rhr_windows blacklist=4674,5156 [WinEventLog://System] disabled=0 index=***** [WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index=***** renderXml=false [WinEventLog://Microsoft-Windows-AppLocker/MSI and Script] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index=***** renderXml=false [WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Deployment] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index=***** renderXml=false [WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Execution] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index=*****
... View more
04-24-2022
05:48 AM
Logs are going to source= WinEventLog:Application and sourcetype="WinEventLog" instead of source="WinEventLog:Security" sourcetype="WinEventLog:Security"
Ran this search
index=*** sourcetype="*wineventlog*" rha***s-wds EventCode=517 signature="The audit log was cleared"
... View more
- Tags:
- sourcetype
- windows
Labels
- Labels:
-
other
03-25-2022
07:49 AM
I find that the logs are not pointing to the right source/sourcetype. Logs are going to source= WinEventLog:Application and sourcetype="WinEventLog" instead of source="WinEventLog:Security" sourcetype="WinEventLog:Security".
Can someone help me fix this to get the right source/sourcetype
index=*_windows
(sourcetype="WinEventLog:Security" OR source="WinEventLog:Security") EventCode=1102 OR EventCode=517 Message="The audit log was cleared*"
| bucket span=1h _time
| stats count by _time, user, ComputerName, signature, index
| eval index=case(index="***_appliances","***_appliances",index="***_windows","***_windows",index="***_linux","***_linux",1=1,index)
| eval AF="0007"
| lookup ****_Thresholds.csv index AF OUTPUT Threshold ID Sev
| fillnull value="UNKNOWN" ID
| fillnull value=9999999 Threshold
| where count>Threshold
| fields - index AF
... View more
Labels
- Labels:
-
troubleshooting
02-22-2022
01:38 PM
I am new to splunk. So I got this message that is attached when I click a link
(|loadjob scheduler__hgt2_c3BsdW5rX2ludGVybmFsX21ldHJpY3M__RMD5c1adf444890fb9a1_at_1645171200_579 | head 1 | tail 1)
index=*** sourcetype=***:channel:threats* tag=malware threatInfo.analystVerdict=undefined threatInfo.incidentStatus=unresolved threatInfo.mitigationStatus=mitigated | table _time action dest user signature file_name version description
Saved Search [Detections Handled by SentinelOne]: number of events (1)
I get the attached message.
Can anyone explain how to resolve this?
... View more
Labels
- Labels:
-
alert action
02-17-2022
11:25 AM
Hey,
Need help. Have a client that have been running splunk for a while as root but now whats to run splunk as splunk, and there's no splunk as a user. It's a linux server
Can anyone help with steps to proceed without running into permission error issues
Should I
useradd splunk
chown -R splunk:splunk /opt/splunk
and restart splunk
Will appreciate suggestions
... View more
Labels
- Labels:
-
permissions
01-26-2022
01:59 PM
How do I stop my indexer consuming logs from a universal forwarder that was decommissioned. We did not remove the UF from the host before we gave the device away. It is no more connecting to the Deployment Server. Can null queue work? Host = frontwave source=WinEventLog:Security, WinEventLog:Application index=winder
... View more
Labels
- Labels:
-
other
01-20-2022
07:41 AM
What app and add-on can best work with logs from imprivata.? Can Cisco Networks Add-on for Splunk Enterprise work? Has anyone with experience on this? [syslog/imprivata/*] host=imprivata sourcetype=imprivata index=imprivata disabled = false # ignoreOlderThan = 30 Read below "I need some help making sure we are getting logs from the Cisco AP and we need indexes created HF and SH. Also an parsing app for the Cisco AP logs. "
... View more
Labels
- Labels:
-
configuration
12-31-2021
07:11 AM
Need help on enterprise security. Is there a way to create a standard TAXII Parser that can do correlation searches of logs coming from Maritime Transportation System ISAC & logs coming from Stash. New to ES and have no idea what's all about. See the issue below, If it'll help. Please advise and help, on what's needed to be done. I am very new to ES. Thanks "A shipping company that gets Intelligence feeds/reports from MTS-ISAC (Maritime Transportation System ISAC) The MTS-ISAC provides proactive cyber threat intelligence, alerts, warnings, and vulnerability information cultivated from maritime stakeholders and public and private sector shares, open-source intelligence, and cybersecurity news So it's just a matter of parsing that information so Matson can do correlation searches (correlate it with logs) that are currently coming from Stash"
... View more
Labels
11-11-2021
09:15 AM
1 Karma
Hey, has anyone created a search that merges an ipadd from threat intel and ipadd from azure so it'll trigger an alert if there's a match. Don't know if it's possible. Thanks, will appreciate any help or advise. I am new to ES
... View more
Labels
- Labels:
-
using Enterprise Security
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-01-2023
01:46 PM
|
