please help me I have 2 problems the first problem with sending alerts by email: in analysnat index= _internal "sendmail" it notifies me that it has a bad password problem but I am sure of entering my password the second problem with access to splunkbase via splunk portal: I can't access splunkbase via the splunk enterprise portal to download applications, (bad password too) however I can do that through URL is there a workaround because it is very important to send alert emails?? for app installation; I manage, I download from the site then I install it but I must have a solution for the problem of alert emails. ... View more

please i need some informations because i have some issues: 1- i'm using udp port to send logs from my antivirus server to splunk server, I noticed that the logs come after a delay of 2 and 3 hours, my question: is it advisable to switch to TCP instead of UDP to guarantee the reception of the logs??   2- I have a problem with sending alert emails, the configuration is correct, well I noticed that the saved password is different to my password (number of stars) assuming my password is 12345678 then I must have 8 stars (********) but when I check the configuration I find only 6 stars which indicates that it is not my password, I I erased all saved passwords but still the same problem note that the alert works perfectly (display on the console) but the email is not sent.     ... View more

helllo   I can't receive an email alert despite having configured it correctly the alert is launched on the portal indicating the outcome but the email is absent 1- mail serer configuration! smptm.gmail.com: 587 I added a gmail address with password 2-alert configuration: I put a destination address: I put an outlook address   please help me to fix it ... View more

Hi please I have 3 questions regarding the splunk enterprise solution (500 mega free log) infact I am a student and I want to master this solution 1/ after 3 quota overruns, what exactly happens? does splunk server stop receiving logs or what?? 2/ what is the difference between: Free license and Enterprise Trial license? 3/ in case I had 2 splunk servers and I want to put one of the 2 as slave because I will need it but I only need the logs that analyzed it, what happens technically? ... View more

  Good morning all please i'm in a big das that i can't solve it: i'm a student and i'm preparing my graduation project and it's my first time with splunk I want to know if my steps are correct or not I want to analyze the user accounts of my active directory: I want to work only on the information concerning the connection of the accounts (login, log off...) and also (creation, modification, deletion..) for that I installed on my splunk server the 3 apps: Splunk_TA_windows Splunk_TA_microsoft_ad SA-ldapsearch (I don't know why I can't save the domain password on this add on despite the connection being successful) after that I copied the 2 folders "Splunk_TA_windows" and "Splunk_TA_microsoft_ad" to my AD server in forrwadersplunk folder path after that I configured this input file and I copied it to a new "local" folder on the 2 servers ************************ ###### Monitor Inputs for Active Directory ###### [monitor://C:\debug\netlogon.log] sourcetype=MSAD:NT6:Netlogon disabled=0 renderXml=false index=main [WinEventLog://Security] disabled = 0 index=main start_from oldest current_only = 0 evt_resolve_ad_obj = 1 Interval checkpoint = 5 whitelist=4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719,4768,4769 blacklist1 = EventCode="4662" Message="Object Type: (?!\s*group Policy Container)" blacklist2 = EventCode="566" Message="Object Type: (?!\s*group PolicyContainer)" renderXml=false [WinEventLog://Microsoft-windows-Terminalservices-LocalSessionManager/operational] disabled = 0 index=main renderXml=false ****************** Am I missing another step?? is the input file configuration correct?? can I have my needs with this configuration ??? thank you for answering me because I can not find the right answer on the net and I have a big problem: I find incomplete information on some users when I launch searches concerning their opening and closing of sessions. I apologize for this long message but I must explain all the details to you to have the best advice ... View more

I want to have a table of deleted accounts with the attributes time, adminstrator, user, message but the administrator and users fields still remain empty index = msad source=wineventlog:security EventCode=4726 | rex field=member_dn "(?<Administrator> S+)s+(?<User> S+)" | table _time Administrator User action signature and that I checked event raw, I noticed that the field membr_dn is empty have a solution? ... View more