Hi,   I found a problem in Splunk DB connect when I tried to add a new input. I can add new connections and the current inputs are working. But when I try to add new input or try to use the “SQL Explorer” after choosing connection I get a “Cannot get schemas“ error message. In the _internal index I found this error message: „Unable to get schemas metadata java.sql.SQLException: Non supported character set (add orai18n.jar in your classpath): EE8ISO8859P2” After this I updated DB Connect and the Oracle JDBC drivers but it did not help. I consulted our DB admins. As it turned out these DBs really differ when it comes to character encoding (EE8ISO8859P2 vs. UTF8). Of course the orai18n.jar file is there with the driver. I found this in the documentation: https://docs.splunk.com/Documentation/DBX/3.14.1/DeployDBX/Troubleshooting#Unicode_decode_errors "Splunk DB Connect requires you to set up your database connection to return results encoded in UTF-8. Consult your database vendor's documentation for instructions about how to do this." Is it possible that DB Connect can only handle Oracle DB with UTF-8 encoding?   Thanks, László   ... View more

Hi, I havethe following search index="windows" source=WinEventLog:Security ([| inputlookup windows_group_change_events | where group_action like "member added" or group_action like "member removed" | fields EventCode ]) NOT src_user=portalsync | ldapfilter search="(&(objectClass=group)(cn=$Group_Name$))" attrs="distinguishedname,description, info" | eval _raw = json_object("time", _time, "action_by", src_user, "event_code", EventCode, "group", mvindex(Security_ID, 2), "member", mvindex(Security_ID, 1),"orig_sourcetype", sourcetype, "orig_host", host, "dn", distinguishedName, "desc", description, "info", info ) | fields _time, _raw | collect index=windows_ad_summary addtime=0 source="windows_group_management"   I try to save the group membership change events to a different index for long-term retention. I got the original idea from here: https://conf.splunk.com/files/2017/slides/using-splunk-enterprise-to-optimize-tailored-longterm-data-retention.pdf My problem is that this search always returns "no results". If I omit the "fields" and "collect" commands it returns results as intended. Also if I omit the "ldapfilter" command it works just fine. Do you have any idea what is the problem with the combination of "ldapfilter" and "fields"?   Thanks, Laszlo   Edit: I'm using Splunk 8.0.9 ... View more

Hi,   I have applications that log login events as multiple events. Example: [07B0:007E-19E8] 2021.03.17 11:59:01 Opened session for User Name/HEXP/HU (Release 8.0.2FP6) [07B0:007E-19E8] 2021.03.17 11:59:01 ATTEMPT TO ACCESS SERVER by User Name/HEXP/HU was denied [07B0:007E-1408] 2021.03.17 11:59:01 Closed session for User Name/HEXP/HU Databases accessed: 0 Documents read: 0 Documents written: 0 This is an unsuccessful login event. when the login is successful, only the first event is logged. I can connect these events with transaction, which is ok for some reporting purposes. But if I use transaction then I can't tag these events and I can't make the logs CIM compliant. Is there a way to handle these kind of situations?  Or it is not possible to tag these kind of events correctly?   Thanks, László   ... View more

Hi, I installed Splunk Security Essentials 3.1.1. The app runs just fine. But Data inventory doesn't work for me. The automated introspection never finishes and manually added sources keep disappearing. But there is no error message. Is there a way to debug this app? Does it generate logs? Thanks ... View more