How to identify unauthorized access to crontab in a Splunk search?
Hello (again) I am doing the following Linux command testing who has access to crontab. For a non privileged user, I do the following under the user name "unauth": mysearchhead> crontab -l and...

Is there a best practice for creating a multivalue field instead of writing a...
I need to search through my email logs to determine who sends emails to personal accounts (e.g. gmail, yahoo, etc). Right now my search looks like this: index=exchange_logs recipient_domain="yahoo.com"...

Does scripted authentication require external user management system on can...
Using Splunk Enterprise 6.3.1 (soon to upgrade to 6.4.1). I have Splunk sitting behind a proxy which does authentication and passes the username (Splunk SSO) and some other information to Splunk in the...

How to export a report in Splunk and open it in Excel automatically?
I wanted to click export in Splunk and open the report in Excel automatically. Is it possible? Thank you!!

How to group multiselect drop-down values?
I have a multi-select dropdown which is dynamically populated. I want to show only one option to the user to choose for a group of options and if the user selects then I should search for all the...

How to get the sum of multiple rows based on a different column?
I have a CSV with 3 columns: Username, AD group, Logins (Logins being the total number of logins for that user). I want to sum the number of total logins per Active Directory group. I started with:...

How to troubleshoot why accounts and objects are not replicating in our...
Hi, we are finding that numerous objects and accounts are not replicating across our Search Head Cluster. Are there any troubleshooting steps? Log entries to look at?

Why is universal forwarder installation failing with error "Could not bind to...
Installing universal forwarder is failing because it cannot bind to TCP 8089. My understanding of TCP communications is this: Client reaches out to destination server via a dynamic TCP Port to a...

Web configuration page for Splunk Support for Active Directory 2.1.3 is not...
The app is enabled and the configuration page lets me fill in the information, but it does not do anything when I try to save or test the connection. It also does not let me add any domain (+ option on the left...

How to pass one value at a time to a search from a subsearch?
I am looking to run anomaly detection on failed and successful logons per user per host over a given time frame (7 days with a span of 1 day). My hope is that the search will provide the results of...

How to troubleshoot why the wrong timestamps are being parsed for a...
I'm trying to read in a dhcpd.leases file, but some of my entries are getting the wrong timestamp, and I'm not sure how to debug it. When I first load the file, the parser recognizes the correct time...

How to count number of times words occur in a field in Splunk?
I have a search in the form of: index=mail sourcetype=a_mail | stats count by subject | sort -count This displays the subject lines of all emails in the past, let's say, 1 week. The subject lines are...

Can the scrub command be used to scrub only the driver license field from...
I need to pass log data to another application, but because of security concerns, I need to scrub only the driver license from the results. Can the scrub command be used to only scrub the driver...

Timewrap showing incorrect week labels
Hi there, I just started to use Timewrap and I am having an issue with the displayed week label. I am trying to show the time chart for today and the same day last week only. In date terms, I want to...

Switching to Free license also switches to Hunk
I've just installed Splunk Enterprise 6.4.1 (from the latest RPM on the website) on a new Fedora machine. After switching my license group from "Enterprise Trial" to "Free" and restarting, Splunk seems...

ASA Add-ons Setup
Hello, after I upload the Splunk Add-on for Cisco ASA the setup button does not appear. I checked both versions, Windows and Linux, and also downloaded the add-on again. How can I fix this problem?

Can data compression of indexed data be switched off
I would like to know if data compression can be switched off entirely for indexers, when writing data to storage. I am also interested in what the CPU load improvement for switching compression off...

Normalizing events with multiple keys
I have a couple of fields, Node and NodeID, which will both have a number, then I have NodeName which is of the format "Node001", so to make sure they all have a NodeName I did this eval...

Help with a regular expression: Create a Regular Expression handling these...
Hi, I have the following 4 kinds of text in logs - single file. I want to extract the string - Customer Num (starting with a number followed by alphabets). I wish to write 1 single regex query which can...

Two factor authentication parser?
Hi, I need to build a parser for two factor authentication. What are the basic fields I need to parse and what would my dashboard contain, i.e. fields? Thanks