How to identify an elusive process? (Help with investigating an IOC)
Hello Splunkers, I'm hoping to get some help investigating a potential IOC. Here is the situation, my Infosec app for Splunk (https://splunkbase.splunk.com/app/4240/) dashboard has flagged a system for...
Queries for an API user getting queued
We have a Splunk cluster that is shared by multiple users/teams. We've set up an API user that makes calls to Splunk at a constant rate. Most of the time everything works fine, but every once in a...
Deployment Splunk Universal Forwarder
Hello, I would like to deploy the Splunk Universal Forwarder to a batch of servers (150). I will use SCCM. What is the best practice to do so: 1. by a command line through the deployment of...
SA-Eventgen and Splunk SPL Examples
Hello community, I've installed SA-Eventgen and SPL Examples as directed in the following .conf talk: https://conf.splunk.com/files/2017/recordings/creating-your-own-splunk-learning-environment.mp4...
Forward Events to Multiple Separate Indexers
Guys, I wish to collect all events from my Windows server security log and send them to my main Splunk Enterprise instance, but also send a subset of events to my test instance. At the forwarder, how could I...
Detailed Reporting on License Costs per Event
Guys, is it possible to break down license impact on the following: - Per Index - Per SourceType - Per Source - **Per Event in index i.e. all events with EventCode=302** ??
How do I get new users acquainted with the basic anatomy of how Splunk...
I'm putting together materials for new users to our Splunk Enterprise environment. Can you point me toward some resources to get new users acquainted with Splunk Enterprise basic anatomy and function?
How to configure the Azure DevOps add-on and get logs to Splunk
Hi, I have installed the Azure DevOps add-on on one of the heavy forwarders and I have configured the inputs and account in the add-on, but I am not seeing logs from TFS in Splunk. Can anyone help with how to proceed...
How to troubleshoot why the search server process is down
_ZN35DistributedBundleReplicationManager18triggerReplicationERKSt3mapI14SchemeHostPort3StrSt4lessIS1_ESaISt4pairIKS1_S2_EEE23BundleReplicationReason8Interval + 89 (splunkd + 0x1D43279)...
How to lookup with a statement/string containing whitespace in the lookup table
Hi guys, I have this query using inputlookup on a lookup table (csv) which contains statements/strings with whitespace (e.g. I am a human). So this is what I have tested. If I put the full statement (I am a human), no...
What is meant by Next Schedule Time and Display View being none on Searches,...
I am seeing a few alerts and reports on my Splunk where "**Next Schedule Time**" and "**Display View**" are **none** in the Searches, Reports, and Alerts settings. Does it mean they are not working...
Is there any search query to find all alerts and the last triggered date and time...
Is there any search query to find all alerts and the last triggered date and time for each of the alerts?
Trying to get total count till selected year from multiselect input
Hi All, I am trying to display the total active users count till the selected year. I could achieve this if I select only one year at a time, but if I try to select more than 1 year, I am getting an error....
What is the expected indexing rate with the high-performance specification
Splunk has the high-performance specification of reference hardware with 48 cores, but the following page still shows 300GB/indexer as the indexing rate....
Hosting external libraries in Splunk and instantiating them in an HTML dashboard
Is it possible to host and use 3rd-party JavaScript libraries for HTML dashboards, and what is the best practice for doing this? More specifically, in my case I'm attempting to use Vue JS for a simple...
When will ad-hoc search artifacts/results be deleted?
Hi, I am wondering when my search artifacts/shown results will be deleted. The default TTL for ad-hoc searches is 10 min. I would expect the results of my opened & completed search to disappear after...
Where can I see the fetched data from Salesforce in "Splunk add-on for...
I have installed "Splunk add-on for Salesforce" and "Splunk app for Salesforce". I have done the configuration. But when I tried to retrieve events by using the index, I couldn't see the results. It is...
R with Splunk
1) How do I set up & use R from within Splunk? 2) How do I use an R function/model (final built model) as a function within Splunk directly? We see Python add-ons but we do not see R add-ons on the...
Indexer VM corrupt
We have 6 indexers in an indexer cluster setup. On one of the indexer servers, the Splunk mount point went corrupt due to a disk space issue. Now we mount the new point and install the Splunk package on that...