How to make filter for Windows Security Events with Logon Type:3
Hi, I want to drop all Windows Security Events (4624, 4625 etc.) with Logon Type:3. My first idea is to make a filter on my Heavy Forwarder: -------props.conf [WinEventLog:Security] TRANSFORMS-windows_events...
How to restrict users to only specific app
Hi Experts, I gave access to one client by creating a specific index and apps. But when he logs in he sometimes navigates to the Search & Reporting tab and creates some lookups. I want to restrict users...
Traffic Light not showing up
Hi All I'm trying to implement Traffic Light on a customer. They are using a SHC: 3 SH, 2 IDX. On a stand alone machine, I downloaded the TrafficLight App, installed and it worked fine. Later, I've...
Splunk Add-on for Nessus: How to configure the 'Nessus Server URL' field to...
My organization utilizes Nessus Cloud for scanning with four configured remote scanners that are local on our network. I am configuring the Data Input Parameters in Splunk Enterprise and I'm not sure...
Splunk Enterprise Security: After a WinEventLog service shutdown, why is no...
Hi Splunkers! I've been re-writing a correlation search from Splunk Enterprise Security, "Anomalous Audit Trail Activity Detected". I wrote my version to take OS restarts and shutdowns into account,...
What is _indextime, really?
We have had several examples recently where scheduled searches appear to run in the _internal log, complete successfully, and find no results when results were available. Using _indextime vs _time to...
Why would 1 of 3 search heads in a search head cluster not show any results...
I have three search heads in a search head cluster and they are all listed in my Distributed Management Console as search heads. Only 2 of the 3 instances are showing data when viewing in the DMC...
Splunk Add-on for IBM WebSphere Application Server: Why is filtering events...
I have reviewed and tried most every suggestion that I have seen on this site but still no luck. I am trying to filter out, pre-index, all java stack traces containing lines like robots.txt,...
How to set up multiple conditions for our cron scheduled alert?
I have an alert scheduled to run on CRON. I wanted to trigger an alert when the number of results is less than X, with an attachment having the results. At the same time, I wanted to have the...
How to combine results of two table searches?
I've combed through a plethora of the posts here with regards to using subsearches and other various "solutions" to what must be a very common issue: combining results from two searches. Let me start...
How to replace a value in a multivalue field?
I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far. Search... | eval MB = bytes_to_server/1024/1024 |stats...
Is it possible to turn a multivalued field with an arbitrary number of...
I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks...
Display comparison between last week vs this week data in 2 rows and...
I don't know if this is possible. I am trying to compare last week's data vs this week's data and display it in such a way as shown: LastWeekDate (12Feb-12:00) LastweekData [ 200K] ChangeIn% ThisWeekDate...
Assets.csv nt_host
All, Building my Assets.csv file for ES. Just curious about the nt_host field. Is this required? For example with my Linux hosts, do I need to go ahead and still fill it out with the Linux server name?...
Indexer cluster autoscaling, how to configure universal forwarders with the...
We are using a splunk indexer cluster in AWS using autoscaling to increase the cluster size. Universal forwarders are configured with the indexers' IPs. When a new indexer gets launched, how do we update...
How to resend lost data between two splunk servers?
Hi all, consider the following scenario: there are two splunk infrastructures. The first (A) collects data from several forwarders and forwards a subset of this data to a second indexer (B). When B...
How do I apply a left outer join to two different searches
I need to apply a left outer join or NOT IN condition on two different searches. search 1 : index=abc host="*xxx*" sourcetype=access_combined_wcookie NOT (sessionId="-" OR isnull(sessionId)) method=GET...
On startup, Splunk reports issues with the default prefs.conf file (invalid...
When I start up Splunk (v6.3.0 for Linux), I've noticed a warning message when Splunk is checking conf files for problems. It finds several issues with the default prefs.conf file, telling me several...
How do I manually identify excess buckets in a multisite cluster?
Hello, When trying to remove all excess buckets via the Cluster Master in a multisite indexer clustered environment, we don't see all excess buckets being removed, only some. Is it possible that the...
How to delete an uploaded csv file
Hello Team, I added a csv file using Add Data. I do not know how to delete it; could someone help on this? And where does this normally sit, i.e. the path, e.g. opt/splunk..