Transforming Field Value with Rex/Regex?
Hey! So I have this field: "user1 user2 user3 user4 user5 user6 (.....)" and I wanted it to look like "(account="user1" OR account="user2" OR account="user3" OR (.....))" without using format or...
Splunk Forwarder SSL unsupported certificate purpose?
Running Splunk 6.5.2 & 6.5.3, we just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA. I've been having a hard time getting our heavy forwarders to...
How do you detect WannaCry by Splunk Enterprise Security Content Updates?
Is it impossible to detect WannaCry with the app **ES Content Updates**? Does anyone have experience with this? app: https://splunkbase.splunk.com/app/3449/
Using Splunk HF - Filter data before TCP routing
Hi, I'm using a Splunk Heavy Forwarder with props.conf, transforms.conf and outputs.conf to selectively send events to different Splunk indexers based on the sourcetype. That works well. But now I have...
Splunk Universal Forwarder installing additional roles?
I had installed the Universal Forwarder 6.5.1 a while back and set it to connect to a deployment server / Splunk instance. All I wanted it to do was be a forwarder. However, upon a Nessus scan of the...
SearchManager (JS) with double quotes in query
Hello all, I am using the object SearchManager for the below query, however it is not returning anything. Executing the same query directly in SEARCH, we can find the results. Probably it is something...
How do I add a _meta field to monitored files
I am working with a heavy forwarder tier that is running syslog where network devices are sending data. For ease of tracking where each file is being monitored from, I would like to add some metadata...
Error message: "Search process did not exit cleanly, exit_code=255,...
I have deployed a search head app from the deployer to a search head clustering environment, but while querying any search inside the app, it shows the error "Search process did not exit cleanly,...
Wget link fails to download Splunk ("Unable to establish SSL connection")
When I attempt to download Splunk on a CentOS system using the wget link that Splunk.com provides, it doesn't work and instead gives the following error: OpenSSL: error:14077410:SSL...
Windows Stealth Firewall rule blocking Deployment traffic
I am seeing a firewall block by the Windows Firewall for traffic returning to my forwarders from the deployment server. The rule they are hitting on is:...
Can I use data from two different metrics in the same dashboard?
I have two different metrics: one metric tells if a device is online. Another metric tells if a device has a process crash. How do I get average crashes per device installed? For example, I can get...
How to filter out the list of hosts that are in the lookup but not in my...
I have a query as follows which displays the list of hosts and their host details as follows: host field_A field_B field_C. Now I have an Excel sheet which I'm trying to use as a lookup "hosts_list.csv"...
Count of counts by value by day...
I want to find/graph the count of (dc(X) as dc_X_count by Y) by day. In other words, I have some events in a basic search with two IDs, X and Y. There are 1 or more X values per Y. The max number of...
Best way to filter out events within Enterprise Security Incident Review?
I am seeing a number of events for abnormally high number of HTTP POST requests in our enterprise security incident review, many of which are allowed communication between our systems. What would be...
Why are my users unable to change the permissions of a lookup?
I have the lookup editor deployed to my environment, and am finding that my users are not able to tweak the permissions of the lookups they created. Am I maybe missing a role?
Will universal forwarder installs only work on specific OS versions?
I was told that it didn't matter what version of the Universal forwarder I installed on my servers. Does it matter that much? If I have Server 2003, 2008 or 2012, can they all use the same version of...
Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to...
Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a...
How to modify the results in required format?
I have a lookup query as follows | inputlookup hosts.csv | rename hostname as my_hostname | table my_hostname the results are follows abcd abcf.sjs.com GHK ghli.sjd.com How can I modify my query to...
kvstore restrict tls version 1.0
How is kvstore configured to not accept TLS version 1.0? Currently, server.conf has (excerpt): [sslconfig] sslVersions = tls1.1, tls1.2 Are any other settings required? Are there any other reasons...
Splunk DB Connect compatibility: Can I connect to ERP, SAP, Gentrack, Oracle,...
Hi Splunk SME, I have an IT system landscape involving 3 to 4 different types of systems such as ERP (SAP, Gentrack or Oracle), MSI (Market System Interface), ITRON (Metering Data Management system) etc....