How can I create a query to separate every session by host based on specific...
Hi all, I'm trying to record all RD sessions on my server. I've written this query: index=server source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=24 OR...
Windows & Redhat: How to create an alert to grab auditable events, logs from...
Mixed environment, about 20 servers - 70 percent Redhat and the rest is Windows OS. I'd like to know how to create an alert that grabs all audit logs and other auditable events such as logon failures,...
Getting exponential values in line chart when using IE browser
I have a line chart in one of my dashboards and I am using Chrome and IE. When I hover over the values in the line chart in Chrome they all show as a percentage, but when I do it in IE some of the values show up as...
How to replace master node with LDAP - reconfig required?
I am trying to move the master node to a different node. 1. Set up a new node. 2. Configured it as master node. 3. Modified server.conf similar to the old master node for all params except the SSH key. 4. Copied _cluster...
How to get exponential values in line chart when using IE browser?
I have a line chart in one of my dashboards and I am using Chrome and IE. When I hover over the values in the line chart in Chrome they all show as a percentage, but when I do it in IE some of the values show up...
Guide for creating Add-ons to deploy to (Universal) Forwarders?
Our department needs to collect the serial numbers of all physical drives connected to all machines within our network. Since there are over 1000 hosts, we would like to be able to collect this...
Why do the indexes disappear in Settings > Indexes after upgrade to v7.0.2 from...
Currently being hosted on Win2012 R2. Splunk is installed on C:\ and E:\, with splunk-launch.conf pointing to E:\. However, once I complete the upgrade, the indexes disappear from the Splunk web page...
Not receiving logs from Syslog Server
I have set up a universal forwarder to read logs from a Kiwi syslog server. The Universal Forwarder is set to forward logs to the Indexer via a Heavy Forwarder. I have also set up the Heavy Forwarder as...
What are the recommendations for a HEC?
All, what are my hardware recommendations for a HEC? How many instances would I need for, say, 24 gigs of logs a day? Didn't seem like much, so I am thinking 2 VMs at 12 CPU / 12 gigs RAM? Thoughts? Any docs...
What happens when the license expires?
Data ingestion continues, but search, alerts and dashboard display show a warning and stop working, and they are restored 30 days after the last day the limit was exceeded. During the license violation period: Splunk software does not interrupt indexing of data. If you are using a Splunk Enterprise 6.5.0 or earlier license, searches are blocked during the violation....
Get user's search history
Is there a way to get the user search activity, excluding the searches run by the dashboards? Thanks, N
Is there a way to customize the payload when Splunk calls a webhook?
I am calling a webhook when a certain alert triggers in Splunk. I want to see the exact payload by looking at the alert result so that I can better program the Java REST API.
Add time in search string
Hi All, I want to add time in the search string. My data is showing time 26-02-2018T02:00:00.000+0000, but while searching I want to add 11 hours, meaning it should create a filter for time...
Custom Trigger Condition (Percent increase)
If I wanted to add a "custom" trigger condition to an alert that would trigger the alert only if the search results increase by x percent over 1 hour, how would I go about doing this?
Create Distinct Records from stats
I have a question wherein I have inputs as below in a file f1.csv: JOB NAME Start_Time End_Time Job1 S11 Job2 S2 Job3 S3 Job1 S12 Job4 S4 Job1 E11 Job2 E3 Job3 E3 Job1 E12 Job4 E4, and when I run the...
When we are running SA-SPLICE using mongodb, the disk usage (RAM) and current...
We installed the SA-SPLICE application (and mongodb) on our Splunk Enterprise. We have configured threat intelligence using URL "http://hailataxii.com". The disk and current load utilization is shooting to...
splunk db connect
Just installed Splunk DB Connect. Splunk has restarted. The first time it always points to the ip:8000 / en-US / app / splunk_app_db_connect / ftr # / welcome? _k = g5kod7. Most likely on a demo video....
Unable to schedule the dashboard
Hi All, we have a Splunk environment running on version 6.5.2 with Indexer and Search Head clustering enabled. It is a multisite deployment. Recently, I have come across a problem while scheduling a dashboard....
Brute Force Attack - Passwords Used by Attackers
Morning. I have been reading this article https://www.splunk.com/blog/2017/06/16/detecting-brute-force-attacks-with-splunk.html and I wondered if there was any way of finding out what passwords the attackers...
How to configure File/Directory Information Input
Hi all, we have deployed the file_meta_data app on one of our universal forwarders running on Windows 2012 R2 because we want to monitor the file size of a specific file. The inputs.conf looks like...