They are being issued. For me it took two weeks to arrive, so the time varies. ... View more

When you say "seen in Splunk as json data which is not searchable", do you mean the data is not at all appearing in Splunk, or it is possible to use search to retrieve the logs but they do not extract fields? Splunk handles JSON logs straightforwardly so if the logs do reach splunk in proper JSON format then it should have no problem indexing the logs and even automatically extracting fields. ... View more

Try adding the globallimit= field to geostats. As in: | geostats globallimit=93 latfield=Lat longfield=Long count by Country   ... View more

You can go to Searches, Reports, and Alerts, then set the App to be Splunk Security Essentials. If you set the Owner to All, you can then see all of the included Searches in the app. If one of them is scheduled, you can set its time range and schedule, so that it will onboard data from long ago in a single swoop. Did you do anything in the app interface to activate the "onboarding background search?" ... View more

There is a troubleshooting guide here: https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/ The guide describes how to to write the rawmsg to a file for both the working server and your non-working windows machine, to see if the messages are received the same. Once you confirm that the logs are being received the same, you can move to seeing why Splunk is not then indexing them.   ... View more

Are you sure it is supposed to go to the raw event collector at /services/collector/raw ? Unless I am mistaken, you need the export_raw option to be enabled to export raw data for that endpoint. Try running it with the endpoint set to: https://<host>:8088/services/collector ... View more

If I understand you correctly, you are exporting the results of a search, then importing it in another Splunk instance as new data? This would definitely alter the fields. The exporting of search results is not intended as a method to move data unchanged from one Splunk instance to another. Are you trying to import BOTS data or to package indexed data in a manner similar to the BOTS data? ... View more

We cannot tell what data is being stored in your "main" index. You'd have to describe what type of data it is, before asking the meaning of the field values. It would be helpful to have names of apps and reporting services, and then hopefully someone in the community will have experience with it. ... View more

You might find this blog post useful: https://www.splunk.com/en_us/blog/tips-and-tricks/protocol-data-inputs.html It describes the Protocol Data Inputs app (https://splunkbase.splunk.com/app/1901) that performs custom data handling and pre-processing of the received data before it gets indexed by Splunk. It should be possible with this app to write a custom data handler that will accept your ProtoBuf data. ... View more

Unfortunately this error does not give any reason _why_ the search head cannot connect to the manager node. If the stanza is exactly correct between the working search head and the non-working search head, then it could be a network connectivity issue or a firewall issue rather than a splunk issue. Do you see any errors in the _internal logs that may describe the reason why the search head was failing to connect? ... View more

Try setting it like this: [WinEventLog://Security] index = wineventlog sourcetype = WinEventLog:Security disabled = 0 whitelist = 0-6000 blacklist = 1,2,3,4 ... View more

The /export endpoint will dispatch a search and then retrieve the results when the search is completed. If the search takes a lot of time, then likely the request will time out. You can either make your search faster or you can use two endpoints, one where you dispatch the search and another endpoint where you later retrieve the results. To dispatch the search: curl -k -H 'Authorization: Splunk <your_token_here>' https://your_searchhead_here:8089/services/search/jobs -d search="search index=* | head 10 | table host" The above call will return you a search id (sid), which you'll need in the following call to retrieve the results: curl -k -H 'Authorization: Splunk <your_token_here>' https://your_searchhead_here:8089/services/search/<yoursidhere>/results Ref: https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches ... View more

You could start by integrating your Splunk with LDAP so that your dashboard searches the AD data using LDAP queries. This app should help: SA-ldapsearch - https://splunkbase.splunk.com/app/1151 ... View more

Can you double-check that the configuration is correct on the deployment client? Using btool: $SPLUNKHOME$/bin/splunk btool deploymentclient list ... View more

Try modifying this CURL request to your needs (adjust the endpoint, search, and token) curl -k -H 'Authorization: Splunk <your_token_here>' https://your_searchhead_here:8089/services/search/v2/jobs/export -d search="search index=* | head 10 | table host"   ... View more

Certainly, you can edit the app code by cloning the app into a draft and then editing the carbonblack_connector.py file. ... View more

Unfortunately not. The configure_db_maintenance settings do not have that level of granularity. It applies to all containers. ... View more

You could hit the REST endpoint for approvals. (https://docs.splunk.com/Documentation/SOARonprem/6.2.1/PlatformAPI/RESTApproval) Unfortunately the docs do not include the POST requests for actually approving the task, so you'll have to do an approval in the web interface and then log the POST request using your browser dev tools. Then you can use that POST request to approve tasks without having to log into SOAR. You will need to provide authentication credentials or a token though. ... View more

An important thing to keep in mind with this configuration is that each transform will be applied to the events, so the first transform can change the destination index, but then the second transform can change the destination index again. If events are going to index2 but should be going to index1, it indicates that the regex for the rewrite_index_adm transform is matching on the events that should go to index1. Check your regexes and make sure that the regex for rewrite_ad_group_management ONLY applies to logs with EventCode 4728 or 4729, while the regex for rewrite_index_adm ONLY applies to the Eventcodes 4624,4634,4625 and for admin users. ... View more

Can you split your query into a set of smaller queries that index those rows into a summary index? ... View more

This error would indicate an authentication problem. You should double-check your SMTP settings to ensure that they contain authentication settings for a valid account that can send email through your email provider. ... View more

You also need the list_all_users capability in your role, to list all users. For the alerts, your user needs permission to read the alert to fetch triggered alerts. ... View more

What happens if you manually use the sendemail command? | makeresults | sendemail to="it-security@durr.com" subject="Test mail" message="Test mail message"   ... View more

It seems that splunklib is trying to get the obsolete pycrypto library. Ideally you should configure it to use the Cryptography or pycrypodome library. There is an answer here how to change splunklib to use pycryptodome: https://stackoverflow.com/questions/59104347/how-do-i-install-splunklib-for-python-3-7-on-windows In case that link goes down, here are the instructions: by Chris Chris Dec 2 2019, 8:42: I finally found the way to install it: Uninstall pycrypto pip uninstall pycrypto Install pycryptodome as replacement of pycypto pip install pycryptodome Install splunklib without dependencies pip install splunklib --no-deps Edit "pythonlib"\splunklib-1.0.0.dist-info\METADATA and replace "Requires-Dist: pycrypto" with "Requires-Dist: pycryptodome" install splunk-sdk pip install splunk-sdk check that everything is ok pip install splunklib   ... View more

I can't think of a practical way to make an alert that will alert once per title, but also have many separate rows per title. You may be trying to do too much with one module. You could set up the alert to use multi-value fields as per my previous suggestion, but then include a link in the alert to a separate search where each title is separate. ... View more