We are gathering logs from various devices that contain security, performance, and availability-related information. These logs are all being sent to Splunk. We utilize both Splunk core and the ES App. Since we have to pay separately for both core and the ES App based on ingestion, we are exploring options to minimize costs. Is there a mechanism available for selecting which logs can be sent to the ES App for processing? If such an option exists, we would only need to send security-specific logs to the ES App, significantly reducing our Splunk ES App licensing costs. Splunk Enterprise Security ... View more

Hi, I have a few adaptive responses (AR) which are tagged to run on correlation rule triggering. These Adaptive responses are working fine and getting the data. Now I want to save this AR data to a KVstore and tagged with an associated notable event ID. My intention is to fetch this data later using the notable event ID field. However, I can't find any way to access/get the notable event ID from within the adaptive response code. I tried using the helper.get_events() but it doesn't have a notable event ID field. Please let me know if anyone has done this before. Regards, Ramesh ... View more

Hello, I have a requirement in new app being build using add-on builder create a input parameter called choose index. This parameter should show the list of avalable indexes from which an user selects one index. I don't see this option in Splunk Add-on builder helper functions. However, Splunk doc does show such option in a picture just above the section called Pass values from data input parameters https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/ConfigureDataCollectionAdvanced Another pic from an add-on which have this feature Can anyone help me on this please? ... View more

Hi, I see two (probably) new endpoints under server control. I'm using Splunk Enterprise 7.0.2 <link href="/services/server/control/restart_webui_async" rel="restart_webui_async"/> <link href="/services/server/control/restart_webui_polite" rel="restart_webui_polite"/> However couldn't find any documentation on the above two endpoints in Splunk docs http://docs.splunk.com/Documentation/Splunk/7.0.2/RESTREF/RESTsystem#server.2Fcontrol Would appreciate if anyone can share some insight into this. ... View more

Hello, We require your help implementing a part of solution for an app deployed in our Splunk SH cluster. The app is pushed to all the SH members using a deployer. The App contains a script which downloads IoCs and deposits in the location “$SPLUNK_HOME/etc/apps/app_name/appserver/static“ so that our other Security solutions can access it via HTTP(S). The App is designed to download only in SH captain. This part works very well. However we need a logic to copy/replicate the IOC files in /app_name/appserver/static (in captain) to other member servers too. The files in this location are CSV and JSON. Our goal is to access these files from remote location via web, If these files are kept updated in all peers then we can access it from any member server irrespective of which one is the actual captain node. Is there a way we can achieve this using Splunk only? We know this can be done using scp/share folder but client wants to do this within Splunk. Any help is appreciated. ... View more

Hello, I'm trying out a Adaptive response action of VirusTotal which i created by following this site http://dev.splunk.com/view/addon-builder/SP-CAAAFBQ. The following screnarios are working Running the Adaptive response on ad-hoc mode where in I have to provide a complete url (like http://www.google.com)as parameter. Running the Adaptive response from correlation search using Adaptive Response Actions where in I provide a complete url (like http://www.google.com) as parameter. However on the same correlation search If I try to pass on the parameter as $url$ it fails to execute and I get failure under Notable events details. The correlation search query is basic one which reads data from a lookup table which contains only one column called url. It returns the URL Correlation Search query | inputlookup demoARdata | where isnotnull(url) Adaptive response action Error Message in log file VirusTotal_modalert.log 2017-11-27 19:16:38,641 INFO pid=16371 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO 2017-11-27 19:16:38,642 ERROR pid=16371 tid=MainThread file=cim_actions.py:message:271 | sendmodaction - signature="url is a mandatory parameter, but its value is None." action_name="VirusTotal" search_name="Threat - Splunk alert $url$ - Rule" sid="scheduler_adminSplunkEnterpriseSecuritySuite_RMD5839fb9bced15ebfc_at_1511790360_253" rid="0" app="SplunkEnterpriseSecuritySuite" user="admin" action_mode="saved" action_status="failure" Not sure where I went wrong? 😞 ... View more