All Posts

I'm by no means an rsyslog guru but ran into it recently. There may be a better way to solve this but the quick fix was to turn off both supportOctetCountedFraming (input) and escapeControlCharacterTab (global).

# global: do not escape tab characters in received messages
$EscapeControlCharacterTab off
[...other config...]
# TCP input with octet-counted framing disabled
input(type="imtcp" port="<port>" name="<name>" ruleset="<ruleset>" supportOctetCountedFraming="off")
Hi @anandhalagaras1, what's the sourcetype to apply the masking to? I suppose that the sourcetype in the props.conf stanza header is only an example and that in your installation you have the correct sourcetype to apply the transformation. Ciao. Giuseppe
May I know the exact answer, please?
Have you checked Splunkbase? There is a promising app at https://splunkbase.splunk.com/app/6762
Hi @jpillai, you have only the option to switch the certificate at the same time on both ends (Splunk & IDP provider). Just for a certificate replacement you don't need the SPmetadata.xml if the other parameters won't be changed. Create the certificate, hand over the certificate chain to the IDP colleagues, agree on a time window for the renewal and then do it.
@gcusello, this is the exact and correct sourcetype, and I have created a custom app and uploaded the app to our search head. Since our search head is hosted in Splunk Cloud managed by Support, I have uploaded the app in the upload app section and, after the vetting process completed, I have installed the custom app on the search head. This is the custom app I have created: "abc_app". Under abc_app I have placed two folders, "default" and "metadata". Under default I have created the app.conf and props.conf, and under metadata I have created the default.metadata. Refer to the screenshots for reference. So kindly let me know where I am going wrong, since the lines are getting segregated as separate events whereas password masking is not getting applied to the events. Hence kindly help on the same.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
You could try using spath rather than xpath as it handles JSON and XML
Hhmmm... here's my dilemma. My field called proctitle has the entire command in it. One example is where I have proctitle="/bin/chmod 440 /etc/sudoers" and I want to exclude the chmod term. I have 32 such terms I need to exclude. I'll share with you that I am attempting to develop a Linux auditd detection for Account Manipulation per the MITRE ATT&CK framework https://attack.mitre.org/techniques/T1098/. This search will look for attempts to modify the sshd_config, passwd, groups, shadow and sudoer files. In examining existing data, I have determined there are legitimate processes (the 32 terms mentioned) in the proctitle field for the event data that will trigger this alert. (It was a tedious effort, but I traced through the parent process IDs to justify this list.) If I eliminate these 32, my noise is 99% filtered out. Most of my terms are bounded by major breaks. The example I used is not, but if I use /bin/chmod instead of chmod, it would work. Let me try this and report back.
@ITWhisperer Can I use "| mvexpand description"? I think the description field has multiple values and causes the issue of the single count value from the error_description.
@ITWhisperer Actually the query below was not giving the results, which is why the error field was not populated.

| xpath outfield=MIS_Address "//MIS_Address"

I have removed the query above and replaced it with

| rex field=_raw "eqtext\:MIS_Address\>(?<error>.+)\<\/eqtext\:MIS_Address"

and the error field is now populating. But now I am seeing another issue. As per the screenshot below, only one count is visible from "error_description", as the error count is 11 or the description count is 100+.
Hi all, I am currently testing the HTTP Event Collector (HEC) with a Splunk Cloud trial account. All I do is post data to the HEC URL, and it works perfectly for a local instance of an Enterprise account at http://127.0.0.1:8088/services/collector/event. A solution I saw on the community forum was to disable the SSL validation. However, this isn't the best option to use in production for security reasons. Another solution I saw was to upload certificates, but this option isn't suited for a SaaS solution with many different customers. Is it possible to solve this issue in a different way? I would also like to ask whether this problem would persist for normal production client accounts, and whether there is a generic solution for it.

Curl request

curl https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk token" -d '{"event": "hello world"}'

Curl response

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Thank you for your time and assistance in addressing these inquiries.
Thanks for your response. I followed the documentation, but I have one question: When Tenable is running as a vulnerability management solution, which section of the documents should I follow step by step? Could you please help me with this?
I am sending logs from my application to the Splunk server using Splunk Logging for Java with the HTTP Event Collector and log4j2 configuration. The logs are printed correctly in the console but are not getting pushed to the Splunk server, and I am not even getting any error. Below is my log4j2.xml configuration file.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="org.example">
  <Appenders>
    <Console name="console" target="SYSTEM_OUT">
      <!-- date pattern corrected to ISO8601 and the unbalanced style brace closed -->
      <PatternLayout pattern="%style{%d{ISO8601}} %highlight{%-5level }[%style{%t}{bright, blue}] %style{%C{10}}{bright,yellow}: %msg%n%throwable" />
    </Console>
    <File name="MyFile" fileName="logs/app.log">
      <PatternLayout>
        <Pattern>%d %p %c{1.} [%t] %m%n</Pattern>
      </PatternLayout>
    </File>
    <!-- HEC appender from splunk-library-javalogging -->
    <SplunkHttp name="httpconf" url="http://localhost:8088" token="b489e167-d96d-46ec-922f-6b25fc83f199" host="localhost" index="spring_dev" source="source name" sourcetype="log4j" messageFormat="text" disableCertificateValidation="true">
      <PatternLayout pattern="%m" />
    </SplunkHttp>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="console" />
      <AppenderRef ref="MyFile"/>
      <AppenderRef ref="httpconf" />
    </Root>
  </Loggers>
</Configuration>
Try without the brackets around the concatenated strings:

| eval start_time=exact(coalesce(start_time,'_time')), description=coalesce(description,("Unknown text for error number " . error)), error_description=error . "-" . description, group=isc_id . error . start_time
No. This is not the answer. This is the general idea of the answer. There are no specifics which would depend on the details which the OP hasn't provided.
Either your table is misaligned or you're trying to do something very non-obvious. I don't understand what the relation is between this:

service  errorNumber  errortype  Failed
aaca     0            fail       8
aaca     10           pass       1000
aaca     25           fail       290
aaca     120          fail       8
aaca     80           pass       800
aaca     200          fail       400
aaca     210          pass       22
aaca     500          fail       10

and this:

service  errorNumber  errortype  Failed
aaca     0            fail       2538
         10           pass
         25           fail
         120          fail
         80           pass
         200          fail
         210          pass
         500          fail

Also remember that Splunk is not Excel, so you can't merge cells.
@Richfez Thanks for the response, Rich. Since mvexpand/makemv are the basics when it comes to splitting a field value, I had given it a try and tried again now as well. Like you've mentioned, trying this on the example data gives me 13 rows of output. But once I'm there, I do not know how to pick one pair of values for a row from the expanded list of values, spread across multiple rows.

Time  parameter  value
x     a          x1
x     c          x1
x     b          x1
x     a          x2
x     c          x2
x     b          x2
x     a          x3
x     c          x3
x     b          x3
y     d          y1
y     e          y1
y     d          y2
y     e          y2

After this, I'm unsure how to achieve the expected output:

Time  parameter  value
x     a          x1
x     c          x2
x     b          x3
y     d          y1
y     e          y2
It will work but extract with "#012 ".
Let me agree with your disagreement. Do you agree with the answer, though, is the question: the 4 points mentioned initially to centrally get the events on a single server and monitor the same?