Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
04-03-2024
05:17 AM
Have you checked splunkbase? There is a promising app at https://splunkbase.splunk.com/app/6762
04-03-2024
04:58 AM
Hi @jpillai you have only the option to switch the certificate at the same time on both ends (Splunk & IDP provider). Just for a certificate replacement you don't need the SPmetadata.xml if the ot...
See more...
Hi @jpillai you have only the option to switch the certificate at the same time on both ends (Splunk & IDP provider). Just for a certificate replacement you don't need the SPmetadata.xml if the other parameter won't be change. Create the certificate, hand over the certificate chain to the IDP colleagues, agree a time window for the renewal and then do it.
04-03-2024
04:55 AM
@gcusello , This is the exact and correct sourcetype and I have created a custom app and uploaded the App in our Search head. Since our Search head is hosted in Splunk Cloud managed by Support. So ...
See more...
@gcusello , This is the exact and correct sourcetype and I have created a custom app and uploaded the App in our Search head. Since our Search head is hosted in Splunk Cloud managed by Support. So I have uploaded the app in the upload app section and post vetting process completed i have installed the custom app into the Search head. This is the custom app i have created "abc_app" Under abc_app I have placed two folders "default" and "metadata" Under default I have created the app.conf and props.conf And under metadata I have created the default.metadata Refer screenshots for reference. So kindly let me know where i am missing since the lines are getting segregated as separate events whereas password masking is not getting applied to the events. Hence kindly help on the same.
04-03-2024
04:55 AM
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
04-03-2024
04:44 AM
You could try using spath rather than xpath as it handles JSON and XML
04-03-2024
04:39 AM
Hhmmm......here's my dilemma. My field called proctitle has the entire command in it. One example is where I have proctitle="/bin/chmod 440 /etc/sudoers" and I want to exclude the chmod term. I ...
See more...
Hhmmm......here's my dilemma. My field called proctitle has the entire command in it. One example is where I have proctitle="/bin/chmod 440 /etc/sudoers" and I want to exclude the chmod term. I have 32 such terms I need to exclude. I'll share with you that I am attempting to develop a Linux auditd detection for Account Manipulation per the Mitre Attack Framework https://attack.mitre.org/techniques/T1098/. This search will look for attempts to modify the sshd_config, passwd, groups, shadow and sudoer file. In examining existing data, I have determined there are legitimate processes (the 32 terms mentioned) in the proctitle field for the event data that will trigger this alert. (It was a tedious effort, but I traced through the parent process IDs to come justify this list.) If I eliminate these 32, my noise is 99% filtered out. Most of my terms are bounded by major breaks. The example I used is not, but if I use /bin/chmod instead of chmod, it would work. Let me try this and report back.
- Tags:
- filtering_noise
04-03-2024
04:11 AM
@ITWhisperer Can I use "| mvexpand description" I think description field is having multi value and cause the issue of the single count value from the error_description.
04-03-2024
03:58 AM
@ITWhisperer Actually below query was not giving the results that is why error field was not populated. | xpath outfield=MIS_Address "//MIS_Address" I have removed above query and replaced by "|...
See more...
@ITWhisperer Actually below query was not giving the results that is why error field was not populated. | xpath outfield=MIS_Address "//MIS_Address" I have removed above query and replaced by "| rex field=_raw "eqtext\:MIS_Address\>(?<error>.+)\<\/eqtext\:MIS_Address" and error field are now populating. But now I am seeing another issue. As per the below screenshot only one count is visible from "error_description" as error count is 11 or description count is 100+
04-03-2024
03:46 AM
Hi all, I am currently testing the Http Event Collector (HEC) with a Splunk Cloud trial account. All I do is post data to the HEC url, and It works perfectly for a local instance for an Enterprise a...
See more...
Hi all, I am currently testing the Http Event Collector (HEC) with a Splunk Cloud trial account. All I do is post data to the HEC url, and It works perfectly for a local instance for an Enterprise account at http://127.0.0.1:8088/services/collector/event A solution I saw on the community forum was to disable the SSL validation. However, this isn't the best option to use in production for security reasons. Another Solution I saw was to upload certificates but this option isn't suited for a SaaS solution with many different customers. Is it possible to solve this issue in a different way? And I would also like to ask if this problem would persist for normal production client accounts and along with a generic solution for it? Curl requests curl https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk token" -d '{"event": "hello world"}' Curl Response curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. Thank you for your time and assistance in addressing these inquiries.
- Tags:
- hec
04-03-2024
03:36 AM
Thanks for your response. I followed the documentation, but I have one question: When Tenable is running as a vulnerability management solution, which section of the documents should I follow step by...
See more...
Thanks for your response. I followed the documentation, but I have one question: When Tenable is running as a vulnerability management solution, which section of the documents should I follow step by step? Could you please help me with this?
04-03-2024
03:32 AM
I am sending logs from application to splunk server by Splunk logging for java using Http Event Collector with log4j2 configurations.
Actually logs are printed correctly in console but not getting ...
See more...
I am sending logs from application to splunk server by Splunk logging for java using Http Event Collector with log4j2 configurations.
Actually logs are printed correctly in console but not getting pushed to splunk server. And I am not evening getting any Error.
Below is my log4j2.xml configuration file
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="org.example">
<Appenders>
<Console name="console" target="SYSTEM_OUT">
<PatternLayout
pattern="%style{%d{IS08661}} %highlight{%-5level }[%style{%t}{bright, blue}] %style{%C{10}}{bright,yellow): %msg%n%throwable" />
</Console>
<File name="MyFile" fileName="logs/app.log">
<PatternLayout>
<Pattern>%d %p %c{1.} [%t] %m%n</Pattern>
</PatternLayout>
</File>
<SplunkHttp name="httpconf"
url="http://localhost:8088"
token="b489e167-d96d-46ec-922f-6b25fc83f199"
host="localhost"
index="spring_dev"
source="source name"
sourcetype="log4j"
messageFormat="text"
disableCertificateValidation="true">
<PatternLayout pattern="%m" />
</SplunkHttp>
</Appenders>
<Loggers>
<Root level="info">
<AppenderRef ref="console" />
<AppenderRef ref="MyFile"/>
<AppenderRef ref="httpconf" />
</Root>
</Loggers>
</Configuration>
Labels
- Labels:
-
data
-
HTTP Event Collector
04-03-2024
03:23 AM
1 Karma
Try without the brackets around the concatenated strings | eval start_time=exact(coalesce(start_time,'_time')), description=coalesce(description,("Unknown text for error number " . error)), error_de...
See more...
Try without the brackets around the concatenated strings | eval start_time=exact(coalesce(start_time,'_time')), description=coalesce(description,("Unknown text for error number " . error)), error_description=error . "-" . description, group=isc_id . error . start_time
04-03-2024
03:22 AM
No. This is not the answer. This is the general idea of the answer. There are no specifics which would depend on the details which the OP hasn't provided.
04-03-2024
03:21 AM
Either your table is misaligned or you're trying to do something very non-obvious. I don't understand what is the relation beetween this: service errorNumber errortype Failed aaca 0 fail...
See more...
Either your table is misaligned or you're trying to do something very non-obvious. I don't understand what is the relation beetween this: service errorNumber errortype Failed aaca 0 fail 8 aaca 10 pass 1000 aaca 25 fail 290 aaca 120 fail 8 aaca 80 pass 800 aaca 200 fail 400 aaca 210 pass 22 aaca 500 fail 10 And this: service errorNumber errortype Failed aaca 0 fail 2538 10 pass 25 fail 120 fail 80 pass 200 fail 210 pass 500 fail Also remember that Splunk is not Excel so you can't merge cells
04-03-2024
03:19 AM
@RichfezThanks for the response, Rich. Since mvexpand/mkemv are basics when it comes to splitting a field value, I had given it a try and tried again now as well. Like you've mentioned, trying this o...
See more...
@RichfezThanks for the response, Rich. Since mvexpand/mkemv are basics when it comes to splitting a field value, I had given it a try and tried again now as well. Like you've mentioned, trying this on the example data gives me 13 rows output. But once I'm there, I do not know how to pick one pair of values for a row from the expanded list of values, spread across multiple rows. Time parameter value x a x1 x c x1 x b x1 x a x2 x c x2 x b x2 x a x3 x c x3 x b x3 y d y1 y e y1 y d y2 y e y2 After this, I'm unsure how to achieve the expected output: Time parameter value x a x1 x c x2 x b x3 y d y1 y e y2
04-03-2024
02:45 AM
It will work but extract with "#012 ".
04-03-2024
02:39 AM
Let me agree with your disagreement Do you agree with the answer though is the question - The 4 points mentioned initially to centrally get the events on a single server and monitor the same?
04-03-2024
02:35 AM
OK. Let me disagree here. The answer, typically for ChatGPT had completely no technical details (which is understandable since the question had almost none). And it was indeed copy-pasted. https:/...
See more...
OK. Let me disagree here. The answer, typically for ChatGPT had completely no technical details (which is understandable since the question had almost none). And it was indeed copy-pasted. https://chat.openai.com/share/0291a463-54f3-4fdb-97f7-c152ed1117f3 Anyone can put their question to so-called AI service and get an "answer". The power of this forum is that people can share their experience and expertise. Anyone can use a search engine.
04-03-2024
02:21 AM
Hi uthornander_spl, Did you ever find the answer or solution to this?
04-03-2024
02:11 AM
Sounds like a feature - trellis is probably sorting the display based on the first field
