Hi @bowesmana, I tried the suggested query but it's not working.
Hi Berfomet96, can you try the line breaker regex below:

LINE_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}

Also, your TIME_PREFIX and TIME_FORMAT do not seem to match, as eventtime is an epoch timestamp.
I tried converting the _time field as suggested, with the help of one of the solutions you provided earlier (Solved: Re: convert date to epoch - Splunk Community). But no luck. Can you please help with the query?

Did you consult Date and time format variables when you tried that solution? The solution is provided for that particular format. In your case, it would be something like

strptime(_time, "%FT%H:%M:%S.%Q%:z")

The _time field looks something like "2023-09-06T18:30:00.000+00:00" in the lookup CSV, whereas in the results generated by the query it looks like "2023-09-06 18:30:00".

If you have control over this lookup file, rename the _time field to something else, like "time", instead. Splunk does some funny things when it sees _ as the first character of a field name. This causes more confusion than it is worth. In your case, Splunk is trying to interpret the field as an internal field and gives its best shot at presentation, but internally it is still represented as a string. This causes your chart command to not have a time axis. It is best to reserve _fieldname for Splunk's internal use.
@bowesmana, I've created the tokens via Drilldown Editor. However, when I try using the tokens in a panel, i.e.

| stats values($value2$), values($trellis_split$), values($trellis_value$), values($row_axis_name$), values($row_fieldname$), values($d_trellis_split$), values($d_trellis_value$), values($d_trellis_name$), values($d_value1$)

I'm only seeing name1 & trellis_name. Everything else is blank.
Hi, I want to blacklist them on inputs, as I am left with only three blacklist slots.
I would like help with creating the following: search when an account was created and return a list of users who have not authenticated 30 days after the account was created. I have a search to show details for a particular user, but I would like to create a list of all users and set an alert if not authenticated after 30 days.

index=duo object=<user1> OR username=<user1> | eval _time=strftime(_time,"%a, %m/%d/%Y %H:%M") | table _time, object, factor, action, actionlabel, new_enrollment, username | rename object AS "Modified User", username AS "Actioned By" | sort _time desc

So if actionlabel="added user" exists, I would like to return new_enrollment=false:

Object(actionlabel=added user) = username(new_enrollment=false)

Here is the output I'm searching for:

User    Created     Authentications since created (After 31 days)   Last Authentication
user1   7/25/2023   0
user2   7/27/2023   3                                               8/19/2023
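The request above is a stale-enrollment check: join each "added user" event to the later authentications of the same account and flag accounts with none inside the window. As an added example that is not part of the post or of the Duo app, here is that logic in Python over constructed events shaped like the fields the post lists (object, username, actionlabel, new_enrollment). The window is taken as 30 days from the creation event, as the first sentence of the post states; the evaluation time is a parameter so the result is reproducible.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # assumed from the post: alert after 30 days without auth
TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed events. A creation event carries actionlabel="added user" and the
# new account in "object"; an authentication event carries the account in
# "username" with new_enrollment="false", matching the post's rule.
EVENTS = [
    {"_time": "2023-07-25 10:00", "actionlabel": "added user", "object": "user1", "username": "admin1"},
    {"_time": "2023-07-27 11:00", "actionlabel": "added user", "object": "user2", "username": "admin1"},
    {"_time": "2023-08-01 09:00", "action": "user_login", "username": "user2", "new_enrollment": "false"},
    {"_time": "2023-08-10 09:00", "action": "user_login", "username": "user2", "new_enrollment": "false"},
    {"_time": "2023-08-19 09:00", "action": "user_login", "username": "user2", "new_enrollment": "false"},
]


def _t(ev: dict) -> datetime:
    return datetime.strptime(ev["_time"], TIME_FMT)


def _mdy(d: datetime) -> str:
    """Render dates the way the post's expected table does (7/25/2023)."""
    return f"{d.month}/{d.day}/{d.year}"


def stale_enrollments(events: list[dict], now: datetime) -> dict[str, dict]:
    """Per created account: creation date, auths within WINDOW, last auth, alert flag."""
    created = {
        ev["object"]: _t(ev)
        for ev in events
        if ev.get("actionlabel") == "added user"
    }
    report = {}
    for user, created_at in created.items():
        auths = sorted(
            _t(ev)
            for ev in events
            if ev.get("username") == user
            and ev.get("new_enrollment") == "false"
            and created_at < _t(ev) <= created_at + WINDOW
        )
        report[user] = {
            "created": _mdy(created_at),
            "auth_count": len(auths),
            "last_auth": _mdy(auths[-1]) if auths else "",
            # Only alert once the window has actually elapsed, so brand-new
            # accounts are not reported before they had a chance to log in.
            "alert": now >= created_at + WINDOW and not auths,
        }
    return report


if __name__ == "__main__":
    for user, row in stale_enrollments(EVENTS, datetime(2023, 9, 1)).items():
        print(user, row)
```

Scheduling this as an alert means deciding what "now" is for each run; the function takes it explicitly so that a backfilled or re-run search gives the same answer as the original one.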
What about the 3rd dimension, risk? Seems fair to make 3 for urgency.
What do you mean by "exclude" here? You want to blacklist them on input or exclude them from search results? And why would you need a single regex to match two different patterns? You put this post in the "deployment architecture" section when it has nothing to do with architecture, and tagged it with "deployment server", which again has nothing to do with it. So what is it about?
Ok. So your whole environment is not supported anymore, so if it works, it works, but if it doesn't, no one will officially help you. Having said that, any relatively modern (7.0+) forwarder should work. If you use 9.x forwarders, you'll have to disable the configtracker input because you don't have the corresponding index on 8.x indexers, and the events would generate warnings and possibly go to your last-resort index if you have one configured.
Hi All, can anyone please share a regex for the events below to exclude (text in red).

1. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{5484D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T18:27:56.545195800Z'/><EventRecordID>2371</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='18656'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x37</Data><Data Name='NewProcessId'>0x140</Data><Data Name='NewProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe</Data><Data Name='TokenElevationType'>%j1936</Data><Data Name='ProcessId'>0x3520</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

2. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{hh}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0000000</Keywords><TimeCreated SystemTime='2023-09-26T18:00:46.762007500Z'/><EventRecordID>146821602</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='24996'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>03e7</Data><Data Name='NewProcessId'>0511c</Data><Data Name='NewProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2010</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Need a single regex to exclude events 1 & 2.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T17:44:16.666598900Z'/><EventRecordID>146821089</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='2136'/><Channel>Security</Channel><Computer>secu</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SEC</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x51</Data><Data Name='NewProcessName'>C:\Windows\System32\conhost.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3ec</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_worker.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{449'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T18:24:19.611633300Z'/><EventRecordID>146822267</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='19952'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x4a18</Data><Data Name='NewProcessName'>C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\get_proxy.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0xdd0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Thanks...
Apologies for the delay in reporting back on this issue. We raised a support ticket for this and were told there was a fix applied that should have resolved the problem. We can confirm that we are again able to download the appdynamics npm dependency (23.7) from the CDN as expected.

npm install appdynamics

Thanks! Jeff
You just search for events which have your file(s) as the source field value. If they stopped being ingested at some point, your blacklisting works. Unless of course you have some additional config overwriting the source field, but then it's up to you to find those events; we don't know your setup.
Got same results as you, try https not http
Yes, it has to do with a bad log format in Squid, and no one updated the docs. I solved it via the Squid docs and process of elimination. I can't seem to get the ssl::sni to work at all, but these are all of the options without ssl::sni.

logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%ui" user="%un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st bytes_out=%<st
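A quick way to confirm that a logformat like the one above actually produces the fields you expect, before pointing an input at it, is to parse one line the way a key=value extraction would. The following is an added example, not code from the post or from Splunk or Squid: a small parser for that format in Python, handling the three value shapes the format emits (double-quoted strings such as the user agent, the [bracketed] local_time, and bare tokens), plus the leading %ts.%03tu epoch. The log line is constructed for the demo; addresses and names are placeholders.

```python
import re

# key=value pairs where the value is "quoted", [bracketed] or a bare token.
# Quoted and bracketed alternatives come first so spaces inside them are kept.
KV = re.compile(r'(\w+)=("[^"]*"|\[[^\]]*\]|\S+)')

# Constructed line in the splunk_recommended_squid format from the post.
SAMPLE = (
    '1695752876.123 logformat=splunk_recommended_squid duration=45 '
    'src_ip=10.0.0.5 src_port=51234 dest_ip=203.0.113.10 dest_port=443 '
    'user_ident="-" user="alice" local_time=[26/Sep/2023:18:27:56 +0000] '
    'http_method=CONNECT request_method_from_client=CONNECT '
    'request_method_to_server=CONNECT url="example.com:443" http_referrer="-" '
    'http_user_agent="Mozilla/5.0 (X11; Linux x86_64)" status=200 '
    'vendor_action=TCP_TUNNEL dest_status=HIER_DIRECT total_time_milliseconds=45 '
    'http_content_type="-" bytes=5120 bytes_in=1024 bytes_out=4096'
)


def parse_squid_line(line: str) -> dict:
    """Return the epoch timestamp under "_ts" and every key=value field as a string."""
    head, _, rest = line.partition(" ")
    fields = {"_ts": float(head)}          # %ts.%03tu: seconds.milliseconds
    for key, value in KV.findall(rest):
        if value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        elif value[0] == "[" and value[-1] == "]":
            value = value[1:-1]
        fields[key] = value
    return fields


def missing_fields(fields: dict, expected: tuple[str, ...]) -> list[str]:
    """Names from the logformat that did not come out of the line; empty means the format is intact."""
    return [name for name in expected if name not in fields]


EXPECTED = (
    "logformat", "duration", "src_ip", "src_port", "dest_ip", "dest_port",
    "user_ident", "user", "local_time", "http_method", "request_method_from_client",
    "request_method_to_server", "url", "http_referrer", "http_user_agent", "status",
    "vendor_action", "dest_status", "total_time_milliseconds", "http_content_type",
    "bytes", "bytes_in", "bytes_out",
)

if __name__ == "__main__":
    parsed = parse_squid_line(SAMPLE)
    print(parsed)
    print("missing:", missing_fields(parsed, EXPECTED))
```

The missing_fields check is the part worth keeping around: when Squid rejects or silently drops a directive, the line still looks healthy at a glance, and a field list diff is what catches it.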
Can you please share the SPL command?
If you no longer see data from the blocked data source then the denylist is working.
Hi Everyone, I've recently applied a blacklist file path regex to one of the apps' inputs.conf in the serverclass on the host in DS. How can I determine whether it's working or not?
Not sure if you are still looking into this, but I ran into a similar issue and aggregate several searches into Assets. Either the CMDB is missing items or some other agent has additional information for an asset.

Very basic instructions:
1. Create a search that returns the info you want.
2. Follow https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Formatassetoridentitylist for the table in the search. You may have to rename some fields to match.
3. Save As - Report.
4. Schedule it.
5. Title and description.
6. Settings - Lookups - Lookup definitions.
7. Create new definition.
8. Dest App = SA-IdentityManagement.
9. Name it.
10. File-based.
11. Lookup file = name of the outputlookup CSV you had in the search. If it's not in the list, manually re-run the saved search.
12. Open the Enterprise Security app.
13. Configure - Data Enrichment - Asset & Identity.
14. New Configuration.
15. Choose source; this will be the lookup name.
16. Save.

You are correct in letting Asset and Identity Management manage the merge. You can set the rank of all of the sources on that page as well.
How and where did you create the index? It must be on the indexers and (optionally) on the search heads. If the index was added by editing indexes.conf, then the Splunk instances must be restarted. Ensure the inputs.conf files use the *exact* same index name that was created. Also, be sure to use the right index name when searching for data. Check splunkd.log to see if the indexers are reporting errors writing to the new index.
Check out this post for a little more info:  Solved: What's ops.json in etc/system/replication? - Splunk Community