Please share some raw anonymised events so we can see what you are dealing with so we can try and help you further. Please use the code block </> above to preserve the format of the events so that we can suggest the correct field extractions for you.
I am trying to write an SPL query to detect an event of a single source IP address or a user failing multiple times to log in to multiple accounts. Can anyone help me write it?
@corti77 Just curious, have you set up the API calls to Netapp using the Splunk_TA_ontap and SA-Hydra app? We are setting it up currently and have been running into an issue we can't resolve and can not find much help online.
Is there any way to toggle the data points on and off via a radio button added to a dashboard? When doing line charts with long lengths of data, the numbers get tightly put together overlapping.
I am trying to write an SPL query to detect an event of a single source IP address or a user failing multiple times to log in to multiple accounts. Can anyone help me write it?
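As an added example (not from the original thread), one way to build the detection asked about above. It assumes the failed-login events are CIM-normalised Authentication data carrying the fields action, src, user and dest, that they live in an index called auth, and that ten failures against five or more distinct accounts within fifteen minutes is the threshold worth alerting on; the index name, time window and thresholds are assumptions to tune for your environment.

```spl
index=auth action=failure
``` bucket failures into fixed 15-minute windows so one noisy window is enough to fire ```
| bin _time span=15m
``` per source address: how many failures, how many different accounts and hosts were targeted ```
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users, dc(dest) AS distinct_dests BY src, _time
``` keep only sources that hit many accounts, not a single user mistyping a password ```
| where failures >= 10 AND distinct_users >= 5
| sort - failures
```

The triple-backtick spans inside the search are SPL inline comments (supported in Splunk 8.0 and later); remove them on older versions. To key the same logic on the account rather than the address, change the grouping to `BY user, _time` and test on `dc(src)` or `dc(dest)` instead of `dc(user)`, which catches one account being tried from many sources or against many hosts. Where the data is not CIM-normalised, substitute the raw field names (for example `src_ip` and `user_name`) and a sourcetype-specific match for the failure message in place of `action=failure`.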
Our Nessus vulnerability scanner is flagging that the server_pkcs1.pem certificate is expired. I have verified that it is expired but unable to renew it. Stopping service, renaming file and restarting service does not recreate it. How do you renew this certificate?
Assuming your data is in the _raw field:

| eval parts=split(_raw, " ")
| mvexpand parts
| eval name=mvindex(split(parts,":"),0)
| eval value=mvjoin(mvindex(split(parts,":"),1,2),":")
| eval {name}=value
https://docs.splunk.com/Documentation/CIM/6.0.0/User/Install There is still one outstanding index defined in the app as of the most recent install version. You will need the index defined on the indexers; you can do this with the full app or a custom app pushed to the indexers.
fieldA:1:10 fieldB:1:3 fieldC:1:2 fieldA:1:10 fieldC:1:2 fieldA:1:10 fieldC:1:2 fieldC:1:1 I want to end up with a field called fieldA, fieldB, and fieldC where the field name is the actual text found in the string, as I can't predict which event will contain which combination.
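As an added example (not from the original thread), a variant of the split-and-mvexpand approach posted above that handles two things the sample string raises: the same token can repeat within one event (fieldA:1:10 appears three times), and after mvexpand each token becomes its own row, so the dynamically named fields need to be folded back into a single row per original event. It assumes the tokens are space-separated, that each field name is followed by a colon and that the value is everything after the first colon; event_id is a helper field introduced here, not a field in the data.

```spl
``` number the original events so the rows can be regrouped after mvexpand ```
| streamstats count AS event_id
| eval parts=split(_raw, " ")
| mvexpand parts
``` split each token at its first colon: name=fieldA, value=1:10 ```
| rex field=parts "^(?<name>[^:]+):(?<value>.+)$"
``` drop empty or malformed tokens before they become field names ```
| where isnotnull(name)
| eval {name}=value
| fields - parts, name, value
``` collapse the per-token rows back to one row per event; values() dedupes repeats ```
| stats values(*) AS * BY event_id
```

The triple-backtick spans are SPL inline comments (Splunk 8.0 and later); strip them on older versions. Because `values()` returns a deduplicated multivalue field, a key that appears three times with the same value comes back as one value, while a key that appears with different values (fieldC:1:2 and fieldC:1:1 in the sample) comes back as a multivalue field listing both, which is usually what you want when you cannot predict the combinations in advance.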
Hi @corti77 , you have to configure your NetApp to send syslogs using a protocol (TCP or UDP) on a port. At the same time, on rsyslog (or syslog-ng) you have to configure receiving following the instructions at https://www.rsyslog.com/doc/index.html and writing logs in a file with a path (usually containing hostname) and a filename. Then in the Forwarder, you have to add the add-on for NetApp ( https://splunkbase.splunk.com/app/3418 ) to the Forwarder, adding an inputs.conf in the local folder. In this inputs.conf, use the batch command that reads and deletes logs instead of monitor; for the instructions about how to take logs, see https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/Usingforwardingagents Ciao. Giuseppe
I like this idea but I've always inserted an extra step. Run a query on the data in Splunk for the Source but then used the SourceType value to search the inputs. Helps to avoid any issues with wildcards or regex in the log path and filename. To each their own and whatever works is always the best solution.
Thanks for your reply @gcusello , my question was more on how to build the solution. I found some information about configuring NetApp https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/ So maybe it is a matter of configuring it like that and sending those logs via syslog to Splunk?