Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About awurster
awurster
Contributor
Member since:
06-27-2011
06-05-2020
Community Statistics
| Posts | 96 |
| Solutions | 6 |
| Karma Given | 131 |
| Karma Received | 46 |
| Member Since | 06-27-2011 |
Activity Feed
- Got Karma for Re: How to efficiently calculate max events per second (eps) by hour over long timeranges, like 30 days?. 03-15-2022 05:03 AM
- Got Karma for Re: what do you put in your .gitignore file for a system backup?. 02-19-2021 02:13 AM
- Got Karma for Where did the download links for wget go on splunk.com?!. 10-23-2020 06:22 AM
- Got Karma for Re: Is there a way to determine how much disk space my sourcetype is taking up?. 10-09-2020 01:21 AM
- Karma Re: How to add to or subtract one hour to time tokens to be passed in a drilldown? for jeffland. 06-05-2020 12:48 AM
- Karma Splunk Add-on for Amazon Web Services 3.0: Why doesn't blacklist seem to be working for an S3 input? for muebel. 06-05-2020 12:48 AM
- Karma Installing Splunk 6.4.1 on OS X 10.11.5, why is the progress bar stuck on the "Verifying" window? for chasknell. 06-05-2020 12:48 AM
- Karma Re: looking for source repo for IMAP Mailbox for ragingwire. 06-05-2020 12:48 AM
- Karma How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance? for daniel_augustyn. 06-05-2020 12:48 AM
- Karma Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance? for ChrisBell04. 06-05-2020 12:48 AM
- Karma Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance? for ChrisBell04. 06-05-2020 12:48 AM
- Karma Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance? for ChrisBell04. 06-05-2020 12:48 AM
- Karma Re: So many lookups, so many errors : The lookup table `XXX` does not exist. for yannK. 06-05-2020 12:47 AM
- Karma Installing Enterprise Security on a Search Head Cluster / Index Cluster for harrymclaren. 06-05-2020 12:47 AM
- Karma Splunk search and indexer nodes health check url for dhavamanis. 06-05-2020 12:47 AM
- Karma Re: Why is heavy forwarder repeatedly getting "WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 600 seconds." for inters. 06-05-2020 12:47 AM
- Karma Re: Why is heavy forwarder repeatedly getting "WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 600 seconds." for masonmorales. 06-05-2020 12:47 AM
- Karma Is there a way to turn off internal splunk log rotation or archive off the internal logs for marvatwork. 06-05-2020 12:47 AM
- Karma Re: Is there a way to turn off internal splunk log rotation or archive off the internal logs for rsennett_splunk. 06-05-2020 12:47 AM
- Karma Why can't I delete kvstore collections using the REST API via Python? for pembleton. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 5 | |||
| 2 | |||
| 1 |
04-26-2015
06:10 PM
i guess this is the code we need to override from getKeywordsAndOptions() in ./lib/python2.7/site-packages/splunk/Intersplunk.py
else:
# handle case where arg is surrounded by quotes
# remove outter quotes and accept attr=<anything>
if arg.startswith('"') and arg.endswith('"'):
arg = arg[1:-1]
matches = re.findall('(?:^|\s+)([a-zA-Z0-9_-]+)\\s*(::|==|=)\\s*(.*)', arg)
else:
matches = re.findall('(?:^|\s+)([a-zA-Z0-9_-]+)\\s*(::|==|=)\\s*((?:[^"\\s]+)|(?:"[^"]*"))', arg)
... View more
04-26-2015
05:01 PM
cheers @dwaddle. yea maybe i'll have to pull that code out into my script and override the method. seems kind of... counterintuitive...
... View more
04-25-2015
10:28 PM
2 Karma
just checking if this is true.. given a custom command i write with a single argument:
... | mycommand arg1="this is value 1" arg2="foo"
i do not see the arg's value above returned correctly by intersplunk:
>>> args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
>>> print str(kwargs)
>>> {'arg2': 'foo', 'arg1': 'this'}
is this expected? any way to get around this with a custom search command? i'll be posting search data to a separate service, and need to set some values which of course have spaces in them and require quotes.
... View more
04-25-2015
09:52 PM
1 Karma
Previously, I was using CSV reader and alert scripts to process a saved search and export to a 3rd party tool (JIRA). The splunk "title" or "name" gets turned into an "issue summary".
My previous code looked like:
search_summary = sys.argv[4]
search_url = sys.argv[6]
Now, I'm trying to modify this into a search command using Intersplunk:
search_results, dummy_results, search_settings = splunk.Intersplunk.getOrganizedResults()
How can i retrieve the search's "name" and/or a URL pointing back to it?
... View more
04-16-2015
04:53 PM
absolutely brilliant. this sort of topic has been answered so many different times.. but this response is just so elegant, accurate and fresh.
... View more
04-14-2015
07:57 PM
hey @Damien Dallimore - similar question.. but this time for a django-based app. anyway we can easily save credentials in encrypted if using django?
the following example discussed masking the passwords to the end-user for display, but does not encrypt in-file.
http://dev.splunk.com/view/webframework-djangobindings/SP-CAAAETW
... View more
04-12-2015
06:32 PM
you're not really "slacking" per se - versus other splunk users - but since the mappings change fairly regularly in some parts of the world.. you'd potentially be using months-old, if not years-old data.
... View more
04-12-2015
06:30 PM
@hortonew - legend.
... View more
03-26-2015
04:12 PM
thanks hal. is it possible to combine this approach with modular inputs however?
i am using inputs.conf.spec and modinput.xml to control setup and config values, rather than the setup.xml you mentioned.
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsSpec
i have the following in my modinput.xml:
<element name="password" type="password" label="Password">
<view name="edit"/>
<view name="create"/>
<key name="exampleText">Password of the account to authenticate with (i.e. 'Abc123!'). This gets obfuscated using the built-in Splunk auth facilities. No Defaults.</key>
</element>
can i make it work with the modular inputs config approach??
... View more
03-25-2015
11:41 PM
Damien -
two follow up questions to this...
how do you encrypt the credentials in the first place (using python)?
i've got password (among other vars) stored in a local/input.conf in the clear which i'd like to encrypt using splunk's server key. i have my .xml setup page, custom input.conf.spec written, and modular input script all working - just need to encrypt the password now.
how do i force the "inputs.conf" to be written into my local app once created in modular inputs instead of going to the default search/local directory?
... View more
03-19-2015
10:09 PM
yea i dont know why i had https in there.. i may have just done "copy link URL" instead of the wget command.
i don't like how you have to "download" the actual package just to see the wget URL.. so i tried to avoid clicking it i guess.
... View more
03-10-2015
05:35 PM
PS - why can't splunk just host repos for debian and redhat package types? would make life much easier for sure.
... View more
03-10-2015
05:34 PM
hi all -
it seems sometime in the last few weeks, splunk has moved to cloudfront to host their downloads.
unfortunately, the download link i get from the downloads page i'm using is getting redirected (i think) and generating SSL warnings because the cert (for *.cloudfront.net) does not match the destination (splunk.com). this raises a concern when we build our deployment scripts for new forwarders, as i've had to remove certificate checking to get my scripts to work.
any insight? maybe i'm just using the wrong wget / curl URL, and the HTTP redirect comes from an unexpected source?
# wget -O splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.2&product=universalforwarder&filename=splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm&wget=true'
--2015-03-11 06:03:25-- https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.2&product=universalforwarder&filename=splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm&wget=true
Resolving www.splunk.com. 54.192.159.154, 54.230.159.145, 54.230.158.182, ...
Connecting to www.splunk.com|54.192.159.154|:443. connected.
ERROR: no certificate subject alternative name matches
requested host name “www.splunk.com”.
To connect to www.splunk.com insecurely, use ‘--no-check-certificate’.
curl -O "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.2&product=universalforwarder&filename=splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm&wget=true"
curl: (51) SSL: certificate subject name '*.cloudfront.net' does not match target host name 'www.splunk.com'
... View more
02-15-2015
03:34 PM
we use many lookup tables here to check things like blacklists and other IP address lists. i'd like to create a dashboard that shows all the different lookup table files we have configured (within a given app), and then provide both a last modified date and number of entries/records for each.
this is to allow the users or investigation team to verify that they've got the most accurate data.
for example, i'd like to say "foo-list.csv" was modified on 16th Feb, and has 31,000 entries.
... View more
02-12-2015
10:15 PM
1 Karma
well this is what i use anyhow.
https://bitbucket.org/snippets/atlassian/TBXp
### exclude ###
#############
# default binaries
bin/*
# default configs #
etc/system/*
etc/apps/search/*
# key files and hashes #
etc/auth/
etc/passwd
# default apps #
etc/apps/search/*
etc/apps/sample_app/
etc/apps/launcher/
etc/apps/gettingstarted/
etc/apps/introspection_generator_addon/
etc/apps/framework
etc/apps/SplunkLightForwarder/
etc/apps/splunk-sdk-python-master/
# large lookup files #
etc/apps/sos/lookups/
etc/apps/secint/lookups/
# internals
etc/modules/
etc/anonymizer/
etc/myinstall/
etc/init.d/
etc/openldap/
etc/.?*
include/
lib/
openssl/
share/
var/
master.zip
/.?*
/*.txt
### include ###
#############
# custom scripts #
!bin/scripts/
# global configs #
!etc/system/local/
!etc/apps/search/local/
!etc/splunk-launch.conf
... View more
02-12-2015
08:43 PM
Splunkers - what do you all put in your gitignore files when doing a backup? primarily concerned with a Search Head in a distributed deployment, and backing up configs, apps, etc
... View more
02-10-2015
09:55 PM
8 Karma
I recently discovered (maybe even by reading this question) that Splunk does not automatically update their GeoIP data. It lead me down an interesting search into IP location databases and how accurate they are and how much they cost, etc... I also discovered that MaxMind recently released a new "2.0" version of their free Location DB called GeoLite2.
Here's how I solve this problem in our deployment using cron and shell scripts. Note that the cron has a weird trick to catch the GeoLite DB updates on the first Tuesday of every month.
In Splunk user's crontab:
~$ crontab -l
# MaxMind DB Update for Splunk #
################################
SPLUNK_HOME=/opt/splunk
OUTFILE=/tmp/cron.stdout.log
0 0 23 * * 3 [ $(date +\%d) -le 07 ] && $SPLUNK_HOME/bin/scripts/get_maxmind_db.sh >> $OUTFILE 2>&1
The shell script:
~$ cat $SPLUNK_HOME/bin/scripts/get_maxmind_db.sh
#!/bin/bash
# Author: Andrew Wurster
# Date: 13 Jan 2015
cd /opt/splunk/share
wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }
gunzip -f GeoLite2-City-Latest.mmdb.gz
chmod 644 GeoLite2-City-Latest.mmdb
In limits.conf
~$ cat etc/system/local/limits.conf
[iplocation]
db_path = /opt/splunk/share/GeoLite2-City-Latest.mmdb
#db_path = /opt/splunk/share/GeoIP2-City.mmdb
This is valid for MaxMinds new 2.0 format, and so far has not shown me any changes in lookup performance, etc.
FWITW I believe Splunk should make it more obvious where / how they are distributing this file (and the update frequency). A way to update it from the GUI or somewhere else convenient would be nice.
... View more
02-08-2015
05:39 PM
this is way better, as anything that requires the 3rd party app like SOS is not a clean one IMHO. i think more and more of these weird little tasks must be phased out and worked into core splunk (via REST API for instance or DMC moving forward.
... View more
01-22-2015
03:52 PM
what's the significance of the add forward-server statement?
splunk add forward-server <host>:<port> -auth <username>:<password>
i'm documenting the forwarder install for some admins to read, and we previously had this step in there for a standalone deployment. i think we'll remove it though with our new distributed deployment.
according to the Answers and Docs it's optional, and i believe i'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed. it's just difficult for me to follow some of the docs because terminologies are used interchangeably and it sometimes becomes unclear.
... View more
01-20-2015
04:24 PM
8 Karma
i used to be given nice auto-generated links to wget the splunk binaries. for example:
wget -O splunk-6.2.1-245427-linux-2.6-amd64.deb 'http://www.splunk.com/page/download_track?file=6.2.1/splunk/linux/splunk-6.2.1-245427-linux-2.6-amd64.deb&ac=test_modal_enterprise&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.2.1&product=splunk&typed=release'
now i can't... where'd they go?!
... View more
Labels
- Labels:
-
other
01-07-2015
06:29 PM
thanks lisa. i'm a bit surprised to hear that it's not something we can do well within splunk, but i see your points. thanks for the honesty about readiness of KV stores - much appreciated.
i know it's possible to create separate data stores like bmacias84 mentioned (and we are doing it for other things already) - but the overhead required to spin up and manage new databases and separate data stores seems to outweigh the overhead of owning and running splunk. (especially since we've already invested considerable resources cleaning data and tuning the splunk apps / searches to handle said data.)
as for summary indexing.. i've investigated this a fair bit, but not the newer si- commands, so i think i'll investigate those and have a re-read of the docs. but i just liked the concept of having separate stores for separate data and faster processing times. maybe i can use those commands in this case, maybe not. maybe it will become a giant lookup table chain, or maybe not.
... View more
01-07-2015
03:39 PM
i'm assuming the answer is in new 6.2 KV stores, but i'm keen to hear what others are doing.
right now for next month or so we're stuck on 6.1.. so maybe i'll end up going via lookup files and then switching back to KV stores at a later date.
... View more
01-07-2015
02:32 PM
1 Karma
hi all - we are starting to build our Splunk as our SIEM, and beginning to link and chain info together. we are setting up a few new indexes to store what i think should be collected or post processed data.
for instance - if i have a firewall event that has a new unseen public IP, i want to store some data from that event, as well as some new fields from lookups, iplocation command.
now if i use collect - it doesn't seem to do exactly what i want. i see collect saves the data, but it is in the original form - less any renames, evals, etc; ignoring the fields statement which outputs only select fields; and less any other implied things like CIM field aliases.
so my questions are?
1 - is using collect and a separate index the best to store this stuff? (we'd like to have one table of new / suspect IPs, 1 table of internal assets, etc) or is it best done into lookup tables / CSVs?
2 - should i expect the output of my commands piped into collect statement to match up mostly (excluded meta fields i understand) with the same output without the collect command?
... View more
01-05-2015
01:56 PM
2 Karma
i've added the following line to my props.conf to clean that event data from ACS logs. same trick i used from an old version of the ISE app. i'm fairly certain it's a bug / enhancement on the cisco side for both products.
[cisco:acs]
SEDCMD-clean_logs = s/\\\,/,/g
... View more
01-04-2015
07:51 PM
2 Karma
not so much a question... more of an answer.
i had a lot of log messages with slashes before the field separating commas. something like:
2015-01-05T14:47:25+00:00 acs02 CSCOacs_Passed_Authentications 0014607956 6 5 ExternalGroups=cn=my-group\,ou=Groups\,dc=my-org\,dc=com, ...
ACS version is acs-5.5.0.46-B.723. splunk 6.1.3 and TA for ACS is the latest.
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
Karma given to
