Actually you can take away the ability for any user to run ldap search by taking about the capability "list_settings" from their role. Though maybe that might have other consequences that won't work for you... ... View more

@afret2007 see ontkanin's answer which I believe to be the true workaround without admin_all_objects ... View more

There was a 5.1.2 released, and the release notes say fixes "2017-08-22 ADDON-13413 Tenable input stops pulling vulnerability data" but even after installing that, I am still having issues with the latest version... I'm thinking I'm gonna have to open a support ticket but maybe 5.1.2 will work for you. ... View more

Sorry, I guess I don't understand the issue. One thing to think of if you think it is a permissions issue is that lookup table files can have permissions set to private as well. Probably worth a look > Settings > Lookups > Lookup table files ... View more

My guess is that you need to rename User to user (fieldnames are case sensitive) and probably should use format so: index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | fields User|rename User AS user|format] ... View more

Seems puzzling, I do see that Security_ID gets used as a source key several times in transforms.conf in the TA, I wonder if that causes any overhead. Maybe try specifying EventCode=4624 so that it isn't searching through all fields looking for 4624. ... View more

Now that this is at Version 1.2, will it now work on a universal forwarder? I have tried unsuccessfully to install it on a UF, but just wanted to make sure that it should or should not work. ... View more

Actually I'm not sure that the stats count will be the right count, you may instead before the where statement do an eval: |eval count = mvcount(EndPointMatchedProfile) ... View more

updated it to add the breached SLA value ... View more

In the new Add-on for JIRA 2.2.1, these values also come through when using the normal |jira jqlsearch "<your_jql_query>" command. However out of the box the output is very ugly and difficult to deal with, please see https://answers.splunk.com/answers/560281/add-on-for-jira-221-and-220-not-parsing-jira-field.html?childToView=561751#answer-561751 for how I modified one of the commands to get better output. In it I chose to have the SLA values come back as 4 subfields of each SLA (elapsedTime, remainingTime, goalDuration, and breached) since there are really more than one thing you would want to know about the SLA than just elapsed time (the value is in milliseconds). ... View more

I suppose this will be one of the times I get to answer my own question at least until someone either updates the app or incorporates the following changes into it (I would have just done a pull request but there is no current repo on GitHub and again not sure who is supporting this). Either way I can now move on with my obsessive compulsive life. Note: I chose to deal with SLA fields by creating 4 subfields instead (relates to https://answers.splunk.com/answers/302052/how-to-get-sla-values-of-jira-in-splunk-events-aft.html) and if you want to see the previous way it was outputting, just add debug=True to the parse_value function call parse_value(v, field, row, debug=True) on the new line 261. I made the following changes to the Add-on for JIRA 2.2.1, specifically in $SPLUNK_HOME/etc/apps/jira/bin/jira_rest.py (I don't know if there are issues with any of the other commands it offers I was only concerned with the | jira jqlsearch "<query>" command. Maybe there is a way to get JIRA's API to respond more consistently but I haven't found a way, so I essentially had to make rules for all the various ways the fields come back and grab what was deemed important and remove what was not. Add library import import ast Original lines 256-259: elif isinstance(v, basestring) == True: row[field] = v else: row[field] = json.dumps(v) Change to (will now start on line 257): elif isinstance(v, basestring) == True: if '{}' not in v: row[field] = v elif isinstance(v, (int, long, float, complex)) == True: row[field] = v else: parse_value(v, field, row) Add the following 2 functions into the code: def parse_value(v, field, row, debug=False): outputSelector = [ {'value':'completedCycles'}, {'value':'outwardIssue', 'output': lambda vDict: vDict['outwardIssue']['key']}, {'value':'key', 'output': lambda vDict: vDict['key']}, {'value':'name', 'output': lambda vDict: vDict['name']}, {'value':'value', 'output': lambda vDict: vDict['value']}, {'value':'watchCount', 'output': lambda vDict: vDict['watchCount']}, {'value':'progress', 'output': lambda vDict: vDict['progress']}, {'value':'requestType', 'output': lambda vDict: vDict['requestType']['name']} ] if debug == True: row[field] = json.dumps(v) elif v != None: if isinstance(v, dict) == True: vDict = ast.literal_eval(str(v)) if vDict: if outputSelector: for i in outputSelector: if i['value'] in vDict: if i['value'] == 'completedCycles': #for SLA incomplete fields if 'ongoingCycle' in vDict: slaFieldCreate(vDict['ongoingCycle'], row, field) break #for SLA complete fields else: if isinstance(vDict['completedCycles'], collections.Iterable) == True: fList = ast.literal_eval(str(vDict['completedCycles'])) if fList: for i in fList: if isinstance(i, dict) == True: if i: slaFieldCreate(i, row, field) break break else: row[field] = i['output'](vDict) break elif field.lower() in vDict: row[field] = vDict[field.lower()] else: row[field] = vDict elif isinstance(v, collections.Iterable) == True: vList = ast.literal_eval(str(v)) if vList: outputlist = [] for i in vList: if isinstance(i, dict) == True: iDict = ast.literal_eval(str(i)) if iDict: for item in outputSelector: if item['value'] in iDict: outputlist.append(item['output'](iDict)) break #for Sprint names elif 'name=' in i: match = re.search('name=([^,]+)', i) outputlist.append(match.group(1)) else: outputlist.append(i) row[field] = outputlist def slaFieldCreate(value, row, field): slaValues = ['elapsedTime','remainingTime','goalDuration','breached'] for slaType in slaValues: if slaType in value: if slaType == 'breached': row[field + " " + slaType] = value[slaType] else: row[field + " " + slaType] = value[slaType]['millis'] ... View more

Thanks, I did get it working again in 6.6 still using this workaround but I had to give the users a capability that they previously did not have--"list_settings". Before I gave them that they were getting the error "External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden – insufficient permission to access this resource" ". Glad it is working though. ... View more

I was using this workaround but just upgraded from 6.5.3 to 6.6.1 and seems to no longer work. @ontkanin know if this workaround still works in 6.6? ... View more

Oops, sorry I should not of had that SSL stanza, those options should be directly under the splunktcp-ssl:9998 stanza, I will edit ... View more

Just use the deployment server to send out a new app to a select group of forwarders that will cause them to connect using a new cert. Though you may want to open up a new listening port on the forwarder or indexer (whichever you are using) so you know that it is working and won't run into conflicts, like 9998. In the app provide an /etc/auth folder with your new certificate and CA, then provide an outputs.conf file in the app something similar to this: [tcpout] defaultGroup = splunkssl [tcpout:splunkssl] server = your_receiving_server:9998 compressed = true sslCertPath = $SPLUNK_HOME/etc/apps/your_app_name/etc/auth/your_cert_name.pem sslRootCAPath = $SPLUNK_HOME/etc/apps/your_app_name/etc/auth/your_CA_cert.pem sslPassword = <your_cert_password> sslVerifyServerCert = true I use this for all new UFs coming in, I simply make sure the admins give the UF a deployment.conf file pointed at the deployment server and then have the deployment server hand this app out to all UFs, once it is setup it makes it very easy to change the cert using the deployment server. As I mentioned your receiving forwarder or indexer will need an new listening port, in inputs.conf : [splunktcp-ssl:9998] compressed = true connection_host = ip rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem sslPassword = your_cert_password requireClientCert = false ... View more

Oh right, looks we are running an older version of the app (at the time of original posting was the latest). Version 5.0.0 ... View more

Here are the lines on our heavy forwarder in the TA app on the file: $SPLUNK_HOME/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py 135 136 if response.get('set-cookie') is not None: 137 self._cookie = response.get('set-cookie') 138 self._cookie = self._cookie[74:] 139 return result['response'] 140 ... View more

@jbailey's provided fix worked for 5.4 ... View more

I was having the same issue and I opened a support ticket with Splunk. iframe does work in 6.5.x but in the example (which has an extra ">") it is using http://www.splunk.com in which Splunk's support informed me prevents anyone from embedding their website inside an iframe (google does the same as well). There is a useful site to help see if a site allows being embedded in an iframe (which is related to "X-Frame-Options" header but apparently not the only way to stop it): http://www.tinywebgallery.com/blog/advanced-iframe/free-iframe-checker Try this code instead: <dashboard> <row> <panel> <title>Test iframe</title> <html> <iframe src="https://www.cloudera.com" width="100%" height="300" style="border:none;"></iframe> </html> </panel> </row> </dashboard> ... View more

When I said "I know you could send a slack per result" I was referring to "For each result". But as I mentioned that would really look ugly in Slack and not communicate as well what a table can say. ... View more

I opened a support ticket with Splunk. The issue of the "This request contains an invalid token" in my case is because we are using Security Center 5.4. Splunk informed me that in 5.4, Tenable changed their set-cookie format (which was that it returns 2 cookies, one of which is valid). Splunk knows of the issue and is planning on adding support for 5.4 in a future version, but could not provide a timeline. ... View more