Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About TonyLeeVT
TonyLeeVT
Builder
Member since:
05-20-2014
01-18-2023
Community Statistics
| Posts | 149 |
| Solutions | 12 |
| Karma Given | 99 |
| Karma Received | 62 |
| Member Since | 05-20-2014 |
Activity Feed
- Got Karma for Re: How to configure my splunk app to get data over SSL ?. 10-25-2023 12:20 AM
- Posted Re: how to restrict access to specific rows? on Security. 01-18-2023 02:59 AM
- Karma Re: how to restrict access to specific rows? for joerglang. 01-18-2023 02:57 AM
- Karma How to restrict access to specific rows? for joerglang. 01-18-2023 02:56 AM
- Got Karma for Does Splunk have an echo command. 05-16-2022 06:39 AM
- Got Karma for Re: How to match an IP address from a lookup table of cidr ranges?. 02-11-2022 02:38 PM
- Got Karma for Is there any way to apply the dark theme dashboards per user?. 02-19-2021 12:16 PM
- Got Karma for Re: How to match an IP address from a lookup table of cidr ranges?. 02-12-2021 10:34 AM
- Got Karma for Re: How to get tcp-ssl input for Splunk 6.0 to work. 02-01-2021 03:19 AM
- Got Karma for Re: How to match an IP address from a lookup table of cidr ranges?. 01-22-2021 12:47 PM
- Got Karma for Re: How to match an IP address from a lookup table of cidr ranges?. 10-30-2020 02:23 AM
- Got Karma for Re: Is there an easy way to update a record in KV Store from the results of a Splunk search instead of bulk reloading a lookup table?. 10-05-2020 03:31 AM
- Got Karma for Re: width adjustable table. 09-25-2020 01:27 PM
- Got Karma for Re: How to match an IP address from a lookup table of cidr ranges?. 07-14-2020 02:59 PM
- Got Karma for Is there any way to apply the dark theme dashboards per user?. 06-05-2020 12:50 AM
- Got Karma for Is there any way to apply the dark theme dashboards per user?. 06-05-2020 12:50 AM
- Karma Where is my App Navigation Bar Color in Splunk 7.1? for adonio. 06-05-2020 12:49 AM
- Karma Re: Background color in navbar is gone in 7.1 and 7.2 for AzJimbo. 06-05-2020 12:49 AM
- Karma Re: Background color in navbar is gone in 7.1 and 7.2 for simpkins1958. 06-05-2020 12:49 AM
- Karma Re: Background color in navbar is gone in 7.1 and 7.2 for fk319. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 0 | |||
| 0 |
06-06-2016
03:04 PM
1 Karma
Figured out not just an answer, but a solution since the one provided does not scale to large enterprises. The solution is not to make Splunk adapt, but instead change the way data is sent to it. The Blue Coat app and TA require sending data in the bcreportermain_v1 format--which is an ELFF format. Then the app and TA try to parse this space separated data using the complex regex seen above. Instead of doing that, you can instruct Blue Coat to send the data in a different format such as key value pair--which Splunk likes and natively parses.
Have the Blue Coat admins define a custom log format with the following fields:
Bluecoat|date=$(date)|time=$(time)|duration=$(time-taken)|src_ip=$(c-ip)|user=$(cs-username)|cs_auth_group=$(cs-auth-group)| x_exception_id=$(x-exception-id)|filter_result=$(sc-filter-result)|category=$(cs-categories)|http_referrer=$(cs(Referer))|status=$(sc-status)|action=$(s-action)|http_method=$(cs-method)|http_content_type=$(rs(Content-Type))|cs_uri_scheme=$(cs-uri-scheme)|dest=$(cs-host)| uri_port=$(cs-uri-port)|uri_path=$(cs-uri-path)|uri_query=$(cs-uri-query)|uri_extension=$(cs-uri-extension)|http_user_agent=$(cs(User-Agent))|dest_ip=$(s-ip)|bytes_in=$(sc-bytes)|bytes_out=$(cs-bytes)|x_virus_id=$(x-virus-id)|x_bluecoat_application_name=$(x-bluecoat-application-name)|x_bluecoat_application_operation=$(x-bluecoat-application-operation)|target_ip=$(cs-ip)|proxy_name=$(x-bluecoat-appliance-name)|proxy_ip=$(x-bluecoat-proxy-primary-address)|$(x-bluecoat-special-crlf)
Since this data comes into Splunk as key=value pair now, Splunk parses it natively.
Remove the TAs from the indexer and replace it with a simpler props.conf file of this:
[bluecoat:proxysg:customclient]
SHOULD_LINEMERGE = false
This just turns off line merging which is on by default and makes the parsing even faster. Also remember to rename the props.conf and transforms.conf (ex: .bak files) included in the app if you have it installed on your search head--that contains the same complicated regex which will slow down data ingestion. By the way, by defining your own format, you can add other fields you care about--such as the target IP (cs-ip) which is not included in the default bcreportermain_v1 format for some reason. Hope this helps others than run into this situation.
... View more
05-27-2016
08:00 AM
First, ensure you have the following setup:
1) FireEye app only on the search head (https://splunkbase.splunk.com/app/1845/)
2) TA installed on the HF and indexers (not on the search head) (https://splunkbase.splunk.com/app/1904/)
Second, make sure the sourcetype is either syslog or fe_cef_syslog.
If the sourcetype is syslog, the props/transforms will change it to fe_cef_syslog.
Third, make sure rsyslog is not adding any additional headers to the content.
Transforms it looking for the following format for CEF syslog:
REGEX=.fenotify.:\sCEF:\d|FireEye|
If none of that solves the issue, send me a sample of your data via the Help -> Send Feedback menu in the app. Thanks.
... View more
05-17-2016
04:50 AM
Is there a reason you are running Splunk version 5.0.6? If you cannot upgrade to Splunk 6.x, then we recommend that you use the older FireEye Splunk app that works with version 5.x. I have posted links to both FireEye Splunk apps below.
App for Splunk version 5.x:
https://splunkbase.splunk.com/app/409/
App for Splunk version 6.x:
https://splunkbase.splunk.com/app/1845/
Hope that helps. If not, feel free to email me directly through the Splunkbase app download page.
... View more
05-10-2016
01:11 PM
1 Karma
This was a pretty slick solution: https://answers.splunk.com/answers/84053/how-to-set-max-column-length.html. But it seemed to slow down presenting the results.
Snippet:
"Easiest was to make it a multivalued field.
... | rex field=longfield max_match=0 "(?<longfield>.{0,50})"
that'll split longfield into lines of no more that 50 characters."
... View more
05-10-2016
01:09 PM
This is an awesome solution, but it seems to take a long time to "Finalize" the search results for a large number of returned values.
Can we think of anything that is faster? Otherwise, it would be ideal if Splunk could just provide column width control without going to .css.
... View more
05-03-2016
05:59 PM
2 Karma
Would really appreciate an example one-liner. Thanks!
... View more
04-27-2016
03:45 AM
I am having the same issue. Permissions are global read which is fine. The workflow is not private. It will work just fine using Splunk search and reporting, however when I place a raw event table in the dashboard and attempt to activate the work flow via the Event Actions button, the workflow option is not there.
... View more
04-12-2016
02:43 PM
I am having the same issue with the token based refresh not working.
... View more
03-15-2016
10:39 AM
2 Karma
The src_ip field in the Cisco ESA TA is not parsing correctly. I usually only get the last two digits of an IP address.
Original parser in stanza:
[src_dest_fields_for_cisco_esa]
REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.*[\s\(]*(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3
I think the issue is that a greedy match is used where a non-greedy match should be used:
.* = greedy
.*? = non-greedy
See the revision below with the non-greedy match: "interface\s+.*?[\s(]"
[src_dest_fields_for_cisco_esa]
REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.*?[\s\(]*(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3
Check out the regex101 link below to verify the non-greedy match:
https://regex101.com/r/tV6fJ5/1
... View more
03-15-2016
05:27 AM
I think you may mean: cisco:esa:textmail
Instead of what is written: cisco:esa:mailtext
Unless this has changed in the past year.
... View more
03-10-2016
05:46 AM
1 Karma
There is a very noisy warning generated from Cisco Networks Add-on found in splunkd.log
SearchResults - Corrupt csv header in /opt/splunk/etc/apps/TA-cisco_ios/lookups/cisco_ios_acl_excluded_ips.csv, contains empty value (col #2)
This is caused by a comma at the end of the file (/opt/splunk/etc/apps/TA-cisco_ios/lookups/cisco_ios_acl_excluded_ips.csv):
src_ip,
127.0.0.1,
This is probably a setup issue on our end, but is it possible to ship the TA without the commas at the end?
... View more
03-09-2016
09:12 AM
Would love to see an officially supported solution that does not involve keeping duplicate copies of dashboards. Duplicate copies just increases required effort and overhead when you want to make even a simple change. Ideally, just use the default input values and run the report. Not sure why this is complicated.
... View more
03-09-2016
04:36 AM
Even though Splunk can adapt, that may not be the most graceful solution. The Blue Coat app and TA require sending data in the bcreportermain_v1 format--which is an ELFF format (which includes the headers mentioned above). Instead of doing that, you can instruct Blue Coat to send the data in a different format such as key value pair which appears to get rid of those fields.
Have the Blue Coat admins define a custom log format... for example:
Bluecoat|date=$(date)|time=$(time)|duration=$(time-taken)|src_ip=$(c-ip)|user=$(cs-username)|cs_auth_group=$(cs-auth-group)| x_exception_id=$(x-exception-id)|filter_result=$(sc-filter-result)|category=$(cs-categories)|http_referrer=$(cs(Referer))|status=$(sc-status)|action=$(s-action)|http_method=$(cs-method)|http_content_type=$(rs(Content-Type))|cs_uri_scheme=$(cs-uri-scheme)|dest=$(cs-host)| uri_port=$(cs-uri-port)|uri_path=$(cs-uri-path)|uri_query=$(cs-uri-query)|uri_extension=$(cs-uri-extension)|http_user_agent=$(cs(User-Agent))|dest_ip=$(s-ip)|bytes_in=$(sc-bytes)|bytes_out=$(cs-bytes)|x_virus_id=$(x-virus-id)|x_bluecoat_application_name=$(x-bluecoat-application-name)|x_bluecoat_application_operation=$(x-bluecoat-application-operation)|target_ip=$(cs-ip)|proxy_name=$(x-bluecoat-appliance-name)|proxy_ip=$(x-bluecoat-proxy-primary-address)|$(x-bluecoat-special-crlf)
This should get rid of the headers and make ingesting data faster. See the following page for the rest of the solution:
https://answers.splunk.com/answers/376872/blue-coat-field-extractor-namecustom-client-events.html
... View more
03-09-2016
04:17 AM
Thank you for the solution. This is great information for any appliance in which you are stuck receiving junk data. Fortunately, it appears Blue Coat can be told to send data in a different format. See answer below.
... View more
03-09-2016
04:05 AM
Figured out a solution since the one provided does not scale to large enterprises. The solution is not to make Splunk adapt, but instead change the way data is sent to it. The Blue Coat app and TA require sending data in the bcreportermain_v1 format--which is an ELFF format. Then the app and TA try to parse this space separated data using the complex regex seen above. Instead of doing that, you can instruct Blue Coat to send the data in a different format such as key value pair--which Splunk likes and natively parses.
Have the Blue Coat admins define a custom log format with the following fields:
Bluecoat|date=$(date)|time=$(time)|duration=$(time-taken)|src_ip=$(c-ip)|user=$(cs-username)|cs_auth_group=$(cs-auth-group)| x_exception_id=$(x-exception-id)|filter_result=$(sc-filter-result)|category=$(cs-categories)|http_referrer=$(cs(Referer))|status=$(sc-status)|action=$(s-action)|http_method=$(cs-method)|http_content_type=$(rs(Content-Type))|cs_uri_scheme=$(cs-uri-scheme)|dest=$(cs-host)| uri_port=$(cs-uri-port)|uri_path=$(cs-uri-path)|uri_query=$(cs-uri-query)|uri_extension=$(cs-uri-extension)|http_user_agent=$(cs(User-Agent))|dest_ip=$(s-ip)|bytes_in=$(sc-bytes)|bytes_out=$(cs-bytes)|x_virus_id=$(x-virus-id)|x_bluecoat_application_name=$(x-bluecoat-application-name)|x_bluecoat_application_operation=$(x-bluecoat-application-operation)|target_ip=$(cs-ip)|proxy_name=$(x-bluecoat-appliance-name)|proxy_ip=$(x-bluecoat-proxy-primary-address)|$(x-bluecoat-special-crlf)
Since this data comes into Splunk as key=value pair now, Splunk parses it natively.
Remove the TAs from the indexer and replace it with a simpler props.conf file of this:
[bluecoat:proxysg:customclient]
SHOULD_LINEMERGE = false
This just turns off line merging which is on by default and makes the parsing even faster. Also remember to rename the props.conf and transforms.conf (ex: .bak files) included in the app if you have it installed on your search head--that contains the same complicated regex which will slow down data ingestion. By the way, by defining your own format, you can add other fields you care about--such as the target IP (cs-ip) which is not included in the default bcreportermain_v1 format for some reason. Hope this helps others than run into this situation.
... View more
03-07-2016
10:45 AM
We are running the Blue Coat ProxySG App for Splunk app (https://splunkbase.splunk.com/app/2815) and associated TA downloaded from the BTO site.
When running on a distributed environment with multiple indexers, we receive the following message:
Field extractor name=custom_client_events is unusually slow (max single event time=1146ms)
The transforms.conf contains:
[custom_client_events]
REGEX = (?<date>[^\s]+)\s+(?<time>[^\s]+)\s+(?<duration>[^\s]+)\s+(?<src_ip>[^\s]+)\s+(?<user>[^\s]+)\s+(?<cs_auth_group>[^\s]+)\s+(?<x_exception_id>[^\s]+)\s+(?<filter_result>[^\s]+)\s+\"(?<category>[^\"]+)\"\s+(?<http_referrer>[^\s]+)\s+(?<status>[^\s]+)\s+(?<action>[^\s]+)\s+(?<http_method>[^\s]+)\s+(?<http_content_type>[^\s]+)\s+(?<cs_uri_scheme>[^\s]+)\s+(?<dest>[^\s]+)\s+(?<uri_port>[^\s]+)\s+(?<uri_path>[^\s]+)\s+(?<uri_query>[^\s]+)\s+(?<uri_extension>[^\s]+)\s+\"(?<http_user_agent>[^\"]+)\"\s+(?<dest_ip>[^\s]+)\s+(?<bytes_in>[^\s]+)\s+(?<bytes_out>[^\s]+)\s+\"*(?<x_virus_id>[^\"]+)\"*\s+\"*(?<x_bluecoat_application_name>[^\"]+)\"*\s+\"*(?<x_bluecoat_application_operation>[^\"]+)
Is it possible to optimize this regex and get rid of the "unusually slow" error message? Thanks
... View more
03-07-2016
09:55 AM
The current Blue Coat app uses an event type called: bcproxysg_search
The content of the event type is the following:
sourcetype = bluecoat:proxysg:* NOT "#Fields:" NOT "#Version:" NOT "#Software:" NOT "#Date:"
This event type hides comments that are sent from the Blue Coat and do not appear to be used in the app.
Comment Examples:
#Date: ...
#Fields: ...
#Version: ...
#Software: ...
Unfortunately, the comments still count against the Splunk license and potentially misrepresent statistics generated from commands such as tstats. Is it possible to either prevent Blue Coat from sending these fields or have the TA prevent this data from being indexed? Thanks.
... View more
03-05-2016
06:55 AM
Interesting regex.... because it is better than a complete miss which is what occurs right now. I wonder if it would be possible to turn the results into an array using props/transforms. I have been experimenting with an spl solution and found:
rex field=_raw max_match=0
max_match
Syntax: max_match=
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1, use 0 to mean unlimited.
... View more
03-02-2016
10:57 AM
I have the same issue. Will post back if I find anything. Environment is distributed with three indexers and a fair amount of traffic. Thanks.
... View more
03-02-2016
07:33 AM
1 Karma
In the Splunk Add-on for Infoblox, the dest_ip field does not always parse correctly--especially instances in which there are multiple IP addresses or CNAME records returned. Here is an instance where the parsing works fine.
... query: www.amazon.com IN A + (54.239.25.200)
Due to this stanza in transforms.conf:
[infoblox_dns_extract_field_7]
REGEX = query:\s.+\sIN\s(\S+)\s\+\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)
SOURCE_KEY = client_message
FORMAT = the_query_type::$1 dest_ip::$2
However, here is an instance where it does not work:
... query: download.cdn.mozilla.net IN A response: NOERROR + download.cdn.mozilla.net. 100 IN CNAME 2-01-2967-001b.cdx.cedexis.net.; 2-01-2967-001b.cdx.cedexis.net. 59 IN CNAME wildcard.cdn.mozilla.net.edgesuite.net.; wildcard.cdn.mozilla.net.edgesuite.net. 2490 IN CNAME a1284.g.akamai.net.; a1284.g.akamai.net. 9 IN A 23.15.7.155; a1284.g.akamai.net. 9 IN A 23.15.7.122;
This may be a little tough since the number of fields varies, but I am open to thoughts or an update to the TA.
... View more
02-29-2016
01:21 PM
The latest infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end
Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes
TA is available here: https://splunkbase.splunk.com/app/2934/#/overview
... View more
02-29-2016
01:18 PM
2 Karma
Splunk recently developed a TA for infoblox.
The TA is here: https://splunkbase.splunk.com/app/2934/#/overview
(The TA includes some panels for DNS and one for DHCP.)
Documentation is here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/About
... View more
02-29-2016
01:16 PM
The latest infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end
Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes
TA is available here: https://splunkbase.splunk.com/app/2934/#/overview
... View more
02-29-2016
01:13 PM
There appears to be an official TA from Splunk now:
TA: https://splunkbase.splunk.com/app/2934/#/overview
Documentation: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/About
... View more
02-29-2016
01:11 PM
1 Karma
The TA is here: https://splunkbase.splunk.com/app/2934/#/overview
(The TA includes some panels for DNS and one for DHCP.)
Documentation is here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/About
Enjoy!
... View more
