Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About wweiland
wweiland
Contributor
Member since:
02-07-2013
03-11-2024
Community Statistics
| Posts | 105 |
| Solutions | 9 |
| Karma Given | 11 |
| Karma Received | 17 |
| Member Since | 02-07-2013 |
Activity Feed
- Got Karma for Re: Why is cluster master stuck at "Bundle validation is in progress" indefinitely after configuration-bundle update?. 06-17-2020 04:56 PM
- Karma Re: Why is my timezone configuration in the app directory for my search head cluster being ignored? for ddrillic. 06-05-2020 12:48 AM
- Karma Re: How to compare search results from 2 dates without using subsearch? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to compare search results from 2 dates without using subsearch? for cmerriman. 06-05-2020 12:48 AM
- Karma Re: Question about the TA for Microsoft AD for gcusello. 06-05-2020 12:48 AM
- Got Karma for Re: Can Eventgen run on a Universal Forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Lookup File Editor App for Splunk Enterprise: Why do other users get error "Client is not authorized" trying to open my CSV Lookup?. 06-05-2020 12:48 AM
- Got Karma for Re: Lookup File Editor App for Splunk Enterprise: Why do other users get error "Client is not authorized" trying to open my CSV Lookup?. 06-05-2020 12:48 AM
- Got Karma for Re: Lookup File Editor App for Splunk Enterprise: Why do other users get error "Client is not authorized" trying to open my CSV Lookup?. 06-05-2020 12:48 AM
- Got Karma for Lookup File Editor App for Splunk Enterprise: Why do other users get error "Client is not authorized" trying to open my CSV Lookup?. 06-05-2020 12:48 AM
- Got Karma for Re: Slack Notification Setup Problems. 06-05-2020 12:48 AM
- Got Karma for Re: Slack Notification Setup Problems. 06-05-2020 12:48 AM
- Got Karma for Re: Can Eventgen run on a Universal Forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Can Eventgen run on a Universal Forwarder?. 06-05-2020 12:48 AM
- Karma Re: Dashboards slideshow for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Where should I check for python.log error messages about generating pdf of scheduled reports? for ronogle. 06-05-2020 12:47 AM
- Karma Re: How to compare a field to another field in a CSV file? for sundareshr. 06-05-2020 12:47 AM
- Got Karma for Dashboards slideshow. 06-05-2020 12:47 AM
- Got Karma for Re: Why is cluster master stuck at "Bundle validation is in progress" indefinitely after configuration-bundle update?. 06-05-2020 12:47 AM
- Got Karma for Import non native python libraries into Splunk. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-07-2016
07:42 AM
1 Karma
Hi,
We are using the Lookup File Editor App for Splunk Enterprise and when someone tries to open my csv via the app, they receive an error about not being able to load the details of the lookup file. I've set the permissions of the file to global and ensure the user had read/write access. When I set the file to be owned by nobody, they are able to open and edit. I did find the following in the log file.
2016-04-07 00:33:22,471 DEBUG [57060d42717f15c73b7bd0] _cplogging:55 - [07/Apr/2016:00:33:22] HTTP Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 606, in respond
cherrypy.response.body = self.handler()
File "/opt/splunk/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 25, in __call__
return self.callable(*self.args, **self.kwargs)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 38, in rundecs
return fn(*a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 118, in check
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 167, in validate_ip
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 335, in preform_sso_check
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 387, in check_login
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 407, in handle_exceptions
return fn(self, *a, **kw)
File "", line 148, in get_lookup_info
File "", line 460, in resolve_lookup_filename
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 548, in get
return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 528, in get
entity = self._get_entity(id, host_path=host_path)
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 444, in _get_entity
return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 249, in getEntity
serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 514, in simpleRequest
raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/myusername/search/data/lookup-table-files/mycsv.csv
Any suggestions?
Thank you,
Todd
... View more
03-24-2016
06:26 AM
Well, I feel like a goof. It looks like it is a heavy forwarder (has a outputs.conf). I don't understand why it looks like a search peer and showing up in SoS, but you learn something everyday. Thanks to everyone who took the time to respond.
... View more
03-24-2016
06:05 AM
It is up and running. I'm not sure if it has reported in the past as I'm new to this system. It is receiving 20% of the data. This was verified through the metrics.log and SoS.
... View more
03-23-2016
05:54 PM
There was a blacklist in another app that was finding its' way into this stanza.
... View more
03-23-2016
05:52 PM
I'm having a problem where I have 5 indexers and 1 search head. All 5 show up in the search peers under distributed search. I've verified through the metrics.log that the indexer is receiving data. When I perform a search however, I only see events from 4 of the indexers. I performed "index=* | stats count by splunk_server" and again only 4 indexers + the search head showed up. Has anyone seen this issue before? Thank you in advance for any help or direction that can be provided.
... View more
02-16-2016
07:01 AM
Still no joy. I've opened a ticket w/ Splunk and will hopefully post a fix in this thread.
... View more
02-12-2016
02:23 PM
No joy.
[monitor:///var/log/httpd]
_rcvbuf = 1572864
dedicatedIoThreads = 2
disabled = 0
enableSSL = 1
host = myhost
ignoreOlderThan = 14d
index = unix
maxSockets = 0
maxThreads = 0
port = 8088
recursive = true
sourcetype = access_combined
useDeploymentServer = 0
whitelist = (_log*$|\.log$|_log*\.gz$)
... View more
02-12-2016
12:51 PM
That didn't work.
pwd
/var/log/httpd
-rw-r----- 1 root root 3122398 Feb 12 14:48 access_log.abcd
I have many files.abcd with different extensions.
/opt/splunkforwarder/bin/splunk list monitor
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log
/var/log/clamav
/var/log/httpd
... View more
02-11-2016
02:13 PM
Hi,
I'm trying to monitor some Apache logs and I can't seem to get the statement correct.
I'm trying to monitor "access_log.*" , "error_log.*" , access_log, error_log, and the gzs to go with them.
[monitor:///var/log/httpd]
whitelist=(\_log*$|\.log$|\_log*\.gz$)
blacklist= (mod\_jk\.log$|\.gz|catalina\.out$)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
Can someone point out my error?
... View more
11-11-2015
05:27 PM
lookup tables with updater reports as suggested by Sundareshr.
... View more
11-11-2015
05:25 PM
Works way better than I had expected. Thank you!
... View more
11-11-2015
02:51 PM
I need to lookup the IP in a firewall log to a field in an inputcsv. The CSV file holds 50k results, so subsearches are limited. It's been recommended not to increase the subsearch event limit in limits.conf. I've thought about doing the lookup using a relational database, but I would like to do this in the Splunk environment if possible. Does anyone have any suggestions?
... View more
10-15-2015
09:18 AM
So the query works as written, but I ran into the problem that you suspected I would have. Trying to compare 50k threat domains to each record with a wildcard is taking 8 mins for a 15 min period. The only way I can think to resolve the problem would be to use a custom search command and drop it to python with dictionaries. Problem is, I don't control the Splunk back-end and can't add custom commands easily. Any suggestions on what I could do within native Splunk? Would lookup tables be faster than inputcsv?
... View more
10-14-2015
08:27 AM
It also occurred to me that I could output the threat data to outputcsv and then do the same query against inputcsv? Can I still do the eval if I do that?
... View more
10-12-2015
02:51 PM
Thank you kind sir. That works like a charm.
... View more
10-12-2015
01:53 PM
Can you think of a way I can write it so that if u_indicator is in any part of domain it would trigger? I was trying to think of how to use the if(match) but I can't seem to come up with the way.
... View more
10-12-2015
01:39 PM
Would this only trigger if the domain exactly matches the u_indicator?
... View more
10-12-2015
12:06 PM
I'm looking through DNS logs in one index. They are normal DNS logs, so they have the normal query containing the host+domain. I have threat data which just has the domain in another index.
index=main sourcetype=dns
| map search="index=sec u_type=domain u_status=Active earliest=0 latest=now u_indicator=$domain$"
above is what i've come up with so far, but it doesn't seem to work. Am I looking at this wrong? I want to make sure that if the domain in the threat data exist at all in the dns domain data, then I get a alert.
Any suggestions?
... View more
10-12-2015
09:03 AM
Nobody else has any suggestions?
... View more
10-08-2015
10:57 AM
I've worked with the ES app in the past. I haven't looked at the Ninjitsu app yet, but will do so. I'm hoping to get an idea from the community what they are using that may not be in ES or from those who don't have access to ES.
... View more
10-08-2015
10:23 AM
So I wanted to field this question out to the community. I'm looking to ensure that I'm covering as many attack vectors with my alerting as possible. I know that all environments differ in many ways, but has the community come up with a list of common attack vectors (queries) that all networks should be looking for?
Examples would be:
SSH brute force attempts
Inactive accounts being used
Brute force attempts that have 1 success
I would really like to know what others are doing. No suggestion is too simple or crazy. If this has been discussed in the past, can you point me in that direction?
... View more
04-01-2015
01:03 PM
Would I be doing this with the native python, or the splunk cmd python
... View more
04-01-2015
12:17 PM
Yeah, that's kinda what I set up. Works fine for a day or so of data, but get a couple of thousand records and the process time increases. 49 secs for 432 events. Seems very inefficient. I tried the python setup.py bdist_egg, but it appears that isn't a option in the setup file.
[root@watson aoslib-master]# python setup.py bdist_egg
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: setup.py --help [cmd1 cmd2 ...]
or: setup.py --help-commands
or: setup.py cmd --help
error: invalid command 'bdist_egg'
... View more
04-01-2015
10:58 AM
I had a problem with the egg. It looks like it would have worked if I could have worked out my issues. I was going to try and call a native python based script from within the splunk based script using os.popen.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-11-2024
12:06 PM
|
Karma given to
