all, I was able to get the results I wanted in my search but I need to convert this into a props.conf config file. vendor=f5 sourcetype=linux_messages_syslog | head 1 | rex field=_raw "dest_dvc=(?.*) jira=" | makemv dest_dvc | rex mode=sed field=dest_dvc "s/,//g" How do I get makemv and that sed into props.conf? thanks -Daniel ... View more

All, I am not able to get collectD metrics to appear on my Splunk stand alone instance. I am setting up CollectD in my lab as recommended by our support engineer to replace Splunk for Nix eventually in prod. COMPLETELY new to this. I stole this config from the Splunk configuring collectd guide: http://docs.splunk.com/Documentation/Splunk/7.2.0/Metrics/GetMetricsInCollectd#Configure_collectd I have one box with everything on it including HEC. LoadPlugin write_http <Plugin write_http> <Node "node1"> URL "https://localhost:8088/services/collector/raw" Header "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d" Format "JSON" VerifyPeer false VerifyHost false Metrics true StoreRates true </Node> </Plugin> LoadPlugin cpu <Plugin cpu> ReportByCpu true </Plugin> LoadPlugin interface LoadPlugin syslog LoadPlugin load <Plugin load> ReportRelative true </Plugin> <Plugin logfile> LogLevel info File "/var/log/collectd.log" Timestamp true PrintSeverity false </Plugin> Include "/etc/collectd.d" I don't think it's my HEC configuration as I can use this bash script I found to post collectD metrics to my metrics index without issue. curl -k https://localhost:8088/services/collector/raw?sourcetype=collectd_http \ -H "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d" \ -d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1541268208.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]' So I think I must be doing something wrong with my collectd.conf file. But everything looks good as far as I know. Anything jumping out as a problem here to anyone? EDIT - I just noticed that when I restart collectd, I get this message: [root@splunkes administrator]# systemctl status collectd ● collectd.service - Collectd statistics daemon Loaded: loaded (/usr/lib/systemd/system/collectd.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2018-11-03 22:47:20 UTC; 2s ago Docs: man:collectd(1) man:collectd.conf(5) Main PID: 14295 (collectd) CGroup: /system.slice/collectd.service └─14295 /usr/sbin/collectd Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none] [root@splunkes administrator]# date Sat Nov 3 22:47:29 UTC 2018 [root@splunkes administrator]# ... View more

All, I have 4 reference servers behind a load balancer receiving less than 20gigs a day from an application source. So it's major overkill. I want to enable collectD from about 3000 Linux hosts. I'd like to just use the same setup, so I am not wasting hardware. Any reason why this would be a bad idea? Is there a best practice? Part of me was thinking I should create another HEC instance on another port to separate things. But I shouldn't need to do that right? I can just just use props.conf? thanks -Daniel ... View more

all, I am running this search to collect exceptions by host. I am bucketing into 1min intervals. However when I go back with mstats or the metrics work bench - data is being time stamped at the point of the summary job run rather than at the _time of the bucket itself. tag=java host=mydc* priority=error OR priority=warning OR priority=fatal java_exception=* role=* host=*abc* | rex field=host (?<pod>\w\w\w\w\d\d) | bin _time span=1m | stats first(_time) as _time count by pod,role,java_exception, priority | rename count as _value | eval metric_name="dpw3.toyrus.java.exceptions.count" | mcollect index=testmetrics The results table LOOKS fine. But the final product has the wrong time. ... View more

All , Looks like the links are dead for older Splunk Confs, 2014 specifically I am looking for. Did the link change? Any chance I can get these somewhere? ... View more

All, So I have frozenTimePeriodInSecs=10368000 in my indexes.conf. That is 120 days old. Yet i have data going back more than 120 days. When does Splunk run its process to purge this data? Guess I assumed a nightly job checked for old data and dumped it. ... View more

All, I am no developer and burned a couple hours on the making custom commands docs and conf sessions and feel like I am no closer. So hoping someone can give me a basic template to wrap this in? Basically I have this script (works on python 2 and 3 unchanged). I'd like to pass my custom command a value which is a securitycode and return the value from my script. How can I get this done? Anyone have a template? #!/usr/bin/env python3.5 import sys hsh = [ (1 , 'Known Violators'), (2 , 'Blocked Country'), (4 , 'Browser Integrity Check'), (8 , 'Known Violator User Agent'), (16 , 'Rate Limited'), (32 , 'Known Violator Honeypot Access'), (64 , 'Referrer Block'), (128 , 'Session Length Exceeded'), (256 , 'Pages Per Session Exceeded'), (512 , 'Bad User Agents'), (1024 , 'Aggregator User Agents'), (2048 , 'Filtered IP'), (4096 , 'JavaScript Not Loaded'), (8192 , 'JavaScript Check Failed'), (16384 , 'Identifier Validation Error'), (32768 , 'Known Violator Automation Tool'), (65536 , 'Form Spam Submission'), (131072 , 'Unverified Signature'), (262144 , 'IP Pinning Failure'), (524288 , 'Invalid JavaScript Test Results'), (1048576 , 'Organization Block'), (2097152 , 'Known Violator Data Center'), (4194304 , 'ACL User Agent'), (8388608 , 'ACL ID'), (16777216 , 'ACL Header'), (134217728 , 'ACL Extension'), (268435456 , 'Missing Unique ID'), (536870912 , 'Requests Per Minute') ] def help(): print("threat_extract.py threat_number") if __name__ == '__main__': if len(sys.argv) != 2: help() exit() threat_number = int(sys.argv[1]) print(','.join([v for k, v in hsh if k & threat_number])) ... View more

All, We're just getting going with auditd. We're Looking to trace back user activities and file changes. thanks -Daniel ... View more

All, I have a data set that I need in indexclusterA as index=distil. HOW EVER I need that same data in indexclusterB as index=web. Data all flow through a Heavy forwarder. Any idea how I would do this? ... View more

All, I am troubleshooting the built in notable "Anomalous New Process" that comes with Splunk ES on version 5.1.1. Basically, the alert is spamming us non-stop with processes that are far from anomalous and actually quite common. I believe the issue is with this lookup table, which is not being built/updated correctly, but I cannot find the documentation telling me how this table is constructed. As we can see here | from inputlookup:"localprocesses_tracker" dest firstTime lastTime process AWINDOWSHOST 1539049271 1539049271 LogonUI.exe Clearly this isn't the first time LogonUI.exe has ever run since stood up Splunk_TA_Windows. So I am working under the impression that the lookup table isn't being appended often enough. Any idea how I can troubleshoot and fine tune this? ... View more

All, I want to send a monthly report basically saying how many months until a date hits. some meta code, looking for this | eval timeinmonthsmonths = "1/1/2020" - now() thanks -Daniel ... View more

All, Is there a lookup table for mac addresses in Splunk ES ? Any formal way or tackling this if not? ... View more

All, I am playing with metricbeat and I am happy camper with it. I was wondering if there was a way to pull the metricbeat logs in directly as a metric rather than as a log? Example logs 2017-12-17T18:54:16.241-0500 INFO logp/core_test.go:13 unnamed global logger 2017-12-17T18:54:16.242-0500 INFO [example] logp/core_test.go:16 some message 2017-12-17T18:54:16.242-0500 INFO [example] logp/core_test.go:19 some message {"x": 1} ... View more

All, So normally with iplocation and geostat I can lookup State, City etc for heatmaps. How ever with the log I have now I don't have the IP. How ever the log does have long/lat in it already. Anyway to do iplocation info backwards? ... View more

all, I am setting up the Splunk app for Windows Infrastructure. Dashboards I expect to work are working. HOW EVER I am not seeing: Group Audit >> Full Group Membership dashboard is throwing this error. External search command 'ldapgroup' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/default. " So far no other dashboards are having problems. I reviewed my SA-ldapsearch apps here is my ldap.conf config #ldap.conf [somedomain.com] alternatedomain = SOMEDOMANI basedn = DC=somedomain,DC=com binddn = somedomain\SvcSplunkLDAP port = 389 server = awesomeserver01 ssl = 0 Any ideas here? ... View more

All, My Windows Event Log items are coming in as sourcetype=WinEventLog and not sourcetype=WinEventLog:Security as it set in my inputs.conf # inputs.conf [WinEventLog://Security] source = WinEventLog:Security sourcetype=WinEventLog:Security disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" index = wineventlog renderXml=false On my intermediate servers I have a props.conf file [source::WinEventLog:Security] sourcetype=WinEventLog:Security TRANSFORMS-winsourceeventlogsecurity = route_stubhinfo_to_es [WinEventLog:Security] TRANSFORMS-wineventlogsecurity = route_stubhinfo_to_es #props.conf [route_stubhinfo_to_es] REGEX=.* DEST_KEY=_TCP_ROUTING FORMAT=lvssplunkes My indexers do not have any props.conf settings. My search heads do not have search time sourcetype renaming enabled. Any idea where I might be messing up? How I can troubleshoot this farther? ... View more