Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About daniel333
daniel333
Builder
Member since:
09-08-2011
04-01-2025
Community Statistics
| Posts | 483 |
| Solutions | 8 |
| Karma Given | 5 |
| Karma Received | 57 |
| Member Since | 09-08-2011 |
Activity Feed
- Got Karma for Alert Manager Enterprise - Malware Detection vsw.exe. 04-03-2025 08:16 AM
- Posted Alert Manager Enterprise - Malware Detection vsw.exe on All Apps and Add-ons. 04-01-2025 03:44 PM
- Posted Missing Data in Office 365 App Input on All Apps and Add-ons. 05-02-2024 03:50 PM
- Got Karma for Event_breaker vs Line_breaker ?. 10-13-2022 01:49 AM
- Posted How do I map my group/roles with human readable claims with Azure? on Security. 07-12-2022 05:23 PM
- Got Karma for Re: How to post to Http Event Collector with PHP?. 02-01-2022 08:10 AM
- Got Karma for How to display a list of fields for an index?. 12-16-2021 07:26 AM
- Got Karma for Splunk SSL Error with Python. 03-08-2021 12:42 PM
- Posted Splunk needs a shell? on Security. 02-02-2021 02:39 PM
- Got Karma for Is there a recommended auditd configuration we can start with?. 11-20-2020 05:50 AM
- Got Karma for Re: Is there a recommended auditd configuration we can start with?. 11-20-2020 05:49 AM
- Posted Troubleshooting Stanza entry not found for data-type 'time-specifier error on Monitoring Splunk. 11-17-2020 05:44 PM
- Posted Re: Splunk_TA_Windows - script:installedapps timestamp issues? on Getting Data In. 11-16-2020 04:03 PM
- Posted Splunk_TA_Windows - script:installedapps timestamp issues? on Getting Data In. 11-16-2020 03:29 PM
- Posted Conditional Input.conf setting? on Getting Data In. 11-11-2020 12:36 PM
- Posted Any experience/practices with old buckets getting created with sourcetype config_file? on Knowledge Management. 10-28-2020 02:13 PM
- Got Karma for Estimating Cost By Sourcetype. 09-30-2020 05:07 PM
- Posted Estimating Cost By Sourcetype on Monitoring Splunk. 09-30-2020 05:01 PM
- Posted How can I send the same data to multiple indexers? on Getting Data In. 06-15-2020 01:48 PM
- Got Karma for Splunk 2fa with Google Authenticator?. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
05-18-2018
08:55 AM
All,
So I am receiving logs from another Splunk installation that is well cooked. How ever it's not correct, so I am looking to filter said data at a heavy forwarder before letting it into my network. How ever I am finding things like re-sourcetyping is not working. Is there a trick to enabling this?
... View more
- Tags:
- cooked
05-17-2018
02:55 PM
All,
I am using this command to read in my indexes.conf into Search. But for some reason it's not showing my index=os which I know is there. Is there a parameter in there I need to let the API see it? I need to be able in a dashboard report on my index retention settings to my auditors.
| rest splunk_server=myindexer.mydomain.com /services/configs/conf-indexes
Missing something?
... View more
- Tags:
- splunk-enterprise
05-17-2018
01:04 PM
All,
I need to create a dashboard and alert clearly saying who has "candelete" rights assigned to them and an alert to go with it. ANy idea how I can do that?
... View more
05-15-2018
08:53 PM
all,
How are you protecting your UFs from manipulation from Redteam/Hacker activities?
... View more
05-15-2018
03:04 PM
All,
I have a stock install of Splunk for Nix running on 3k hosts or so. What I want to do in reasonable speed is compare to see if any users have been added with login privs locall to the Linux boxes.
The base search is this
index=main sourcetype="userswithloginprivs"
I am just not sure how on a host by host basis compare the results of this search to find change.
Any help here?
... View more
05-10-2018
03:16 PM
Was there ever a fix to this? Seems like a weird problem to have other files are working great
... View more
05-07-2018
11:39 AM
All,
How long by default does it take for the old FSCHANGE type to notice a change?
thanks
-Daniel
... View more
05-06-2018
11:32 AM
All,
I have three eventtypes
[insecure_telnet]
app=telnet OR dest_port=23
[insecure_snmp]
app=snmp OR dest_port=1234
[insecure_rdp]
app=rdp OR dest_port=4321
I'd like the email alert I get to have the protocol I don't trust in the email header.
e.g.
ALert - insecure Service TELNET detected on HOST
Rather than write an alert for each insecure protocol I don't trust I was hoping just to bind all these together like
index=os eventtype=insecure_telnet OR eventtype=insecure_snmp
I figured I can stats by eventtype, but that doesnt' quite cut it since it includes other eventtypes. Is there maybe a way to use eventstats or a eval to create a field which states the insecure protocol?
... View more
05-02-2018
07:55 PM
1 Karma
All,
Just messing with GCP Stackdriver connecting to Splunk. I am not familiar with GCP at all and the Splunk docs assume a certain familiarity I don't have. Anyone have a walk through that can orient me ?
... View more
05-02-2018
05:38 PM
All,
First time doing a Python scripted input. For portabability should I be using the local Python on Splunk in my scripted input headers? Or the OS's Python install?
#!/opt/splunk/bin/python
print "hello world"
Or should I point to the specific version as well?
#!/opt/splunk/bin/python2.7
print "hello world"
~
... View more
05-01-2018
05:36 PM
Thank you for the reply. I don't seem to have that option when created an Notable Event as an Alert action. How can I find that from there?
... View more
05-01-2018
03:32 PM
All,
I have an alert, which creates a notable event in Splunk ES 5.0. Working pretty good, but I can't set the security_domain to something other than THREAT.
I thought I would just have to add a field to my search, but that didn't seem to work.
| eval security_domain="Network"
| fields dest, host, src, src_pci_domain, dest_pci_domain, package, user, pci_dss_req, notes, security_domain
| table dest, host, app, src, src_pci_domain, dest_pci_domain, package, user, pci_dss_req, notes, security_domain
... View more
04-26-2018
12:25 PM
1 Karma
All,
I though it would be nice for PCI guy to search the top right by PCI DSS req, say like "10.1" its working for views. But is there a way to put a DSS req number into an notable event to make it searchable other than the name of the alert itself?
... View more
04-23-2018
05:34 PM
All,
I have a legacy install of Splunk and a new Splunk ES stack. Transition is going to take a year. So far I just use a props/transforms to move logs from one stack to another at my Heavy/Intermediate forwarder tier. But I have a log source that must go to BOTH stacks while we're in transition? Can you point me to an example of how I could do this?
... View more
04-20-2018
09:47 PM
All,
I have a log file which produces a MD5sum every hour or so. I'd like to compare the most recent event, with the previous event. if the md5sum changed, then alert.
e.g.
5:00pm md5sum=Aaaaaaaaaaaaaaaaaaaaaaaaaa file=/etc/ssh/ssh_config
5:00pm md5sum=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx file=/someotherfile
6:00pm md5sum=Bbbbbbbbbbbbbbbbbbbbbbb file=/etc/ssh/ssh_config
Any easy trick to this?
... View more
04-20-2018
04:47 PM
All,
On the list of pretrained sourcetypes I see /var/log/messages as linux_messages_syslog (https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes) but in Splunk for Nix I see them setting it as syslog.
What is the prefered sourcetype here? I guess I should point out that I am looking for ideal interoperability with Splunk ES and additional apps down the road.
... View more
04-18-2018
05:58 PM
All,
Does anyone have a walk through on setting up the time center on Splunk ES for Linux (centOS 7 in this case) hosts? I have the time.sh input from SPlunk_TA_nix going but doesn't work out of the box. Other NTP app on splunkbase don't even have tags/eventtypes that I looked at. Any direction on here would be great.
... View more
04-16-2018
12:42 PM
Hi all,
I have a file that looks like this -
Added files:
added: /etc/addedthisfile
added: /etc/cron.daily/tripwire-check
added: /etc/tripwire
How can field extract added=*?
... View more
04-15-2018
03:36 PM
So I have Splunk ES and Splunk TA nix installed. Went ahead and enabled the default FTP account by enabling the shell and went around just poking around. Splunk picks up the logs, but doens't populate this dashboard. Did I need to enable a ":default users" identity list or something?
... View more
04-15-2018
02:24 PM
Thanks for the reply. Does Splunk for Nix and Splunk for WIndows pull the default account list? Or is this hardcoded somewhere?
... View more
04-13-2018
10:54 AM
So I was expecting the default time input from Splunk_TA_nix to have extractions and tags that work with SplunkES. Was I mistaken?
... View more
04-11-2018
07:02 PM
All,
I just enabled the time input for Splunk_TA_nix and I am getting data. But I don't see any extractions. I dug into the Splunk App and I dont see that there are any. was there another app I need to install for this? Can anyone tell me what my field extractions are for setting up the NTP dashboard in Splunk ES?
... View more
- Tags:
- splunk-enterprise
04-11-2018
04:52 PM
All,
I am looking at the default user account dashboard in Splunk ES. I sorta of assumed that it pulled a list of users out of /etc/shadow and /etc/passwd for allthe various stock user accounts that come with linux and watched for any activity with them? was i wrong?
I just read the doc and to be honest I am not sure what it does still.
Any help?
... View more
04-11-2018
03:35 PM
I actually need the entire event actually. But good call on the metadata command. Cool stuff.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-01-2025
07:08 PM
|
