Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About pfabrizi
pfabrizi
Path Finder
Member since:
02-15-2017
06-05-2020
Community Statistics
| Posts | 208 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 9 |
| Member Since | 02-15-2017 |
Activity Feed
- Got Karma for How does DUO authentication for SPLUNK work?. 01-06-2026 08:03 AM
- Got Karma for How do I configure email settings on a search head (SH) cluster?. 06-18-2025 10:46 AM
- Got Karma for Re: How to create an If Statement in Props.conf?. 06-05-2020 12:49 AM
- Got Karma for Re: Universal forwarder deprecated for Windows 2008 on Splunk 7.0.0?. 06-05-2020 12:49 AM
- Got Karma for What is considered a full back up of Search Head?. 06-05-2020 12:49 AM
- Got Karma for LookUp Functionalility. 06-05-2020 12:49 AM
- Got Karma for Re: Universal forwarder is listening to the wrong port for the splunkd process. 06-05-2020 12:49 AM
- Got Karma for SSL certificate for Splunk Web process -- can you verify these steps I'm taking?. 06-05-2020 12:49 AM
- Got Karma for How would you use an internal signed certificate with a Search Head (SH) cluster?. 06-05-2020 12:49 AM
- Posted Why is our alarm not launching all tasks? on Reporting. 12-13-2018 09:33 AM
- Posted Can I tab delimit a report file on Splunk Search. 12-03-2018 11:56 AM
- Posted SPLUNK will Not Start on All Apps and Add-ons. 11-28-2018 02:33 PM
- Posted Can you help me with the following query using the coalesce command? on Splunk Search. 11-26-2018 12:53 PM
- Posted Re: Lookup File Lookup in props\transform on All Apps and Add-ons. 11-19-2018 08:23 AM
- Posted Lookup File Lookup in props\transform on All Apps and Add-ons. 11-15-2018 05:48 AM
- Posted How does a LOOKUP and Report command work in a PROPS.CONF ? on Getting Data In. 10-19-2018 09:19 AM
- Posted Why aren't lookups replicating on search head (SH) cluster? on Deployment Architecture. 10-04-2018 09:28 AM
- Posted Re: How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:55 AM
- Posted How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:17 AM
- Tagged How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
01-02-2018
07:16 AM
We are rolling out the UF to our windows servers, no apps yet, just the UF. The deploymentclient.conf only has the deployment server:
targetUri = xxx.xxx.xxx.xxx:8089.
this is causing some issues with another instance of SPLUNK our business folks have running.
How do I change the port that the deployment server listens on
How do I push this change to all the UF if they are not in a server class or have applications?
Thanks!
... View more
12-22-2017
09:54 AM
I using CURL to return a list of clients reporting to my deployment server:
curl -k -u admin:changeme https://deploymentserver:8089/services/deployment/server/clients
I get back a list of 30 but under forwarder management I see 900+
Is there parameter I should be using?
... View more
12-14-2017
05:54 AM
I had this code working and now I am getting a 404 not found error.
I see this in the message:
bundle=serverclass stanza=serverClass:Test The sourceApp=system doesn't equal callerApp=search
services/deployment/server/serverclasses/server-class
args: whitelist.0= host1
Thanks!
... View more
- Tags:
- splunk-enterprise
12-05-2017
05:35 AM
I am on Linux, I ran 'p's looking for splunkd and nothing running. I believe they did restart the server last night. I just checked and my root volume is out of space (at 99% used). Can that be the issue?
... View more
12-05-2017
04:56 AM
I have been having space issue on one of my indexes running SPLUNK 6.5.1. The box appears to crash from time to time. Typically I have to restart SPLUNK, but today I am unable to control SPLUNKD. I get this when I issue a splunk command:
Stopping splunk helpers...
couldn't send SIGTERM to pid 2972: Operation not permitted
Couldn't send SIGTERM to some splunk helpers. [FAILED]
Error: Unable to stop splunk helpers.
What process\task is running this, I am guessing I can kill this?
Thanks!
... View more
- Tags:
- splunk-enterprise
11-14-2017
05:08 AM
I have users creating alerts in our DEV space and I was wondering if those are stored in .CONF stanza that I can pickup and use to migrate to production?
If they are where are they stored and is the stanza name?
Thanks!
... View more
- Tags:
- splunk-enterprise
11-09-2017
03:41 AM
I did this, but not sure this is the best approach.
"search index=_audit action=alert_fired earliest=startingDate latest=endingDate | map search=" |loadjob sid"
I use a starting and ending date so I am only searching on a time frame when the alert happened and not the entire time frame.
I am using the C# SDK, but is what you listed above a more efficient method?
Thanks!
... View more
11-08-2017
04:12 AM
I run this search: index=_audit action=fired_alert
I get back this which looks like properties of the alert.
Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, action=alert_fired, ss_user="nobody", ss_app="search", ss_name="RDP by GenericID Prod", sid="rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", alert_actions="email,notable,resilient", severity=3, trigger_time=1510141971, expiration=1510228377, digest_mode=0, triggered_alerts=1][OhxQLHMR0bgxLAaqfsIRoIsoknIp5H1APZ24P4Hm/9FDp8O0VT46WEsP+yLAPbuHYNBkjd8X2/Lu4tVXmqLy+d738KZDjCqFTCu9WcwwILDA97uAfDes/bqw0KamiumItENPlXSQkZIGLfuULHuVoBWOdWrIDF5MMp2y19XsXps=]
The search for the alert looks like this:
index="wineventlog" EventCode=4648 Logon_ID=0x3e7 Process_Name="C:\Windows\System32\winlogon.exe" [ | inputlookup serts-prod.csv | rename genid as user_identity | table user_identity] | eval discovered_date=ceil(_time) * 1000| fields host, user, Account_Domain, discovered_date
How do I get values in the field statement? it should be my username, my workstation and my logon domain.
Thanks!
... View more
- Tags:
- splunk-enterprise
10-30-2017
07:13 AM
1 Karma
Thank You!
... View more
10-26-2017
02:31 PM
so I can continue to use the 6.6.2 UF on my windows 2008 r1 and r2 servers even though release notes for SPLUNK 7.0 indicate support is removed?
... View more
10-26-2017
05:41 AM
is backing up the full installation making a copy of $splunk_home/etc and all sub folders or does this include everything under $splunk_Home?
... View more
10-26-2017
03:59 AM
we are in the process of rolling SPLUNK to production very soon and we going with SPLUNK Enterprise 6.6.3 as we stood up some of the infrastructure before 7.0 release. Looking at the deprecated features support for Windows 2008 is removed.
What is the alternative?
Our process for deploying to endpoints has 45 day lead times, so a January deployment had a mid October deadline for submission. This is why we went with 6.6.2 UF.
Windows 8 x86_64: Enterprise and Free/Trial support is removed. Universal Forwarder support is deprecated and might be removed entirely in a future release.
• Windows 8 x86_32: All support (Enterprise, Free/Trial, and Universal Forwarder) is removed.
• Windows Server 2008 R2 SP1 x86_64: Enterprise and Free/Trial support is removed. Universal Forwarder support is deprecated and might be removed entirely in a future release.
... View more
10-25-2017
04:30 AM
I am trying to install the 6.6.2 version of the universal forwarder and I am getting an error indicating that the minimum requirements have not been met to install.
What are the minimum requirements ( can't seem to find them)
Should I be running earlier version?
... View more
10-24-2017
07:51 AM
What is the best approach for upgrading SPLUNK? 1 DP 1 SH 1 F 2 ID running 6.5.1 on link rehl 6
download 6.63, copy to each device and then untar or is there an upgrade from the UI?
Do I need to worry about backing up custom stanzas?
Thanks!
... View more
Labels
- Labels:
-
indexer
-
search head
-
upgrade
10-17-2017
03:12 PM
should this be done before I create the image or can it done as part of the install script?
... View more
10-17-2017
12:09 PM
I have only a deployment server at the current time and to get ahead of the game we going to roll the UF to our windows servers as this can take months. My deployment server has no apps, so it is just the client reporting. I currently have configured 2 client but only 1 shows up at a time. If one is showing and I bounce the other client splunk service it will show but the other client disappears?
... View more
10-07-2017
12:43 AM
I am using a light forwarder to send the log to the indexer, so I am guessing that is a intermediary?
[hostoverride]
REGEX = host=([a-zA-Z0-9.-_]+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
[netwitness-extractions]
REGEX = CEF:\d+|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|([^|])|
FORMAT = nullQueue
sample Event:
CEF: 1|RSA|Netwitness|10.6|severity=2|Executables|sessionid=94463671599|host=support.content.office.microsoft.com,support.content.office.microsoft.com|src=10.51.0.139|spt=59014|dst=23.36.68.96|dport=80|fname=AF102430631.wat,AF102430631.wat|dorg=Akamai Technologies|client=Microsoft ULS 15.0,Microsoft ULS 15.0 (Windows NT 6.1; Microsoft ULS 15.0.4669)|extension=wat,wat|server=Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0|service=80|threat=|username=|content=application/octet-stream,application/octet-stream|action=get,GET|zone=internet,internet|analysis.service=http1.1 without accept header,http1.1 without referer header,ssl certificate self-signed|analysis.session=0,ratio low transmitted,watchlist port,first carve,long connection,session size 10-50k,first carve not dns|analysis.file=exe filetype,exe two sections,exe filetype but not exe extension,small executable extension mismatch,small executable|filetype=windows executable,x86 pe,windows dll,signed executable|office=|device.host=|ioc=|boc=|eoc=|icf.category=|
... View more
10-06-2017
08:15 AM
I need to install my deployment server \License server that will be part of our Splunk Enterprise deployment. I didn't install our POC environment, so I am not sure what download I need for this. I think I need to have the 'SPLUNK' ID created as well?
Thanks!
... View more
10-06-2017
04:34 AM
I fixed the missing 'a'. I also checked my regex in regex101 and found that was not correct, I validated my regex finds the value. It is still not giving me host as I want it.
2 questions:
1. I do the transforms at the forwarder and not the indexer?
2. I have 2 transforms. First is the host over ride and the second is to parse the event as it is a custom CEF formatted string. Below is my props.conf for this index.
[netwitness]
FIELDALIAS-severity_as_id = severity as severity_id
FIELDALIAS-dst_as_dest = dst as dest
EVAL-app = netwitness
EXTRACT-subject = CEF:\s+\d(?:|[^|]+){4}|(?[^|]+)
EXTRACT-shost = CEF:\s+\d(?:|[^|]+){6}|+host=(?[a-zA-Z0-9.-_]+)
TRANSFORMS-ho=hostoverride
TRANSFORMS = netwitness-extractions
... View more
10-05-2017
12:41 PM
I get this stanza error:
Undocumented key used in transforms.conf; stanza='hostoverride' setting='DEST_KEY' key='MetData:Host'
Here is my transforms:
[hostoverride]
DEST_KEY = MetData:Host
REGEX = CEF:\s+\d(?:|[^|]+)(6)|+host=([a-zA-Z0-9.-_]+)
FORMAT = host::$1
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
