Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About splunkcol
splunkcol
Builder
Member since:
07-15-2020
02-06-2025
Community Statistics
| Posts | 196 |
| Solutions | 13 |
| Karma Given | 92 |
| Karma Received | 14 |
| Member Since | 07-15-2020 |
Activity Feed
- Posted Re: Expired key microsoft 365 app on Getting Data In. 01-20-2024 08:11 PM
- Karma Re: Copy windows logs in raw mode for dtburrows3. 01-04-2024 12:57 PM
- Posted Copy windows logs in raw mode on Splunk Search. 01-04-2024 10:09 AM
- Posted Re: Expired key microsoft 365 app on Getting Data In. 12-13-2023 10:16 AM
- Karma Re: Expired key microsoft 365 app for isoutamo. 12-13-2023 10:16 AM
- Posted Expired key microsoft 365 app on Getting Data In. 12-13-2023 08:32 AM
- Got Karma for Re: Alien Vault Check OTX. 11-25-2023 08:17 PM
- Posted Re: Alien Vault Check OTX on Splunk Search. 11-25-2023 08:15 PM
- Karma Re: Alien Vault Check OTX for tscroggins. 11-25-2023 08:11 PM
- Posted Alien Vault Check OTX on Splunk Search. 11-25-2023 04:03 PM
- Posted Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Tagged Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Tagged Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Posted Re: How do I Download and Setup DB Connect? on Getting Data In. 09-05-2023 01:46 PM
- Got Karma for Re: The maximum number of concurrent historical searches on this instance has been reached.. 08-02-2023 07:04 AM
- Got Karma for Re: The maximum number of concurrent historical searches on this instance has been reached.. 08-02-2023 07:04 AM
- Posted How do I Download and Setup DB Connect? on Getting Data In. 07-20-2023 12:45 PM
- Posted How to show 2 eventcode fields? on Splunk Search. 07-07-2023 04:10 PM
- Karma Re: Upgrading Splunk 8.0.x to 9.0.x for gcusello. 05-19-2023 06:11 AM
- Posted Upgrading Splunk 8.0.x to 9.0.x on Splunk Search. 05-18-2023 08:33 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-11-2021
09:11 AM
Yes, that is what I need but it is not very clear to me, I need support from someone who can guide me since the documentation is not very clear at this moment I know that I must enter the tab "Data on Boarding" but it is not clear to me that I must fill out the form
... View more
02-11-2021
05:56 AM
Hi, has anyone worked with Assets and identity from Splunk Enterprise Security? I already have the App "Splunk Supporting Add-on for Active Directory" installed From the app I do connection tests and they are successful but when I enter Splunk ES I do not see Assets and Identity information What should I check?
... View more
Labels
- Labels:
-
configuration
02-10-2021
06:55 AM
Agents for old versions of windows. I have a client which has some devices with versions of windows 2012 and 2008 On the agent download splunk page there is a link where previous versions can be found When I enter this link I see that there are some agents for these versions of windows My question is why the first column shows a version of splunk, and I don't know if that agent only works for that version of splunk enterprise?
... View more
Labels
- Labels:
-
universal forwarder
02-05-2021
07:44 AM
1. enter CMD as administrator 2. write the WMIC command 3. type the PRODUCT GET NAME command 4. you will see a list of all the programs installed in the operating system where the name of the Universal forwarder is "UniversalForwarder" 5. If you want to see general information about the program, you can execute the command PRODUCT WHERE NAME = "UniversalForwarder" 6. Now to uninstall the Universal forwarder use the command PRODUCT WHERE NAME = "UniversalForwarder" call uninstall (when a message appears press Y to confirm the uninstallation) this video helped me https://www.youtube.com/watch?v=dX2usQvNUeM
... View more
01-21-2021
06:34 AM
My client asked to inform him if outside the agent another method can be used. He even mentioned that the agent's technical requirements seemed very high.
... View more
01-20-2021
02:01 PM
To get logs from either Windows or Linux path, is there a different way to use a Universal forwarder? or is it the only way? I don't know how stupid the question is but it's better to make sure
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
-
Windows
01-20-2021
01:53 PM
When an administrator asks me what are the requirements for the Universal forlwarder, I proceed to consult the documentation and find this: Recommended Dual-core 1.5GHz+ processor, 1GB+ RAM Minimum 1.0Ghz processor, 512MB RAM, 5GB of free disk space The server administrator considers the requirements to be very high. Is there any more detailed information on agent consumption both at the machine and disk level?
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
-
Windows
01-12-2021
02:11 PM
1 Karma
Hi, I'm also new, I don't know if what I'm going to answer is helpful, I'll still try index=* |stats count by index sourcetype app |sort -count
... View more
01-12-2021
01:52 PM
When the indexes were created, they were created by default. Now that I needed to know how long a log went from hot to warm bucket and finally to frozen, I have the following question. 1. Is this query correct to know how long it is configured to go to frozen? | rest / services / data / indexes | fields title froz * | rename title as index 2. If I need it not to store the logs for 6 years, which is the value that I see by default, and I need it to store the logs for 6 months, understanding that when the log reaches 6 months it would go to a frozen state and splunk would begin to eliminate the older data. 3. I should create a file called indexes.conf in the "local" folder and set the value frozenTimePeriodInSecs = 15778800 b Should I go to the bin and restart the splunk service for it to take the changes? 4. Would this change immediately erase logs that are already 6 months old in seconds? or does it start from this moment?
... View more
12-30-2020
08:27 AM
The query is created and after obtaining the result it is saved as a report, given a name and saved. After saving, a pop-up window appears that allows programming at what time and how often to generate the file index=firewall | outputcsv [stats count | eval search=strftime(now(), "firewall-%y%m%d-%H%M%S.csv")]
... View more
12-28-2020
09:25 AM
I am using the APP "SA-cim_vladiator" and this message appears indicating that it has found unexpected values In this order of ideas it is only analyzing me and detecting the logs with the action = allowed field And those that in the value action = Accept or suscces or pass are not detecting them The same happens for blocked where drop or deny are not detected in the action field How can I solve this situation?
... View more
Labels
12-28-2020
07:39 AM
@richgalloway Last question, what is the correct way to normalize it in this case?
... View more
12-28-2020
07:20 AM
If someone is helpful, this only applies to Heavy forwarders In Universal forwarder there is no filtering capability through regular expressions
... View more
12-28-2020
06:41 AM
I have an index called firewall and sourcetypes of Palo Alto, Checkpoint and Fortinet routers The configuration was carried out according to the documentation recommendations regarding recommended sourcertype and Add-on according to the vendor The "action" type fields that are accepted have different names depending on the brand of the device Those that are accepted are: allowed accept Authorize pass Taking into account that "accept" and "allowed" mean the same thing, should I normalize them? or as they are already recognized by the correlation events that Splunk ES has created?
... View more
Labels
- Labels:
-
configuration
12-20-2020
06:04 PM
I have been asked to generate a csv with the indexed information of 1 index after 02:00 hours and that the name of the csv file that is generated has the name of the index and the date, I don't know if it can be concatenated name csv = index_date.csv I know the inputlookup command exists I think it would be something like this index = myindex | inputlookup file.csv but I don't know how to create the complete query in such a way that it generates the file with the name I need for example firewall_20122020 firewall_21122020 firewall_22122020 firewall_23122020
... View more
Labels
- Labels:
-
field extraction
12-14-2020
11:25 AM
Currently I have splunk cloud working without problems and I need to install an APP that allows me to view graphics from a mobile device. After finding an error message and submitting the ticket, they reply to me stating that the error message is due to it being only compatible with python 3 It scares me to request that they update to python 3 and the solution stops working. I would be grateful in simple words and if possible without share the update links since I have read it and it is not clear to me, if what I need is to know how a change from python 2 to python 3 would affect
... View more
Labels
12-04-2020
06:47 AM
1. I entered the bin folder and stopped the splunk service with the command ./splunk stop 2. I moved splunk from opt which is the default path to a new folder that I have created in the root 3. I entered the new folder where I have moved the splunk folder, I entered the bin folder and started the service again with ./splunk start In my case it worked 😃 Note: this process was under linux accessing by ssh
... View more
12-04-2020
05:58 AM
I need to reject or not index the logs that have the word "notice" inside the log
I understand that it is done using these two files
I have 2 doubts:
1. Is the regex ok? 2. If the path is constantly changing I can use a wildcard? [source::/folder/folder/logs/firewall-xxxxx/* ]
props.conf
[source::/folder/folder/logs/firewall-xxxxx/2020/12/4/local7.log] TRANSFORMS-null= setnull
transforms.conf
[setnull] REGEX = notice DEST_KEY = queue FORMAT = nullQueue
Sample Log
date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65500-742
... View more
Labels
12-03-2020
10:07 AM
I need that the "notice" type logs are not forwarded to the indexer I know I should add a line called "blacklist" but I'm not good with regular expressions Another question, why in some threads they talk about modifying the file "props.conf" and "transforms.conf" what is the difference between doing it from inputs.conf and the other way? inputs.log [monitor:///folder/folder/folder/ip_firewall] disabled = false host = namefirewall index = firewalls sourcetype = fgt_log Sample Log date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65500-742
... View more
Labels
12-01-2020
12:30 PM
You are absolutely right, I did the sourcetypes query of the index main and it returned results. When taking any sourcetype from any other index there are no results. In conclusion: It only brings information when consulting only with sourcetype but from index = main
... View more
12-01-2020
08:07 AM
where do I manage those indexes? I also need to be able to search only specifying the sourcetype only
... View more
12-01-2020
06:15 AM
I understand that I should obtain results if I also consult only specifying the sourcetype and the rest of the search criteria, but I don't know why it does not bring results, how could I solve it? there are results index = myindex sourcetype = my sourcetype no results sourcetype = my sourcetype
... View more
Labels
- Labels:
-
fields
11-26-2020
01:24 PM
1 Karma
Thank you very much for your answer, it helped me a lot. After working I remembered that I had configured the input.conf and output.conf files in two different paths, one in apps and the other in the system It has already been solved, thank you very much.
... View more
11-26-2020
11:52 AM
1 Karma
I have a route that has all the logs, but in it there are several types of logs, I only need some that start with a certain name. Apple banana mango dns.log dns_1123.log dns3_1.log if I need the log that starts with dns and ends in anything else I understand that I can use dns * [monitor:///folder1/folder2/folder3/folder/logs/dns*] disabled = false host = 10.10.10.10 index = myindex sourcetype = mysourcetype But when I check the logs that are being indexed, all the logs are arriving, even the ones that I don't need, how else can I make only the ones that start with dns arrive and not the other logs?
... View more
Labels
- Labels:
-
administration
-
configuration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-06-2025
10:36 AM
|
Karma from
Karma given to
