Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Tom_Lundie
Tom_Lundie
Contributor
Member since:
10-07-2020
08-08-2024
Community Statistics
| Posts | 116 |
| Solutions | 25 |
| Karma Given | 43 |
| Karma Received | 37 |
| Member Since | 10-07-2020 |
Activity Feed
- Posted Re: Creating and installing TLS Certificates on Windows 2022 Server on Installation. 08-08-2024 03:26 AM
- Posted Re: Content Pack for Windows Dashboards and Reports data not showing on All Apps and Add-ons. 08-08-2024 02:36 AM
- Posted Re: Splunk SOAR- Crowdstrike sandbox download report on Splunk SOAR. 07-24-2024 04:25 AM
- Posted Re: Addig data input on Getting Data In. 07-24-2024 04:18 AM
- Posted Re: Splunk SOAR- Crowdstrike sandbox download report on Splunk SOAR. 07-24-2024 03:39 AM
- Posted Re: Content Pack for Windows Dashboards and Reports data not showing on All Apps and Add-ons. 07-24-2024 03:30 AM
- Posted Re: Distributing APP from the deployment server to the index server on Splunk Enterprise. 07-19-2024 01:57 AM
- Got Karma for Re: Distributing APP from the deployment server to the index server. 07-18-2024 07:33 PM
- Karma Re: Extract field value from json string with different spath and group by for ITWhisperer. 07-17-2024 04:08 AM
- Posted Re: Login failed due to client tls version being less than minimal tls version allowed by the server on Installation. 07-17-2024 03:33 AM
- Posted Re: Multisite indexer cluster : Why is data from other sites retrieved? on Getting Data In. 07-17-2024 02:23 AM
- Posted Re: Having Syslog logs into SPLUNK on Splunk Enterprise. 07-16-2024 07:54 PM
- Posted Re: Distributing APP from the deployment server to the index server on Splunk Enterprise. 07-16-2024 07:49 PM
- Posted Re: Skipped searches on Knowledge Management. 07-16-2024 07:37 PM
- Posted Re: Multisite indexer cluster : Why is data from other sites retrieved? on Getting Data In. 07-16-2024 07:22 PM
- Posted Re: Having Syslog logs into SPLUNK on Splunk Enterprise. 07-16-2024 06:47 PM
- Got Karma for Re: Evaluate difference between 2 (string) dates in the same event.. 07-16-2024 06:37 PM
- Posted Re: Login failed due to client tls version being less than minimal tls version allowed by the server on Installation. 07-16-2024 06:33 PM
- Posted Re: Evaluate difference between 2 (string) dates in the same event. on Splunk Search. 07-16-2024 06:25 PM
- Posted Re: Ingesting Palo Alto Threat logs with log_subtype=URL into Splunk on Splunk Search. 07-16-2024 06:14 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
08-08-2024
03:26 AM
The %SPLUNK_HOME% variable that you noted in this documentation is not defined outside of the Splunk process by default. %SPLUNK_HOME% refers to the Splunk installation folder on Windows. Typically: C:\Program Files\Splunk You can run all of those commands as the user running Splunk by either setting the environment variable or replacing it manually first. To permanently set the environment variable you can use: setx SPLUNK_HOME "C:\Program Files\Splunk" Read more here.
... View more
08-08-2024
02:36 AM
I think I can see the issue here: [wineventlog_index_windows]
definition= index=wineventlog OR index=main This should be: [wineventlog_index_windows]
search = index=wineventlog OR index=main Note the "search" directive instead of "definition". Definition is used in macros.conf. Let me know how you get on 🙂
... View more
07-24-2024
04:25 AM
Hi, If you are facing a specific error then please post it here. Otherwise if you just need general guidance then I would start with the documentation: Create a new playbook in Splunk SOAR (Cloud) - Splunk Documentation
... View more
07-24-2024
04:18 AM
Hi, This is by design, the problem with running modular inputs on the SHC layer is that if all of the nodes in the cluster attempt to run the input you would get duplicated data and all sorts of problems. Splunk seem to be actively developing a solution for this but do not officially support at the time of writing. That being said, a handful of apps do have official support (e.g. Splunk DB Connect). These seem to rely on the run_only_one directive in inputs.conf to ensure they only run on the captain node to prevent duplication. Unless your TA has official support for a deployment on a SHC, I would recommend using a separate, dedicated instance for input collection such as a Heavy Forwarder.
... View more
07-24-2024
03:39 AM
Hi Harisha, There is an add-on on Splunkbase for this: CrowdStrike OAuth API | Splunkbase This SOAR Add-on allows you to download the reports. It might already be installed on your SOAR instance so feel free to check. The first thing you will need to do is configure an asset with the correct API credentials within the Crowdstrike app. Once you have the app configured you can then implement actions within a playbook to do whatever you need. If you have any specific questions along the way then feel free to ask away!
... View more
07-24-2024
03:30 AM
Hello, With these sorts of issues it's best to work your way down to eliminate the possible causes. Take an exemplar broken search from the dashboard and try to run it manually: eventtype=msad-successful-user-logons If that doesn't work try to run the definition manually: eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$" If that works, make sure the msad-successful-user-logons definition is correct and shared properly. If not, try expanding your index eventtype: (index=msad OR index=main) eventtype=wineventlog_security EventCode=4624 user!="*$" If that works, make sure your definition is correct and shared properly. If not, try expanding the wineventlog_security eventtype: (index=msad OR index=main) (search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security) EventCode=4624 user!="*$" If that works, make sure Splunk_TA_windows is installed the wineventlog_security eventtype is working. If that doesn't work then your problem is not with the eventtype definitions, but rather with the data itself. Things to try: Do you have Splunk_TA_windows installed on your indexers/search heads? Are the source's renamed correctly as per TA_Windows ta-windows-fix-xml-source definition and the requirements of the wineventlog_security eventtype? Are your indexes correct and populated within the search timeframe? Finally, if you still can't get results, try stripping of key values from the search to check if the search is working: (index=msad OR index=main) (search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security) If you get results, the problem is with the field extractions: EventCode=4624 user!="*$" check that Splunk_TA_windows is working as expected, check your inputs, props and transforms are all aligned. Good luck!
... View more
07-19-2024
01:57 AM
If you want to dynamically deploy the app to either the manager-apps or apps directory, you can use serverclass.conf on the deployment server to do this. Note that this is quite a complex deployment structure, make sure you keep your serverclass.conf well documented. Firstly, restore the CM's deploymentclient.conf's repository settings to default to enable the serverClass to control the target repository: [deployment-client]
repositoryLocation = $SPLUNK_HOME/etc/apps
serverRepositoryLocationPolicy = acceptSplunkHome Then on the DS you can then dynamically set the repositoryLocation using the targetRepositoryLocation directive within serverclass.conf at the serverClass level: For example you could have something like this: [serverClass:CM_Deploy_to_Apps]
whitelist.0 = cm.yourcompany.com
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
stateOnClient = enabled
[serverClass:CM_Deploy_to_Apps:app:example_app_1]
restartSplunkd = true
[serverClass:CM_Deploy_to_Apps:app:example_app_2]
issueReload=true
restartIfNeeded=true
[serverClass:CM_Deploy_to_Manager_Apps]
whitelist.0 = cm.yourcompany.com
targetRepositoryLocation = $SPLUNK_HOME/etc/manager-apps
stateOnClient = noop
[serverClass:CM_Deploy_to_Apps:app:example_manager_app_1]
[serverClass:CM_Deploy_to_Apps:app:example_manager_app_2]
... View more
07-17-2024
03:33 AM
Depending on your deployment, it might be worth considering switching to the Microsoft JDBC driver which is suggested in Splunk's documentation. However JTDS might still work. By default, JTDS does not use SSL for the connection which is causing this error. Append the following to the JDBC URL in the connection configuration page: ;ssl=require; Feel free to share your connection string, redacted as appropriate.
... View more
07-17-2024
02:23 AM
Okay, everything should be working then...
You can check which search peers returned the event data using the following search:
index=* | stats values(splunk_server) by index
So long as your search factor is met, the values of splunk_server should be the local peer names depending on the SH that you run that from.
You can also check the search logs in the Job Inspector.
What is your overall goal here? As I say, search affinity is not a security control and is only designed to make searches more efficient. All data in site1 is replicated to site2 and vice-versa anyway according to your config.
... View more
07-16-2024
07:54 PM
I'm not sure what you're stuck with. Ideally, would need to see your current configurations and error messages to support. What configuration file(s) are you stuck with? Are your _internal logs reaching the Indexers? Are you getting any errors?
... View more
07-16-2024
07:49 PM
1 Karma
Hi, Have a look at these docs. On the DS make sure you've included noop for the CM serverclass.conf entry: [serverClass:<serverClassName>]
stateOnClient = noop Also, ensure you're not overriding it on the app-level too. If you've already got this covered, can you share the error message please?
... View more
07-16-2024
07:37 PM
Hi, The wording is quite tricky but I will do my best to explain: 1) The maximum number of concurrent historical scheduled searches on this cluster has been reached: Platform-level. Essentially, the Splunk platform has reached its concurrent search limit as defined by the concurrency settings in limits.conf. For example, if the limit is five, you might have six different searches all scheduled at once, triggering this error. 2) The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached This is defined on a per-search level under max_concurrent within savedsearches.conf (advanced search settings). It is one by default. This means that one particular search has been scheduled whilst previous instances of that same search is still running. So for example, you schedule a particular search to run every two minutes but it takes six minutes to run. Splunk starts it, and two minutes later, goes to schedule it for a second time but its still running, throwing the error. As a tip, 1) is typically caused by incorrectly scheduled searches all scheduled for the same time. Whereas 2) is caused by a particular search being scheduled too frequently or running for longer than expected, causing it to overlap with itself.
... View more
07-16-2024
07:22 PM
Hi, Quoting the docs: If the cluster is not in a valid state and the local site does not have a full complement of primaries (typically, because some peers on the site are down), remote peers also participate in the search, providing results from any primaries missing from peers local to the site. Looking at your diagram and search, am I correct in thinking that index=site01_* is only configured on site01 and index=site02_* is only configured on site02? If so, firstly this is a misconfiguration and bad practice. However, it makes sense that your search affinity is not working because you would not have a copy of the data in both sites. Only site02 would have data in site02_* and therefore index=site0* would return data from both sites! You should be managing your indexes via the cluster manager so that it's consistent. If you want different indexes per site, then you should be using a multi-cluster deployment. If you want to restrict access between sites and search heads then you can use RBAC and search filters. Search affinity is not designed to be a security control and should not be treated as such.
... View more
07-16-2024
06:47 PM
Hi, It sounds like you've made great progress, nice one. There are multiple designs and opinions out there regarding getting syslog into Splunk. It's up to you to decide what's best. To get you started there are tools such as Splunk Connect For Syslog which provides an "all in one" feel, you can also use a syslog service such as rsyslog or syslog-ng to listen for your logs and cache them to disk and then forward them via a monitor stanza in inputs.conf. However, if you want Splunk to listen directly, here is an example inputs.conf that you can tweak for your deployment: [udp://10514]
disabled = false
connection_host = ip
sourcetype = <<firewall_product>>
index = main For sourcetype, look on Splunkbase for your firewall vendor to check if there is an appropriate TA that you can use for field extractions. For example palo-alto firewall would be pan_log. For index, pick an appropriate index to suit your needs. Finally, inputs.conf can either be deployed within an app (recommended) or directly under /opt/splunk/etc/system/local/ Also, make sure that 10514 is permitted on the local firewall.
... View more
07-16-2024
06:33 PM
What type of DB are you trying to connect to? Can you share your connection string and other configuration (redacted as appropriate) please?
... View more
07-16-2024
06:25 PM
1 Karma
Hi, You can do that with an eval command. | eval firstSeenTS = strptime(firstSeen, "%b %d, %Y %H:%M:%S %Z"),
lastSeenTS = strptime(lastSeen, "%b %d, %Y %H:%M:%S %Z"),
firstLastDiff = (lastSeenTS - firstSeenTS)/86400,
firstNowDiff = (now() - firstSeenTS)/86400 If you want to round your days down to whole numbers you can use floor()
... View more
07-16-2024
06:14 PM
Hi CW, Assuming you haven't made any modifications to the Palo Alto TA (and subsequent sourcetypes). There is no reason why Splunk would be dropping the URL log_subtype. Check for a filter on the Palo Alto logging policy to not include the URL subtype? Otherwise can you confirm the PanOS version and TA version that you have deployed as there has been some issues with this sourcetype before. Cheers!
... View more
07-16-2024
05:29 PM
Hi, There could be a few things going on here. I would hazard a guess that you're running Splunk as a non-root user trying to bind to port 443 which is a privileged-port. Check if Splunk is listening on 443/TCP: ss -tlp Also, check for web related messages under: $SPLUNK_HOME/bin/splunk status And UiHttpListener entries in /opt/splunk/var/log/splunk/splunkd.log. If this is indeed your problem, I suggest that you use different port such as 8443. You could also try to allow Splunk to bind to the system ports, you will need to research how to do this securely for your environment. If Splunk is listening on 443, start working your way out: Are there any error entries in splunkd.log. Can you curl it via local host curl -kv https://localhost Are you dropping connections on the local FW? firewall-cmd --list-all Is there a routing issue / network firewall between your client browser and Splunk instance? Is there an issue with client machine / browser? Feel free to upload any relevant Splunkd.log entries, redacted appropriately to help troubleshooting.
... View more
04-06-2023
07:09 PM
The issue was actually the "case_sensitive_match" transforms.conf entry. The case_sensitive_match entry requires the kvstore contents to be lower case. If you don't drop the case on your kvstore contents then the | lookup command will stop matching, even if the case matches! This is one for my notebook...
... View more
04-06-2023
06:20 PM
A newly created KVStore collection is not returning matches for a lookup command, despite the fact it's populated. For example: | inputlookup my_kvstore Returns the following results: field_1 field_2 field_3 Abc Def Hij Therefore, I would expect to be able to lookup field_1 and get the same results. | makeresults
| eval field_1 = "Abc"
| fields - _time
| lookup my_kvstore field_1 Instead, I get: field_1 field_2 field_3 Abc To rule out any typos, I even tried: | inputlookup my_kvstore
| table field_1
| lookup my_kvstore field1 OUTPUT field_1 AS new_field But that returns: field_1 new_field Abc As for the configuration: ## collections.conf ## [my_kvstore] field.field_1= string field.field_2= string field.field_3 = string replicate = true disabled = 0 ## transforms.conf ## [my_kvstore] collection = my_kvstore external_type = kvstore fields_list = field_1,field_2,field_3 case_sensitive_match = 0 I'm at a loss, but before I go down the support route, I'd appreciate any hel
... View more
Labels
- Labels:
-
lookup
03-30-2023
01:33 PM
curl -k -u username:password https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/abc/acl The servicesNS API (services namespace) explicitly uses user/app contexts (namespaces) to fetch results. servicesNS/<<user>>/<<app>> In order for the abc search to be shown, it must be visible to that <<user>> in that <<app>>. You can use the servicesNS/-/-/ endpoint to return all namespace contexts e.g: curl -k -u username:password https://127.0.0.1:8089/servicesNS/-/-/saved/searches/abc/acl
... View more
03-29-2023
02:36 PM
Hi @klim, Unfortunately, not. | rest can only be used to perform GET requests. You cannot use any other HTTP method. If you want to do this with a Splunk search (and not a different program like curl) then I would consider a custom command / alert action. There is some old stuff kicking around on Splunkbase that might be able to help but I haven't seen anything that is supported on Splunk 9.x.
... View more
03-29-2023
07:01 AM
I'll do some testing and get back to you later.
... View more
03-29-2023
06:57 AM
Sure no problem. This validation error pertains to the fact some of your files outside of the bin directory have execute permissions set. The way to fix this is to remove the execute permissions for any file that does not need to be executed. WARNING: This command will change file permissions so make sure that you only run this in your app directory (do not run this command elsewhere on your OS), firstly lets find all of the non-bin files in the app because these will not need to have execute permissions. cd my_app
find -type f -not -path "./bin/*" Once you're happy that this is finding the correct files, we can then add the permission change: find -type f -not -path "./bin/*" -exec chmod 644 {} + Then we'll need to deal with the bin directory, if your bin is entirely Python based, then because Python is an interpreted language (e.g. the Python binary executes and reads the Python scripts) we can remove the execution permissions from the bin contents too: find -type f -path "./bin/*" -exec chmod 644 {} + The only thing in your bin that will need execution permissions are shell scripts and other executables. You can explicitly set these individually with a chmod (e.g. allow all users to execute and read my_executable): chmod 755 ./bin/my_executable
... View more
03-28-2023
08:43 PM
Your metrics indicate that your events are arriving, it's peculiar that you can't see them. @yeahnah calling out _time extraction is a great shout. Definitely explore those ideas. Could your events be older than your frozenTimePeriodInSecs? Queue routing is defined in transforms.conf and applied via props.conf. I'd check what props.conf apply to your sourcetype, host:: or source:: and make sure that there are no TRANSFORMS calls modifying the queue or index names. TCP routing is defined in inputs.conf but your post has ruled out those issues. The disabled/deleted index message is an actual warning presented within the Splunk GUI (not logged), look for a blue circle with a number in at the top of the GUI. Another thing to check is: have you blown your license for today? Seems trivial but its worth checking off. Finally, does your user have permissions to read that index? If nothing turns up, I would also suggest a restart of Splunk Enterprise just to rule it out.
... View more
