Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About mikaelbje
mikaelbje
Motivator
Member since:
09-05-2012
06-05-2020
Community Statistics
| Posts | 443 |
| Solutions | 40 |
| Karma Given | 216 |
| Karma Received | 153 |
| Member Since | 09-05-2012 |
Activity Feed
- Got Karma for Re: Is there a way to specify the Splunk search Schedule Window defaults?. 03-10-2023 03:23 AM
- Got Karma for Re: How can I change the location of accelerated data model summary data?. 12-01-2022 01:31 AM
- Got Karma for Re: Indexer Cluster and Search Head Cluster with Datamodel Acceleration. 07-20-2022 09:18 AM
- Got Karma for Re: Why would the source type cisco:ios not be getting created? Can I add it manually?. 02-13-2022 06:35 PM
- Got Karma for Re: Forwarding logs from Windows Event Collector. 08-29-2020 02:56 AM
- Got Karma for Re: How would one correctly configure DATETIME_CONFIG for an app that could be installed in either an indexer cluster or standalone splunk?. 07-21-2020 01:47 AM
- Karma Re: Syslog events not matching IOS XR regex to transform for rphillips_splk. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco ESA Combine logs. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco ESA Combine logs. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco Firepower Systems (FTD) . Any ready made addons/TA available?. 06-05-2020 12:49 AM
- Karma Is there a Splunk App or Add-on that will help read and comprehend ADFS 3.0 authentication logs? for mgrulke. 06-05-2020 12:48 AM
- Karma Update of Splunk WSA Plugin to support WSA 10.x for tmayer. 06-05-2020 12:48 AM
- Karma How to set a token with eval? for jamesmarlowww. 06-05-2020 12:48 AM
- Karma Getting Cisco Ironport ESA data into the Common Information Model for kalifehj. 06-05-2020 12:48 AM
- Karma Re: Getting Cisco Ironport ESA data into the Common Information Model for kalifehj. 06-05-2020 12:48 AM
- Karma Why are searches stuck at "finalizing job" after upgrade to 6.5.0? for varad_joshi. 06-05-2020 12:48 AM
- Karma Re: Why are searches stuck at "finalizing job" after upgrade to 6.5.0? for sgarvin55. 06-05-2020 12:48 AM
- Karma Re: How to search for fields that cross correlate with a specified field? for jeffland. 06-05-2020 12:48 AM
- Karma Is it possible to do a "dry-run" of a serverclass configuration to see how it will actually deploy? for reedmohn. 06-05-2020 12:48 AM
- Karma Re: How to use my LDAP strategy to add all users in a domain to Splunk? for DalJeanis. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
03-17-2017
12:20 AM
In case anyone else is looking for this, I can happily confirm that upgrading FMC and Firepower appliances to 6.2.0 resolves the issue with user IDs (CSCuz95008). We now have correct user IDs populated in the events.
... View more
03-03-2017
05:46 AM
No, no time to open a support case. Since the solution that used to work is not referenced in the props.conf documentation and is possibly only a workaround, I doubt Support will spend much time on this.
Feel free to open a case if required and reference this thread.
... View more
03-03-2017
03:50 AM
2 Karma
Could not get this to work on 6.5.2. I know it used to work in earlier Versions.
My previous config was the following:
[cisco:ise:syslog]
DATETIME_CONFIG = ./default/datetime_udp.xml
But resulted in no indexed events from this sourcetype:
03-02-2017 16:18:13.956 +0100 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "./default/datetime_udp.xml": No such file or directory - data_source="/data/logs/cisco_ise/acs11.example.com/syslog-2017030216", data_host="acs11.example.com", data_sourcetype="cisco:ise:syslog"
I had to change it to the following to make it work:
[cisco:ise:syslog]
DATETIME_CONFIG = /etc/slave-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml
... View more
02-23-2017
01:33 PM
Hi!
What you are seeing is by intent. The message text is just saying "this is the format these events look like". This is looked up in a CSV file for enrichment. This dashboard used to display the actual message text including the values, but since these values change so rapidly doing a count by actual message text would create a large stats table with a count of 1 for each row due to the uniqueness of each event.
So instead of using this to look at the actual event, look at the count. If you see rows with a high count (indicating values are changing or many events of this type are received) you can drill down to see the actual events and troubleshoot from there.
Mikael
... View more
02-15-2017
01:47 AM
Instead of recreating this by yourself, I believe the following add-on already does what you're trying to achieve: https://splunkbase.splunk.com/app/3377/
It's even CIM compliant, meaning the fields are normalized.
... View more
02-10-2017
04:19 AM
And you can always test from your Cisco device by doing: "telnet 1.1.1.1 8089" if the connection really works. Anything you write on this socket will end up in Splunk.
... View more
02-10-2017
04:18 AM
Make sure you have the TA-cisco_ios add-on installed on your Heavy Forwarder to correctly handle line breaks. Maybe that helps?
... View more
01-25-2017
10:28 AM
There's an app on Splunkbase which I believe correctly cleans up the DNS debug logs in case you don't want to go down the Stream route:
https://splunkbase.splunk.com/app/3377/
... View more
01-24-2017
02:08 AM
1 Karma
Ok, thanks for checking that out.
What Splunk version are you on?
Regarding the partially indexed events - are you sure these are not just the headers or the #Fields line from the beginning of the file?
You may also try to use MonitorNoHandle:// instead of monitor://
In this case you must specify a single file, not a path nor wildcards.
You may also test the "time_before_close" parameter in your inputs.conf: https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf
There are probably a few other things to try as well. Maybe someone else will chime in with some tips.
... View more
01-24-2017
01:34 AM
Hi,
I haven't seen this before.
Did you push the TA-Microsoft_Forefront_TMG add-on to the Forwarder in question?
Did you install the TA-Microsoft_Forefront_TMG add-on on your Indexers?
Both are a requirement.
... View more
01-12-2017
04:14 AM
Do you have the Splunk Add-on for Microsoft Windows ( https://splunkbase.splunk.com/app/742 ) installed on your Search Head?
It defines the following sourcetype stanza in props.conf which I believe should auto extract this for you (given that your sourcetype is "XmlWinEventLog:*"):
[(?::){0}XmlWinEventLog:*]
If this doesn't work out of the box with the add-on, could you try adding the following to Splunk_TA_windows?
local/transforms.conf:
[userdata_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1
local/props.conf:
[(?::){0}XmlWinEventLog:*]
REPORT-1xml_kv_extract = userdata_props_xml_kv
This is untested in Splunk but I tested the regex in an online regex tool and I could see the fields extracted
... View more
01-11-2017
12:06 PM
I now have a multi tenant version of the app ready. It's not free of charge. Contact me if you are interested.
The multi tenant version will also lift the license terms for the Cisco Networks app and let you use it commercially, but not resell it.
... View more
01-05-2017
04:26 AM
Someone please file a feature request. I see many situations where this is needed, i.e. outsourcing forensics/detection/SoCaaS while having your own infrastructute but where your partner supplies its own SH connected to other detection systems/engines
... View more
12-19-2016
09:08 PM
If you have logrotate set up, are you sure it's not doing something funky during the rotate?
... View more
12-15-2016
01:05 AM
Hi!
You can pull the add-on from https://github.com/inspired/TA-cisco-esa-extras
It groups email transactions into a summary index once an hour. Copy default/macros.conf to local/macros.conf and modify the file to change the index where you want your summary data stored. The default in the app is "esa_summary", but you can replace that with "summary" to use the built-in summary index in Splunk.
When you get it to work you can tweak the run interval of the saved search.
Please note that this add-on requires that you also have the Splunk_TA_cisco-esa add-on installed and that your data goes into the right sourcetype as defined by that add-on.
... View more
12-13-2016
09:13 PM
All the commands required on the devices are also stated in the Help page of the Cisco Networks app
... View more
12-13-2016
12:04 PM
1 Karma
Foe switches and routers, check the Cisco Networks app and Add-on. They're available at apps.splunk.com and will give you the field extractions necessary to set up this kind of alerting or dashboard.
Cisco ASA add-on for your firewall.
... View more
12-11-2016
09:31 PM
You won't be able to do this. AFAIK there is also no guarantee that a new mail conversation won't show up in the middle of that conversation, so you can't really frame it. What you can do is work with this after indexing and feed it to a summary index. I have an app that does this which I intend to release if you want to test.
... View more
12-07-2016
06:13 AM
Yours is accepted. It would be great if you could edit it with the correct syntax as described in my Answer below.
... View more
12-07-2016
06:10 AM
1 Karma
BINGO! The following works:
<search>
<query>| makeresults | eval token=replace(replace($old_style_filter|s$,"index=","")," OR ",",") | table token</query>
<done>
<set token="pivot_filter">$result.token$</set>
</done>
</search>
Note the singular "result", not plural "results". The latter would not work.
Thank you!
... View more
12-07-2016
05:55 AM
Great tip, however the only values I end up in my testing are:
$pivot_filter$ (indicating the token isn't set)
$results.token$
I cannot get it to actually do the replacement. I've tested with $result.token$, $results.token$, 'result.token', 'results.token' as well as a hard coded "index=foo OR index=bar" inside the replace function.
Your example provided an extra ) so I removed that as well to get the right syntax
I'm on Splunk 6.5.1
... View more
12-07-2016
01:19 AM
1 Karma
Hi,
I have a lot of dashboards currently using standard search or tstats with a WHERE filter. The token for the filter is populated by a multi-select that sets the value to something like index=foo OR index=bla . However, in the same dashboard I have | pivot panels as well, and these use a different FILTER syntax, but I want the same filter from the token applied to both search/tstats and pivot style searches.
Pivot would require the following syntax:
FILTER index inList (foo,bar)
I've tried the following to get this to work:
In the multi-select
<change><eval token="pivot_style_filter">replace(replace(old_style_filter,"index=", "")," OR ",",")</eval></change>
However this only replaces the last entered value of the multi-select (last checked item)
I've also tried doing this with a macro in-line in the | pivot search, but the macro isn't expanded in this syntax:
| pivot ... FILTER index inList (`replace_old_style_filter`).
The backticks and everything is passed into the search log sent to the indexers.
Does anyone have an excellent solution to this matter? I don't really get why pivot can't accept the WHERE style filtering as well as FILTER style filtering.
My temporary workaround was to hack out the generated tstats command out of the search job inspector and use that for the searches, but this breaks drilldowns and prevents real-time searches from being done. It is also more work to maintain since you cannot simply reverse a tstats search back to a pivot search just like that.
... View more
11-29-2016
06:18 AM
Did you get this to work? My eval token is only replacing the first occurence too. On 6.5.1 with the following where I try to change:
index=bla OR index=foo
To
bla,foo
by using:
<input type="multiselect" token="tenant_indexes" depends="$multi_tenancy$">
<change>
<eval token="tenant_indexes_filter">replace(replace(tenant_indexes,"index=","")," OR ",",")</eval>
</change>
<label>Tenant</label>
<fieldForLabel>tenant_name</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| `get_tenants_for_user_role($env:user$)`</query>
</search>
<default>index=*</default>
<delimiter> OR </delimiter>
<choice value="index=*">All</choice>
</input>
... View more
11-25-2016
04:43 AM
I'd also love to hear how this can be solved in a proper way.
... View more
11-22-2016
04:50 AM
Tried hacking in support for this in the code but wasn't successful (we also have to cater for SSL inspection). There are no parameters in the "Add Inputs" setup page to add proxy or other CA certs, unfortunately.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
