Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About BunnyHop
BunnyHop
Contributor
Member since:
03-07-2010
06-05-2020
Community Statistics
| Posts | 129 |
| Solutions | 14 |
| Karma Given | 25 |
| Karma Received | 110 |
| Member Since | 03-07-2010 |
Activity Feed
- Karma Log files on Remote Windows Workstation for srich. 06-05-2020 12:45 AM
- Karma Re: New User - how to ask a follow-on question? for Justin_Grant. 06-05-2020 12:45 AM
- Karma Re: Search by file name? for chris. 06-05-2020 12:45 AM
- Karma Re: How is Splunk webserver hosted? for southeringtonp. 06-05-2020 12:45 AM
- Karma Re: Can you add a map (either AMMAP or GoogleMap) on an existing Dashboard for ziegfried. 06-05-2020 12:45 AM
- Karma Re: How do you change the legend value for ftk. 06-05-2020 12:45 AM
- Karma Drilldown from Flashchart object for Ant1D. 06-05-2020 12:45 AM
- Karma Re: How do you add sourcetypes to the pre-defined sourcetypes for southeringtonp. 06-05-2020 12:45 AM
- Karma Re: hostname extraction regex for bbingham. 06-05-2020 12:45 AM
- Karma Re: Bucket Search Command Question for ziegfried. 06-05-2020 12:45 AM
- Karma Re: Timechart and Chart display buggy column "count" when using "limit=0" for sideview. 06-05-2020 12:45 AM
- Karma Re: Given a bucket name of db_1274129994_1273525194_0 what is the span of the events within this bucket? for the_wolverine. 06-05-2020 12:45 AM
- Karma Re: How do you filter Windows Event Log? for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: Can Splunk monitor MSSQL database content for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: Will Splunk automatically create an index listed in inputs.conf? for gkanapathy. 06-05-2020 12:45 AM
- Karma What Windows Event Codes are generally acceptable to filter out? for jones4bob. 06-05-2020 12:45 AM
- Karma Calculate the percentage for top X values of a field per day over time for sranga. 06-05-2020 12:45 AM
- Karma Re: Disable monitoring of sub directories for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: Where are the logs for buckets activity located for Glenn. 06-05-2020 12:45 AM
- Karma Re: How can you get rid of the GUI notifications for Glenn. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 |
04-30-2010
01:17 PM
I'm having an access issue with Splunk for IE8. The error message is
TypeError: 'NoneType' object is unsubscriptable
Anybody familiar with this issue?
... View more
- Tags:
- error
04-28-2010
12:53 PM
4 Karma
I have created my manual extraction of the fields due to the fact that I've never had the CHECK_FOR_HEADER attribute to work. Here's my IIS config:
props.conf
[iis_default]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_default = iis_default
[iis_w3c]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_w3c = iis_w3c
TRANSFORMS-comment = comment
transforms.conf
[no_header]
REGEX = NetBIOSName,DNSName,IP,MAC,OS,AuditID,CVE,Name,Description,Date,Risk,CVSSScore,FixInformation
DEST_KEY = queue
FORMAT = nullQueue
[iis_default]
FIELDS="c-ip","cs-username","date","time","service","s-name","s-ip","time-taken","c-sent","s-sent","sc-status","sc_win_status","cs_method","cs-uri-stem"
DELIMS = ","
[iis_w3c]
FIELDS="date","time","c-ip","cs-username","s-sitename","s-ip","s-port","cs-method","cs-uri-stem","cs-uri-query","sc-status","sc-win32-status","cs(User-Agent)"
DELIMS = " "
... View more
04-23-2010
07:24 PM
2 Karma
You can rename the passwd file to passwd.bak and restart splunk. You should be able to use the default login.
These 2 answers are similar to your question.
http://answers.splunk.com/questions/1718/ive-lost-my-splunk-admin-password-can-it-be-recovered
http://answers.splunk.com/questions/834/how-could-i-reset-the-admin-password
... View more
04-23-2010
07:22 PM
2 Karma
You can add a stanza on your props.conf and transforms.conf:
props.conf
[customsourcetype]
TRANSFORMS-logformat = customlogformat
transforms.conf
[customlogformat]
REGEX = ****insert regex here****
FORMAT = field1::$1 field2::$2 field3::$3
... View more
04-21-2010
10:29 PM
1 Karma
There are scanners that can detect the open port of a host. Try to run a scanner, i.e. nmap, nessus, etc, to see what's using the port 514 on your host (or where you have your splunk installed).
... View more
04-20-2010
08:24 PM
I would like to create a graph that would show values compared from an initial source.
Here's an example:
[file1.txt's content]
value1,name1
value1,name2
value1,name3
value2,name1
value2,name2
value2,name3
value3,name1
value3,name2
value3,name3
[file2.txt's content]
value1,name1
value1,name2
value2,name2
value2,name3
value3,name2
value3,name3
[file3.txt's content]
value1,name2
value2,name2
I would like to show on a bar/line graph the number per value.
... View more
- Tags:
- chart
- search-language
You should be able to modify the web.conf with the following setting:
[settings]
httpport = 80
... View more
04-20-2010
05:22 PM
From what the user is saying, it seems that setting the TZ to GMT was not working. Perhaps a bug?
... View more
04-20-2010
03:45 PM
BTW, my inability to make the ARR on IIS work doesn't mean the answer provided is not correct, so I will hand it to you gkanapathy, for the patience :).
... View more
04-20-2010
03:44 PM
I'm giving up. I'm going to use the trustedIP on the web.conf to perform restriction.
... View more
04-20-2010
02:23 PM
Should I configure both web.conf and server.conf for trustedIP or just the server.conf?
... View more
04-19-2010
08:17 PM
Understood. The problem really is either you're blacklisting or whitelisting. You can either allow for certain events and then drop everything else or you can drop certain events and allow everything else. Does this make sense?
... View more
04-19-2010
12:45 PM
It should be possible. What are you trying to accomplish? If you want to keep the rest of the events on Splunk you're probably better off creating a saved search instead of filtering.
... View more
04-19-2010
12:36 AM
Understood, gkanapathy, for right now, I simply just need to control access, possibly to testers only, until the Ent comes in the door. However, it might take quite a while until I get my hands on the Ent so for now this will do. So SSO can still be configured with Free? I would assume the remote_user would have to be the "Admin" user?
... View more
04-16-2010
03:34 PM
You can go to the machines where the LightWeightForwarder are installed and run the command ./splunk list forward-server. If the forward-server is listed as inactive, most likely, the server does not have the port open to receive the Splunk tcp traffic.
... View more
04-16-2010
12:48 PM
Try removing the transforms stanza and modify your props with the below settings, restart afterwards:
props.conf
[host::192.168.9*]
index = index_GroupA
[host::192.168.13.*]
index = index_GroupB
... View more
04-16-2010
12:41 PM
4 Karma
Please see this:
http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log
This talks about filtering the native Windows Event Log. Since the eventlog is a multiline type event log, you will have to add the (?m) before your query. Also, if you're using LWF, you would want to have the props.conf and transforms.conf configured on the indexer. I would do a negate regex, so that way everything is not indexed but eventCodes 4634 and 4662. By doing this, you can remove the InputNull reference on your props, and completely remove it from your transform. Change your transform to this:
transforms.conf
[WinEventLog:Security]
TRANSFORMS-InputNegate = InputNegate
transforms.conf
[InputNegate]
REGEX = (?msi).*EventCode=([^4634]|[^4662]).*
DEST_KEY = queue
FORMAT = nullQueue
... View more
04-15-2010
09:50 PM
1 Karma
Windows authentication itself is not passthru as cleartext, with a few exceptions (IIS basic authentication, Telnet, etc etc). If these are the items you're looking for, you might find this on different logs than from the Security event log, as that stores actual Windows logon, and are therefore, not going to be cleartext. My understanding is that Telnet is sent in the clear, and therefore you will see the password when you perform network sniffing, but I'm not sure if it ends up clear on the server. Eitherway, you might be looking at a different eventID than 540.
BTW, only because I'm a security geek, be careful looking for cleartext password.
... View more
04-15-2010
12:45 PM
1 Karma
Mine is simply this:
[default]
TZ = US/Eastern
So maybe try this?
[name_of_sourcetype]
TZ = US/Pacific
Make sure that whatever it is that you put on the name_of_sourcetype is the sourcetype that the IIS log is using.
... View more
04-15-2010
12:21 PM
This can be easily done through regex on your props.conf & transforms.conf:
props.conf
[sourcetype_for_the_csv]
REPORT-multifield = multifield
transforms.conf
[multifield]
REGEX = Books:(\d+,\d+,\d+,\d+,\d+,\d+)
FORMAT = book::$1
... View more
04-15-2010
02:43 AM
Try this search:
sourcetype=whatever | chart count(ssl_type) over protocol by ssl_type
... View more
04-14-2010
03:41 PM
1 Karma
You can solve this by assigning a higher priority on [monitor:///foo/bar/.../.../wu_*.log]
Please see this: http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Attributeprecedencewithinafile
and go to section "Attribute precedence within a single file"
... View more
04-14-2010
01:43 PM
1 Karma
You can either do it from the config file (indexes.conf) or through the GUI (Manager > Indexes). Keep in mind if you do rename the index and you have setup inputs to go in that index, you will have to reconfigure those input to point to the new name of the index.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
