Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About damode
damode
Motivator
Member since:
09-26-2017
05-06-2021
Community Statistics
| Posts | 310 |
| Solutions | 8 |
| Karma Given | 132 |
| Karma Received | 21 |
| Member Since | 09-26-2017 |
Activity Feed
- Got Karma for Re: How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade ?. 01-27-2026 11:03 AM
- Got Karma for Re: operation:"copying source to destination", error:"Access is denied.". 03-19-2025 09:25 PM
- Got Karma for Bucket replication issues - No possible srcs for replication. 08-26-2021 01:26 PM
- Posted cannot change user and/or app context of a report that is embedded on Knowledge Management. 05-06-2021 03:57 AM
- Posted Re: How to configure index settings to index data directly in S3 buckets/smartstore ? on Getting Data In. 05-05-2021 06:48 PM
- Posted How to configure index settings to index data directly in S3 buckets/smartstore ? on Getting Data In. 05-04-2021 05:38 PM
- Posted Is there any Splunk recommended best practice for ingesting Netflow data ? on Getting Data In. 05-03-2021 09:16 PM
- Got Karma for How to configure input in DB Connect v3.1.2 for Splunk Add-on for Microsoft SQL Server using template mssql:audit ?. 03-01-2021 04:55 PM
- Posted Re: What is the recommended logging requirement for Linux OS from Splunk ES perspective ? on Splunk Enterprise Security. 02-04-2021 01:54 PM
- Posted What is the recommended logging requirement for Linux OS from Splunk ES perspective ? on Splunk Enterprise Security. 02-03-2021 09:18 PM
- Posted Need help to find specific auth logs for Linux OS on Getting Data In. 02-01-2021 12:31 AM
- Posted Re: Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ? on Splunk Enterprise Security. 01-31-2021 04:22 AM
- Posted Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ? on Splunk Enterprise Security. 01-28-2021 11:48 PM
- Posted Application Protocols list in ES - unclear in documentation on Splunk Enterprise Security. 01-28-2021 02:30 AM
- Posted What is the actual use of Expected Views lookup ? on Splunk Enterprise Security. 01-28-2021 02:23 AM
- Posted How does ESCU app exactly maps Analytical Stories against CIS Controls ? on Splunk Enterprise Security. 01-12-2021 03:43 AM
- Posted Is there any automated way to check or validate magix six parsing attributes have been configured ? on Getting Data In. 01-09-2021 05:28 PM
- Posted Re: Accelerating CIM Validation (S.o.S.) datamodel results in error on Splunk Enterprise Security. 01-06-2021 04:09 PM
- Posted Re: SSL Certificate Checker: Which extensions are supported? on All Apps and Add-ons. 01-05-2021 02:17 PM
- Posted Strategies for populating watchlist field in Assets and Identity Framework on Splunk Enterprise Security. 01-04-2021 05:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-27-2019
09:09 PM
There are two type of S3 buckets for Umbrella DNS. one is Cisco Managed and other is self Managed bucket.
... View more
03-25-2019
08:53 PM
2 Karma
Answering my own question here. I was able to fix the issue by doing the following,
From the FROM keyword in the sql query, replaced all table names from EPOEvents --> "ePO_ABCEPO_Events"."dbo"."EPOEvents"
Added this statement - AND [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() ) at the end of the query as the query used to get timed out all the time.
the default template query mentions OSServicePackVer as one of the table columns, however, it seems to have changed in new version of EPO server to OSCsdVersion , so change that part in the query.
So the modified query looks like below,
SELECT
[EPOEvents].[ReceivedUTC] as [timestamp],
[EPOEvents].[AutoID],
[EPOEvents].[ThreatName] as [signature],
[EPOEvents].[ThreatType] as [threat_type],
[EPOEvents].[ThreatEventID] as [signature_id],
[EPOEvents].[ThreatCategory] as [category],
[EPOEvents].[ThreatSeverity] as [severity_id],
[EPOEventFilterDesc].[Name] as [event_description],
[EPOEvents].[DetectedUTC] as [detected_timestamp],
[EPOEvents].[TargetFileName] as [file_name],
[EPOEvents].[AnalyzerDetectionMethod] as [detection_method],
[EPOEvents].[ThreatActionTaken] as [vendor_action],
CAST([EPOEvents].[ThreatHandled] as int) as [threat_handled],
[EPOEvents].[TargetUserName] as [logon_user],
[EPOComputerProperties].[UserName] as [user],
[EPOComputerProperties].[DomainName] as [dest_nt_domain],
[EPOEvents].[TargetHostName] as [dest_dns],
[EPOEvents].[TargetHostName] as [dest_nt_host],
[EPOComputerProperties].[IPHostName] as [fqdn],
[dest_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ),
[EPOComputerProperties].[SubnetMask] as [dest_netmask],
[EPOComputerProperties].[NetAddress] as [dest_mac],
[EPOComputerProperties].[OSType] as [os],
[EPOComputerProperties].[OSCsdVersion] as [sp],
[EPOComputerProperties].[OSVersion] as [os_version],
[EPOComputerProperties].[OSBuildNum] as [os_build],
[EPOComputerProperties].[TimeZone] as [timezone],
[EPOEvents].[SourceHostName] as [src_dns],
[src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ),
[EPOEvents].[SourceMAC] as [src_mac],
[EPOEvents].[SourceProcessName] as [process],
[EPOEvents].[SourceURL] as [url],
[EPOEvents].[SourceUserName] as [source_logon_user],
[EPOComputerProperties].[IsPortable] as [is_laptop],
[EPOEvents].[AnalyzerName] as [product],
[EPOEvents].[AnalyzerVersion] as [product_version],
[EPOEvents].[AnalyzerEngineVersion] as [engine_version],
[EPOEvents].[AnalyzerDATVersion] as [dat_version],
[EPOProdPropsView_VIRUSCAN].[datver] as [vse_dat_version],
[EPOProdPropsView_VIRUSCAN].[enginever64] as [vse_engine64_version],
[EPOProdPropsView_VIRUSCAN].[enginever] as [vse_engine_version],
[EPOProdPropsView_VIRUSCAN].[hotfix] as [vse_hotfix],
[EPOProdPropsView_VIRUSCAN].[productversion] as [vse_product_version],
[EPOProdPropsView_VIRUSCAN].[servicepack] as [vse_sp]
FROM "ePO_ABCEPO"."dbo"."EPOEvents"
LEFT JOIN "ePO_ABCEPO"."dbo"."EPOLeafNode" ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
LEFT JOIN "ePO_ABCEPO"."dbo"."EPOProdPropsView_VIRUSCAN" ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
LEFT JOIN "ePO_ABCEPO"."dbo"."EPOComputerProperties" ON [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID]
LEFT JOIN "ePO_ABCEPO"."dbo"."EPOEventFilterDesc" ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
AND ([EPOEventFilterDesc].[Language]='0409')
WHERE [EPOEvents].[AutoID] > ? AND [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() )
ORDER BY [EPOEvents].[AutoID] ASC
If you choose the right, Connection, catalog, schema, select the mcafee add-on template and modify the generated sql query accordingly, the rising column should get populated automatically.
... View more
03-24-2019
08:37 PM
Hi @jmheaton, did you also make your Search Heads HTTPS based? If yes, please share the method you used to configure that. Thanks.
... View more
03-20-2019
08:10 PM
I am trying to setup an input in DBConnect app to ingest logs from McAfee ePO. I have successfully created a connection to the DB. However, unable to get past the input settings. As per the docs, that mention, If a database other than the default McAfee database is selected, the template must be updated with the actual McAfee database and schema name. I have updated the template to change the default DB from EPOEvents --> "ePO_ABCEPO_Events"."dbo"."EPOEvents"
On the "New Inputs", I have selected the connection, catalog, schema and chose the McAfee template. But still, the rising column is not generating any column.
However, when I just choose the Table, it automatically runs the query - SELECT * FROM "ePO_ABCEPO"."dbo"."EPOEvents" and displays the table and Rising Column does display all the available columns.
Please advise how can I solve this issue. The docs arent so well documented for setting the inputs. for DBConnect 3.x.x
... View more
Labels
- Labels:
-
troubleshooting
03-14-2019
06:21 PM
As per the documentation, I have generated a new token in Splunk and configured ADAuditplus using the token. However, I still dont see any logs from it.
I have also checked the HTTP Event Collector: Instance page under Monitoring Console-->Indexing-->Inputs, but it says, "You currently have no tokens configured."
UPDATE: It was the firewall initially that was blocking the connection. However, now its a SSL issue.
When SSL was enabled on ADAuditplus, it gave this error, while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
After disabling the SSL, its giving this error, error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Please advise.
... View more
03-14-2019
04:21 PM
As the title suggests, I am looking to configure Splunk on Windows platform to consume logs from Cisco-managed S3 bucket ?
There are already instructions to configure Splunk on Linux, but wondering if there is a similar solution for Splunk on Windows ?
... View more
03-05-2019
09:09 PM
I am trying to install UFs on a number of hosts using the below script got from one of the post in this forum,
#!/bin/sh
# This EXAMPLE script shows how to deploy the Splunk universal forwarder
# to many remote hosts via ssh and common Unix commands.
# For "real" use, this script needs ERROR DETECTION AND LOGGING!!
# --Variables that you must set -----
# Set username using by splunkd to run.
SPLUNK_RUN_USER="splunk"
# Populate this file with a list of hosts that this script should install to,
# with one host per line. This must be specified in the form that should
# be used for the ssh login, ie. username@host
#
# Example file contents:
# splunkuser@10.20.13.4
# splunkker@10.20.13.5
HOSTS_FILE="uf_hosts"
# This should be a WGET command that was *carefully* copied from splunk.com!!
# Sign into splunk.com and go to the download page, then look for the wget
# link near the top of the page (once you have selected your platform)
# copy and paste your wget command between the ""
WGET_INSTALL="sudo yum -y install wget"
WGET_CMD="wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true'"
# Set the install file name to the name of the file that wget downloads
# (the second argument to wget)
INSTALL_FILE="splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz"
# After installation, the forwarder will become a deployment client of this
# host. Specify the host and management (not web) port of the deployment server
# that will be managing these forwarder instances.
# Example 1.2.3.4:8089
DEPLOY_SERVER="18.207.205.49:8089"
# Set the seed app folder name for deploymentclien.conf
DEPLOY_APP_FOLDER_NAME="ap3_all_deploymentclient"
# Set the new Splunk admin password
PASSWORD="QzpU9l8T"
REMOTE_SCRIPT_DEPLOY="
cd /opt
sudo $WGET_INSTALL
sudo $WGET_CMD
sudo tar xvzf $INSTALL_FILE
sudo rm $INSTALL_FILE
sudo useradd $SPLUNK_RUN_USER
echo "
[user_info]
USERNAME = admin
PASSWORD = $PASSWORD
" > /opt/splunk/etc/system/local/user-seed.conf
sudo mkdir -p /opt/splunkforwarder/etc/apps/$DEPLOY_APP_FOLDER_NAME/local
sudo echo "[target-broker:deploymentServer] targetUri = $DEPLOY_SERVER" > /opt/splunkforwarder/etc/apps/$DEPLOY_APP_FOLDER_NAME/local/deploymentclient.conf
sudo chown -R $SPLUNK_RUN_USER:$SPLUNK_RUN_USER /opt/splunkforwarder
sudo -u $SPLUNK_RUN_USER /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user $SPLUNK_RUN_USER
exit
"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
#===============================================================================================
echo "In 5 seconds, will run the following script on each remote host:"
echo
echo "===================="
echo "$REMOTE_SCRIPT_DEPLOY"
echo "===================="
echo
sleep 5
echo "Reading host logins from $HOSTS_FILE"
echo
echo "Starting."
for DST in `cat "$DIR/$HOSTS_FILE"`; do
if [ -z "$DST" ]; then
continue;
fi
echo "---------------------------"
echo "Installing to $DST"
echo "Initial UF deployment"
sudo ssh -t "$DST" "$REMOTE_SCRIPT_DEPLOY"
done
echo "---------------------------"
echo "Done"
echo "Please use the following app folder name to override deploymentclient.conf options: $DEPLOY_APP_FOLDER_NAME"
After executing the script, I am getting the below error in the logs,
bash: line 7: /opt/splunkforwarder/etc/system/local/user-seed.conf: Permission denied
bash: line 9: /opt/splunkforwarder/etc/apps/ap3_all_deploymentclient/local/deploymentclient.conf: Permission denied
Already executing those commands as a sudo user, still I am getting the errors. Please advise.
... View more
03-05-2019
07:17 PM
I got the below error, when I ran this script,
bash: line 7: /opt/splunkforwarder/etc/system/local/user-seed.conf: Permission denied
bash: line 9: /opt/splunkforwarder/etc/apps/org_all_deploymentclient/local/deploymentclient.conf: Permission denied
... View more
02-28-2019
03:40 PM
Got it. I am already running a dedicated MC separate to a SHC I have deployed.
... View more
02-28-2019
03:22 PM
Yes, that was my view too but the docs clearly say not to add any clustered indexers. What they failed to mention was that the DMC has to be added as a search head within the indexer clustering setting.
... View more
02-28-2019
02:51 PM
But the documentation is so confusing. It doesn't clearly say that apart from integrating the SHC
to search the indexer cluster, in order to be able to view the clusters in the DMC, the DMC also needs to be added enabled as a Search Head on the Indexer Cluster. There is no mention in the DMC documentation about enabling it as a search head within the Indexer Clustering setting.
In this doc, https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Enablethesearchhead, it only says enable a search head to manage searches across the Indexer. How is one supposed to know the S.H mentioned here is applicable for a DMC too.
... View more
02-28-2019
01:03 AM
oh sorry I am mistaken. did you mean enabling search head on the MC ?
... View more
02-28-2019
12:58 AM
if I have a search head cluster then should I enable the search head on all 3 search heads ?
... View more
02-27-2019
09:17 PM
As per the documentation for adding search peers in DMC which states Do not add clustered indexers, but be sure to add clustered search heads. If you are monitoring an indexer cluster and you are hosting the monitoring console on an instance other than the cluster master, you must add the cluster master(CM) as a search peer.
I have added C.M as a search peer and haven't added any clustered indexers as search peer. However, still I am unable to see Indexers on the overview page of the DMC or under General settings page. All it shows that the Master Node has two peers.
Is this an expected behaviour ?
... View more
- Tags:
- splunk-enterprise
02-11-2019
02:37 PM
Thanks. If I choose to add a third member, whats the lowest spec I can add to it to make it part of the cluster and participate in the dynamic captain election process ?
Will 2GB ram and 2 vCPU be enough for it ?
... View more
01-28-2019
02:17 PM
I have to setup a Splunk Indexer on a Cisco UCS box.
Please advise how this can be achieved. Thanks
... View more
01-24-2019
06:55 PM
I have deployed the Splunk Search Head Cluster with two Search Head members and a Deployer.
I read here Captain election process has deployment implications
that a cluster must consist of a minimum of three members to participate in dynamic captain election process.
If I don't have the option to add a third one. and a cluster cannot function without a captain, can I use the "static captain" option to overcome the problem? Or are there any better alternatives or workarounds for this issue ?
... View more
01-24-2019
06:15 PM
Captain_election_process_has_deployment_implications
Based on the above link,
A cluster must consist of a minimum of
three members.
Is there any workaround to this ?
... View more
01-21-2019
02:21 PM
thanks alot for sharing this!
I will definitely give that a try on my test instance.
... View more
01-21-2019
02:18 PM
1 Karma
I resolved this issue by downgrading the app from 2.5.2.3 to 2.5.2. I was able to get events in Phantom after that.
... View more
01-20-2019
04:57 PM
I tried forwarding events using the New Saved Search Export option
, however I am getting this error - File contains parsing errors: [line 2]: '\xef\xbb\xbf# Version 7.2.1\n'
... View more
01-20-2019
02:59 PM
Hi @tomaszdziwok, thanks. that explains it. I am also using non-ES splunk instance.
So, the only option to get events from Splunk non-ES instance to Phantom is the saved search, no option to send alerts ?
... View more
01-17-2019
08:46 PM
I have created an alert in Splunk that fires off once a particular type of event is detected and also configured an alert action that should supposedly send that event to Phantom via "Send to Phantom" action.
However, despite the alert having firedoff multiple times, I still see no event received in Phantom.
I have tried sending the alerted event through "run Playbook in Phantom" alert action as well, still of no use. I have ensured connectivity between Phantom and Splunk is successful.
Tried other ways such as exporting saved search available in Splunk Phantom app, but that didnt work either. Can someone please share some documentation on the phantom app as well ? Thanks.
... View more
01-15-2019
06:24 PM
2 Indexers - 12GB ram and 12 vCPU
2 Search Heads - 12GB ram and 12 vCPU
1 Heavy Forwarder/ D.S - 12GB ram and 12 vCPU
I am working on deployment with the above components and h/w specs.
Can I combine Indexer Cluster Master node with SHC Deployer and License Master ? If yes, what would be the recommended h/w specs for that ?
Regarding DMC, can I combine it with my H.F/D.S ?
... View more
- Tags:
- splunk-enterprise
10-18-2018
09:25 PM
Hi @vgollapudi, what version of Splunk you were using when you deployed this app and add-on successfully ?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-06-2021
08:24 AM
|
