Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About damode
damode
Motivator
Member since:
09-26-2017
05-06-2021
Community Statistics
| Posts | 310 |
| Solutions | 8 |
| Karma Given | 132 |
| Karma Received | 21 |
| Member Since | 09-26-2017 |
Activity Feed
- Got Karma for Re: How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade ?. 01-27-2026 11:03 AM
- Got Karma for Re: operation:"copying source to destination", error:"Access is denied.". 03-19-2025 09:25 PM
- Got Karma for Bucket replication issues - No possible srcs for replication. 08-26-2021 01:26 PM
- Posted cannot change user and/or app context of a report that is embedded on Knowledge Management. 05-06-2021 03:57 AM
- Posted Re: How to configure index settings to index data directly in S3 buckets/smartstore ? on Getting Data In. 05-05-2021 06:48 PM
- Posted How to configure index settings to index data directly in S3 buckets/smartstore ? on Getting Data In. 05-04-2021 05:38 PM
- Posted Is there any Splunk recommended best practice for ingesting Netflow data ? on Getting Data In. 05-03-2021 09:16 PM
- Got Karma for How to configure input in DB Connect v3.1.2 for Splunk Add-on for Microsoft SQL Server using template mssql:audit ?. 03-01-2021 04:55 PM
- Posted Re: What is the recommended logging requirement for Linux OS from Splunk ES perspective ? on Splunk Enterprise Security. 02-04-2021 01:54 PM
- Posted What is the recommended logging requirement for Linux OS from Splunk ES perspective ? on Splunk Enterprise Security. 02-03-2021 09:18 PM
- Posted Need help to find specific auth logs for Linux OS on Getting Data In. 02-01-2021 12:31 AM
- Posted Re: Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ? on Splunk Enterprise Security. 01-31-2021 04:22 AM
- Posted Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ? on Splunk Enterprise Security. 01-28-2021 11:48 PM
- Posted Application Protocols list in ES - unclear in documentation on Splunk Enterprise Security. 01-28-2021 02:30 AM
- Posted What is the actual use of Expected Views lookup ? on Splunk Enterprise Security. 01-28-2021 02:23 AM
- Posted How does ESCU app exactly maps Analytical Stories against CIS Controls ? on Splunk Enterprise Security. 01-12-2021 03:43 AM
- Posted Is there any automated way to check or validate magix six parsing attributes have been configured ? on Getting Data In. 01-09-2021 05:28 PM
- Posted Re: Accelerating CIM Validation (S.o.S.) datamodel results in error on Splunk Enterprise Security. 01-06-2021 04:09 PM
- Posted Re: SSL Certificate Checker: Which extensions are supported? on All Apps and Add-ons. 01-05-2021 02:17 PM
- Posted Strategies for populating watchlist field in Assets and Identity Framework on Splunk Enterprise Security. 01-04-2021 05:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-07-2018
08:41 PM
index=* sourcetype=symantec:*
|stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| where LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate
| lookup gdpr_system_category Host_Name | search category=*
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)
The input "Host_Name" that the lookup command in the search refers to, is incorrect. The correct input in the "gdpr_system_category" lookup is "host".
Hence, the search needs to be changed to reflect the correct input i.e host.
... View more
10-04-2018
10:17 PM
I have checked the following,
permissions on the add-on and input file and verified its correct.
did reload deploy-server
- used btool and got the following result on the Indexer,
c:\>splunk btool props list --debug | findstr iis
C:\Program Files\Splunk\etc\system\default\props.conf [iis]
C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-iis\default\props.conf [ms:iis:auto]
... View more
10-04-2018
10:02 PM
3 Karma
I have the following sites from the same source and host,
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Does this app supports multiple subdomains to be added in the site configuration ?
... View more
10-04-2018
05:56 PM
As the title says, I have deployed the Splunk Add-on for Microsoft IIS on the Universal Forwarder and have installed the add-ons on the Indexer and Search Head according to the docs.
However, despite all that, I am getting sourcetype=iis in searches. It looks like Splunk is applying the sourcetype=iis from its props.conf in defaults directory.
Can someone please advise how I can fix this ?
... View more
09-30-2018
08:31 PM
Getting the below error in In-Scope Device with Outdated Anti-Malware Found use case of Splunk Security Essentials app,
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
Can someone please advise how to fix it ?
Thanks.
... View more
09-24-2018
11:17 PM
Based on this link - link text
It seems to be an issue with the openssl version.
... View more
09-24-2018
04:26 PM
Before using the Splunk Default Certs, I had tried setting up SSL using self signed itself, as I have mentioned in my post. However, because that was giving me the same errors, I thought to make it simpler by using Splunk defaults.
... View more
09-19-2018
06:08 PM
Windows Security Operations Center app requires Adobe flash. Even after installing the flash player to the latest version, this app page still says, Splunk requires a newer version of Flash. (Minimum version: 9.0.124) Download Flash Player.
I noticed Adobe flash is not supported anymore in chrome. Firefox says it supports, however, the app still gives the above error.
Can someone please advise a workaround this issue ?
... View more
09-18-2018
04:41 PM
Forwarder - outputs.conf
[tcpout:group1]
server = 192.168.14.30:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem
sslPassword = password
sslVerifyServerCert = true
useClientSSLCompression = true
sslVersions = *,-ssl2
server.conf
[sslConfig]
sslPassword = password
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem
sslVersions = *,-ssl2
Indexer
inputs.conf
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
sslVersions = *,-ssl2
sslPassword = password
requireClientCert = true
server.conf
[sslConfig]
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem
sslVersions = *,-ssl2
I had initially started with self-signed certs but to make it less complicated, I am using Splunk default certs. Atleast once it starts working properly, I will move to self signed.
... View more
09-16-2018
10:54 PM
When I run the below command,
C:\Windows\system32>splunk cmd openssl
s_client -connect 192.168.14.30:9997
-tls1_2
the connection is successful but with the below errors,
CONNECTED(000000F0)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
164:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1498:SSL alert number 40
164:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:.\ssl\s3_pkt.c:659: ---
However, when I run the command provided by you, it also connects but with no error.
I also tried to change the ssl version to -
sslVersions = *,-ssl2
However, after doing that, I get this error,
ERROR TcpInputProc - Error encountered for connection from src=192.168.14.10:50890. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
... View more
09-16-2018
09:05 PM
Hi Harsh,
I have configured with above with Splunk default CA.
I was able to establish a successful comms from the forwarder to Indexer using
/opt/splunk/bin/splunk cmd openssl s_client -connect <INDEXER>:<SSLPORT> -cert <PATH_OF_FORWARDER_CERTIFICATE> -CAfile <PATH_OF_ROOTCA_CERTIFICATE>
However, I am still getting the exact same error.
... View more
09-13-2018
09:34 PM
Hi Harsh,
Here are the details,
C:\Windows\system32>splunk cmd openssl s_client -connect 192.168.14.1:9997
CONNECTED(000000F0)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDMjCCAhoCCQDQdsr0LOW0rTANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xODA3MTgwMTU2NDhaFw0yMTA3MTcwMTU2
NDhaMDcxIDAeBgNVBAMMF1NwbHVua1NlcnZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
DApTcGx1bmtVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2pd4
Dm5hIWqTwum95KLpNLyW6Bh0vLDWv8N11IZvvmBalr9Mxm4zrdgzeIv8mc26dyg0
Q4D9HyNKGzS1VYDHACohqFpwy6tIXA090TF4jX44vAAL1aAuamKKeHXfudectPTn
PEhwr8hUsNox4WcN9zI9vlBnDFXuByCaA3dMXOsihB/1kFLna4PCBD/VgM8bsi9Q
QWrFhuHWFuNmjTTCKGKeAB8mcoOkDNiSK5pKknMqh+SAfljgioYEdqGLhBUD+cTf
d5feJCWh3G0Hy1+xuC0r8mskcrWGMF0NXLRziskxV4Y3MREfhbRESYpu1i7jTC2X
Zd5VLaJuupGPsgyDFQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCJEj9Zm0E7MEAD
7c1klOS1ZqtPEEUNULiISohJQcTOG17cbl1BZlmLGCgHgmAXhuWC3xoYzwMa6Asm
vrsBtccyDvtXoudssjmzcdR7bd13ply3voMCXtDMTyZcgGzQSTuQtyxnVmzeYfeu
/+ZTP5bck87uKy4v5ElMnwXGx6hATfuaKDcJHPONwU++HBxfMW/mSNhLPQEV7kzT
dcsgB9EFnIYxD7LAVaIAmjTaP5Us5IQ+x5Hw+3nAYW2EvY5WtUEnwRB5BmMPE6eQ
Wh9RrdBxA8GVoodiFnjkEX/BqAo8akE3mECBcgEbg2zP20KWODTlq3ubfkdVbVSn
IpdY5e63
-----END CERTIFICATE-----
subject=/CN=SplunkServerDefaultCert/O=SplunkUser
issuer=/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2387 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 219FFC9E3E943B40B0362FA4EDBCC763873F6FE0B1055F0AE35850A0B2378BE0
Session-ID-ctx:
Master-Key: 76CA9533CD8C2C755EBD9C81EAF9A3967CEA54574FF557C63F0C68017612EA655FC58F56831E58F29C51575DB84C978C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - f7 7d 00 e8 4e 4c 25 f9-a1 d8 fc 89 2b a7 e5 09 .}..NL%.....+...
0010 - 84 bf 4f ec 38 0a b1 d9-84 cf 15 04 16 ca f8 d5 ..O.8...........
0020 - 8d bc cf 45 fb 2f 26 9c-2f 23 ff 69 ef 02 33 77 ...E./&./#.i..3w
0030 - 52 56 b8 d0 98 6d c2 19-79 31 b0 5a 7c 80 56 8d RV...m..y1.Z|.V.
0040 - 42 1a be a0 2f a7 ef 83-8f 03 d2 75 be 8e a8 f0 B.../......u....
0050 - 6d 5a d7 b1 db 6c 66 de-6b 5f 7d 49 0a 0e 5b 73 mZ...lf.k_}I..[s
0060 - f9 30 95 5c 55 c7 52 83-65 35 d5 fc 86 19 01 69 .0.\U.R.e5.....i
0070 - cb 8f c5 7c cc c5 3a 6d-f7 78 98 34 04 b5 66 58 ...|..:m.x.4..fX
0080 - 09 20 3b 97 45 0c 0d e3-ba 04 50 a8 57 b9 ef 6e . ;.E.....P.W..n
0090 - ac 6f 08 9b ae 85 f9 a0-68 7d 36 26 74 90 5d 1f .o......h}6&t.].
Compression: 1 (zlib compression)
Start Time: 1536899254
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0
On the forwarder Splunkd log, I get this message,
DEBUG TcpOutputProc - channel not registered yet
DEBUG TcpOutputProc - Connection not available. Waiting for connection
and on indexer,
INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with SSL
... View more
09-11-2018
11:37 PM
Initially I had started to set up Forward-to-indexer SSL setup using self signed certificate. However, I was getting the below error on the indexer in the Splunkd log,
ERROR TcpInputProc - Error encountered for connection from src=192.168.14.10:49497. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Thinking that I may have followed the process incorrectly, I resorted to setup the SSL using Splunk Default certs. however, I am still getting the same error.
I have tried changing the SSLversions to "* ,-ssl2" but retracted and kept the default which is tls1.2
I am using Splunk version 7.1.2 on both Indexer and UF.
Please advise.
... View more
09-06-2018
09:53 PM
Issue resolved.
The issue was with the permission on the inputs.conf file. Changed the permission on the file to include "System" user as well.
... View more
09-04-2018
02:04 AM
So does that mean, we need to create client.pem on each universal forwarder ?
... View more
08-29-2018
05:55 PM
I have created a custom app on D.S and pushed it on the U.F.
The app got pushed successfully except for the inputs.conf.
I have tried everything from splunk reload deploy-server to reloading the U.F, but nothing seems to work.
This is the first time I have ever faced such issue. How do I push the .conf file ?
Please advise.
... View more
08-28-2018
09:21 PM
As the title says, there is no data on the Index Detail page.
The search results says" Search is waiting for input... " for all the panels.
I had changed the Indexer Server name and hostname to INDEXER from HostABC. However, on the Indexer Detail page, its showing the instance name in dropdown list of only HostABC
Please advise a solution to this.
... View more
- Tags:
- dmc
- splunk-enterprise
08-09-2018
12:16 AM
With that, I only got one result same as the first in your screenshot - Operation=create. I am suspecting someone ran splunk clean eventdata -index test_index on cli.
Is there anyway to find user who executed this command ?
Thanks.
... View more
08-08-2018
10:23 PM
I had a test_index index created where I was sending all test data. However, out of nowwhere, today I see all data gone from it.
How can I find out which user messed up with this index ?
... View more
- Tags:
- splunk-enterprise
08-02-2018
11:47 PM
I am getting WinEventLog:System logs however, I am particularly not getting any logs for User Account locked out. The event code is 4740.
I have verified from the AD server that these logs were already generated and all inputs in the inputs.conf on the AD and Windows add-on of the U.F of the AD server are enabled.
I viewed the below stanza, but it doesnt looks like its causing any issue,
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
Can someone please guide how I can troubleshoot this issue ?
... View more
08-02-2018
10:23 PM
found the answer,
Below is the format :
jdbc:jtds:<server_type>://<server>[:<port>][/<database>][;<property>=<value>[;...]]
Example: jdbc:jtds:sqlserver://IP:1433/master;instance=SQLEXPRESS;user=sa;password=s3cr3t
... View more
08-02-2018
09:27 PM
There is already a post for this question but it deals with DB Connect app version 1. I tried to use the same solution but it doesnt seem to work for me.
I am using jtds driver
Can someone please advise how I can create a DB connection to a instance of an SQL Server. I already have configured connection to the default Database. For e.g, I have configured connection to ServerA but unable to configure connection to ServerA\Instance.
... View more
08-02-2018
01:42 AM
You are right. There was a miscommunication with the client. These logs are actually from Meraki!
Thanks for your assistance on this.
... View more
08-01-2018
03:25 AM
Yes, the add-on has been deployed literally everywhere, the S.H, indexer, heavy forwarder.
The data is in this format now,
<134>1 14245934.01624555 tfC_G_Af14 flows allow src=14.15.150.50 dst=152.56.5.51 mac=50:5E:55:53:82:30 protocol=tcp sport=3560 dport=56
Thats the Cisco PIX PFSS format (raw logging) set in Kiwi
... View more
08-01-2018
03:10 AM
Hi @FrankVI,
Configured Kiwi log file format as raw logs
In 1st attempt, removed host_segment=2 to check whether Cisco's add-on extracts the IP but it didnt work as expected. Resulting host value = syslog server IP.
2nd attempt, brought back host_segment=2, host IP extracted properly.
However, the Cisco networks app is still not showing any data. it looks like transforms is still not getting applied. Its already using the sourcetype = syslog as shown above in monitoring stanza of in the inputs.conf
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-06-2021
08:24 AM
|
