×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dominiquevocat
SplunkTrust
Member since: ‎08-26-2010
3 weeks ago
Community Statistics
Posts 292
Solutions 20
Karma Given 26
Karma Received 57
Member Since ‎08-26-2010
Activity Feed
Topics I've Started
View All

Re: How to set attachment name in sendemail comman...

by SplunkTrust in Other Usage
‎09-14-2021 04:53 AM
‎09-14-2021 04:53 AM
any update for splunk 8.2? where does this need to be placed? (lso it would be great if it was in the base product) ... View more

Re: How to restart Universal Forwarder from a Depl...

by SplunkTrust in Getting Data In
‎05-22-2020 01:54 AM
‎05-22-2020 01:54 AM
Not saying i disagree with you but would you care to explain how pushing arbitrary code for execution from a deployment server to any endpoint being run with potentially local system/root is saner and safer then using the splunk api remotely from the same box? ... View more

Re: How to restart Universal Forwarder from a Depl...

by SplunkTrust in Getting Data In
‎04-29-2020 07:28 AM
‎04-29-2020 07:28 AM
There is such a feature in https://splunkbase.splunk.com/app/2775/ - one or recursively over a search result. You need to reach port 8089 on the forwarders though and set a password for admin. ... View more

Re: Splunk_TA_mcafee-wg fields wrong?

by SplunkTrust in All Apps and Add-ons
‎01-24-2020 04:31 AM
‎01-24-2020 04:31 AM
no update on the enhancement request - i m not sure if we tried to fix it ourselfs ... View more

Re: mvexpand multiple multi-value fields?

by SplunkTrust in Splunk Search
‎01-21-2020 05:20 AM
‎01-21-2020 05:20 AM
maybe https://splunkbase.splunk.com/app/3936/ is of some use? ... View more

Re: TA-prtg: How do I add the PAI on the prtg to t...

by SplunkTrust in All Apps and Add-ons
‎08-15-2019 08:03 AM
‎08-15-2019 08:03 AM
Hi, i was on vacation so sorry for the delay. Please contact me via email so i can detail it some more for you. The search log you can open by hovering over a dashboard panel and in the lower right corner there should pop up a few icons, one allows yo to run the search in a new window and looks like a magnifying glass and one looks looks like a lower case i this will open the search info windows and there on top is a link to the search log. I would need the logfile. Please make sure you have a copy of prtg.conf in the app folder in an underfolder called local and have the parameters like hostname, user and password in that file all else won't work. ... View more

Re: TA-prtg: How do I add the PAI on the prtg to t...

by SplunkTrust in All Apps and Add-ons
‎07-23-2019 05:55 AM
‎07-23-2019 05:55 AM
ok, i need to check if i can get access to a PRTG, preferably that version... It is in english, right? Also i really need the search log of the job. you can email it to me. ... View more

Re: TA-prtg: How do I add the PAI on the prtg to t...

by SplunkTrust in All Apps and Add-ons
‎07-23-2019 12:38 AM
‎07-23-2019 12:38 AM
PRTG 7.1.0 ? also when you have a panel that gives an error you can inspect the job and get the search log. ... View more

Re: TA-prtg: How do I add the PAI on the prtg to t...

by SplunkTrust in All Apps and Add-ons
‎07-22-2019 01:12 AM
‎07-22-2019 01:12 AM
Local is just a folder under the app. What version of PRTG do you use? I might have to upgrade the implementation... ... View more

Re: commands against localhost?

by SplunkTrust in All Apps and Add-ons
‎01-22-2019 03:52 AM
‎01-22-2019 03:52 AM
thanks, i am aware of the webterminal - that is what i modified heavily to add a minimal bash like shell with some scripting abilities - you can check it out at https://github.com/dominiquevocat/minishell ... View more

commands against localhost?

by SplunkTrust in All Apps and Add-ons
‎01-16-2019 07:56 AM
‎01-16-2019 07:56 AM
I saw the app and like the concept - that said i am curious, can you run commands against the local machine? and if so how did you pass appinspect since i have several times tried to publish my minimal shell with some scripting and failed publishing each time even after rewriting it in pure python 🙂 ... View more

Re: OPSEC LEA R80 logging behind

by SplunkTrust in All Apps and Add-ons
‎11-29-2018 02:51 AM
‎11-29-2018 02:51 AM
the logs also have many new fields so the size of a event is about 3x larger plus you can not deselect the fields since they are not exposed in the inputs definition app plsu i fail to blacklist the superflous fields. 😕 ... View more

Re: Deployment Server - reload configs without res...

by SplunkTrust in Getting Data In
‎10-11-2018 08:14 AM
‎10-11-2018 08:14 AM
You might want to look at https://splunkbase.splunk.com/app/2775/ it has a relod deploy server as well as restart forwarder feature. ... View more

Re: Excel CSV/TSV Export

by SplunkTrust in Getting Data In
‎10-01-2018 07:50 AM
‎10-01-2018 07:50 AM
i can not say much as per araitz' work but maybe https://splunkbase.splunk.com/app/1832/ is of some use to you? ... View more

Re: merging local into default using git

by SplunkTrust in Splunk Search
‎09-28-2018 04:53 PM
‎09-28-2018 04:53 PM
Hi, would love to talk about it some if you have time. I am at .conf already (university) - any chance to meet for chat? ... View more

Re: Has anyone integrated Splunk and NetIQ eDirect...

by SplunkTrust in All Apps and Add-ons
‎08-17-2018 02:36 AM
‎08-17-2018 02:36 AM
LDAP but you need to use https://splunkbase.splunk.com/app/1852/ unless you don't have attributes with non 7bit ascii attributes in your schema. Also look into xdas - i might polish a little what we do and add it to splunkbase if there is interest. ... View more

Re: eDirectory events

by SplunkTrust in Getting Data In
‎08-17-2018 02:34 AM
‎08-17-2018 02:34 AM
You could use xdas, just use a pattern with no timestamp and index it as json. I do a fair lot of edirectory and idm stuff if you need more... ... View more

Re: Splunk_TA_mcafee-wg fields wrong?

by SplunkTrust in All Apps and Add-ons
‎08-03-2018 12:31 AM
‎08-03-2018 12:31 AM
hi, we use the TA out of the box - we have a newer version of mcafee web gateway then is supported by the TA ... View more

Re: Splunk_TA_mcafee-wg fields wrong?

by SplunkTrust in All Apps and Add-ons
‎08-03-2018 12:30 AM
‎08-03-2018 12:30 AM
nope, we opened a support ticket and have a enhancement request going ... View more

Splunk_TA_mcafee-wg fields wrong?

by SplunkTrust in All Apps and Add-ons
‎07-18-2018 01:39 AM
1 Karma
‎07-18-2018 01:39 AM
1 Karma
Is it me or are the extractions in Splunk_TA_mcafee-wg next to totaly wrong? To take an example Log entry from some of my activity the log looks like this: Jul 18 08:44:27 xxx_hostname_xxx mwg: McAfeeWG|time_stamp=[18/Jul/2018:08:44:27 +0200]|auth_user=cn=XXXX,ou=XXX,ou=XXXX,ou=XXX,o=XXX|src_ip=10.9.16.6|server_ip=172.217.22.100|host=www.google.com|url_port=443|status_code=200|bytes_from_client=958|bytes_to_client=426|categories=Search Engines|rep_level=Minimal Risk|method=GET|url=https://www.google.com/searchdomaincheck?format=domain&type=chrome|media_type=text/plain|application_name=Google|user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36|referer=|block_res=0|block_reason=|virus_name=|hash=|filename=searchdomaincheck|filesize=426| for src, src_ip,user,user_agent the value is "unknown" There is the field auth_user containing the dn but i think user should contain the cn... What am i doing wrong? ... View more

Re: extract fields from csv file preamble

by SplunkTrust in Splunk Search
‎06-06-2018 07:25 AM
‎06-06-2018 07:25 AM
nope, sorry but it didn't matter because it was only playing around with my netatmo and the test splunk at home. ... View more

Re: difficulty in updating a lookup file via rest

by SplunkTrust in Splunk Search
‎02-05-2018 09:16 AM
‎02-05-2018 09:16 AM
hi, must be a typo when doing the ticket I just tried again just in case 🙂 hope springs eternal but it was a typo The lookup file is shared globaly /opt/splunk/etc/apps/SA-cve/lookups/cve.csv | No owner | SA-cve | Global ... View more

difficulty in updating a lookup file via rest

by SplunkTrust in Splunk Search
‎02-02-2018 08:38 AM
‎02-02-2018 08:38 AM
i have a script that generates a csv under /var/run/splunk I would like to update my lookup file I read the docs and it says to post a request like this: response = requests.post('https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv', data=payload, verify=False, headers=headers) where headers are like this: headers={'Authorization': 'Splunk xXxXxXXXxXXXy','Content-Type': 'application/json'} and the data is like this: {'eai:data': '/opt/splunk/var/run/splunk/cve.csv'} i can read that endpoint like (excerpt): <entry> <title>cve.csv</title> <id>https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv</id> <updated>2018-02-02T15:57:56+01:00</updated> <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="list"/> <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/_reload" rel="_reload"/> <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="edit"/> <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="remove"/> <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/move" rel="move"/> and it looks ok but post failes with >>> print response <Response [500]> >>> print response.text <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR"> In handler 'lookup-table-files': Data could not be written: /nobody/SA-cve/lookups/cve.csv: /opt/splunk/var/run/splunk/cve.cvs</msg> </messages> </response> ... View more

How to write/create permission under /etc from pyt...

by SplunkTrust in Security
‎01-25-2018 09:44 AM
‎01-25-2018 09:44 AM
It seems to me that a python script (custom command and/or controller have no write permission under /etc) Is this me making a mistake or is this a default setting and if so, can it be overcome? (maybe not due to security considerations) I realize that for a search head cluster this could be non trivial . ... View more

Re: merging local into default using git

by SplunkTrust in Splunk Search
‎12-15-2017 04:34 AM
‎12-15-2017 04:34 AM
Sounds cool, i can have a look at it. a pure python way would be nice... I have a semi working git (pure python) for splunk but it is not yet totaly nice. if anyone is interested... ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma given to