Activity Feed
- Got Karma for Re: Python script errors(code 255) and Invalid start time errors. 05-14-2021 01:16 AM
- Karma Palo Alto Dashboard (URL Filtering) not populating any data. for MatthewH007. 06-05-2020 12:50 AM
- Karma Re: Why is the Splunk Add-on for Microsoft Office 365 Add-on duplicating log data? for rkantamaneni_sp. 06-05-2020 12:50 AM
- Karma ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex: \|.*?summarize.*?action\= for sathwikr076. 06-05-2020 12:50 AM
- Karma Splunk community NEEDS an answer for getting SCCM data into Splunk for nick405060. 06-05-2020 12:50 AM
- Karma Re: Time Skew for when logs are read. for swatts1000. 06-05-2020 12:50 AM
- Karma Maxmind Threat Intelligence Database is not downloading for josephliion. 06-05-2020 12:50 AM
- Karma Python script errors(code 255) and Invalid start time errors for becksyboy. 06-05-2020 12:50 AM
- Karma MSFT System Center 2016 and Endpoint Protection Data for william_tong. 06-05-2020 12:50 AM
- Karma Issue while downloading logs for thambisetty. 06-05-2020 12:50 AM
- Karma Palo Alto Networks for Splunk v 6.1.1: Receiving error "lookup table is empty or has not yet been replicated to the search peer" for jwightman2. 06-05-2020 12:50 AM
- Karma How to integrate SA-Investigator with ES for richardphung. 06-05-2020 12:50 AM
- Karma Adobe experience manager integration with SPlunk for bbiswabhusan. 06-05-2020 12:50 AM
- Got Karma for Re: Python script errors(code 255) and Invalid start time errors. 06-05-2020 12:50 AM
- Got Karma for Re: Python script errors(code 255) and Invalid start time errors. 06-05-2020 12:50 AM
- Got Karma for Why is the Splunk Add-on for Microsoft Office 365 Add-on duplicating log data?. 06-05-2020 12:50 AM
- Got Karma for Why is the Splunk Add-on for Microsoft Office 365 Add-on duplicating log data?. 06-05-2020 12:50 AM
- Karma Splunk Enterprise 7.1, ES 5.1 and phased_execution_mode for janispelss. 06-05-2020 12:49 AM
- Karma Version 1.1.0 doesn't get message trace for wstarowicz. 06-05-2020 12:49 AM
- Karma Re: Strange issue with missing menu in Enterprise Security for kcepull_splunk. 06-05-2020 12:49 AM
Topics I've Started
06-27-2019
07:15 AM
Same issue here, even on 7.2.6 now!
06-10-2019
11:27 AM
How do we fix this in the jobs page?
/en-US/app/SplunkEnterpriseSecuritySuite/job_manager
03-26-2019
12:40 PM
Anyone know if this has been fixed yet?
03-20-2019
07:03 AM
I have the same issue. The problem is there is no field called "nodename" in the datamodel. I cannot find anything in the TA that defines this field, so it will never match, and thus a lot of the dashboards don't work.
~/Splunk_TA_paloalto
└──╼ grep -ri nodename *| grep -v .js
bin/splunk_ta_paloalto/cloudconnectlib/splunktalib/modinput.py: if doc.nodeName == "input":
bin/splunk_ta_paloalto/solnlib/net_utils.py: # [Errno 8] nodename nor servname provided, or not known
lookups/threat_list.csv:36853,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0764"
lookups/threat_list.csv:36707,"Advantech WebAccess Browser ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0985"
lookups/threat_list.csv:38655,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability","code-execution",medium,"CVE-2014-0764"
02-08-2019
01:16 PM
Yes.. the end time is always moving, so when it runs it uses "now" as the end time and subtracts the days. As long as you keep it lower than 7, it should complete successfully.
02-05-2019
07:31 AM
2 Karma
I've noticed that this Add-on simply pulls the last 7 days of log data from the Azure API, but makes no effort to create a marker. Thus when I enable pulls, it just duplicates the log data over and over. I've tested this by pulling in the Audit.Exchange blobs and by watching a 2 hr time period in the past. I can see the event count going up for that range every time the Add-on fires. I can also run a streamstats to check for duplicate _raw,_time events, and I see them as well.
Please advise.
02-04-2019
11:59 AM
2 Karma
@MuS ♦ Thanks for the info! Funny thing.. I actually did it a little simpler, albeit with a sledgehammer. (PS I'm using the Splunk Add-on for Microsoft Office 365)
I edited this file "splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py"
Changed the timedelta to 1 day 🙂
119c119
< start_time = end_time - timedelta(days=7)
---
> start_time = end_time - timedelta(days=1)
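Review bot: the change at line 119 only narrows the request window; it does not stop the duplication described earlier in the thread, because nothing is persisted between runs and every run still requests `end_time - timedelta(days=1)` .. `end_time`, so any input interval shorter than 24 hours re-pulls the overlapping content. Persist the previous run's `end_time` as a checkpoint and use it as the next `start_time` (clamped to the 7-day retention the API enforces), and expose the lookback as an input setting rather than a constant edited in the shipped module, which an add-on upgrade will overwrite.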
Now at least it only asks Azure for 24 hrs' worth of data at a time 🙂 You could probably get away with 6 days if you wanted to check back that far.
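The duplication mechanism described in the 02-05-2019 post, and why shrinking the window in the 02-04-2019 edit does not cure it, can be reproduced with a small simulation. This is an added example, not code from the Splunk Add-on for Microsoft Office 365; the blob listings, run times and the `list_content` stand-in for the API call are constructed, and the windowing functions are assumed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
RETENTION = timedelta(days=7)   # content older than 7 days cannot be retrieved (API limit quoted in the thread)

# Constructed sample content listings: 20 blobs every 6 hours from 2019-02-01,
# plus one that appears after the first run. Not real tenant data.
BLOBS = [{"contentId": f"blob-{i}",
          "contentCreated": datetime(2019, 2, 1, tzinfo=UTC) + timedelta(hours=6 * i)}
         for i in range(20)]
BLOBS.append({"contentId": "blob-late", "contentCreated": datetime(2019, 2, 6, 1, 30, tzinfo=UTC)})
RUNS = [datetime(2019, 2, 6, h, tzinfo=UTC) for h in (0, 1, 2)]   # the input fires hourly

def list_content(blobs, start, end):
    """Stand-in for the API listing call: content created in [start, end)."""
    return [b for b in blobs if start <= b["contentCreated"] < end]

def naive_window(now, checkpoint, lookback=timedelta(days=7)):
    """What the thread describes: every run asks for now-lookback .. now, ignoring any state."""
    return now - lookback, now

def checkpointed_window(now, checkpoint, lookback=timedelta(days=7)):
    """Resume from the persisted end time of the previous run, clamped to API retention."""
    start = checkpoint if checkpoint is not None else now - lookback
    return max(start, now - RETENTION), now

def run_input(blobs, runs, windower):
    """Simulate the modular input firing at each time in `runs`; return everything indexed."""
    indexed, checkpoint = [], None
    for now in runs:
        start, end = windower(now, checkpoint)
        indexed.extend(list_content(blobs, start, end))
        checkpoint = end           # would be persisted to disk between real runs
    return indexed

def duplicate_count(indexed):
    """Same idea as the streamstats check on (_time, _raw): events seen more than once."""
    seen, dups = set(), 0
    for b in indexed:
        key = (b["contentCreated"], b["contentId"])
        dups += key in seen
        seen.add(key)
    return dups

if __name__ == "__main__":
    for name, windower in (("naive", naive_window), ("checkpointed", checkpointed_window)):
        idx = run_input(BLOBS, RUNS, windower)
        print(f"{name}: indexed={len(idx)} duplicates={duplicate_count(idx)}")
```

With the same three hourly runs, the naive variant indexes the 20 existing blobs on every run, while the checkpointed variant indexes each blob exactly once and picks up only the late-arriving one on its third run.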
02-04-2019
11:28 AM
Looks like now we need to have the ability to tell the add-on to only go back X days, otherwise it never completes and just keeps pulling in the same week's worth of data. I've turned off my inputs until this is figured out 😞
02-04-2019
11:11 AM
1 Karma
I just found this post on another thread. Makes sense, because my pulls bomb out exactly 1 week back.
Looks like the limitation is in the O365 Management API that the Splunk app relies on:
https://msdn.microsoft.com/office-365/office-365-management-activity-api-reference
"Content older than 7 days cannot be retrieved."
01-22-2019
12:10 PM
What's the status on this?
12-20-2018
06:41 AM
Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.
12-20-2018
06:41 AM
Thanks for commenting on this, I had forgotten I had opened it.
Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.
11-27-2018
06:51 AM
But how do we PULL events? I can't open up my Splunk instance to Amazon.
08-21-2018
06:53 AM
I'm hoping someone can assist me with this strange issue. For some reason my menu bar for enterprise security is gone when on the "Home" choice, i.e. it only shows the "search" choice. However, if I click on Incident Review, the bar shows up and everything else renders properly, with the exception that "Investigations" has the same issue. I've compared everything in my SplunkEnterpriseSecurity app directory with the installation tar, and have poked around in the local dir to see if anything has changed. I can even look at the source code on the page and I see the menu choices in the javascript. They just don't render. Any ideas??
08-03-2018
08:46 AM
You need to put the [dropadlog] stanza BEFORE your [adlog] one, otherwise it will drop everything regardless of the tag. See "Keep specific events and discard the rest" on http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad
06-06-2018
12:56 PM
Same issue here with Splunk 7.1.1 and the latest plugin. Randomly quits within 2 weeks.. no errors, process is just still running.
I ran an strace on the stalled process, and it is generating these events over and over:
[pid 18829] <... select resumed> ) = 0 (Timeout)
[pid 18829] select(0, NULL, NULL, NULL, {0, 50000}
[pid 18726] <... select resumed> ) = 0 (Timeout)
[pid 18726] select(0, NULL, NULL, NULL, {0, 50000}
[pid 18835] <... select resumed> ) = 0 (Timeout)
[pid 18835] stat("/opt/splunk/etc/apps/Splunk_TA_nessus/local/tenable_sc_inputs.conf", {st_mode=S_IFREG|0600, st_size=201, ...}) = 0
[pid 18835] stat("/opt/splunk/etc/apps/Splunk_TA_nessus/local/tenable_sc_inputs.conf", {st_mode=S_IFREG|0600, st_size=201, ...}) = 0
[pid 18835] stat("/opt/splunk/etc/apps/Splunk_TA_nessus/local/nessus.conf", {st_mode=S_IFREG|0600, st_size=533, ...}) = 0
[pid 18835] stat("/opt/splunk/etc/apps/Splunk_TA_nessus/local/nessus.conf", {st_mode=S_IFREG|0600, st_size=533, ...}) = 0
[pid 18835] stat("/opt/splunk/etc/apps/Splunk_TA_nessus/local/tenable_sc_servers.conf", {st_mode=S_IFREG|0600, st_size=172, ...}) = 0
[pid 18835] stat("/opt/splunk/etc/apps/Splunk_TA_nessus/local/tenable_sc_servers.conf", {st_mode=S_IFREG|0600, st_size=172, ...}) = 0
[pid 18835] getppid() = 18566
[pid 18835] select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout)
[pid 18835] select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout)
[pid 18835] select(0, NULL, NULL, NULL, {0, 4000}
[pid 18836] <... select resumed> ) = 0 (Timeout)
[pid 18836] select(0, NULL, NULL, NULL, {0, 50000}
[pid 18835] <... select resumed> ) = 0 (Timeout)
04-27-2018
12:48 PM
Thank you smoir for responding. Everything seems somewhat ok except for the incident_review_page.xml .. Browser console shows "Uncaught TypeError: i._btnClass is not a constructor"
If only I knew javascript 🙂
04-26-2018
10:11 AM
Is there an ETA on when it's going to be compatible? I'm in the same boat on my production instance.