Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Ohiotech
Ohiotech
Explorer
Member since:
05-07-2018
07-26-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 4 |
| Member Since | 05-07-2018 |
Activity Feed
- Got Karma for Re: Cannot perform action POST without a target name to act on. 06-05-2020 12:50 AM
- Got Karma for Re: How to Get Eventgen working?. 06-05-2020 12:49 AM
- Got Karma for Re: How to Get Eventgen working?. 06-05-2020 12:49 AM
- Got Karma for Re: How to Get Eventgen working?. 06-05-2020 12:49 AM
- Posted Re: splunk db connect index1 out of range error on All Apps and Add-ons. 02-20-2020 05:10 AM
- Posted Re: Cannot perform action POST without a target name to act on on Getting Data In. 09-16-2019 11:56 AM
- Posted Re: How to Get Eventgen working? on All Apps and Add-ons. 05-07-2019 10:30 AM
- Posted Re: How to add an extra event field to the ePO query using DB connect 2.4 and ePO 5.3? on Splunk Enterprise Security. 08-27-2018 10:36 AM
- Posted Re: Splunk OPEN SSL: unable to load library files. on Getting Data In. 06-22-2018 03:25 AM
- Posted Re: How to add an extra event field to the ePO query using DB connect 2.4 and ePO 5.3? on Splunk Enterprise Security. 05-30-2018 12:45 PM
- Posted How to add an extra event field to the ePO query using DB connect 2.4 and ePO 5.3? on Splunk Enterprise Security. 05-18-2018 09:46 AM
- Tagged How to add an extra event field to the ePO query using DB connect 2.4 and ePO 5.3? on Splunk Enterprise Security. 05-18-2018 09:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
02-20-2020
05:10 AM
After the 5.10 schema upgrade, having two databases to modify my table query pointers, and getting the index 1 error, I figured out that you have to unlock the pointer and set it to zero because you are starting the index from scratch and the pointer (AutoID) had no place to start. This fixed my error and allowed me to continue to the last step and save the query. I did have to take the line pull up to 100,000 lines to catch up in a hurry.
... View more
09-16-2019
11:56 AM
1 Karma
This is a syntax issue. To update the spl, use this syntax from the bin folder "./splunk install app /tmp/splunkclouduf.spl -update 1", enter your admin creds and then restart the splunk daemon.
... View more
05-07-2019
10:30 AM
3 Karma
After installing the event gen manually (did not path correctly with directions), I added the SA-Eventgen app through the manage apps\ install from file. The trick for me was to go into the Data Input/SA-Eventgen input and enable it. (disabled during install). Events were there within minutes after a restart.
... View more
08-27-2018
10:36 AM
Working Solution*****
I worked with a Splunk SME and added the following syntax which gave me a column for target_hash and saved in the input statement without error***
[AnalyzerDetectionMethod] AS [detection_method],
[ThreatActionTaken] AS [vendor_action],
[ePO_xxxxxxxxxxxx].[dbo].[EPExtendedEventMT].[TargetHash] AS [target_hash],
CAST([ThreatHandled] AS int) AS [threat_handled],
LEFT JOIN [ePO_xxxxxxxxxxxx].[dbo].[EPExtendedEventMT]
ON [ePO_xxxxxxxxxxxx].[dbo].[EPOLeafNodeMT].[AutoID] = [ePO_xxxxxxxxxxxx].[dbo].[EPExtendedEventMT].[EventAutoID]
AND (EPOEventFilterDesc.Language='0409')) t WHERE AutoID > ? ORDER BY AutoID ASC
... View more
06-22-2018
03:25 AM
I found that this gives me the text output without a password after following the directions in this URL.
http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Getthird-partycertificatesforSplunkWeb
LD_LIBRARY_PATH=/opt/splunk/lib/ /opt/splunk/bin/openssl rsa -in /opt/splunk/etc/auth/mycerts/myprivate.key -text
... View more
05-30-2018
12:45 PM
My apologies for the delay, I went on PTO right after posting this question.
I changed the query to match the full path and added the correct table per your statements. I still get the same invalid query response with a slightly different output that doesn't supply the full output of the error.
The DB structure is the default ePO tables for version 5.3. This does not make sense that the Splunk supplied query (what is currently working) and a simple change of an additional field (corrected from your suggestion) fails to execute in the DB connect app.
Is this type of issue supported by Splunk Support for DB connect?
... View more
05-18-2018
09:46 AM
Additional information: I'm not confident on the left join syntax, but the query appears to fail before it gets to that syntax. Also, using MS SQL mgmt studio, this query without my changes fails a syntax check.
SELECT [ReceivedUTC] AS [timestamp],
[ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[AutoID],
[ThreatName] AS [signature],
[ThreatType] AS [threat_type],
[ThreatEventID] AS [signature_id],
[ThreatCategory] AS [category],
[ThreatSeverity] AS [severity_id],
[DetectedUTC] AS [detected_timestamp],
[TargetFileName] AS [file_name],
[AnalyzerDetectionMethod] AS [detection_method],
[TargetHash] AS [target_hash],
[ThreatActionTaken] AS [vendor_action],
CAST([ThreatHandled] AS int) AS [threat_handled],
[TargetUserName] AS [logon_user],
[ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[UserName] AS [user],
[ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[DomainName] AS [dest_nt_domain],
[ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[TargetHostName] AS [dest_dns],
[ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[TargetHostName] AS [dest_nt_host],
[ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[IPHostName] AS [fqdn],
[dest_ip] = ( convert(varchar(3),nx
convert(tinyint,
substring(convert(varbinary(4),
convert(bigint,
([ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[IPV4x] + 2147483648))),
1,
1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[IPV4x] + 2147483648))),4,1))) ), [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[SubnetMask] AS [dest_netmask], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[NetAddress] AS [dest_mac], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[OSType] AS [os], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[OSServicePackVer] AS [sp], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[OSVersion] AS [os_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[OSBuildNum] AS [os_build], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[TimeZone] AS [timezone], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceHostName] AS [src_dns], [src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceIPV4] + 2147483648))),4,1))) ), [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceMAC] AS [src_mac], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceProcessName] AS [process], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceURL] AS [url], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[SourceUserName] AS [source_logon_user], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[IsPortable] AS [is_laptop], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[AnalyzerName] AS [product], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[AnalyzerVersion] AS [product_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[AnalyzerEngineVersion] AS [engine_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[AnalyzerEngineVersion] AS [dat_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[DATVer] AS [vse_dat_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[EngineVer64] AS [vse_engine64_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[EngineVer] AS [vse_engine_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[Hotfix] AS [vse_hotfix], [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[ProductVersion] AS [vse_product_version], [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[Servicepack] AS [vse_sp]
FROM "ePO_xxxxxxxxxxxx"."dbo"."EPOEventsMT"
LEFT JOIN [ePO_xxxxxxxxxxxx].[dbo].[EPOLeafNodeMT]
ON [EPOEventsMT].[AgentGUID] = [ePO_xxxxxxxxxxxx].[dbo].[EPOLeafNodeMT].[AgentGUID]
LEFT JOIN [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT]
ON [ePO_xxxxxxxxxxxx].[dbo].[EPOLeafNodeMT].[AutoID] = [ePO_xxxxxxxxxxxx].[dbo].[EPOProductPropertiesMT].[AutoID]
LEFT JOIN [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT]
ON [ePO_xxxxxxxxxxxx].[dbo].[EPOLeafNodeMT].[AutoID] = [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[ParentID]
LEFT JOIN [ePO_xxxxxxxxxxxx].[dbo].[EPOEventFilterDesc]
ON [EPOEventsMT].[ThreatEventID] = [ePO_xxxxxxxxxxxx].[dbo].[EPOEventFilterDesc].[EventId]
AND (EPOEventFilterDesc.Language='0409')
LEFT JOIN [ePO_xxxxxxxxxxxx].[dbo].[EPExtendedEventMT]
ON [ePO_xxxxxxxxxxxx].[dbo].[EPOLeafNodeMT].[AutoID] = [ePO_xxxxxxxxxxxx].[dbo].[EPOEventFilterDesc].[TargetHash]
Invalid Query
External search command 'dbxquery' returned error code 1. First 1000 (of 5282) bytes of script output: "RuntimeError: Failed to run query: "SELECT * FROM (SELECT [ReceivedUTC] AS [timestamp], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[AutoID], [ThreatName] AS [signature], [ThreatType] AS [threat_type], [ThreatEventID] AS [signature_id], [ThreatCategory] AS [category], [ThreatSeverity] AS [severity_id], [DetectedUTC] AS [detected_timestamp], [TargetFileName] AS [file_name], [AnalyzerDetectionMethod] AS [detection_method], [TargetHash] AS [target_hash], [ThreatActionTaken] AS [vendor_action], CAST([ThreatHandled] AS int) AS [threat_handled], [TargetUserName] AS [logon_user], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[UserName] AS [user], [ePO_xxxxxxxxxxxx].[dbo].[EPOComputerPropertiesMT].[DomainName] AS [dest_nt_domain], [ePO_xxxxxxxxxxxx].[dbo].[EPOEventsMT].[TargetHostName] AS [dest_dns], [ePO_xxxxxxxxxxxx].[dbo].[EPOEven"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-26-2022
02:46 PM
|
