×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- About denose
denose
Explorer
Member since:
07-24-2015
09-22-2021
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 07-24-2015 |
Activity Feed
- Karma Re: /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py is pulling down many duplicate events for ehoward. 06-05-2020 12:49 AM
- Karma Re: Alert if data not received to an index for 1 hour for mayurr98. 06-05-2020 12:49 AM
- Got Karma for Re: Sophos Central app for Splunk: Data is not being pulled by the API. 06-05-2020 12:49 AM
- Got Karma for Re: Sophos Central app for Splunk: Data is not being pulled by the API. 06-05-2020 12:49 AM
- Posted Re: Alert if data not received to an index for 1 hour on Splunk Dev. 03-18-2018 09:28 PM
- Posted Re: Alert if data not received to an index for 1 hour on Splunk Dev. 03-15-2018 03:32 PM
- Posted Re: Alert if data not received to an index for 1 hour on Splunk Dev. 03-14-2018 07:41 PM
- Posted Alert if data not received to an index for 1 hour on Splunk Dev. 03-14-2018 03:51 PM
- Tagged Alert if data not received to an index for 1 hour on Splunk Dev. 03-14-2018 03:51 PM
- Posted Re: /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py is pulling down many duplicate events on All Apps and Add-ons. 10-29-2017 10:38 PM
- Posted Re: /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py is pulling down many duplicate events on All Apps and Add-ons. 10-23-2017 10:54 PM
- Posted Re: Sophos Central app for Splunk: Data is not being pulled by the API on All Apps and Add-ons. 10-23-2017 06:16 PM
- Posted Re: /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py is pulling down many duplicate events on All Apps and Add-ons. 10-23-2017 03:35 PM
- Posted Re: /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py is pulling down many duplicate events on All Apps and Add-ons. 10-22-2017 11:21 PM
- Posted Re: Sophos Central app for Splunk: Data is not being pulled by the API on All Apps and Add-ons. 10-22-2017 10:30 PM
- Posted Re: Sophos Central app for Splunk: Data is not being pulled by the API on All Apps and Add-ons. 10-22-2017 08:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
03-18-2018
09:28 PM
Thanks for that. I think that's enough to do what I wanted for now.
I appreciate your assistance.
... View more
03-15-2018
03:32 PM
Thanks mayurr98 though, I'm not sure how this works on a per index basis?
I want to know which index hasn't received events rather than source, sourcetype or hosts.
... View more
03-14-2018
07:41 PM
Thanks, I still don't get any indexes listed with 0 events.
It just returns, under the Statistics tab, the current timestamp in the _time column and blank under count column?
... View more
03-14-2018
03:51 PM
I am currently using this search:
index=_audit OR index=_internal OR index=_introspection OR index=a OR index=b OR index=c OR index=d earliest=-1h latest=-59m | stats count by index | where count=0
I tried input lookups for listing all the indexes but didn't get far quickly. If I take off the where command, it will show a count of events for only the indexes that have events. So when I say where=0 there are not indexes to be seen.
How can I make it search those indexes and tell me if they have in fact had no events?
... View more
- Tags:
- splunk-enterprise
10-29-2017
10:38 PM
Hey @ehoward ,
I ran the first search and the count column was 296 but not sure what that means?
Running your second search finds 12 events per hour which would be one per scheduled API call. they are all errorCode=500.
What wording did you send to Sophos? Just that duplicate events are being retrieved from their API?
Cheers
... View more
10-23-2017
10:54 PM
Now for some reason it has resolved itself and updates every 5 minutes as expected.
Only thing is, that is the sophos_events.py script that's running.
sophos_alerts.py is not running at all.
... View more
10-23-2017
06:16 PM
Hey, for that one I manually delete /opt/splunk/etc/apps/sophos_central/local/passwords.conf then restart Splunk. Also make sure permissions are fine but they should be. If not, create a passwords.conf there. Restart Splunk, go in and get the same error, delete it, restart Splunk and then hopefully you can save it this time.
As for Sophos, so far so good 🙂
We have used on-prem Enterprise Console for a few years and it has gotten quite old and not great but new Sophos Central seems quite good and useful. Just ramping up the roll-out now that we've tried it for a couple weeks in pilot and no major issues.
How do you find it?
... View more
10-23-2017
03:35 PM
Thanks @ehoward for the update regarding Sophos. Do you find that events are imported quite quickly for you?
Thanks Nick for the reply as well. Some more events came in over night for about an extra minutes worth since yesterday. Yesterday it ran and updated to 12:13:~ and then never updated through the afternoon. Then last night it must have got some more events for 12:14:~ but our tenancy has stacks more since then as well. Any things that I could check on? Surely it isn't a lag between the events view able in GUI and events available to the API?
... View more
10-22-2017
11:21 PM
I am experiencing the same duplication of events, when it gets events, seems to have stopped since the first time that it scraped in all the previous events.
... View more
10-22-2017
10:30 PM
1 Karma
First issue I had was with the firewall allowing calls out to the API.
Then I got some data in for sophos_events.py but it only seemed to run/work the first time that it was allowed. After that, I can see it run every 5 minutes but it isn't bringing in any new events.
Also the sophos_alerts.py has never brought in anything. I noticed that is was missing the Python header at the start of the file compared to the other script and also the first i in import command at the start of the script. Even after updating the file though I've got no alert events in.
Hopefully the author is following these threads and I can assist to debug.
... View more
10-22-2017
08:07 PM
1 Karma
I just had to allow out bound HTTPS and it worked.
... View more
