Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Adrian
Adrian
Path Finder
Member since:
03-15-2012
06-05-2020
Community Statistics
| Posts | 28 |
| Solutions | 2 |
| Karma Given | 3 |
| Karma Received | 12 |
| Member Since | 03-15-2012 |
Activity Feed
- Karma Re: Find the common/same source ip (src) across several hosts with same sourcetype for martin_mueller. 06-05-2020 12:46 AM
- Karma Re: Searching log for number that is = to or > than for emiller42. 06-05-2020 12:46 AM
- Karma Re: Creating field value pair for somesoni2. 06-05-2020 12:46 AM
- Got Karma for Replace/rename a host name with another host name. 06-05-2020 12:46 AM
- Got Karma for Re: Need to create a ASA VPN user report. 06-05-2020 12:46 AM
- Got Karma for Re: splunkd.log Error: OPENSSL_1.0.0 not found (required by wget). 06-05-2020 12:46 AM
- Got Karma for Re: splunkd.log Error: OPENSSL_1.0.0 not found (required by wget). 06-05-2020 12:46 AM
- Got Karma for Re: splunkd.log Error: OPENSSL_1.0.0 not found (required by wget). 06-05-2020 12:46 AM
- Got Karma for Re: splunkd.log Error: OPENSSL_1.0.0 not found (required by wget). 06-05-2020 12:46 AM
- Got Karma for Re: Windows EventLogs. 06-05-2020 12:46 AM
- Got Karma for Re: Why is my Heavy Forwarder initiating TCP scans and sweeps. 06-05-2020 12:46 AM
- Got Karma for Re: Why is my Heavy Forwarder initiating TCP scans and sweeps. 06-05-2020 12:46 AM
- Got Karma for Re: Why is my Heavy Forwarder initiating TCP scans and sweeps. 06-05-2020 12:46 AM
- Got Karma for Re: Why is my Heavy Forwarder initiating TCP scans and sweeps. 06-05-2020 12:46 AM
- Got Karma for Re: Rotating Data to Frozen After Time Period. 06-05-2020 12:46 AM
- Posted Re: java problem with active-directory on Getting Data In. 01-30-2014 06:41 AM
- Posted Re: Index time field extraction/re-write on Splunk Search. 01-28-2014 02:04 PM
- Posted Re: Index time field extraction/re-write on Splunk Search. 01-28-2014 07:40 AM
- Posted Re: Index time field extraction/re-write on Splunk Search. 01-28-2014 06:43 AM
- Posted Index time field extraction/re-write on Splunk Search. 01-28-2014 06:00 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
01-30-2014
06:41 AM
I would start by reviewing this troubleshooting section of the documentation related to the Splunk App for AD.
... View more
01-28-2014
02:04 PM
Ok, I will give it a test run and let you know how it turns out. Thanks again for the pointers @Ayn and @somesoni2
... View more
01-28-2014
07:40 AM
I am not positive but I think we require index time to populate the dashboards for Splunk App for ES if I am not mistaken, which could definitely be the case. If this is not the case then field aliasing would work fine.
... View more
01-28-2014
06:43 AM
Isn't Field Aliasing at search time? We require index time field extraction/re-write.
... View more
01-28-2014
06:00 AM
I currently have a custom sourcetype=vuln_scan that looks like this:
response_datetime="2014-01-24 06:41:22" scan_date="2014-01-24 06:41:22" org_id=AB5X1896 scan_id=1H6785E host_id=522ZB769 ip=190.1.19.15 testid=2533 vuln_type="FTP servers" vuln_risk=8 vuln_name="HP/UX FTPd Negative REST Buffer Overflow" port=21 protocol=tcp results=
Our goal is to modify the automatic field extractions that occur due to the "=" sign with another field name. For instance ip=190.1.9.15 is automatically extracted giving us a field name "ip" with a value of "190.1.9.15". We would like to map to the common information model (CIM) using the field name "dest" instead of "ip" at index time, not at search time. How would we go about reaching this objective?
... View more
01-04-2014
01:57 PM
1 Karma
This is a great tutorial:
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
You can also download a copy of this free book:
http://www.splunk.com/goto/book
Here is more info about the Interactive Field Extractor (IFX):
http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ExtractfieldsinteractivelywithIFX
... View more
01-04-2014
01:44 PM
1 Karma
To answer your question... Yes, it is possible. This is the documentation you require: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes#Route\_specific\_events\_to\_a\_different_index
You would have to modify your REGEX statement in your transforms.conf to grab the events you require:
[<transforms_A>]
REGEX = EventCode:([0-9]{1,3}|1000)
DEST_KEY = _MetaData:Index
FORMAT = indexA
[<transforms_B>]
REGEX = EventCode:1(0[0-9]{3}|1000)
DEST_KEY = _MetaData:Index
FORMAT = indexB
You might have to play around with the regex statements provided in example
... View more
01-04-2014
12:49 PM
One of the searches to populate that dashboard is Critical Network Traffic Analyzer: search = eventtype="ip_check" | stats count by src_ip dst_ip dst_port protocol | lookup threatscore clientip AS dst_ip | sort -threatscore
Do your fields match the search? It would help if you could provide some sample log data as well.
FYI: make sure to comment under my answer/post not your question otherwise I don't receive alert.
... View more
01-04-2014
12:34 PM
You can use instructions here to get Ubuntu on a 1st gen ATV you can obviously skip the XBMC portion: http://wiki.xbmc.org/index.php?title=HOW-TO:Install_Ubuntu_and_XBMC_on_Apple_TV_1
The above instructions worked flawlessly on an old 1st gen I had laying around that I re-purposed. Once you have Ubuntu running you can use the standard 32bit Splunk installer. Considering the 1st gen ATV only has 256mb of RAM and and a 1Ghz Intel processor I hope you don't expect much performance. I believe there was a 40Gb and 160Gb hard drive model. If you have a 40Gb model space may become an issue.
... View more
01-03-2014
03:27 PM
Good point... I was assuming retention was necessary when in fact it is not a requirement.
... View more
01-03-2014
12:50 PM
1 Karma
As long as you specify coldToFrozenDir in your indexes.conf you shouldn't have any problems using frozenTimePeriodInSecs and set it to 1555200 (seconds in 18 days)
Here is the documentation:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Configureindexstorage
and here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Setaretirementandarchivingpolicy
... View more
01-03-2014
12:33 PM
I had to adjust the search parameter portion of the Threat_Map_Overview view in Settings » User interface » Views » Threat_Map_Overview to something like this:
index=firewall | rename src as clientip | lookup threatscore clientip | where threatscore>0 | geoip clientip
You might have to do the same for the dashboard in question.
... View more
01-03-2014
12:17 PM
4 Karma
I would suggest doing a packet capture on the Heavy Forwarder to understand what in fact is occurring. This appears to be anomalous behavior and could indicate you have a compromised system.
... View more
01-02-2014
08:49 AM
4 Karma
Add the following to the first line of your fetch.sh script, then save, and restart Splunk then review S.o.S. error messages:
unset LD_LIBRARY_PATH
... View more
01-02-2014
08:16 AM
Edit the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
The documentation you require is here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Applytimezoneoffsetstotimestamps
There is also a similar question posed with answer here as well:
http://answers.splunk.com/answers/110403/incorrect-event-time-in-splunk
... View more
01-02-2014
08:11 AM
I have a similar setup and instructions here that could be of assistance:
deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds
... View more
12-28-2013
02:53 PM
Yes, it was released on December 21st for use with Splunk 6. A maintenance release for Splunk was also released (6.01). Here are the "Known Issues" for ES 3.0.0: http://docs.splunk.com/Documentation/ES/latest/RN/KnownIssues
... View more
12-28-2013
08:28 AM
I also upgrade and was presented with the same error. I believe it is an artifact left behind from previous installation. You have to comment out your entries in /opt/splunk/etc/system/local/serverclass.conf
The entry that was present in my serverclass.conf was the following:
[global]
# whitelist.0=* at the global level ensures that the machineTypesFilter attribute
# invoked later will apply.
whitelist.0=*
[serverClass:AppsByMachineType]
machineTypesFilter=linux-x86_64
[serverClass:AppsByMachineType:app:unix]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypesFilter=linux-x86_64
After commenting it looked like this:
#[global]
# whitelist.0=* at the global level ensures that the machineTypesFilter attribute
# invoked later will apply.
#whitelist.0=*
#[serverClass:AppsByMachineType]
#machineTypesFilter=linux-x86_64
#[serverClass:AppsByMachineType:app:unix]
# Deploy this app only to unix boxes - 32/64 bit.
#machineTypesFilter=linux-x86_64
I then restarted /opt/splunk/bin/restart and the error message disappeared.
... View more
09-27-2013
09:32 AM
It is a very generalized question so hard to give you specific advice. What is it you are trying to monitor specifically?
You can start here:
http://www.splunk.com/view/infrastructure-monitoring/SP-CAAAHXJ
Or here:
http://apps.splunk.com/app/352/
... View more
04-19-2013
02:22 PM
Thanks for the help... Timechart seems to be a more elegant solution. I was also able to find an answer using the search below your answer (it worked but it's ugly)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
