Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About morethanyell
morethanyell
Builder
Member since:
06-18-2018
04-12-2022
Community Statistics
| Posts | 159 |
| Solutions | 9 |
| Karma Given | 69 |
| Karma Received | 16 |
| Member Since | 06-18-2018 |
Activity Feed
- Got Karma for Re: how can a saved search owner be changed. 3 weeks ago
- Posted Re: Which Sourcetype for NGIPS? on All Apps and Add-ons. 04-12-2022 01:51 AM
- Karma Re: Which Sourcetype for NGIPS? for ragedsparrow. 04-12-2022 01:51 AM
- Posted Which Sourcetype for NGIPS? on All Apps and Add-ons. 04-08-2022 12:39 PM
- Karma Re: How to Properly Read results.csv.gz From Dispatch for richgalloway. 03-16-2022 04:53 AM
- Posted How to Properly Read results.csv.gz From Dispatch on Reporting. 03-15-2022 11:43 AM
- Posted Splunk AD Monitoring: Replace Host with dcName on Splunk Enterprise. 02-07-2022 10:19 AM
- Got Karma for Re: Join multiple lines using free text. 01-25-2022 04:46 PM
- Posted Re: Join multiple lines using free text on Splunk Search. 01-25-2022 12:22 PM
- Posted Re: need better option than join on Splunk Search. 01-25-2022 12:18 PM
- Posted Logs from `splunk_ta_o365` vs `Splunk_TA_microsoft-cloudservices` on Splunk Cloud Platform. 01-25-2022 08:25 AM
- Posted 404 Not Found on Restart SplunkWeb on Getting Data In. 11-10-2021 06:11 AM
- Posted Re: KV Store Process Terminated on Knowledge Management. 09-30-2021 09:47 AM
- Got Karma for Re: Using the transforms.conf file to only forward events that match a regex.. 08-24-2021 01:41 AM
- Got Karma for Re: how can a saved search owner be changed. 07-14-2021 08:39 AM
- Posted Re: webhook error on Alerting. 07-13-2021 02:54 PM
- Posted Re: Python Script: Permission Denied in one of the Methods on Developing for Splunk Enterprise. 04-05-2021 04:27 AM
- Posted Re: Python Script: Permission Denied in one of the Methods on Developing for Splunk Enterprise. 03-29-2021 08:39 AM
- Posted Python Script: Permission Denied in one of the Methods on Developing for Splunk Enterprise. 03-29-2021 08:04 AM
- Posted Re: How To Know WinLogs Stanza Per Event ID on Splunk Enterprise. 11-05-2020 06:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-12-2022
01:51 AM
Thanks. It did not parse the fields of the logs. I ended up writing our own props for it.
... View more
04-08-2022
12:39 PM
The SplunkWorks-built TA called Splunk Add-on for Cisco FireSIGHT said in the description that it is able to parse NGIPS logs. But upon inspection of the `props.conf`, it doesn't have sourcetype for NGIPS. Which should I use? I tried the `cisco:sourcefire` but it's not working.
... View more
Labels
03-15-2022
11:43 AM
After a successful saved-search run, the results can be found on the directory `$SPLUNK_HOME/var/run/splunk/dispatch/scheduler__...` We know that the result of the search is named `results.csv.gz` How do we read this in the OS level apps? Untarring it using `tar -xzvf` does not work. Thanks
... View more
Labels
- Labels:
-
saved search
-
scheduled search
02-07-2022
10:19 AM
Hi Community, I'm no Windows expert and just trying to tune an alert that we have in place. It's firing whenever a UF that has `admon` has stopped sending `admon` logs. But I just noticed that `admon` logs can have similar `dcName` in multiple UFs. For example, a UF that's meta host is "serverA" sends `admon` logs for dcName="serverDC". And UF that's meta host is "serverB" also sends `admon` logs for dcName="serverDC". Would it be reasonable to just replace the host of the UF with the value for dcName under the ActiveDirectory props.conf stanza? Thanks.
... View more
Labels
- Labels:
-
configuration
01-25-2022
12:22 PM
1 Karma
Untested but this should solve your issue ..base search here...
| rex "sshd\[(?<sshd_pid>\d+)\]"
| eval sshd_pid = host . " - " . sshd_pid
| transaction sshd_pid
... View more
01-25-2022
12:18 PM
Untested by try this ``` index=“something” | rex field=userName "\'(?P<userName>.+)\'" | rex "\/ROOT\/[^\s']+\/(?P<Environment>[^\/]+)\/[^\s\/']+(\s|')" | search NOT (Environment=eu-central-1 OR Environment=BOLCOM) | table userName commandTime | join type=left userName [ search index=okta sourcetype="OktaIM2:user" AND profile.department=* | rename profile.employeeNumber as userName, profile.division as Department, profile.title as Title, profile.countryCode AS Country | stats c by userName Department Title Country] | eval _time = strptime(commandTime, "%the %format %here") | dedup Department Title Environment | table commandTime userName Department Title Country | rename commandTime as "Date/Time" ```
... View more
01-25-2022
08:25 AM
Hello friends. We are in the process of moving the collection of o365 events which we currently do on an on-prem HF via "Splunk_TA_microsoft-cloudservices" to SplunkCloud IDM using "splunk_ta_o365". Using the same Client ID, Client Secret, and Tenant ID, we seem to be getting similar workloads: Aip, AzureActiveDirectory, CRM, Exchange, MicrosoftForms, MicrosoftStream, MicrosoftTeams, OneDrive, PowerApps, PowerBI, PublicEndpoint, SecurityComplianceCenter, SharePoint, SkypeForBusiness, Yammer But if we perform a comparison of number of events, we seem to get lower amount of data using the `splunk_ta_o365` in SplunkCloud versus the `Splunk_TA_microsoft-cloudservices` in on-prem. What seems to be the problem?
... View more
Labels
- Labels:
-
Splunk Investigate
-
using Splunk Cloud
11-10-2021
06:11 AM
What does the error below mean and how to remediate it? This is after running `splunk restart splunkweb` HTTP/1.1 404 Not Found
... View more
Labels
- Labels:
-
heavy forwarder
09-30-2021
09:47 AM
None of the previous mentioned solutions worked for me. It turns out server.pem has expired from my machine so renewing locally fixed the issue. Renew how-to: Solved: Renewing server.pem certificate - Splunk Community
... View more
04-05-2021
04:27 AM
Apparently, the filename / path doesn't exist as './' + temp_filename When changed with absolute filepath, it worked.
... View more
03-29-2021
08:39 AM
meaning give 777 to the script itself?
... View more
03-29-2021
08:04 AM
Hi, I have a working Python script that when ran as whoami=splunk in the same box, works just fine and as expected. When the script is enabled in the Scripted Inputs with "every 5 min" schedule, one line in my ciode does not work and the python processor logs "Permission Denied" in index=_internal. This is the line that doesn't work (Line 3) Line 1.
temp_filename = sess + '.tmp'
Line 2.
wget_result = os.system('wget -O ./' + temp_filename + ' --append-output=' + LOGFILE_DIR_WGET + ' --user ' + svcacct_un + ' --password ' + svcacct_pw + ' --no-check-certificate ' + _url)
Line 3.
checksum = hashlib.md5(open('./' + temp_filename, "rb").read()).hexdigest(); the Error looks like this 03-29-2021 15:55:17.507 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/***************" ./b97fcd39-1201-4638-8d41-8ae32168cd70.tmp: Permission denied Anyone?
... View more
Labels
- Labels:
-
python
-
scripted input
11-05-2020
06:44 AM
Understood. I never thought that Event Codes can have duplicates in System and Security. Thanks a bunch.
... View more
11-05-2020
04:42 AM
Hi, I got a request to onboard Event IDs 3039, 3040, 3041, 2886, 2887, 2888, 2889. I tried to Google them but couldn't see anything that will tell which logsource they're from. I don't know if I should put them under System i.e. [WinEventLog://System]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041 Or Security i.e. [WinEventLog://Security]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041 I was hoping someone could point me to a trusty website? Thank you.
... View more
Labels
- Labels:
-
configuration
10-23-2020
09:37 AM
Thank you. Just did. EID-I-644
... View more
10-23-2020
08:52 AM
Those aren't indexers. They are intermediate heavyforwarders that represent regions. I.e. # North America UF Outputsconf [tcpout] defaultGroup = NA [tcpout:EMEA]
server = mycompany-emea-hfa:9997, mycompany-emea-hfb:9997
[tcpout:APAC]
server = mycompany-apac-hfa:9997, mycompany-apac-hfb:9997
[tcpout:NA]
server = mycompany-na-hfa:9997, mycompany-na-hfb:9997
[tcpout:LATAM]
server = mycompany-latam-hfa:9997, mycompany-latam-hfb:9997 These intermediate HFs all output to SplunkCloud. I was thinking how I could route traffic to LATAM if say, the servers in NA are down.
... View more
10-23-2020
06:40 AM
Hi, From my understanding, the param `defaultGroup` under the stanza `[tcpout]` in `outputs.conf` can be set to a comma-separated list based on what's defined in `[tcpout:<groupn>]` stanzas, i.e.: [tcpout] defaultGroup = group1, group2, group3, group4 [tcpout:group1]
server=10.1.1.197:9997
[tcpout:group2]
server=myhost.Splunk.com:9997
[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666
[tcpout:group4]
server=foo.Splunk.com:9997 Okay. But when we define `outputs.conf` like this, the forwarder will route all traffic to the target servers in all groups defined in that param `defaultGroup`. How do we define a "backup" group where in the traffic is rerouted to the "next" group in case the default groups aren't reachable?
... View more
Labels
- Labels:
-
other
10-19-2020
04:40 AM
1 Karma
I don't. I think it's a good architectural design to be able to determine which context must implement indexed fields and which context must resort to the default search-time field extractions. For example, TAs that make logs CIM compliant like TAs for network devices (e.g. Aruba or Checkpoint), they extract fields at search time and are best to remain that way because of the sheer size of network devices logs. Also, they are most likely going to be accelerated anyway in a sort of "Network Traffic" `datamodel`. Another example is for specific contexts that could help your unique-to-your-organisation use cases. I used to work in a project where we had to implement index-time field extractions so we can pull them quickly in `tstats` so we can display the data quickly on a dashboard that's viewed by a high-profile boss every Monday. He gets frustrated if the dashboard loads very slowly and we don't want to upset the boss. We could've used accel-datamodel but we decided to do it at indexing phase instead.
... View more
10-09-2020
09:35 AM
Hi, How to properly append the server's hostname, i.e. $HOSTNAME to the source? This was my failed attempt: #transforms.conf
[append-hf-hostname-to-src]
SOURCE_KEY = source
REGEX = (.*)
FORMAT = source::$1:$HOSTNAME
DEST_KEY = MetaData:Source
#props.conf
[my:cute:sourcetype]
TRANSFORMS-newsrc=append-hf-hostname-to-src Thanks in advance.
... View more
Labels
- Labels:
-
administration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-12-2022
06:08 AM
|
Karma from
Karma given to
