Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About asieira
asieira
Path Finder
Member since:
12-16-2014
06-05-2020
Community Statistics
| Posts | 36 |
| Solutions | 6 |
| Karma Given | 22 |
| Karma Received | 52 |
| Member Since | 12-16-2014 |
Activity Feed
- Got Karma for Re: Getting Session key for app built using add-on builder. 09-12-2021 11:24 PM
- Got Karma for Re: Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?. 07-30-2021 08:21 AM
- Got Karma for Re: Display time in UTC. 11-11-2020 11:34 PM
- Got Karma for Re: Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?. 10-06-2020 10:18 AM
- Got Karma for Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?. 10-06-2020 10:16 AM
- Got Karma for Re: Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?. 10-06-2020 10:13 AM
- Got Karma for Windows DNS debug logs TA not using CIM fields?. 10-02-2020 09:02 AM
- Got Karma for Re: Force displayed timezone in results to be UTC (not the local timezone of the viewer) through the Search. 07-31-2020 09:46 AM
- Karma Re: Getting Session key for app built using add-on builder for starcher. 06-05-2020 12:49 AM
- Karma Re: Getting Session key for app built using add-on builder for ramesh_babu71. 06-05-2020 12:49 AM
- Got Karma for Re: Getting Session key for app built using add-on builder. 06-05-2020 12:49 AM
- Got Karma for Re: JSON format - Duplicate value in field. 06-05-2020 12:49 AM
- Karma Re: CIM definition for dest_host and dest_name is missing for jcoates_splunk. 06-05-2020 12:47 AM
- Karma Re: Windows DNS debug logs TA not using CIM fields? for mikaelbje. 06-05-2020 12:47 AM
- Karma Re: Windows DNS debug logs TA not using CIM fields? for mikaelbje. 06-05-2020 12:47 AM
- Karma Re: Windows DNS debug logs TA not using CIM fields? for mreynov_splunk. 06-05-2020 12:47 AM
- Karma Re: Windows DNS debug logs TA not using CIM fields? for Richfez. 06-05-2020 12:47 AM
- Karma Re: Splitting a multi value field in configuration files for somesoni2. 06-05-2020 12:47 AM
- Karma Re: REST endpoint for modifying $app/local/macros.conf for vcarbona. 06-05-2020 12:47 AM
- Karma Re: Why does my json event data show duplicate fields? for ppablo. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 6 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 10 |
03-20-2018
05:04 AM
You write Python code to perform the API access and submit JSON or any other kind of data this way. You can find more details at https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/ConfigureDataCollectionAdvanced and https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/PythonHelperFunctions.
... View more
01-30-2018
03:05 AM
I found a reference to a similar problem here and the root cause was a bug in OpenSSL: https://github.com/neo4j/neo4j/issues/9233
What version of Splunk are you running? Is the operating system fully patched, in particular the SSL libraries?
... View more
01-15-2018
09:20 AM
1 Karma
Take a look at https://answers.splunk.com/answers/223095/why-is-my-sourcetype-configuration-for-json-events.html and hopefully the solution for that also applies here.
Also, I see you have a commented-out INDEXED_EXTRACTIONS configuration. If you had that enabled when the events were indexed, that would have created one value for each field and saved that to disk persistently at index time. When you later disabled INDEXED_EXTRACTIONS and used the AUTO_KV_MODE to extract fields at search time, both field values would be combined for existing events. That could be the root cause of the duplication on existing events, no?
... View more
12-15-2017
11:06 AM
Great article, thanks for sharing!
... View more
12-15-2017
04:49 AM
2 Karma
The ideal way of interacting with the rest of Splunk when you use the add-on builder is to use the Python helper object. It allows you to save state using the KV store (which it calls check point data), for example. without resorting to acessing the REST API directly. You can also read configuration provided by the user without needing to use the Splunk REST API to read directly from configuration files.
Still, if you need to access the Splunk REST API for other purposes, take a look at its implementation on the generated add-on code under bin/<TA name>/modinput_wrapper/base_modinput.py . It seems that accessing helper.context_meta['session_key'] should work. Keep in mind, however, that this is an undocumented field that could be removed or renamed in future versions of the add-on builder.
... View more
09-07-2017
08:37 AM
You just need to define jsonText like this:
jsonText = {'format': 'CSV', 'encrypted': 'none', 'queries': [{ 'name': object, 'query': query , 'type': 'type'}], 'name': 'Estrazione'}
So that when later you call json.dumps(jsonText) this will do the right thing.
... View more
04-07-2017
11:10 AM
1 Karma
The problem with this solution is that the difference between timezones is not static, given that DSTs apply at different moments in time.
I was faced with the same problem recently and I solved it by writing the following macro:
[strftime_utc(2)]
args = field, format
definition = "strftime($field$ - (strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%SZ\"), \"%Y-%m-%dT%H:%M:%S%Z\")-strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%S\"), \"%Y-%m-%dT%H:%M:%S\")), \"$format$\")"
iseval = 1
So you can now write a search that looks like this:
index=main | eval utc_time=`strftime_utc(_time, "%Y-%m-%dT%H:%M:%SZ")`
Regardless of what the timezone is on each event, this will cause the output to be in UTC.
Thanks to @richgalloway for the initial suggestion that lead to this.
... View more
04-07-2017
11:07 AM
4 Karma
I was faced with the same problem recently and I solved it by writing the following macro:
[strftime_utc(2)]
args = field, format
definition = "strftime($field$ - (strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%SZ\"), \"%Y-%m-%dT%H:%M:%S%Z\")-strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%S\"), \"%Y-%m-%dT%H:%M:%S\")), \"$format$\")"
iseval = 1
So you can now write a search that looks like this:
index=main | eval utc_time=`strftime_utc(_time, "%Y-%m-%dT%H:%M:%SZ")`
Regardless of what the timezone is on each event, this will cause the output to be in UTC.
Thanks to @richgalloway for the initial suggestion that lead to this.
... View more
08-05-2016
07:11 AM
Thank you very much for that information, using Stream will probably be the best way of gathering the DNS data we'll need, rather than relying on Windows DNS debug logs which are incredibly hard to parse.
... View more
08-05-2016
07:05 AM
That's awesome, thank you for providing the additional details.
Will the JSON include all RRs in a response packet?
... View more
08-05-2016
05:52 AM
@rich7177 is there any walkthrough or tutorial posted anywhere on how to collect DNS data using Splunk App for Stream? Also, would you mind sharing what the DNS events look like (extracted fields, tags, etc)?
... View more
03-11-2016
03:57 PM
Any updates on this?
... View more
11-11-2015
03:58 AM
That might be an alternative, yes. Just keep in mind it's not using the DNS debug logs though, instead it uses new DNS logging functionality Microsoft introduced in 2012r2.
... View more
11-10-2015
03:19 AM
Do you have a link for it? Might be helpful for people that read this thread later on.
... View more
11-02-2015
10:51 AM
If you need to implement an external command using Python generators, look into the Splunk SDK for Python: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2
... View more
11-02-2015
06:30 AM
I would also really like to see that implementation... any chance you could open source this?
... View more
11-02-2015
03:52 AM
Please note that dest_nt_host and dest_fqdn_name are not defined on the Network Traffic model either. So if you do update the documentation of dest to reference them, please make sure they are defined appropriately.
... View more
10-29-2015
05:53 AM
1 Karma
I was reading the CIM Network Traffic data model definition and found this in the description of the dest field:
The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
The fields dest_host and dest_name are used throughout the models, but are never actually defined anywhere. Are they the same thing, or different things? Can NetBIOS names be used, or only DNS FQDNs? Is the reverse DNS resolution of the destination IP address by a firewall accepted, or only the actual domain that was resolved by the endpoint to perform that network communication?
Without clear answers for all of those questions, it's really hard to be able to use these fields.
... View more
08-20-2015
06:34 AM
Turns out that fixing the "ugly" hostnames as generated in Windows DNS debug logs is unfortunately not as simple as the regex replace you implemented there.
First of all, sometimes they contain pointers in brackets that we also need to get rid of: http://stackoverflow.com/questions/20381717/windows-dns-server-debug-log-hostname-format
Second, parenthesis are valid characters inside domain/host names. So it might be that a valid occurrence of a number inside parenthesis will be incorrectly replaced by a dot. One example of an actual use of parenthesis (though not with numbers inside) that is rather common in Windows networks is the following: (9)_carddavs(4)_tcp(6)(null)(0) which should be converted to _carddavs._tcp.(null) .
So the only viable solution that will always work is to actually write code that treats the numbers in parenthesis as what they really are - the length of each dot-separated string that makes up the domain/host name in question. Maybe an external command implementation in Python is in order here.
... View more
07-10-2015
07:59 AM
For the hostname regex, you need to handle the pointers in square brackets as well. See this for more details: http://stackoverflow.com/questions/20381717/windows-dns-server-debug-log-hostname-format
... View more
06-24-2015
07:59 AM
4 Karma
So it turns out that the latest available version of the app claims support to CIM 4.0. And the Network Resolution (DNS) data model didn't show up until CIM 4.1.0 was released around 6 months ago.
So apparently it's a documented current limitation of the app. Oh, well.
... View more
05-21-2015
01:30 PM
1 Karma
Pro tip: pep8 and autopep8 are your friends.
... View more
05-20-2015
01:29 PM
What you want to do is to create a custom search command, and here is the applicable documentation:
Slunk SDK for Python "How to create custom search commands" page: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2
Documentation > Splunk Enterprise > Developing Views and Apps for Splunk Web > Custom search commands page: http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts
The Python script should reside in your apps bin directory, and you should also edit default/commands.conf to configure the new command.
The spec file for commands.conf can be found here: http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Commandsconf
Hope this helps.
... View more
05-20-2015
11:14 AM
6 Karma
I set up a test environment with a Windows 2012 R2 server with the DNS server role, and was able to successfully install TA-DNSServer-NT6 (as per the instructions at http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/DownloadandconfiguretheSplunkAdd-onsforWindowsDNS ).
However, I was very surprised to discover two things:
The DNS packet data (which contains the actual replies, such as the IP addresses a hostname resolved to in a A query) was not being parsed, and in fact generated "incomplete" alerts with each packet line as in this example:
The summary lines were being correctly parsed, but the corresponding CIM fields (http://docs.splunk.com/Documentation/CIM/4.2.0/User/NetworkResolutionDNS ) were not extracted. For example, a query for tag=dns came up empty even though there are DNS events and the Splunk App for Windows Infrastructure "DNS: Top Requested Queries" report is being populated. Here is an example:
For one, I would have expected to see tags with network , resolution and dns values as per the CIM documentation.
Can anyone else with a working installation of the DNS debug log collection confirm whether this field is populated for them? Did I make some mistake in the setup or is this a limitation of the app?
... View more
04-09-2015
11:55 AM
Turns out I found a way to do this using join . Assuming there's a macro called my_events which selects the CIM-compliant events, this is what is looks like:
`my_event` | join type=left src_ip [ search `my_event` NOT src_host="*" | fields src_ip | fields - _* | dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_host_resolved ] | eval src_host=coalesce(src_host, src_host_resolved)
One interesting advantage is that I am doing a single DNS lookup of each unique source IP address for which there are events with no src_host field.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
