Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bworrellZP
bworrellZP
Communicator
Member since:
08-11-2015
07-19-2021
Community Statistics
| Posts | 103 |
| Solutions | 3 |
| Karma Given | 9 |
| Karma Received | 7 |
| Member Since | 08-11-2015 |
Activity Feed
- Karma Adding more fields that are in the CB Defense console to the splunk app? for pmac22. 06-05-2020 12:50 AM
- Karma carbon black add-on defense CIM support for OBsecurity. 06-05-2020 12:50 AM
- Karma Re: Dashboard visibility issue for mayurr98. 06-05-2020 12:49 AM
- Karma Re: Validate success versus failed logins for HeinzWaescher. 06-05-2020 12:49 AM
- Karma Cb Defense Add-On for Splunk: Typo in props.conf for wfjarrett538. 06-05-2020 12:49 AM
- Karma Re: How to create summary index to track count of records per index, per sourcetype, per day? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Trying to create a search that will use the results to feed another search and output the results in a table.. 06-05-2020 12:48 AM
- Got Karma for How to convert at geo map to a choropleth map?. 06-05-2020 12:48 AM
- Got Karma for Dashboard using base search with subsearches for panels.. 06-05-2020 12:48 AM
- Karma Re: Search for a field not containing a specific pattern. for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Trying to create a graph that shows Combined stats and an average..... for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Splunk DB Connect 2: Is there a way to tell how many records were imported per poll, and can we go back an import missing records? for Richfez. 06-05-2020 12:47 AM
- Got Karma for Why is the Splunk DB Connect 2.0.5 Health dashboard not populating data?. 06-05-2020 12:47 AM
- Got Karma for Re: Why is the Splunk DB Connect 2.0.5 Health dashboard not populating data?. 06-05-2020 12:47 AM
- Got Karma for Re: Why is the Splunk DB Connect 2.0.5 Health dashboard not populating data?. 06-05-2020 12:47 AM
- Got Karma for How to edit my Simple XML to pass time variables from one dashboard to another?. 06-05-2020 12:47 AM
- Posted Installing 8.0.1 on Fedora server. Have an error that I am just missing. on All Apps and Add-ons. 01-04-2020 02:44 PM
- Posted Re: Dashboard Permissions question on Security. 01-29-2019 12:00 PM
- Posted Re: Dashboard Permissions question on Security. 01-25-2019 09:43 AM
- Posted Dashboard Permissions question on Security. 01-25-2019 07:10 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
01-04-2020
02:44 PM
During the setup, when going to have Splunk run on boot up, I run this command (after editing /etc/init.d/splunk)
sudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 0 -user splunk
But rather than it run correctly, I get the following.
execve: No such file or directory
while running command /sbin/chkconfig
At work, we use RedHat with Systemd disabled for Splunk. (Note we deployed to 7.0 and have updated over time, so the servers do have systemd now, just not using it for splunk, and the boot-start was there already). Testing on Fedora for a new QA server. First time dealing with it. I know its something stupid, but missing it.
Any help would be great.
... View more
01-29-2019
12:00 PM
In this scenerio, the roles are already created. Someone in SplunkDevOps1 creates a new dashboard. They do not have the option to give SplunkDevOps2 write access to this dashboard. They can give "Everyone" the ability to read (which is okay), but giving write access to "Everyone" is an issue.
This is the thing we are trying to figure out. How a person in a role can give read and write access to other roles, without having to use "everyone" or having the admin go alter the roles.
... View more
01-25-2019
07:10 AM
Howdy,
We have roles setup for our various splunk users. They are able to create dashboards. When they go to share it, they can only share with Everyone, or the group they are in.
Example
SplunkDevOps1
SplunkDevOps2
SplunkDevOps3
Each has the same base Index access, but higher levels have more index access. SplunkDevOps1 creates a dashboard for IIS data. They want to share with SplunkDevOps3.
Since they cannot see that group, is there a perm to add or a setting that would allow them to do this?
Thanks
... View more
04-13-2018
03:01 AM
Excellent, your suggestion was able to get me where I needed you go. Thank you
... View more
04-12-2018
04:25 AM
Okay, this is good, they (management) liked it. They had two questions. Can we add the amount of times the login was tried, and can we also add the ones that did login successfully, and show the failed counts for those.
I am going to try and mess with this some, as the distinct count option was not one I had thought of.
... View more
04-11-2018
08:08 AM
I was asked if we can run a report / create an alert to act on the following:
Accounts that have had failed logins, but never a successful login, within a defined time window. The goal is to determine is an account has ever been used successfully, and if it has not, then it can be sent to the access management team to review.
In my data, I have the default _time but also have a time field from the source of "LoginAttemptDateTime". For login status, I have a field called "LoginStatus", and of course user field of "User".
Looking at some of the Brute force posts offered ideas, but nothing that gave me exactly what I was asked for. Hoping someone has another idea.
Thanks in advance
... View more
- Tags:
- splunk-enterprise
01-17-2018
05:28 AM
Documentation has some errors and needs a few points of clarification.
Example. There is reference to changing the Port for the app, but nothing about how to change the port on Firepower to account for the change.
... View more
01-11-2018
12:47 PM
I believe I have found a bug. Test user is in a splunk group that comes from AD, (splunktier3sec), but also inherits some other roles. (User ends up with these roles - admin, power, splunktier3sec ) I had to add the searched indexes by default the indexes in use, to the admin role, even though they were in the splunkteir3sec role already. (Dashboard searches also had the indexes listed, so it should not have been needed anyway). Guess that role trumps all others.
Will test later with non-admin, with only one role. But at this point, I believe this to be the case.
... View more
01-11-2018
10:39 AM
So I had a dashboard that was in testing, so it was private. Since I have completed it, I changed it, made visible in the app (search app), set to everyone for read.
Then I logged in as a test user. The dashboard is there, all panels are visible. Issue is that everything says "no results found", If I click the spyglass, nothing shows in the statistics, yet there are events in the events tabs.
User that I was testing with is also an admin.
Thoughts on what to check and where?
... View more
- Tags:
- splunk-enterprise
01-11-2018
06:31 AM
This worked, without the need for the timewrap. Thank you.
... View more
01-11-2018
06:30 AM
This option still listed today in the list. Thank you for the suggestion though
... View more
01-11-2018
04:37 AM
I am trying to compare daily failed logins for a web app. The initial ask was they wanted to know how many failed Yesterday, as compared with the day before. Racking my head around the search, as no matter what I do, I seem to also get todays failed logins, which then does not show yesterday and the day before, but rather today and yesterday.
(index=web1 OR index=web2) AND LoginStatus=Failed
| stats first(*) as * by LoginAttemptID, index, _time
| table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID LoginStatus | eval earliestTime = relative_time(now(),"-2d@d")
| eval latestTime = relative_time(now(),"-0@d")
| where _time>=earliestTime AND _time<=latestTime
| timechart count as Total span="1d" fixedrange=false
I am sure its something silly, but any help is appreciated.
... View more
08-22-2017
07:33 AM
Hrm, thinking differently, could I use a lookup for that? And yes the goal is to move to a CIM compliance at some point, and use ES as well, though I believe that is a bit off still (team understaffed at the moment).
... View more
08-22-2017
06:58 AM
3no,
I thought about that, but as I understand the process, I would have to make an alias per sourcetype, for each alias. I was hoping there was a way to do a field alias or another alias, across all sourcetypes.
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-19-2021
03:01 PM
|
Karma from
Karma given to
