Activity Feed
- Posted Re: Field extration based on Event Type on Splunk Search. 06-27-2022 08:03 AM
- Got Karma for If Cisco IPS App is now deprecated, how should SDEE events be collected?. 06-05-2020 12:47 AM
- Karma Re: How do I remove Print/Generate PDF buttons? for emechler_splunk. 06-05-2020 12:46 AM
- Got Karma for Alerts - enrichment. 06-05-2020 12:46 AM
- Posted Re: Should my Cisco IPS ips_sdee.log files be rotating? on Monitoring Splunk. 09-02-2014 07:36 AM
- Posted Re: Does stats understand the % symbol? on Splunk Search. 07-11-2014 06:19 AM
- Posted Re: Does stats understand the % symbol? on Splunk Search. 07-11-2014 05:56 AM
- Posted Does stats understand the % symbol? on Splunk Search. 07-11-2014 05:43 AM
- Tagged Does stats understand the % symbol? on Splunk Search. 07-11-2014 05:43 AM
- Posted Re: Cisco IPS Error [errno="" 8] on Getting Data In. 06-30-2014 10:43 AM
- Posted Re: If Cisco IPS App is now deprecated, how should SDEE events be collected? on All Apps and Add-ons. 06-30-2014 06:41 AM
- Posted If Cisco IPS App is now deprecated, how should SDEE events be collected? on All Apps and Add-ons. 06-30-2014 05:26 AM
- Tagged If Cisco IPS App is now deprecated, how should SDEE events be collected? on All Apps and Add-ons. 06-30-2014 05:26 AM
- Posted Re: Can I add text on the login page ? on Security. 05-16-2014 09:43 AM
- Posted Re: Splunk 6.0.1 Login page customization on Splunk Search. 05-16-2014 09:28 AM
- Posted Re: How do I remove Print/Generate PDF buttons? on Other Usage. 10-30-2013 03:47 PM
- Posted Alerts - enrichment on Alerting. 10-30-2013 03:21 PM
- Tagged Alerts - enrichment on Alerting. 10-30-2013 03:21 PM
- Posted Timeranger picker is great for timerange, is there something similar for Granularity...? on Dashboards & Visualizations. 10-30-2013 03:14 PM
- Tagged Timeranger picker is great for timerange, is there something similar for Granularity...? on Dashboards & Visualizations. 10-30-2013 03:14 PM
06-27-2022 08:03 AM
Nine years on... is it possible yet to define field extractions for particular eventtypes? Defining them on a sourcetype basis is too generic... one extraction does not fit all events for a given source type. Example: the Linux file /var/log/secure contains Username in different places for successful login and for failed login... so two extractions are required for the same field "Username". Is this a reliable way to do it...? Will the extractions conflict or will the results just be merged?
09-02-2014 07:36 AM
I'm also struggling with this...
Would be good if
a) the logs were not collected at all... just imported straight to the index
b) the logs were located in the /var/log folder... and managed with normal unix logrotate...
Anyone know how to do either of those things...?
thanks
07-11-2014 06:19 AM
... and is it possible to include the host in the label...
i.e. ... as $host_CPU_Util% by time
many thanks
07-11-2014 05:43 AM
Hi,
My events actually report CPU and Mem utilization... 35.45% and 25.56%
I extract these over time but I don't get lines on my chart.
I'm wondering if these fields are read as text... so can't be graphed?
My search is below:

```
CSCOacs_System_Statistics host="bob" | stats list(SysStatsUtilizationMemory) as MemUtil list(SysStatsUtilizationCpu) as CPU_Util by _time
```

I'm wondering if I need to strip out the % from the results... or if I should be using a different tool... timechart or something.
thanks
- Tags:
- stats
06-30-2014 10:43 AM
I installed the pySDEE.py file attached earlier, tried it with v1 and v3... I get the same fault with both.

```
ERROR - Exception thrown in sdee.get(): URLError:
ERROR - Attempting to re-connect to the sensor: 173.30.4.68
INFO - Checking for exsisting SubscriptionID on host: 173.30.4.68
INFO - SubscriptionID: sub-1-c0a4a321 found for host: 173.30.4.68
INFO - Attempting to connect to sensor: 173.30.4.68
INFO - Successfully connected to: 173.30.4.68
```

Any ideas welcome...
thanks
06-30-2014 06:41 AM
Have just installed Cisco Security Suite but I'm no wiser. It seems there is no way to configure IPS event collection via SDEE from within the App... and a Technology Add-on is required (but it doesn't say which one or where to find it...).
The CiscoIPS app used to be fine but it stopped working since upgrading to Splunk 6.1 (some kind of SSL error).
06-30-2014 05:26 AM
1 Karma
If Cisco IPS App is now deprecated, how should SDEE events be collected?
thanks
- Tags:
- Splunk for Cisco IPS
05-16-2014 09:28 AM
So how do I insert and center my own logo?
This was clearly explained for v5; now it's broken and there's no explanation on how to fix it.
10-30-2013 03:47 PM
Hi...
I've just implemented this change... it successfully removed the Edit buttons...
However I would actually like to have a title on my charts... is there a simple way to insert some text so I can have a title... without using the title bar...?
Also I'd like to add a logo.
Many thanks
10-30-2013 03:21 PM
1 Karma
I have a search defined to trigger an alert...
e.g.
search all failed logins and count by user_name
If the number of failed logins > 5 in time_frame, then trigger alert.
This works fine... I get an alert telling me that the Alert_ has triggered....
But this is not much information... The information content of the alert should at least contain the name of the user who failed to login 5 times.
In general I'm asking for the ability to pass an extracted field from the search into the alert forwarded to an up-stream system.
Is this possible?
Best regards
Mathew
- Tags:
- alerts
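The two detection questions on this page (the /var/log/secure post above, where the same "Username" field has to be extracted from both the failed-login and the successful-login message shapes, and the failed-login alert post, where the alert should carry the user name and not just "triggered") can be prototyped outside Splunk. The following is an added Python example, not code from the original poster or from Splunk: it applies two extraction patterns to constructed sshd-style lines, counts failures per user, and produces an enriched alert record for any user over the threshold. The log lines, the pattern names and the alert field names are all assumptions made for the example; it does not describe how Splunk itself merges conflicting extractions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a Linux /var/log/secure (sshd).
# The username sits in a different position for failed and accepted logins,
# so two patterns are needed to populate a single "Username" field.
SAMPLE_SECURE_LOG = """\
Oct 30 15:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 50122 ssh2
Oct 30 15:01:04 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 50123 ssh2
Oct 30 15:01:10 host1 sshd[2103]: Failed password for bob from 203.0.113.10 port 50130 ssh2
Oct 30 15:01:12 host1 sshd[2103]: Failed password for bob from 203.0.113.10 port 50131 ssh2
Oct 30 15:01:14 host1 sshd[2103]: Failed password for bob from 203.0.113.10 port 50132 ssh2
Oct 30 15:01:16 host1 sshd[2105]: Failed password for bob from 203.0.113.11 port 50140 ssh2
Oct 30 15:01:18 host1 sshd[2105]: Failed password for bob from 203.0.113.11 port 50141 ssh2
Oct 30 15:01:20 host1 sshd[2105]: Failed password for bob from 203.0.113.11 port 50142 ssh2
Oct 30 15:02:00 host1 sshd[2109]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
Oct 30 15:02:30 host1 sshd[2110]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Pattern names are assumptions for this example. "invalid user" is optional
# because sshd prefixes it when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<Username>\S+) from (?P<src_ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<Username>\S+) from (?P<src_ip>\S+)"
)


def extract(line):
    """Apply both extractions to one line.

    Each line matches at most one pattern, so the two extractions never
    disagree about Username; the results simply merge into one field.
    Returns None for lines that are neither a failure nor a success.
    """
    for action, pattern in (("failure", FAILED_RE), ("success", ACCEPTED_RE)):
        m = pattern.search(line)
        if m:
            return {"action": action, **m.groupdict()}
    return None


def count_failures(lines):
    """Count failed logins per user and remember the source IPs seen."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        ev = extract(line)
        if ev and ev["action"] == "failure":
            counts[ev["Username"]] += 1
            sources[ev["Username"]].add(ev["src_ip"])
    return counts, sources


def build_alerts(lines, threshold=5):
    """Return one enriched alert record per user with more than `threshold`
    failures, carrying the extracted user name and source IPs instead of a
    bare 'alert triggered' notice."""
    counts, sources = count_failures(lines)
    return [
        {"user_name": user, "failed_logins": n, "src_ips": sorted(sources[user])}
        for user, n in sorted(counts.items())
        if n > threshold
    ]


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_SECURE_LOG.splitlines()):
        print(alert)
```

With the constructed input, only `bob` exceeds five failures, and the alert record names him and lists both source addresses; `admin` (two failures) and `alice` (a successful login) produce no alert. The same shape of record is what one would want to hand to an upstream system instead of a bare trigger notice.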
10-30-2013 03:14 PM
e.g.
When I run a search over 7 days I get a bar chart with 7 bars (daily granularity).
When I run a search over 24 hours I get a bar chart with 48 bars (30 min granularity).
If I run a search over 7 days how can I make it give me (24x7) 168 bars?
Is there something similar to the Timerange picker for Granularity?
thanks
09-20-2013 10:18 AM
I also would like to do this. If a pdf can be generated and emailed, surely it can be generated and dropped on the local disk somewhere.
Sounds simple...
Does anyone know how to do it?
08-15-2013 02:12 PM
Just reinstalled Splunk for Cisco Firewalls and restarted...
Not seen this error before... Any suggestions?

```
received event for unconfigured/disabled/deleted index='firewall' with source='source::DirectSysLogMessages' host='host::173.30.4.67' sourcetype='sourcetype::syslog' (1 missing total
```
thanks
08-14-2013 11:58 AM
Hi, thanks
I removed the app as suggested:

```
rm -rf Splunk_CiscoFirewalls
splunk restart
```

I still have the firewall reports in the Splunk for Security app.
I still get the error "Error in 'SearchParser': Could not find macro 'cisco_firewall' that takes 0 arguments. Expecting stanza name 'cisco_firewall'." and when I search for the missing macro... I can see lots of references to it, but no actual macro:

```
grep -r cisco_firewall ./*
./etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf:search = cisco_firewall
```

I'm not sure if this macro was part of the app I deleted or not? Any ideas?
08-14-2013 11:25 AM
OK, a blunt approach, but usually reliable. Two more questions...
1) With the Cisco ASA app, there are no transforms, props or inputs defined in the app directory. Does this suggest they are integrated with the main conf files? If so, how can you remove that app... not with the rm -rf command...
2) Why does 'splunk remove app /opt/splunk/etc/apps/Splunk_CiscoFirewalls' not work?
many thanks
Mathew
08-14-2013 11:12 AM
Disabling it does not remove menus from 'Splunk for Cisco Security'.
The splunk remove app command says the app does not exist:

```
[root@hostname apps]# ll
total 92
drwx--x--x 8 root root 4096 Jul 15 17:14 amMap
drwx------ 2 root root 4096 Aug 6 14:36 default
drwxr-xr-x 2 root root 4096 Aug 6 16:15 ******
drwxr-xr-x 6 splunk splunk 4096 Jul 11 13:51 gettingstarted
drwxr-xr-x 7 splunk splunk 4096 Jul 15 17:53 launcher
drwxr-xr-x 5 splunk splunk 4096 Jul 11 13:53 learned
drwxr-xr-x 3 splunk splunk 4096 Jul 11 13:51 legacy
drwx--x--x 8 root root 4096 Aug 8 14:52 maps
drwx------ 5 root root 4096 Jul 15 17:14 MAXMIND
drwxr-xr-x 6 splunk splunk 4096 Jul 11 13:51 sample_app
drwxr-xr-x 8 splunk splunk 4096 Jul 11 13:51 search
drwx--x--x 9 root root 4096 Aug 6 14:37 sideview_utils
drwx--x--x 8 root root 4096 Jul 16 15:30 Splunk_CiscoFirewalls
drwx------ 9 root root 4096 Jul 15 17:12 Splunk_CiscoIPS
drwx--x--x 7 root root 4096 Aug 14 17:42 Splunk_CiscoSecuritySuite
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 splunk_datapreview
drwx------ 7 root root 4096 Jul 15 18:04 splunk_deployment_monitor
drwx--x--x 6 root root 4096 Jul 15 17:12 Splunk_for_CiscoASA
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 SplunkForwarder
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 SplunkLightForwarder
drwx--x--x 6 root root 4096 Aug 8 14:51 TA-cisco_ios
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 user-prefs
drwx------ 9 root root 4096 Jul 15 18:04 windows
[root@ams-coms-btnm-04 apps]# splunk remove app /opt/splunk/etc/apps/Splunk_CiscoFirewalls
Application does not exist: /opt/splunk/etc/apps/Splunk_CiscoFirewalls
[root@hostname apps]# ll Splunk_CiscoFirewalls
total 72
drwx--x--x 3 root root 4096 Jul 15 17:13 appserver
drwx--x--x 2 root root 4096 Jul 16 15:30 default
drwx--x--x 2 root root 4096 Jul 15 17:13 default.old.20130716-153026
-r-------- 1 root root 19031 Jul 16 15:30 license-eula.rtf
-r-------- 1 root root 18526 Jul 16 15:30 license-eula.txt
drwx--x--x 2 root root 4096 Aug 8 14:46 local
drwx--x--x 2 root root 4096 Jul 15 17:13 lookups
drwx--x--x 2 root root 4096 Aug 8 14:46 metadata
-r-------- 1 root root 5890 Jul 16 15:30 README.txt
[root@hostname]#
```
06-24-2013 03:33 AM
I would also like to know the answer.
My environment is also isolated from the internet.
Can I create some .png files or something like that?
Regards
Mathew