Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About justinhart
justinhart
Path Finder
Member since:
10-08-2010
06-05-2020
Community Statistics
| Posts | 35 |
| Solutions | 3 |
| Karma Given | 1 |
| Karma Received | 11 |
| Member Since | 10-08-2010 |
Activity Feed
- Got Karma for Universal Forwarder on Laptop. 06-05-2020 12:46 AM
- Karma Re: Google Maps App Not Showing Results for Simeon. 06-05-2020 12:45 AM
- Got Karma for Google Maps App Not Showing Results. 06-05-2020 12:45 AM
- Got Karma for Re: How to get the "splunk" command working with Windows 2008 and UAC?. 06-05-2020 12:45 AM
- Got Karma for Re: How to get the "splunk" command working with Windows 2008 and UAC?. 06-05-2020 12:45 AM
- Got Karma for Re: How to get the "splunk" command working with Windows 2008 and UAC?. 06-05-2020 12:45 AM
- Got Karma for Re: How to get the "splunk" command working with Windows 2008 and UAC?. 06-05-2020 12:45 AM
- Got Karma for Re: About data input, some data didn't be eaten.. 06-05-2020 12:45 AM
- Got Karma for Re: combining date fields into a single field for charting.. 06-05-2020 12:45 AM
- Got Karma for Re: WMI firewall ports. 06-05-2020 12:45 AM
- Got Karma for Re: Three Questions from a Splunk newbie. 06-05-2020 12:45 AM
- Got Karma for Re: IIS 6.0 logs (W3C Extended) columns names are shifted one position from the data due to "#Fields: ". 06-05-2020 12:45 AM
- Posted Re: Universal Forwarder on Laptop on Deployment Architecture. 05-11-2012 06:39 AM
- Posted Re: Universal Forwarder on Laptop on Deployment Architecture. 05-10-2012 07:03 AM
- Posted Universal Forwarder on Laptop on Deployment Architecture. 05-10-2012 06:25 AM
- Tagged Universal Forwarder on Laptop on Deployment Architecture. 05-10-2012 06:25 AM
- Posted Re: breaking multiline forefront events on Getting Data In. 02-28-2012 07:41 AM
- Posted Re: breaking multiline forefront events on Getting Data In. 02-10-2012 12:14 PM
- Posted Re: breaking multiline forefront events on Getting Data In. 02-10-2012 11:51 AM
- Posted Re: breaking multiline forefront events on Getting Data In. 02-10-2012 11:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
05-11-2012
06:39 AM
Only starting the UniversalForwarder service only when connected to our network solved the problem. Thanks for your help.
... View more
05-10-2012
07:03 AM
Yes these are windows laptops, but they are not joined to the domain as they are mostly used offsite.
Would this approach also collect the historical data from when the device wasn't connected to our network?
... View more
05-10-2012
06:25 AM
1 Karma
We have a use case where we want to forward system logs from a laptop to our default Splunk instance. The tricky thing is that the laptop will not be connected to our network most of the time. We plan on having them connect to our network to send the data over at certain intervals.
We have thought about using the Universal Forwarder to do this, but it doesn't seem to send any of the data over from when it wasn't connected to the network. Is there a trick to getting this to work, or a better Splunk solution for this issue? Thanks for your help.
... View more
- Tags:
- universalforwarder
02-28-2012
07:41 AM
Just an update on what actually solved this problem. I wasn't real clear in my original question, leaving out the fact that the production data, that I was having problems with, was coming from a forwarder. This is why the changes made to the props.conf on the indexer did not fix the production data. It did fix the test data which was not coming from a forwarder.
I applied the props stanza below on each of the forwarders and my issue is resolved. Thanks for everybody's help.
[ms_forefront]
CHARSET = UTF-16LE
LINE_BREAKER = ([\r\n]+)(\*{60})
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = 1
pulldown_type = 1
... View more
02-10-2012
12:14 PM
What I did, after using your props.conf stanza, added CHARSET=UTF-16LE to the stanza and removed my SEDCMD entry. This pulled it in without the \x00 "null" characters and for the most part broke the events as they are supposed to be. There are just a few that didn't break. Now, I think, it's just a matter of fine-tuning the line break commands. Thanks for your help.
... View more
02-10-2012
11:51 AM
Actually, just doing a monitor of a UNC path where the files are located.
... View more
02-10-2012
11:31 AM
It does have something to do with it. I created a second log file and copied/pasted log data into it and it broke the lines fine.
If I remove the sedcmd then i get an \x00 in between each character of my log. I guess I need to look and see exactly what the sedcmd is doing.
... View more
02-10-2012
11:26 AM
I am not deleting them and reindexing, I'm making the changes, restarting splunk, and then triggering more events to be written to my forefront logs.
Yes, I do have crcSalt = in my input.
Would the SEDCMD that I have to put in my props.conf affect anything?
... View more
02-10-2012
11:19 AM
This is the event in Splunk:
Microsoft Forefront Client Security Log, (c) 2006
Microsoft Forefront Client Security Log, (c) 2006
Started On Fri Feb 10 2012 14:15:44
Product Version: 1.5.1941.0
Engine Version: 1.1.8001.0
AS Signature Version: 1.119.1709.0
AV Signature Version: 1.119.1709.0
The second and third row of -----'s are actualy asterisks, not sure why the comment changed them.
... View more
02-10-2012
10:38 AM
Thanks dmaislin, but that didn't seem to do what I'm wanting.
Each line in between the "***************" lines should be one event. Here is the props.conf stanza that I'm using right now that isn't working
[ms_forefront]
NO_BINARY_CHECK = true
SEDCMD-stripnull = s/\\x00//g
LINE_BREAKER = ([\r\n]+)(\*{60})
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = (\*{60})
BREAK_ONLY_BEFORE_DATE = false
I have to wonder if the SEDCMD has something to do with it. Without the sedcmd, I get a "\x00" inserted in between each character of my log.
... View more
02-10-2012
06:54 AM
Hello,
I'm trying to break logs collected from Microsoft Forefront Client Security into separate events. Here is a sample of the logs:
--------------------------------------------------------------------------------
Microsoft Forefront Client Security Log, (c) 2006
Started On Fri Feb 10 2012 08:57:48
************************************************************
Product Version: 1.5.1941.0
Engine Version: 1.1.8001.0
AS Signature Version: 1.119.1683.0
AV Signature Version: 1.119.1683.0
************************************************************
Microsoft Forefront Client Security Log, (c) 2006
Stopped On Fri Feb 10 2012 09:20:43 (Exit Code = 0x0)
************************************************************
--------------------------------------------------------------------------------
Microsoft Forefront Client Security Log, (c) 2006
Started On Fri Feb 10 2012 09:20:45
************************************************************
Product Version: 1.5.1941.0
Engine Version: 1.1.8001.0
AS Signature Version: 1.119.1683.0
AV Signature Version: 1.119.1683.0
************************************************************
Begin Resource Scan
Scan ID:{4D865233-FA4A-42C5-87A3-962CC4E6B95A}
Scan Source:4
Start Time:Mon May 09 2011 15:10:29
End Time:Mon May 09 2011 15:10:30
Explicit resource to scan
Resource Schema:taskscheduler
Resource Path:@S-1-5-21-3171008878-1269407668-386151811-1006\C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe
Extended Info:481036337152
End Scan
************************************************************
I'd like for the data in between the asterisks to be one event.
I've tried several versions of the props.conf stanza with nothing working all of the time. What is the best and most efficient way to do this. Thanks.
... View more
02-06-2012
12:35 PM
Thanks, this seemed like the easiest way to get what I was wanting.
... View more
02-06-2012
08:46 AM
I am performing a search on some data that contains the computername, drive letter, and path of drives mapped to the computer. I also have a second search that returns the username associated with the computer. How can I add a field to the first search that ties the computername in search 1 to the username in search 2. Can I do this with a eval/subsearch or by doing a lookup to a csv file?
Thanks.
... View more
12-11-2010
03:56 PM
1 Karma
You will need to set up the headers of the columns manually that will be extracted. See this Q/A. Basically, you will set up a manual extraction defined by the sourcetype of the IIS logs that you are indexing. Hope this helps.
... View more
12-03-2010
09:14 PM
1 Karma
It sounds like you are planning on building out a fairly complex Splunk environment. Here is the documentation describing several different scenarios of clusters. Hopefully it helps.
I would guess that the CPU spike is due to the Splunk process going through all of your inputs and processing the backed up items.
... View more
12-02-2010
06:51 PM
1 Karma
TCP/135 is the standard port for RPC. It also uses a randomly assigned port between 1024-65535(TCP) for Windows 2003 and older, and 49152 - 65535(TCP) for Windows 2008. As far as I know there is not a way to change this since it is a internal windows service.
... View more
12-02-2010
06:37 PM
1 Karma
Try:
| eval full_date = date_year." ".date_month." ".date_mday
You can format that in whatever way you want, the area between " " is the seperator.
This was found under the eval command reference here.
... View more
12-02-2010
01:32 PM
Sorry about the above comment didn't show correctly. Please see my initial answer for the revisions.
... View more
12-02-2010
01:30 PM
Add:
crcSalt =
as in:
[monitor://xxxxxxxxxxxxxxxxxx]
disabled = 0
followTail = 0
host = xxxxxxxxxxxx
index = xxxxxxxxx
crcSalt =
sourcetype = iis_w3c_default
to your input in inputs.conf. This should be typed exactly and splunk will have to be restarted. Monitor the logs again to see if you keep getting the errors you mentioned. Also watch for your data to start appearing. Let me know how it goes.
... View more
12-02-2010
01:25 PM
That's what I was afraid of. Please copy/paste your entire search string of your report and I'll see what I can come up with.
... View more
