Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About IgorB
IgorB
Path Finder
Member since:
10-14-2010
06-05-2020
Community Statistics
| Posts | 43 |
| Solutions | 6 |
| Karma Given | 30 |
| Karma Received | 52 |
| Member Since | 10-14-2010 |
Activity Feed
- Got Karma for Re: Why are CEF Events not all extracting correctly, shifting key-value pairs for pipe-delimited fields?. 11-17-2020 09:37 AM
- Karma Re: Converting relative time into epoch for the time range picker for niketn. 06-05-2020 12:49 AM
- Karma Re: Running one of two searches based on time picker selection for niketn. 06-05-2020 12:49 AM
- Karma Re: DB Connect Checkpoint Value Not Updating for ejenson_splunk. 06-05-2020 12:49 AM
- Karma Re: Performance impacts of Spectre/Meltdown mitigation for jimodonald. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
- Got Karma for Performance impacts of Spectre/Meltdown mitigation. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 29 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 2 |
06-25-2019
12:17 PM
Apparently this is no longer true in Splunk v.7.x.
Thanks to @woodcock for pointing this out
... View more
07-16-2018
11:31 AM
Apparently there are numerous causes for such problem - mine was that some of the data returned by SQL query was causing HEC issues, so the the input was advancing till it encountered a problematic event and then was indexing same set of entries over and over again because behind-the-scenes HEC was failing mid-flight, so checkpoint never got updated.
... View more
06-22-2018
01:26 PM
Hi @wvalente,
Installing "CEF Extraction Add-on for Splunk" app won't help if you are not using the field extractions it provides. Please see usage examples in the app's README.
--Igor
... View more
05-28-2018
01:22 PM
New (1.5.0+) versions of CEF Extraction Add-on for Splunk have transforms that can be used to extract custom CEF fields without | cefkv
command
... View more
01-08-2018
12:35 PM
That's the document that sent me looking for the exact figures - as far as I understand Splunk workloads are in "Modest" and "Measurable" impact categories,
... View more
01-07-2018
04:37 AM
29 Karma
Does anyone have figures of the performance impact of CVE-2017-5754 , CVE-2017-5753 and CVE-2017-5715 (Spectre/Meltdown) patches on Splunk?
... View more
09-21-2016
05:33 AM
1 Karma
From what I found saving settings in "Edit Incident" window requires 'admin_all_objects' and 'edit_tcp' capabilities in 2.0.5. Security-wise that's a disaster.
... View more
09-12-2016
07:48 AM
I downvoted this post because:
Sorry, can't accept. your reply doesn't answer my question:
1. your assumption that I've used '| tscollect' is incorrect
2. '| tstats ... ' you proposed misses the point of returning only ips in a specific range
... View more
08-02-2016
07:10 AM
We've got a modular input polling an external data source via REST API,running on one of the heavy forwarders in the deployment.
We'd like to ensure that the input "migrates" to another Splunk instance if the forwarder goes down.
Ideas?
... View more
07-11-2016
03:25 PM
Is it possible to match IP address range in tstats where clause?
Example:
It's possible to do this with search+stats:
index=test IP="10.1.1.0/25" | stats count by IP
But since we have IP extracted at index time, I'd rather take advantage of tstats performance and run something like
| tstats count where index=test IP="10.1.1.0/25" by IP
but that doesn't work as expected - tstats matches any IP as if the filter was IP="*"
Ideas?
... View more
08-13-2015
03:16 AM
1 Karma
All you need to do is install the add-on and make sure your CEF data's sourcetype is "cefevents"
... View more
05-26-2015
02:26 PM
2 Karma
@khourihan_splunk - the reason the add-on is not working for you is because your data doesn't comply with CEF format as defined in this document: there's a space before CEF Version field: CEF: 0|Imperva <...snip...> .
| cefkv provides expected results once the space is removed:
AlertNumber 62431
ApplicationName Multiple
Description Distributed Malformed JSON Message
EventID 1728628311230694325
Gateway kmj-us-p1-np-Nwafgw-3-222
QueryParameters
ResponseCode 401
ServerGroup OrbisAZ-B
URLMethod POST
So you've got 2 solutions here:
1. Have your source send events with properly formatted CEF headers
2. Modify the regex in line 11 of $SPLUNK_HOME/apps/cefutils/bin/cefkv.py to match your headers.
Sorry for the late answer. IMO that's still better than leaving the question unanswered ...
BR
--Igor
... View more
05-26-2015
01:37 PM
Apparently I missed this one. Thanks for pointing out
... View more
05-26-2015
01:22 PM
Glad I could help.
A small note - in a distributed environment there's really no need to install the add-on on the indexer(s) if the data is collected by a Heavy Forwarder and you are using a Search Head to run your searches.
... View more
05-24-2015
12:51 PM
2 Karma
Hi,
The add-on contains configurations that are used both at index time (Parsing/Merging pipelines) and at search time, so you need to install it on the Heavy Forwarders and on the Search Heads.
Basically, what you need to do is to install the add-on all relevant Splunk instances (see above) and either:
Modify the relevant inputs.conf on the Heavy Forwarder to set sourcetype for CEF logs collected by the HF to cefevents or
copy the props.conf supplied with the add-on to $SPLUNK_HOME/etc/apps/cefutil/local and modify the stanza name to match your sourcetype or source.
BR
--Igor
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
Karma given to
