Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ColinJacksonPS
ColinJacksonPS
Path Finder
Member since:
08-06-2018
01-25-2022
Community Statistics
| Posts | 26 |
| Solutions | 1 |
| Karma Given | 5 |
| Karma Received | 1 |
| Member Since | 08-06-2018 |
Activity Feed
- Posted Re: Okta Deprovision/Remove users from Splunk Cloud on Splunk Cloud Platform. 01-25-2022 12:59 PM
- Posted Okta Deprovision/Remove users from Splunk Cloud on Splunk Cloud Platform. 01-25-2022 12:49 PM
- Tagged Okta Deprovision/Remove users from Splunk Cloud on Splunk Cloud Platform. 01-25-2022 12:49 PM
- Tagged Okta Deprovision/Remove users from Splunk Cloud on Splunk Cloud Platform. 01-25-2022 12:49 PM
- Tagged Okta Deprovision/Remove users from Splunk Cloud on Splunk Cloud Platform. 01-25-2022 12:49 PM
- Karma Re: Filter AWS Cloudtrail readonly events for venkatasri. 06-24-2021 11:55 AM
- Posted Re: Filter AWS Cloudtrail readonly events on Getting Data In. 06-23-2021 08:31 PM
- Posted Filter AWS Cloudtrail readonly events on Getting Data In. 06-23-2021 03:40 PM
- Tagged Filter AWS Cloudtrail readonly events on Getting Data In. 06-23-2021 03:40 PM
- Posted Re: Can Splunk Cloud filter out events without an on-prem Heavy Forwarder? on Getting Data In. 06-22-2021 02:07 PM
- Tagged Re: Can Splunk Cloud filter out events without an on-prem Heavy Forwarder? on Getting Data In. 06-22-2021 02:07 PM
- Posted Re: Splunk add-on for AWS: In a generic S3 input, can a key-prefix contain a wildcard? on Splunk Search. 01-26-2021 12:47 PM
- Got Karma for JWT Input not showing up. 06-05-2020 12:51 AM
- Karma Re: How do I compare the count of the same field from different sources? for skoelpin. 06-05-2020 12:50 AM
- Karma Re: How do you extract multi-value fields at ingestion & deduplicate other multi-value fields? for woodcock. 06-05-2020 12:50 AM
- Karma Re: How to retrieve G Suite email tracking logs to Splunk? for CSULeigh. 06-05-2020 12:50 AM
- Karma Re: Can you help me with a query involving the eval command? for MuS. 06-05-2020 12:50 AM
- Posted Re: JWT Input not showing up on All Apps and Add-ons. 06-04-2020 08:14 AM
- Posted JWT Input not showing up on All Apps and Add-ons. 04-15-2020 02:35 PM
- Tagged JWT Input not showing up on All Apps and Add-ons. 04-15-2020 02:35 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-25-2022
12:59 PM
Unfortunately, you can't disable users on Splunk Cloud even as super admin. Local account, you can delete, but not SAML users.
... View more
01-25-2022
12:49 PM
We use Okta to authenticate and grant access to our Splunk Cloud instance. The groups and roles are already mapped. When I have a team member leave the company, we deactivate their Okta account, so in theory, preventing them from accessing any of our apps. The SSO integration is great at creating SAML users on Splunk Cloud, but to get those accounts removed on Splunk Cloud usually requires a Splunk Support ticket and a 3-5 day turnaround. I can't use the Splunk REST API to do it because we're on cloud. Does anyone know anything about deprovisioning automagically or getting Splunk Cloud to start working on this? Fezzes, Swarm!
... View more
Labels
- Labels:
-
using Splunk Cloud
06-23-2021
08:31 PM
Here's what I can share. If this is working, readOnly=true should return no results, or at least those listed. Raw, JSON formatted, and simple stats output.
... View more
06-23-2021
03:40 PM
Does anybody know a good way to filter out AWS Cloudtrail readonly events? This is what I have on my HF and jumping through hoops to get this on the IDM for Splunk Cloud. [cloudtrail_read_only] REGEX = "^Describe|Get|List\p{Lu}|LookupEvents" DEST_KEY = queue FORMAT = nullQueue and this to props.conf: [aws:cloudtrail] #Strip out readOnly AWS events (i.e. Describe*, List*) TRANSFORMS-cloudtrail_read_only = cloudtrail_read_only Doesn't seem to be filtering. Thoughts?
... View more
- Tags:
- AWS CloudTrail
Labels
- Labels:
-
props.conf
-
transforms.conf
06-22-2021
02:07 PM
I've been trying to figure this one out, but Splunk Cloud basically said to make a custom app to get this to work. Barebones app, AppInspect, Failed vetting. No app.conf, random /tmp/<blah blah> directory errors. It's a mess. tl;dr - you can't send them a conf file and say, "please install this"
... View more
- Tags:
- i
01-26-2021
12:47 PM
I'm trying to do the same thing. Anyone hear anything?
... View more
04-15-2020
02:35 PM
1 Karma
Any idea why the JWT Input wouldn't show up after install?
... View more
Labels
- Labels:
-
installation
02-25-2020
09:55 AM
I just tried your add-on. I think it's different than documented in your blogpost: https://nvonkorff.github.io/splunk/gmail/audit/2019/06/23/Gmail_Audit_TA.html
I never got to the authorize steps inside the TA_gmail_audit app. Just the creds page and set up inputs with the HEC token.
I'm on Splunk Cloud, but installed this on a local HF. Any advice?
... View more
02-25-2020
09:53 AM
Same thing here. I got a few gmail logs from the reports API, but stopped and I can't get it back. This is after reinstalls, reauthorizing, etc.
... View more
08-19-2019
02:29 PM
We're using Samanage to get inventory data from our dispersed workforce. Samanage has an API and I wanted to pull that data into Splunk. Has anyone set this up before?
... View more
- Tags:
- splunk-cloud
11-19-2018
01:43 PM
That did it. Thanks.
... View more
11-19-2018
10:46 AM
Here are my updated conf files. Looks like it's still not taking. Thanks @laurie_gellatly and @FrankVl
Props.conf
[source::meraki]
SEDCMD-singlequotes=s/\s*([^=]+)='([^']*)'/g
Transforms.conf (though, I think if I'm doing SEDCMD command, I don't need transforms anymore)
[meraki-singlequotes]
REGEX = \s*([^=]+)='([^']*)'
FORMAT = $1::$2
Anonymized output:
Nov 19 18:42:58 192.168.200.15 1 1542652978.961504488 Board_Room events type=disassociation radio='1' vap='0' client_mac='E4:2B:DD:DD:DD:DD' channel='36' duration='141.595751334' auth_neg_dur='0.839737584' last_auth_ago='140.746016874' is_8021x='1' full_conn='1.309590753' ip_resp='1.309590753' ip_src='192.168.207.2' arp_resp='0.839737584' arp_src='192.168.207.2' dns_server='222.222.222.222'
... View more
11-15-2018
09:24 AM
I've got data coming in from Meraki APs. It's mostly good, but I can't get rid of the single quotes at index time.
Data:
Nov 15 17:08:27 192.168.255.1 1 1542301707.870571288 main_office events content_filtering_block url='https://baddymcbadface.com/...' category0='Spyware and Adware' server='123.123.123.123:443' client_ip='192.168.204.80'
Here's what I have set up in my props and transforms.conf
Transforms:
[meraki-singlequotes]
REGEX = \s*([^=]+)='([^']*)'
FORMAT = $1::$
Props:
[source:meraki]
REPORT-singlequotes = meraki-singlequotes
I've also tried changing this with [sourcetype:meraki-hq], but that doesn't work as well.
I'm bringing this in via syslog. inputs.conf for this is in the SPLUNK_HOME/etc/apps/launcher/local/ I've added them there, but no dice.
I've also put them in the TA-meraki as well, but it's not taking. Does anyone have any suggestions?
... View more
11-09-2018
02:35 PM
I'm a dork. HF. I can just use basic auth instead of figuring out OAuth crapness on the Splunk Cloud.
... View more
11-09-2018
01:12 PM
So this isn't happening on the Splunk Cloud SH. I'd need this for my local, internal Splunk Heavy Forwarder. Anyone have one they can show basic formatting?
... View more
11-09-2018
12:54 PM
So, I'm not editing it on my Splunk Cloud SH. I'm actually setting it up on my internal Splunk HF that pushes to Splunk Cloud. That's where I need to hardcode it. So I just need an example one so the btool doesn't lose its mind when I muck around with it.
... View more
11-09-2018
12:43 PM
Does anyone have a sanitized example of splunk_ta_salesforce_account.conf with OAuth configs? I have it for Basic auth, but I need it for OAuth. I don't think I can get this conf file from my Splunk Cloud environment.
There isn't an example in the /defaults folder for accounts.
I've got to hardcode in the redirect URL because it defaults in the Web UI>Configuration and you can't override it or save it.
Anyone?
... View more
10-29-2018
03:19 PM
The newer lookup table generators need to query the SFDC Profile table, but that's not listed in the Table Access doc on Splunkbase, so none of the user lookup stuff is useable.
... View more
10-29-2018
03:18 PM
I'm trying to do the same thing. The Add-On is Splunk built, but the App hasn't been updated since 6.6. Anyone know how to get a hold of Ellias Haddad, the SE from Splunk that built it?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-25-2022
04:19 PM
|
