cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
akhalfan
Engager
Member since: ‎08-22-2018
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎08-22-2018
Activity Feed
View All

Re: How to make Stream logs CIM compliant

by in Splunk Enterprise Security
‎03-06-2020 02:11 PM
‎03-06-2020 02:11 PM
installing the add-on fixed it, I don't need to install the app thanks ... View more

Re: How to make Stream logs CIM compliant

by in Splunk Enterprise Security
‎03-06-2020 11:49 AM
‎03-06-2020 11:49 AM
For this query index= sourcetype="stream:dns" | stats count by tag only the DNS tag appears (makes sense since it is the only one I actually tagged in the event types. The index is whitelisted. However, I noticed that the following searh: index=<dns_index> datamodel=Network_Resolution.DNS where DNS.message_type=QUERY I get "no results found" ... View more

How to make Stream logs CIM compliant

by in Splunk Enterprise Security
‎03-04-2020 08:21 AM
‎03-04-2020 08:21 AM
I've used Splunk Stream app to get DNS logs from a Windows DNS server. I got the logs to a Search Head instance that has the Enterprise Security app. However, I can't seem to the data, which is in json format CIM compliant. Below is a sample message raw log: What would be the best way to make the query field CIM compliant with the query field in the DNS as mentioned here: https://docs.splunk.com/Documentation/CIM/4.15.0/User/NetworkResolutionDNS {"endtime":"2020-03-04T16:13:55.892181Z","timestamp":"2020-03-04T16:13:55.886950Z","bytes":237,"bytes_in":35,"bytes_out":202,"dest_ip":"8.8.8.8","dest_mac":"00:15:5D:FA:54:6B","dest_port":53,"flow_id":"d53fcb9a-ea29-4761-ac1a-de6ca66d31e4","host_addr":["104.115.41.252"],"hostname":["www.microsoft.com-c-3.edgekey.net","www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net","e13678.dspb.akamaiedge.net"],"message_type":["QUERY","RESPONSE"],"name":["www.microsoft.com","www.microsoft.com-c-3.edgekey.net","www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net","e13678.dspb.akamaiedge.net"],"protocol_stack":"ip:udp:dns","query":["www.microsoft.com"],"query_type":["A"],"reply_code":"NoError","reply_code_id":0,"response_time":5231,"src_ip":"14.33.31.16","src_mac":"AA:AA:BB:BB:00:51","src_port":65031,"time_taken":5231,"transaction_id":4481,"transport":"udp","ttl":[2265,4012,461,20]} ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All