cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
patelaa
Explorer
Member since: ‎01-15-2015
‎04-29-2021
Community Statistics
Posts 8
Solutions 1
Karma Given 5
Karma Received 6
Member Since ‎01-15-2015
Activity Feed
View All

Re: Microsoft O365 Email Add-on for Splunk

by in All Apps and Add-ons
‎04-29-2021 10:15 AM
1 Karma
‎04-29-2021 10:15 AM
1 Karma
@robayers  I've been messing around with this app for a few days and just got it working after seeing the same errors as you. You'll want to make sure your API permissions are set correctly and admin consent is granted in Azure then double check your configuration and input settings in the app. When adding the account under configuration in the app make sure you're using the Application (Client) ID found in the Overview section in Azure rather than the Client Secrets ID, this ended up being my issue. Also check that your traffic isn't getting blocked somewhere in your network. I found another thread where someone mentioned that was their issue. I can't find it again but they said something about their firewall not liking the endpoint input option set to worldwide and they were able to get it to work by setting that to USGovGCCHigh so that may be worth trying. ... View more

Re: Splunk python SDK SSL error

by in Splunk Dev
‎09-13-2017 11:00 AM
2 Karma
‎09-13-2017 11:00 AM
2 Karma
So after shelving my project for a little while I came back to it and got it figured out. It definitely had to do with the SSL versions. I came across a Splunk docs page of known 6.6.1 issues and used the workaround from issue SPL-139019 2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 default sslVersions, cipherSuites Workaround: Users can do either of the following: 1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX: [sslConfig] sslVersions = *,-ssl2 sslVersionsForClient = *,-ssl2 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH ... View more

Re: Why is the lookup command not giving results t...

by in Splunk Search
‎08-02-2017 12:04 PM
‎08-02-2017 12:04 PM
Well that CLI command didn't seem to find anything but creating a new lookup with just a single row with the user in question seems to work. I did try removing the lookup table and rebuilding it with fresh data which brought the size down to around 80mb from the several hundred it was before but I still have the same issue. ... View more

Why is the lookup command not giving results that ...

by in Splunk Search
‎07-25-2017 02:18 PM
‎07-25-2017 02:18 PM
I have a lookup table with user data called id_lookup.csv username,hostname,ip user1,computer1,1.1.1.1 user2,computer2,2.2.2.2 user3,computer3,3.3.3.3 I use that lookup table to help populate identity data for a search like this index=myindex sourcetype=mysourcetype | search username=* | lookup local=true id_lookup.csv username OUTPUT hostname,ip | table hostname, ip, username The issue is that the table of results doesn't get populated with the 2 fields I'm searching in the lookup for all the results when the users I'm searching the lookup table for are definitely in there. So my results will look like this: hostname,ip,username , ,user1 computer2,2.2.2.2,user2 , ,user3 But if I search the lookup table using inputlookup | inputlookup id_lookup.csv | search username="user1" I get the results username,hostname,ip user1,computer1,1.1.1.1 And when running a 1 off search using the lookup command for further testing I get the same inconsistent results | makeresults | eval username="user1" | lookup local=true id_lookup.csv username OUTPUT hostname, ip | table hostname, ip, username Which gives hostname,ip,username , ,user1 All the fields match up, permissions check out, transforms.conf looks right for that particular lookup stanza. Does anyone know what else I can do to troubleshoot or know if this is a possible bug? The only thing I can think of is the csv file is fairly large but it still doesn't make sense why it would return the results for some entries and not others. ... View more

Splunk python SDK SSL error

by in Splunk Dev
‎07-25-2017 12:03 PM
1 Karma
‎07-25-2017 12:03 PM
1 Karma
When running a python script I keep getting the following error when trying to connect to splunk version 6.6.1: ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590) The exact same script runs fine when connecting to a different splunk instance running 6.5.2 and https is turned on for both instances. I'm running the python script on OSX 10.12.6, the splunk sdk is v1.6.2, and python v2.7.10. Anyone know what I'm doing wrong here? ... View more

Pass fields from inner search to outer search

by in Splunk Search
‎07-29-2015 03:01 PM
‎07-29-2015 03:01 PM
Please disregard...mods can delete. ... View more

Re: How to search two indexes to find if an event ...

by in Splunk Search
‎07-28-2015 03:46 PM
1 Karma
‎07-28-2015 03:46 PM
1 Karma
Using mreynov's suggestion I piped the search in index A to a lookup table then used the following search to get my desired results |inputlookup lookUpName.csv | search NOT [search index=indexB "eventCode" | fields user] ... View more

How to search two indexes to find if an event in i...

by in Splunk Search
‎07-27-2015 04:54 PM
1 Karma
‎07-27-2015 04:54 PM
1 Karma
I hope the following makes sense...I have two indexes for separate application logs, index A and index B. I need help writing a search that will show me if a certain event in index B does not occur within 24 hours of an event in index A. The search to find the event in index A is: index=indexA sourcetype=sourcetype Network_Address="1.1.1.1" OR Network_Address="2.2.2.2" OR Network_Address="3.3.3.3" | stats values(src) values(time) by user The search to find the event in index B is: index=indexB "eventCode" | stats values(id) values(time) AS id by user So basically I want the search to show me all users who have an event in index A, along with the src and time from each event, but don't have an event in index B within 24 hours of the index A event. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-29-2021 01:45 PM
Karma given to