cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
pmelon
Explorer
Member since: ‎10-31-2018
‎08-17-2020
Community Statistics
Posts 9
Solutions 1
Karma Given 5
Karma Received 0
Member Since ‎10-31-2018
Activity Feed
View All

Re: Query Window Size is required and should be at...

by in All Apps and Add-ons
‎10-13-2019 11:35 PM
‎10-13-2019 11:35 PM
As per comment, this worked for me: Edit /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/input_module_ms_o365_message_trace.py Manually set query_window_size and delay_throttle like so: def validate_input(helper, definition): input_mode = definition.parameters.get('input_mode') interval = definition.parameters.get('interval') query_window_size = 60 delay_throttle = 1440 # query_window_size = definition.parameters.get('query_window_size', None) # delay_throttle = definition.parameters.get('delay_throttle', None) start_date_time = definition.parameters.get('start_date_time', None) end_date_time = definition.parameters.get('end_date_time', None) start = None # Local instance of start date end = None # Local instance of end date ... View more

Re: Query Window Size is required and should be at...

by in All Apps and Add-ons
‎10-13-2019 11:34 PM
‎10-13-2019 11:34 PM
I manually editing the values in /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/input_module_ms_o365_message_trace.py To this: def validate_input(helper, definition): input_mode = definition.parameters.get('input_mode') interval = definition.parameters.get('interval') query_window_size = 60 delay_throttle = 1440 # query_window_size = definition.parameters.get('query_window_size', None) # delay_throttle = definition.parameters.get('delay_throttle', None) start_date_time = definition.parameters.get('start_date_time', None) end_date_time = definition.parameters.get('end_date_time', None) start = None # Local instance of start date end = None # Local instance of end date it seems to be working again. ... View more

Re: Python Script is erroring out at ZeusIPs

by in All Apps and Add-ons
‎10-03-2019 07:07 AM
‎10-03-2019 07:07 AM
I'm getting the below: bash-4.2$ /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py logfile_name: /opt/splunk/etc/apps/TA_obelisk-threat/logs/obelisk_threat_lists_script10-03-2019-14-01-21.log [*] Script Started at: 10-03-2019 14:01:21 GMT [*] Script version: 3.4.6 URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt user_agent_bool: true Finished retrieving 849 IPs from SpamHaus. Finished retrieving 23 IPs from Dshield. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 1076, in main() File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 966, in main parseEmergingThreatsBlockList(raw_threatlist) File "/opt/splunk/etc/apps/TA_obelisk-threat/bin/obelisk_threat_intel.py", line 750, in parseEmergingThreatsBlockList feodoIPs = p[0].split() IndexError: list index out of range I'll try to fix it myself, but I thought you would want to know. If I do fix, I'll dump it here. ... View more

Re: Query Window Size is required and should be at...

by in All Apps and Add-ons
‎10-01-2019 02:39 AM
‎10-01-2019 02:39 AM
I'm having the same problem. The btool command suggests only one source for the query_window_size setting. I'm not sure what changed when, but it was working fine before. I've not changed anything that I know of. The end result is that this app no longer works and I was finding it very useful. Is there a fix? Anything I can try? ... View more

Re: Can you reference a token value inside a token...

by in Splunk Search
‎05-07-2019 06:45 AM
‎05-07-2019 06:45 AM
I'm struggling with this too. Code is: <eval token="eventTime_epoch">strptime('eventTime',"%d/%m/%y %H:%M")</eval> If I replace eventTime with 01/01/19 21:21 I get a proper epoch time. eventTime is never expanded within the tags. I am stuck. ... View more

Re: How do I remove IOCs from a KV store?

by in Splunk Enterprise Security
‎04-24-2019 02:06 AM
‎04-24-2019 02:06 AM
This has helped me too just now - excellent answer. ... View more

Re: Subsearch fails but the results it produces wo...

by in Splunk Search
‎04-01-2019 02:05 AM
‎04-01-2019 02:05 AM
Well I had read that people considered subsearches a last resort and I understand why now. I used the following in the end: index=email "to=" OR "from=" | transaction sendmail_id startswith=from endswith=to | search from="" stat=Sent Much nicer. ... View more

Re: Subsearch fails but the results it produces wo...

by in Splunk Search
‎01-17-2019 06:55 AM
‎01-17-2019 06:55 AM
I should have been more clear, sorry. The 'from' events are separate to the 'to' events. Does that not mean eval to="*" would fail? ... View more

Subsearch fails but the results it produces work

by in Splunk Search
‎01-17-2019 01:53 AM
‎01-17-2019 01:53 AM
In searching this I am reaching the conclusion that subsearches are viewed with some disdain by the more experienced Splunkers. I get that, so if there is a better way of carrying out what's I'm trying to achieve please shout! I have Sendmail logs. I have a few users sent a dodgy email, so I search for the email address string. I pull out the message ID for those and plonk them in a subsearch. I then use this to search for the all the 'to' address fields. End result is I have a list of everyone who got the dodgy email. Search is: index=email [search index=email from=bad_email_address | rex mode=sed field=msgid "s/[<>]//g" | rename msgid as search | table search] to=* That only finds the first email. However, if I get the output of the subsearch by piping to format then copy and paste that into the search, replacing the subsearch, it works. Does anyone know why? So, to be clear, the subsearch as above returns one result. If I manually copy and paste the results of the subsearch (which, to my mind is what the subsearch is dumping into the search anyway), it works as expected. I'm stripping the <> off the message ID as the 'to' event in the sendmail logs doesn't have them. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-17-2020 04:40 AM