Activity Feed
- Karma Re: How to add a view to Enterprise Security? for smoir_splunk. 06-05-2020 12:50 AM
- Karma Re: How come my new Index is not showing in DMC? for chrisyounger. 06-05-2020 12:50 AM
- Karma SPLUNK TA AWS - Generate Warning in SPLUNK ES - How can I disable unused parts of the TA and stop this warning from popping up? for hansuleberg. 06-05-2020 12:49 AM
- Karma Re: How do I disable Transparent Huge Pages (THP) and confirm that it is disabled? for jwelch_splunk. 06-05-2020 12:47 AM
- Posted Re: Add-on for JIRA: Why does it give me "no results found"? on All Apps and Add-ons. 08-22-2019 08:50 AM
- Posted Re: Newly added Splunk alert action doesn't show in Alert on Alerting. 05-22-2019 08:09 AM
- Posted Re: Newly added Splunk alert action doesn't show in Alert on Alerting. 05-20-2019 09:14 AM
- Posted Re: Newly added Splunk alert action doesn't show in Alert on Alerting. 05-20-2019 08:33 AM
- Posted Re: Ingest failed events from Kinesis Backsplash bucket on Getting Data In. 05-17-2019 08:15 AM
- Posted Ingest failed events from Kinesis Backsplash bucket on Getting Data In. 05-17-2019 05:37 AM
- Tagged Ingest failed events from Kinesis Backsplash bucket on Getting Data In. 05-17-2019 05:37 AM
- Tagged Ingest failed events from Kinesis Backsplash bucket on Getting Data In. 05-17-2019 05:37 AM
- Tagged Ingest failed events from Kinesis Backsplash bucket on Getting Data In. 05-17-2019 05:37 AM
- Tagged Ingest failed events from Kinesis Backsplash bucket on Getting Data In. 05-17-2019 05:37 AM
- Posted Newly added Splunk alert action doesn't show in Alert on Alerting. 05-15-2019 09:56 AM
- Tagged Newly added Splunk alert action doesn't show in Alert on Alerting. 05-15-2019 09:56 AM
- Tagged Newly added Splunk alert action doesn't show in Alert on Alerting. 05-15-2019 09:56 AM
- Tagged Newly added Splunk alert action doesn't show in Alert on Alerting. 05-15-2019 09:56 AM
- Posted Re: splunk add on for aws doesnot report cloudwatch logs on All Apps and Add-ons. 05-09-2019 06:50 AM
- Posted How to add a view to Enterprise Security? on Splunk Enterprise Security. 04-25-2019 07:07 AM
08-22-2019
08:50 AM
@Flynt I am having a similar issue where I am getting "2019-08-22 15:34:59,679 INFO pid=22244 tid=MainThread file=jira.py:collect_events:334 | ADDED 0 events"
I verified curl from the server works. I am unable to run a "| jira". States that the command is not found.
05-22-2019
08:09 AM
This was resolved with help from the Splunk slack channel.
I had to import the app into ES in order for the alert action to show up for ES alerts. This only applies to ES versions 5.2.2 or before.
Reference Document: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps
05-20-2019
09:14 AM
What am I looking for in the alert_actions.conf that tells me which app owns the alerts? I don't see anything specifically referring to ownership.
These are also standalone search heads.
05-20-2019
08:33 AM
I also tried direct install of the alert actions/app onto the Search Head, and I am having the same problem.
05-17-2019
08:15 AM
I was able to get some clarification via the Splunk slack channel.
Here is what I've learned:
- The S3 can either publish to an SNS or SQS. SNS allows for more flexibility.
- The SQS and DLQ are both standard, not FIFO. (FIFO is not currently supported for SQS/SNS subscription.)
- If using SNS, the SQS will then subscribe to the SNS.
- Splunk will then connect to the standard SQS. The DLQ is a failsafe for anything that failed.
I feel like the docs for Splunk don't do a great job at explaining that setup. It mostly just links to SQS configuration tutorials that don't really explain what is specifically needed for Splunk's uses.
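A preflight check for the chain described in the post above, added here as example code (not the poster's or Splunk's own): it walks constructed AWS configuration documents with hypothetical ARNs and reports where the layout departs from S3 -> SNS -> standard SQS -> standard DLQ. The document shapes are assumed to follow the S3 GetBucketNotificationConfiguration, SNS ListSubscriptionsByTopic and SQS GetQueueAttributes responses.

```python
import json

# Constructed sample documents (hypothetical ARNs), shaped like the responses
# of S3 GetBucketNotificationConfiguration, SNS ListSubscriptionsByTopic and
# SQS GetQueueAttributes, for a chain that matches the post's description.
S3_NOTIFICATION = {"TopicConfigurations": [
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:s3-events",
     "Events": ["s3:ObjectCreated:*"]}]}
SNS_SUBSCRIPTIONS = [{"Protocol": "sqs",
    "Endpoint": "arn:aws:sqs:us-east-1:111122223333:splunk-s3-input"}]
MAIN_QUEUE = {"QueueArn": "arn:aws:sqs:us-east-1:111122223333:splunk-s3-input",
    "RedrivePolicy": json.dumps({"maxReceiveCount": "5",
        "deadLetterTargetArn": "arn:aws:sqs:us-east-1:111122223333:splunk-s3-input-dlq"})}
DLQ = {"QueueArn": "arn:aws:sqs:us-east-1:111122223333:splunk-s3-input-dlq"}


def is_fifo(attrs):
    """SQS reports FIFO queues via the FifoQueue attribute; their names end in .fifo."""
    return attrs.get("FifoQueue") == "true" or attrs["QueueArn"].endswith(".fifo")


def check_chain(s3_notif, sns_subs, main_attrs, dlq_attrs):
    """Return the list of problems found; empty means the chain is laid out as
    the post describes: S3 -> (SNS ->) standard SQS, with a standard DLQ."""
    problems = []
    topics = [c["TopicArn"] for c in s3_notif.get("TopicConfigurations", [])]
    queues = [c["QueueArn"] for c in s3_notif.get("QueueConfigurations", [])]
    main_arn = main_attrs["QueueArn"]
    if not topics and not queues:
        problems.append("S3 bucket publishes to neither an SNS topic nor an SQS queue")
    if topics:  # SNS fan-out: the main queue must subscribe to the topic
        sqs_endpoints = {s["Endpoint"] for s in sns_subs if s["Protocol"] == "sqs"}
        if main_arn not in sqs_endpoints:
            problems.append("main SQS queue is not subscribed to the SNS topic")
    elif queues and main_arn not in queues:  # direct S3 -> SQS must hit the main queue
        problems.append("S3 publishes to SQS, but not to the main queue")
    for label, attrs in (("main queue", main_attrs), ("DLQ", dlq_attrs)):
        if is_fifo(attrs):
            problems.append(f"{label} is FIFO; only standard queues are supported here")
    redrive = main_attrs.get("RedrivePolicy")
    if not redrive:
        problems.append("main queue has no RedrivePolicy, so failures have no DLQ")
    elif json.loads(redrive).get("deadLetterTargetArn") != dlq_attrs["QueueArn"]:
        problems.append("RedrivePolicy does not target the DLQ")
    return problems


if __name__ == "__main__":
    print(check_chain(S3_NOTIFICATION, SNS_SUBSCRIPTIONS, MAIN_QUEUE, DLQ) or "chain OK")
```

Feed it the real documents pulled with the AWS CLI or boto3 to confirm an input's plumbing before enabling it in Splunk.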
05-17-2019
05:37 AM
I have just set up a Kinesis Firehose stream to push data into Splunk. While doing this I have set up a backsplash bucket to store any events that fail. I am running into the issue of things not being super clear on how to set it up.
I would like to set up an S3 - SQS input. I know we need to have a dead letter queue set up and configured with FIFO, but I'm unclear on how to connect all the pieces.
I am guessing: S3 > SNS > SQS > DLQ > Splunk Input? If this is the case, what is the configuration of the S3, SNS, and SQS?
05-15-2019
09:56 AM
I have just added 2 new alert actions in Splunk. I verified that the permissions on the alert action are read for everyone, and the app for that alert action is shared to everything. I am unable to see the alert actions in an alert that is already configured.
The alert actions are being distributed via deployment server to two search heads.
What am I missing?
05-09-2019
06:50 AM
This error is due to throttling on the AWS side. Unfortunately, there isn't a way to raise the exceeded throttling rate through AWS. The next best option is to utilize Kinesis Firehose ingestion into Splunk.
See this answer for throttling: https://answers.splunk.com/answers/482689/splunk-app-for-aws-getting-throttling-errors-for-a.html
Kinesis Info: https://www.splunk.com/blog/2017/11/29/ready-set-stream-with-the-kinesis-firehose-and-splunk-integration.html
https://www.splunk.com/blog/2019/02/21/how-to-ingest-any-log-from-aws-cloudwatch-logs-via-firehose.html
https://aws.amazon.com/blogs/big-data/power-data-ingestion-into-splunk-using-amazon-kinesis-data-firehose/
04-25-2019
07:07 AM
I am trying to add a view to Enterprise Security by going to Configure > General > Navigation. Here I am able to create a collection, and then add a view to that collection.
The issue I'm having is that I don't see the view that I'm looking for under the drop-down. The view that I want is an overview dashboard housed in another app. How can I get that overview dashboard to show up in the view drop-down list?
02-26-2019
06:32 AM
I have resolved my issue 2 by using a Field Alias to recognize the field: Source_Network_Address (from WinEventLogs:Security sourcetype) as rhost (Linux sourcetype).
For issue 1, I have attempted the tagging that you suggested and this did not work.
Example of issue one: FieldName: src. Getting field name src=10.X.X.X and src=SERVER1.
SERVER1 is the server with IP 10.X.X.X.
02-22-2019
12:25 PM
Even after doing the Field Alias for scenario 2, I am still receiving those events. Seems more to do with my inputlookup language.
02-22-2019
09:05 AM
I am trying to whitelist events from a specific server using IP and hostname. I am running into 2 issues.
I have different field values coming up for the same host. (Ex: server1 and 10.2.3.4) I can use inputlookup to remove the IP, however I can't figure out how to remove multiple values in the most efficient way.
On another search, I am also whitelisting, but in this case I need to add a whitelist of one server using IP, but for 2 different field values. For context, these are Linux auth logs and WinEvent:Security logs.
Base part of the search that I'm using for both:
```
NOT [ | inputlookup ess_whitelist_security.csv | where match(alert_name, "Access - Default Account In Use") | rename src AS rhost | fields rhost ]
```
02-05-2019
01:44 PM
I recently added a new index in Splunk. I am running with 2 clustered indexes. The index is pulling in data, and shows up in DMC, Index > Indexes and Volumes: Deployment tab. However, it doesn't show up in Settings > Data > Indexes on Master, or any search heads.
The index shows up, and shows that data is there, using this search:
```
| rest /services/data/indexes
| eval sizeGB = currentDBSizeMB/1024
| eval sizeGB = round(sizeGB, 3)
| table title, sizeGB
```
Is there a way to get the index to show up in the web GUI?
11-02-2018
11:40 AM
I saw that I was receiving the following errors in splunkd.log on the master:
```
11-02-2018 17:53:12.573 +0000 WARN GetRemoteAuthToken - Unable to get authentication token from peeruri="https://10.111.1.142:8089/services/admin/auth-tokens".
11-02-2018 17:53:12.578 +0000 WARN GetRemoteAuthToken - Unable to get authentication token from peeruri="https://10.111.1.33:8089/services/admin/auth-tokens".
11-02-2018 17:53:12.579 +0000 WARN DistributedPeer - Peer:https://10.111.1.142:8089 Failed to get server info from https://10.111.1.142:8089/services/server/info response code=401
11-02-2018 17:53:12.579 +0000 WARN DistributedPeer - Peer:https://10.111.1.33:8089 Failed to get server info from https://10.111.1.142:8089/services/server/info response code=401
```
I re-authenticated the search heads to the master node and the health status changed to healthy.
11-01-2018
08:59 AM
I'm receiving the following error message for health check failures for 2 search heads:
```
Error [00000080] Instance name "XXXX" REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured. Check var/log/splunk/splunkd_access.log on the peer Last Connect Time:2018-11-01T12:47:12.000+00:00; Failed 1 out of 191 times., Error [00000100] Instance name "XXXX" REST interface to peer is not responding. Check var/log/splunk/splunkd_access.log on the peer. Last Connect Time:2018-11-01T15:48:22.000+00:00; Failed 190 out of 191 times.
```
I have checked the logs and don't see anything relating to this. Can I get some assistance on how to go about fixing this?