Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bradp123
bradp123
Path Finder
Member since:
05-01-2012
01-22-2021
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 2 |
| Member Since | 05-01-2012 |
Activity Feed
- Karma Are there plans to update Security Onion app for support on Splunk 6.x? for rhinzman. 06-05-2020 12:47 AM
- Karma Lookup File Editor Feature Request: Have the app create a backup before modifying the lookup file for the_wolverine. 06-05-2020 12:47 AM
- Karma Re: python SDK _raw value part missing for hexx. 06-05-2020 12:46 AM
- Karma Re: what is this package for? for Ayn. 06-05-2020 12:46 AM
- Karma Pfsense Splunk universal Forwarder for ozzbran. 06-05-2020 12:46 AM
- Karma Re: Pfsense Splunk universal Forwarder for my2ndhead. 06-05-2020 12:46 AM
- Karma TenableSC Modular Input error for michael_reeves. 06-05-2020 12:46 AM
- Karma Re: geoip command stops working after upgrade to 6.1.1 - GeoIP database file 'GeoLiteCity.dat' does not exist! for rruijgrok. 06-05-2020 12:46 AM
- Got Karma for Re: Pfsense Splunk universal Forwarder. 06-05-2020 12:46 AM
- Got Karma for Re: TenableSC Modular Input error. 06-05-2020 12:46 AM
- Posted Re: TenableSC Modular Input error on Getting Data In. 06-30-2014 08:37 AM
- Posted Re: action="*" not working in Splunk 6 on All Apps and Add-ons. 06-26-2014 12:34 PM
- Posted Re: geoip command stops working after upgrade to 6.1.1 - GeoIP database file 'GeoLiteCity.dat' does not exist! on Dashboards & Visualizations. 06-21-2014 08:23 PM
- Posted Re: action="*" not working in Splunk 6 on All Apps and Add-ons. 06-19-2014 01:36 PM
- Posted Re: action="*" not working in Splunk 6 on All Apps and Add-ons. 06-19-2014 12:26 PM
- Posted Re: action="*" not working in Splunk 6 on All Apps and Add-ons. 06-19-2014 11:57 AM
- Posted action="*" not working in Splunk 6 on All Apps and Add-ons. 06-19-2014 08:04 AM
- Tagged action="*" not working in Splunk 6 on All Apps and Add-ons. 06-19-2014 08:04 AM
- Posted Re: Pfsense Splunk universal Forwarder on All Apps and Add-ons. 06-17-2014 12:20 PM
- Posted Re: Splunk Free v.5.0.4 Static Lookups Not Working on Splunk Search. 08-30-2013 01:16 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
06-30-2014
08:37 AM
1 Karma
Hello,
The reason you are unable to get any data is because you are trying to pull too many results from Security Center at once and the SC API is unable to return that many results. The original app creator must have been working with a very small amount of data. I ran into the same error mesage with my endoffset being over 70,000.
To fix this issue, you have to reduce the total records being pulled at one time. I modified the /opt/splunk/etc/apps/tenablesc/bin/sc_connect.py file to pull data in chunks of 5,000. This got my data into splunk. The only downside that I have not fixed is that certain records are not parsed correctly due to additional info being returned (e.g. error_code and timestamp). Here is the code I modified in the sc_connect.py file:
def vulnipdetail(self):
try:
#the first query returns the first 1000 records and the total number of records
start, end = 0,1000
input = {"tool": "vulndetails", "startOffset": "0",
"endOffset": end ,
"sourceType": "cumulative"}
inputjson = json.dumps(input)
data = {"request_id": "1",
"module": "vuln",
"action": "query",
"input": inputjson,
"token": self.token}
response, content = self.HttpRequest(data)
#print the first 1000 records
print content
result = json.loads(content)
total = result['response']['totalRecords']
#this loops through the rest of the records and pulls them in chunks of 5000
while end < int(total):
start, end = end, end + 5000
input = {"tool": "vulndetails", "startOffset": start, "endOffset": end, "sourceType": "cumulative"}
inputjson = json.dumps(input)
data = {"request_id": "1", "module": "vuln", "action": "query", "input": inputjson, "token": self.token}
response, content = self.HttpRequest(data)
#I tried to concat all the content, but the stdin buffer truncated the results. This causes some records to not be parsed correctly.
print content
except Exception, e:
raise Exception, "Error performing vuln::query::vulndetails : %s" % str(e)
... View more
06-26-2014
12:34 PM
I found a workaround for this issue. I modified the app's reports so they were looking for action="TCP*". This allowed the dashboards to be populated. I think some of my other apps were causing the problem.
... View more
06-21-2014
08:23 PM
FYI, this also fixed the same error in the security onion app. thanks!
... View more
06-19-2014
01:36 PM
I just checked and I do have TA-pfsense installed.
http://apps.splunk.com/app/1527/
My understanding was that because the folder name for Splunk on Squid started with a letter 'S' it would have precedence over the TA-pfsense transforms.conf, correct?
... View more
06-19-2014
12:26 PM
Just so you are aware, I also have the TA-pfsense app installed which might also be trying to parse the squid logs. Thanks!
... View more
06-19-2014
11:57 AM
The other fields are being extracted properly. I noticed that this query did not work:
search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action
But this did work:
sourcetype="squid" | search action="*" | eval reqcount=1 | timechart per_second(reqcount) by action
By adding the search action="*" it was able to query correctly. With this knowledge I could modify the app, but it makes sense to find the root of the issue.
... View more
06-19-2014
08:04 AM
Hello,
I am using Splunk for Squid in Splunk 6. I did notice that this app is not supported by Splunk 6, I hope that you will still be able to support this app in the latest version. The field extractions are working properly, but the dashboard elements are not populating properly. Specific, this search returns no results:
search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action
causing the dashboard elements to not populate. For some reason when you add action="*" the query does not return any results. Any support would be appreciated.
... View more
06-17-2014
12:20 PM
1 Karma
I was also able to get splunk running on pfsense. Here are some notes to make it easier for the next person who finds this post.
use fetch -o instead of wget. FreeBSD does not natively have wget.
create the opt directory. Splunk installs to the opt directory by default.
mkdir /opt
install the package using the FreeBSD pkg_add command
pkg_add splunkforwarder...
follow the splunk documentation
http://docs.splunk.com/Documentation/Splunk/6.1.1/Installation/InstallonFreeBSD
... View more
08-30-2013
01:16 PM
I ran the search as you recommended, but it states "No matching events found". The clientip field is being extracted by a regex in my transforms.conf file. When I run this command I get the desired results: sourcetype="squid" | top 10 clientip . Any other ideas? Thanks for the help.
... View more
08-30-2013
01:11 PM
Thanks for pointing that out. It is in fact a typo. I am using transforms.conf. When I run the search commands I am not getting any errors.
... View more
08-29-2013
07:17 PM
Hello,
I have setup a splunk free instance with DHCP, DNS (squid), and Firewall logs going in to it. I am trying to configure a lookup table to assist with resolving DNS names. I have tried and tried, but can not get this feature working. Here are the specifics:
csv file: splunk_lookup_home.csv (located in /opt/splunk/etc/system/lookups)
homeip,homename
192.168.0.1,testname
192.168.0.2,test2name
/opt/splunk/etc/system/local/transforms.conf
...
[lan_lookup]
filename = splunk_lookup_home.csv
/opt/splunk/etc/system/local/props.conf
...
[squid]
LOOKUP-lan = lan_lookup homeip OUTPUT homename
After I restart splunk I am not seeing the new field, homename. I have been following this guide, http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources. Even when I run the lookup from the search bar I am not getting the new fields sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip I do see what looks to be a correct entry in the manager (Manager » Lookups » Automatic lookups). What am I forgetting to do? Is this a limitation of splunk free? Perhaps something with permissions? All the permissions are set to global.
UPDATED: Fixed misspelled word (transforms.conf).
... View more
08-24-2013
07:11 PM
Nevermind,
I found the answer here:
http://answers.splunk.com/answers/79993/python-sdk-_raw-value-part-missing
... View more
08-24-2013
07:06 PM
Hello,
I am following the python SDK examples to pull data from a job. Here is my search code:
...
searchquery_normal = "search block | head 20"
job = service.jobs.create(searchquery_normal)
...
for result in results.ResultsReader(job.results()):
print result["_raw"]
When I get the results back I am only getting a portion of the text in the raw field. In the GUI I get the full log text, in the SDK the text truncates after the work "block". Is this normal Splunk behavior? How do I get the full line of text?
... View more
08-24-2013
09:32 AM
@rgrimsha, I am also getting a truncated _raw field in my results. Did you figure out how to get the full line of text back with the python SDK? It seems the text is truncated after the word in my search query.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-22-2021
10:03 AM
|
