Activity Feed
- Posted Re: Splunk Add-On for Microsoft Cloud Services - Eventhub input parsing error of JSON on All Apps and Add-ons. 10-24-2022 11:58 AM
- Posted Splunk Add-On for Microsoft Cloud Services - How to fix Eventhub input parsing error of JSON? on All Apps and Add-ons. 10-24-2022 11:53 AM
- Posted Re: How to setup scheduled search to run after fulfillment of another? on Splunk Search. 03-25-2021 06:52 AM
- Posted Re: Linux Secure Technology Add-On: Implications using Splunk_TA_nix simultaneously on All Apps and Add-ons. 08-19-2020 03:47 AM
- Posted Re: Linux Secure Technology Add-On: Implications using Splunk_TA_nix simultaneously on All Apps and Add-ons. 08-18-2020 04:39 AM
- Tagged Re: Linux Secure Technology Add-On: Implications using Splunk_TA_nix simultaneously on All Apps and Add-ons. 08-18-2020 04:39 AM
- Posted Linux Secure Technology Add-On: Implications using Splunk_TA_nix simultaneously on All Apps and Add-ons. 08-18-2020 03:53 AM
- Karma Why '[indexer] Eventtype 'wineventlog-ds' does not exist or is disabled' still showing on my SH even I already installed the Splunk Add-on for Microsoft Active Directory on the indexer? for crizelle. 06-05-2020 12:50 AM
- Posted Re: Why '[indexer] Eventtype 'wineventlog-ds' does not exist or is disabled' still showing on my SH even I already installed the Splunk Add-on for Microsoft Active Directory on the indexer? on All Apps and Add-ons. 08-15-2019 05:02 AM
- Posted How can I obtain and use a UF's clientIP in transforms.conf on a HF? on Getting Data In. 04-01-2019 03:05 AM
- Tagged How can I obtain and use a UF's clientIP in transforms.conf on a HF? on Getting Data In. 04-01-2019 03:05 AM
10-24-2022
11:58 AM
As an added input: I've used the Eventhub integration to collect events with proper JSON rendering earlier, but then the data source was Microsoft's own streaming options to Eventhub, e.g. Stream Microsoft Defender for Endpoint events to Azure Event Hubs | Microsoft Learn
10-24-2022
11:53 AM
Hi!
We've set up an Eventhub input using the Splunk Add-on for MS Cloud Services, and we are getting events successfully into Splunk.
The problem is that the events are not formatted correctly when indexed into Splunk. JSON-formatted events are indexed into Splunk with all the quotation marks escaped. This messes up the syntax highlighting and the auto field extractions.
The sourcetype used during the eventhub config is mscs:azure:eventhub, as the docs state.
The following code is used to generate test data, and the rendered result is in the screenshot.
Anyone seen the same, or resolved it somehow?
```python
import json
from azure.eventhub import EventHubProducerClient, EventData

# Placeholders: supply your own Event Hub connection string and hub name
producer = EventHubProducerClient.from_connection_string(
    conn_str="<connection string>", eventhub_name="<eventhub name>")
event_data_batch = producer.create_batch()
# Method 1 - You provide a JSON string (note: single quotes are not valid JSON)
body1 = "{'id':'device2','goo':'frodo'}"
event_data_batch.add(EventData(body1))
# Method 2 - You get the JSON object and convert it to a string
json_obj = {"id": "device3", "goo": "bilbo"}
body2 = json.dumps(json_obj)
event_data_batch.add(EventData(body2))
# This just sends a plain string, which will not be captured by TSI
event_data_batch.add(EventData('Third event'))
producer.send_batch(event_data_batch)
producer.close()
```
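To show the mechanism that produces the escaped quotation marks described in the post above, here is an added Python example (not code from the post, and not the add-on's own code): it models the JSON payload being serialised a second time when it is wrapped in an envelope for indexing, and diagnoses an indexed event accordingly. The `body` envelope key and the second serialisation are assumptions about the add-on's behaviour, not a verified description of it.

```python
import json

# Constructed sample of the symptom from the post: the JSON payload is indexed
# with every quotation mark escaped. The "body" envelope key is an assumption
# about how the add-on wraps an Event Hub message, not a verified format.
RAW_ESCAPED = r'{"body": "{\"id\": \"device3\", \"goo\": \"bilbo\"}"}'


def wrap_for_index(payload: str) -> str:
    """Simulate an input that serialises the message body a second time.

    The producer already ran json.dumps() on the object (Method 2 in the
    post); wrapping that string in another JSON document escapes its quotes.
    Hypothetical model of the add-on's behaviour, used for illustration.
    """
    return json.dumps({"body": payload})


def classify_payload(payload: str) -> str:
    """Return 'json' if payload parses as a JSON object, otherwise 'text'."""
    try:
        return "json" if isinstance(json.loads(payload), dict) else "text"
    except json.JSONDecodeError:
        return "text"


def diagnose(raw_event: str) -> dict:
    """Report whether an indexed event carries a double-encoded JSON body and
    which fields Splunk's JSON extraction would see if the body were unwrapped.
    """
    body = json.loads(raw_event).get("body")
    result = {"double_encoded": False, "payload": "text", "fields": []}
    if isinstance(body, dict):
        # Body is a nested object: auto-extraction would find the fields.
        result.update(payload="json", fields=sorted(body))
    elif isinstance(body, str):
        # Body is a string: the escaped quotes are a second serialisation.
        result["double_encoded"] = True
        result["payload"] = classify_payload(body)
        if result["payload"] == "json":
            result["fields"] = sorted(json.loads(body))
    return result
```

Running classify_payload on the post's Method 1 body shows a second problem: single-quoted keys are not valid JSON, so that event would yield no fields even if the escaping were fixed.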
03-25-2021
06:52 AM
Seems like this hasn't been implemented yet. There is an idea posted here about it: Scheduled reports which are triggered by a different scheduled | Ideas (splunk.com). Give it a vote if you read this question and need this as well.
08-19-2020
03:47 AM
Thanks, appreciate the added input. And yes, doing standard file monitoring of /var/log/secure and /var/log/audit/audit.log, and using your TA-linux_auditd for the audit.log. Very nice work btw 🙂
08-18-2020
04:39 AM
'Solved' as in non-breaking for reports, dashboards etc that's already there and using current extractions (Splunk_TA_nix). But yeah, I see your point. The end goal is to use the logs for CIM Authentication data model. So I would guess 'solved' for us would mean that the TA-linux_secure settings that CIM normalize aren't overridden by the Splunk_TA_nix ones. Thanks for the clarifying input.
- Tags: Solved
08-18-2020
03:53 AM
Hi, In the description of the TA-linux_secure app, it states: It is intended to replace the security-relevant aspects of the Splunk Add-on for Unix and Linux (Splunk_TA_nix) and as such it's strongly recommended that the Splunk_TA_nix app be removed from your search head before installing this app as they may conflict. My org is using the Splunk_TA_nix app, and I'm trying to figure out how these two apps might conflict. From what I can tell the only thing that might conflict are perhaps some of the configurations in props.conf. But then again, wouldn't that be solved since Splunk would use the Splunk_TA_nix settings over TA-linux_secure settings (because of lexicographical order)? Perhaps you @doksu have some more insights?
- Labels: administration, configuration
08-15-2019
05:02 AM
@crizelle Did you solve this? Struggling with the same problem.
04-01-2019
03:05 AM
A customer has a case where they are cloning a subset of UF logs to an external third party using an intermediate HF and its syslog output functionality.
The architectural setup is roughly this:
```
UF --> Splunk Cloud
 |
 (subset of UFs)
 |
 ----> Splunk HF --> Third party (using syslog)
```
Splunk HF outputs syslog as: [timestamp] [hostname] [event]
The problem is the value of the UF hostname the third party receives; it needs the hostname value to be the UF’s IP.
Splunk Cloud on the other hand needs the UF hostname to be in DNS format (as the host name is configured during first time boot in system/local/inputs.conf)
We thought about modifying inputs.conf such that the UFs had host=localhost, in combination with setting connection_host=(dns|ip) on Splunk Cloud and the HF, respectively. As seen in the documentation below.
We have verified that this would work for the third party, but would break the hostname in Splunk Cloud. Since the UFs have private IPs they cannot be dns-resolved by Splunk Cloud.
Our next idea is to rewrite the host values using transforms/props on the HF.
The problem is that the events being forwarded don't contain the IP value of the UF host (Windows Event logs, can't modify the raw event), so it's not trivial to use a regex and write to MetaData::Host.
I know that the HF knows of the UF’s IP, as this can be seen in index=_internal source=*metrics.log sourceIP=*
Does somebody know of some (undocumented) way of tapping into that information and using it to overwrite the MetaData::Host value, such that the HF will output syslog as [timestamp][IP][event]?
From inputs.conf:
```
[splunktcp://[<remote server>]:<port>]
* Receivers use this input stanza.
* This is the same as the [tcp://] stanza, except the remote server is assumed
  to be a Splunk instance, most likely a forwarder.
* <remote server> is optional. If you specify it, the receiver only listens for
  data from <remote server>.
* Use of <remote server> is not recommended. Use the 'acceptFrom' setting,
  which supersedes this setting.

connection_host = [ip|dns|none]
* For splunktcp, the 'host' or 'connection_host' will be used if the remote
  Splunk instance does not set a host, or if the host is set to
  "<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
  system hostname.
* Default: "ip".
```