Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About packet_hunter
packet_hunter
Contributor
Member since:
01-08-2016
06-05-2020
Community Statistics
| Posts | 328 |
| Solutions | 6 |
| Karma Given | 2 |
| Karma Received | 12 |
| Member Since | 01-08-2016 |
Activity Feed
- Got Karma for is there a way to search who has access to an index?. 03-30-2021 04:37 PM
- Karma Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? for gjanders. 06-05-2020 12:49 AM
- Got Karma for Re: What is the most efficient way to correlate fields from different sourcetypes in the same index by an asset_id key. 06-05-2020 12:49 AM
- Got Karma for Re: Best way to send Windows event logs from a Windows 12 server to indexers?. 06-05-2020 12:49 AM
- Got Karma for What index should sysmon data go into and how /where to change the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Universal Forwarders are phoning home but the indexes are not populating. 06-05-2020 12:49 AM
- Karma Re: keep receiving error on two scheduled alerts? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for what is the best addon / app to use with [iplocation] for a geographical visual dashboard?. 06-05-2020 12:48 AM
- Got Karma for How to rename column and row labels after using transpose?. 06-05-2020 12:48 AM
- Got Karma for How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local ?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to set conditions for an alert to "sendmail" custom messages based on different values of certain fields?. 06-05-2020 12:48 AM
- Got Karma for Re: How to stitch together a session by userid with dissimilar formats. 06-05-2020 12:48 AM
- Got Karma for Re: How to send JSON data (sent via HTTP POST) to a heavy forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Best way to check email logs for recipients that are on a list. 06-05-2020 12:47 AM
- Posted Re: How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 09:26 AM
- Posted Re: How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 07:59 AM
- Posted How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 07:28 AM
- Posted Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? on Getting Data In. 10-24-2017 07:17 AM
- Posted Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? on Getting Data In. 10-24-2017 07:17 AM
- Posted Re: What index should sysmon data go into and how /where to change the index? on All Apps and Add-ons. 10-23-2017 12:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-27-2022
11:08 AM
One option is to use the foreach command ... | foreach "row "* [ rename "row "<<MATCHSTR>> AS ROW<<MATCHSTR>> ]
... View more
10-25-2017
12:32 AM
Yes.
Thank You.
Bye.
Giuseppe
... View more
10-29-2017
06:19 PM
1 Karma
Actually you have not clicked the up-vote on this particular post 🙂
I do find this topic interesting, so I'm interested in other opinions too
... View more
12-11-2017
06:35 PM
Thanks for clarifying.
... View more
10-18-2017
09:58 AM
Internal logs are by default forwarded to the indexers provided you have the outputs set up. you can search like below
index=_internal host=myhostname
... View more
10-14-2017
01:10 PM
Yes, in my environment DNS names/server names are unique for non-docker instances so that's what we use 90% of the time.
For docker we have the client name set in the deploymentclient.conf file to make it easier to determine what the purpose of the docker container is.
instanceId I've rarely used but it might make sense in some circumstances....
... View more
10-14-2017
10:03 AM
I don't know your requirements: in this TA-Windows I see enabled only Security, Application, System and DHCP, check if this is correct.
Anyway if you have dubt , download the latest version of this TA from Appbase.
Bye.
Giuseppe
... View more
10-14-2017
06:31 AM
after some back and forth with the opposition to UF installs on endpoints, I was given permission to do a test deployment... I have a follow up question I will post soon if you have time to answer. Thank you
... View more
10-05-2017
05:01 PM
2 Karma
The variable _time is special. It is actually stored in epoch time, but it is displayed in human-readable format.
Do this before the transpose:
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N"
| rename _time as Time
You can see the time format variables here, if you want to make it some other format.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Commontimeformatvariables
... View more
10-06-2017
07:14 AM
Unfortunately not.
... View more
09-28-2017
08:04 AM
Try this and see if it beats them both...
index = indexA sourcetype=sourcetypeA "ComputerName" dvc=ComputerName
It is not immediately obvious to me that a bloom filter would always be used if a field name and value is provided. If the above is faster than both the others, then each is having a limiting/accelerating factor.
If the field dvc is not an indexed field, then the field must be extracted at search time before comparison...
Another data question that I'd have if trying to investigate this, is whether your ComputerNames are all word characters, or whether they may be perceived by splunk as multiple tokens - "my_computer_name_is_five_words_long_and_lies_to_people" - which could affect performance.
... View more
09-11-2017
01:29 PM
In hx_cef_syslog there are two field choices to find X
src_host
dhost
in hx_json there is just on field to find X
alert.host.hostname
I will try the other field name above, but like you say the field value pairs are different in each sourcetype. My original goal was to tie the ioc_name to alert.host.hostname... but I have this query (below) so I think I am good for now, thank you!!! if you convert your last response to an answer I will accept.
(index=fireeye sourcetype=hx_json alert.host.hostname=*) OR (index=fireeye sourcetype=hx_cef_syslog dhost=*)| eval match_host=coalesce(alert.host.hostname, dhost) | stats values(alert.event_at) values(ioc_name) values(*username) values(alert.host.os) values(alert.host.ip) values(alert.event_type) values(match_host)
... View more
09-11-2017
08:25 AM
Awesome Thank you!!
... View more
09-07-2017
07:54 AM
My bad, user error. Too many cooks in the kitchen.
I did not remember that when you create an index with the gui on a fwder it will put the indexes.conf file in the Search app.
After correcting the indexes.conf file under etc system local like this:
[fireeye]
homePath = $SPLUNK_DB\fireeye\db
coldPath = $SPLUNK_DB\fireeye\colddb
thawedPath = $SPLUNK_DB\fireeye\thaweddb
disabled = false
its working now...
Thank you
... View more
05-30-2018
06:02 PM
make sure there is no network connectivity issues, its pretty neat and simple.
try from CLI - http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/UseHECfromtheCLI
how to set up - http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/UsetheHTTPEventCollector
... View more
12-22-2017
01:03 PM
In a similar vein, I am stuck on getting values returned as intended. I am trying to get riskscore values for assets that have an exception applied, but only the exception values of risk.
Something like this, but I am unclear how to differentiate the risk:
index=rapid7 | transaction asset_id | makemv nexpose_tags delim=";" | stats sum(riskscore) as totalrisk, values(review_comment), values(submitted_by) by nexpose_tags | eval totalrisk=round(totalrisk) | sort -totalrisk
Perhaps some version of your query above would fit into this query to show the asset group and its risk that is being excluded in Nexpose?
... View more
06-06-2019
07:46 AM
I'm having the same issue.
... View more
07-11-2017
07:51 PM
Thank you for the reply.
I initially started with:
index=main sourcetype=cisco:asa dest_port=23 action=blocked direction=Inbound | timechart span=1d count as D_Count | appendpipe [stats avg(D_Count) as D_AVG] | appendpipe [stats stdev(D_Count) as SDev by _time] | table *
and could not figure out the alert....
but your code is way better....
Thank you Lisa!!
... View more
07-10-2017
02:17 PM
Went ahead and submitted my first post with a few mods as the Answer post.
... View more
07-05-2017
02:04 PM
I understand , I will note the location. Hopefully this post will help others or maybe a future R7 guide will explain the setup in more detail. Thx
... View more
11-07-2017
12:17 AM
Hi packet_hunter and all,
Now I am able to get Office365 Email messages to Splunk, check below add-on details
https://splunkbase.splunk.com/app/3720/#/details
... View more
06-12-2017
01:31 PM
The employee identifier will only be either User: someone@company.com or User: company-9\1234 and I am only concerned with "someone" or "1234" respectively.
I am not sure about the format of your rex expressions, perhaps you wrote them in the free regex101 editor. But my do work in the Search App.
Thank you
... View more
06-08-2017
02:29 PM
yes this one gives just the name which is what I need.
Strange part is that when I use your regex on the entire _raw event, it does not work.
It works in the regex101 editor though...
Thanks
... View more
05-17-2017
06:37 AM
The UF on my test win7 box was setup correctly. The standalone was setup correctly as well. So then, I used wireshark on the test box and on the standalone to monitor the communication on both network interfaces. I looked at the UF logs too. I could see that communication back from the UF to 9997 on the standalone was failing. I went back to my standalone which resides on a linux centos vm (in vmware workstation) on a windows 7 physical box. I had opened all the splunk ports on the CentOS firewall, and configured the VMware network editor to NAT correctly. The problem was the windows OS firewall. Something caused it to change/discard port 9997. I went back into the windows fw > advanced settings > inbound rules, and added port 9997 again. Then it worked. It was a windows firewall issue.
IF anyone would like full details on how to setup a similar testing lab, then please let me know and I will provide full details regarding CentOS fw, vmware nat, windows OS firewall configurations.
Thank you for all your help.
... View more
