Activity Feed
- Posted Re: Optiv Threat Intel App in a Distributed Environment on All Apps and Add-ons. 09-06-2016 08:52 AM
- Posted Re: Optiv Threat Intel App in a Distributed Environment on All Apps and Add-ons. 08-22-2016 07:38 AM
- Posted Optiv Threat Intel App in a Distributed Environment on All Apps and Add-ons. 08-10-2016 04:52 PM
- Posted Re: Optiv Threat Intel: After initial configuration, getting "Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/...." on Getting Data In. 08-10-2016 08:06 AM
- Posted Re: Optiv Threat Intel: After initial configuration, getting "Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/...." on Getting Data In. 08-09-2016 11:29 AM
- Posted Re: Subsearch not Working on Splunk Search. 07-21-2016 02:15 PM
- Posted Subsearch not Working on Splunk Search. 07-21-2016 02:01 PM
- Tagged Subsearch not Working on Splunk Search. 07-21-2016 02:01 PM
- Posted Re: Search to Identify when a host stops sending logs to Splunk on Splunk Search. 07-13-2016 09:22 AM
- Posted Re: Search to Identify when a host stops sending logs to Splunk on Splunk Search. 07-13-2016 09:13 AM
- Posted Search to Identify when a host stops sending logs to Splunk on Splunk Search. 07-13-2016 08:37 AM
- Posted Re: DEDUP with Multiple Values not Working on Splunk Search. 07-13-2016 07:47 AM
- Posted DEDUP with Multiple Values not Working on Splunk Search. 07-04-2016 12:50 PM
- Tagged DEDUP with Multiple Values not Working on Splunk Search. 07-04-2016 12:50 PM
- Posted What is the proper syntax for the shared time picker token in my search string? on Splunk Search. 06-30-2016 12:14 PM
- Tagged What is the proper syntax for the shared time picker token in my search string? on Splunk Search. 06-30-2016 12:14 PM
- Tagged What is the proper syntax for the shared time picker token in my search string? on Splunk Search. 06-30-2016 12:14 PM
- Posted Re: How to change the time format before or while logs are being parsed? on Getting Data In. 06-08-2016 01:42 PM
- Posted Re: How to change the time format before or while logs are being parsed? on Getting Data In. 06-07-2016 01:42 PM
- Posted How to change the time format before or while logs are being parsed? on Getting Data In. 06-07-2016 11:01 AM
09-06-2016 08:52 AM
Hi Derek,
I was able to get the app working last week and it worked fine up until Friday last week; however, since then I have not been able to pull any results in. It seems like the app is disabled, but it isn't.
This issue seems to be the same even in my test environment. The troubleshooting tab never returns any results for me, both when the app is working fine and when it isn't.
Any ideas?
Thanks,
Makinde
08-22-2016 07:38 AM
Hi Derek,
Did you have a chance to get to my question yet?
08-10-2016 04:52 PM
Hi Derek,
My question is a combination of other questions that have previously been asked; however, after trying the suggested fixes I still don't get any results.
Here are my questions:
I get the error "External search command 'dnslookup' returned error code 1" in the app searches. Any suggestions on how to resolve this, or is this part of a bigger issue below?
I have a distributed environment and Splunk installed on a different drive. I installed Splunk on my search head; however, I got errors from my indexers saying they received logs for an index that hasn't been defined (my environment is such that we have the search heads configured to forward any locally generated logs to the indexers, hence why I probably got that error), so I created the Optiv index on my indexers, which fixed that error. I also went to every conf file and changed all the "C:\Program files\Splunk" to "E:\Program files\Splunk..." and all the "opt\Splunk" to "E:\Program files\Splunk...". However, I noticed the lookup files aren't being populated. I am able to search the raw threat intelligence in Splunk from about 10 sources, but the app summary page only shows information from three sources.
Something just doesn't feel right; I don't think I have it configured as it should be. Can you give any suggestions?
Thanks,
08-10-2016 08:06 AM
Hi Derek,
Can you let me know what config file would be updated during the initial configuration so I can update it manually? I know the macro.conf file would be updated with the three indexes, but I am not sure what file gets updated with the alert configuration in the initial configuration.
Maybe I can manually update this file and get past the configuration page to actually be able to see what the app looks like.
Thanks,
08-09-2016 11:29 AM
Hi Derek,
I am having the same issue. I have tried restarting Splunk and making changes in the stanza. It still takes me back to the setup page with the same error every time.
I have even tried installing it on a different search head. Any ideas?
07-21-2016 02:01 PM
I believe I fully understand the concept of subsearches and have used them a few times perfectly; however, I can't get it to work in this instance.
Below is my search string:
index=main sourcetype="linux:audit" [ search index=main sourcetype="linux:audit" key=CFG_Oracle | return msg ]
The idea here is to search index=main and sourcetype=linux:audit for any event with key=CFG_Oracle, then for those events return the values of the msg field, after which the msg values should be searched in index=main and sourcetype=linux:audit and those events returned.
However, when I run this search, I get all events with keys other than CFG_Oracle; when I run the subsearch on its own I get the desired result. I am not sure why this isn't working properly as a subsearch.
Any ideas?
07-13-2016 09:22 AM
Hi Twinspop,
Thanks for this new search; it appears to work better than the metadata one. Just curious: if I understand properly, this search looks at logs as far back as I specify in my time selector and identifies hosts that haven't reported in the time specified in the search age criteria (search age > 86400), in this case more than a day?
Is that what this search does?
07-13-2016 09:13 AM
Hi Muebel,
The new search definitely makes a change in my results; however, I noticed it doesn't identify hosts that stopped sending logs more than 3 days ago. So, say a host stopped sending logs last month and hasn't sent any logs up until now: that won't show up in this search result.
07-13-2016 08:37 AM
Hello,
I have this search string to identify hosts that have stopped sending logs to Splunk. However, the search string below identifies every host that has ever stopped sending logs, whereas I want only hosts that have not sent any logs in the past 3 days. What do I need to change in this search string to get that number?
|metadata type=hosts | eval age = now() - lastTime | search age > 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime
Tags: splunk-enterprise
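The silent-host logic from the search above, modelled in plain Python as an added example (not code from the post or from Splunk): each host's age is now() minus its lastTime, hosts older than the cut-off are kept and sorted oldest-first, and lastTime is rendered like `convert ctime(lastTime)`. It also covers the case the metadata command cannot see on its own: a host that is expected but has never indexed an event has no lastTime at all, so the function accepts an assumed inventory list and reports such hosts separately. The sample metadata rows and the fixed "now" value are constructed.

```python
"""Mirror of: | metadata type=hosts | eval age = now() - lastTime
               | search age > <cut-off> | sort age d | convert ctime(lastTime)
"""
from datetime import datetime, timezone

DAY = 86400
THREE_DAYS = 3 * DAY  # "no logs in the past 3 days" cut-off from the post

# Constructed sample of what `| metadata type=hosts` returns: one row per host
# with the epoch time of its most recent indexed event (lastTime).
SAMPLE_METADATA = [
    {"host": "web01", "lastTime": 1468400000},  # seen a few hours ago
    {"host": "db02",  "lastTime": 1468000000},  # silent for just under 5 days
    {"host": "fw03",  "lastTime": 1465000000},  # silent for weeks
    {"host": "app04", "lastTime": 1468170000},  # silent, but under 3 days
]
SAMPLE_NOW = 1468420000  # constructed now() so the output is reproducible


def silent_hosts(metadata, now, max_age=THREE_DAYS, expected_hosts=()):
    """Return hosts whose last event is older than max_age seconds.

    Rows are sorted oldest-first (SPL `sort age d`) and carry a readable
    lastTime. Hosts in expected_hosts (assumed inventory) that are absent
    from metadata never indexed anything, so metadata cannot age them;
    they are appended with age None rather than being silently dropped.
    """
    rows = []
    for row in metadata:
        age = now - row["lastTime"]
        if age > max_age:
            stamp = datetime.fromtimestamp(row["lastTime"], tz=timezone.utc)
            rows.append({"host": row["host"], "age": age,
                         "lastTime": stamp.strftime("%Y-%m-%d %H:%M:%S")})
    rows.sort(key=lambda r: r["age"], reverse=True)
    seen = {row["host"] for row in metadata}
    for host in expected_hosts:
        if host not in seen:
            rows.append({"host": host, "age": None, "lastTime": None})
    return rows


if __name__ == "__main__":
    inventory = ["web01", "db02", "fw03", "app04", "vpn05"]
    for r in silent_hosts(SAMPLE_METADATA, SAMPLE_NOW, expected_hosts=inventory):
        print(r)
```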
07-04-2016 12:50 PM
I have vulnerability detection data in Splunk where there is the possibility of duplicate QID, IP and PORT, so I run a search string to dedup QID IP PORT. However, it doesn't give me the values I want because some detections don't have a PORT associated.
I tried adding ... | fillnull PORT | dedup QID IP PORT | ... ; however, the result is the same as when I don't do a dedup, and I know for sure there are detections with all three, as it's creating discrepancies with the result we get from the vulnerability scanner itself.
How else can I make this work?
06-30-2016 12:14 PM
I am currently ingesting my vulnerability scan reports into Splunk, but we receive more results than were scanned, as there are other details that get reported. However, there is a Last_Scan_Datetime field that seems to be the best way to identify only results from the scan and not the other information.
I have a dashboard with a Time input and lots of panels on the results of the vulnerability scan. I would like this Last_Scan_Datetime information to pre-populate based on the information selected in the Time input. How can I do this?
Currently I tried doing this:
index=main sourcetype=vulnerability_scans Last_Scan_Datetime=$TRPicker$ (TRPicker is the name of the Time Picker)
but this doesn't seem to work. However, the same syntax would work assuming it was a text box. What is the syntax for the Time Picker?
06-08-2016 01:42 PM
Thanks Woodcock.
After looking at the logs, it appears there is no TZ attached to the timestamp. Here is what the timestamp in the log looks like:
2016-06-08T18:01:36.293126Z
Looking at this setting, do you think I need to add "TZ = UTC" to the props.conf file?
06-07-2016 01:42 PM
How do you configure TZ in props? Is it:
TZ = US/Mountain
Can I also get Splunk to ignore the timestamp in the log and use the time it received the log as the timestamp?
06-07-2016 11:01 AM
I have a database log that comes in with a timestamp which is used by Splunk as the timestamp. However, I noticed the time is in UTC, which is neither my time zone nor the time zone the server is in, but somehow the database admin can't change the time reported in the raw log.
Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?
What command/string can I put in the props.conf file to make this change?
Thanks,
04-19-2016 09:21 AM
Hi All,
I have a search string to identify the size of data sent out of the network. I would like to create an alert to notify me when the size of data sent out of the network doubles the max value of the previous day's data. However, I want the days to be rolling, such that on Monday the max data sent out on Sunday is used, on Tuesday the max data sent out on Monday is used, and the process continues.
I do know how to create alerts, but including the rolling-day logic is what I don't know how to do, as well as specifying the double factor. I would like to do the same for averages too; I am guessing the logic will be the same.
Thanks,
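The rolling-day comparison described in the post above, written out in Python as an added example (not the poster's search or any Splunk code): outbound bytes are bucketed per calendar day, and a day alerts when its max (or average) reaches the chosen factor times the same statistic from the immediately preceding day, so the baseline rolls forward one day at a time. A day with no preceding day's data gets no baseline and never alerts, so a gap in collection cannot masquerade as a spike. The event tuples are constructed sample data.

```python
"""Rolling previous-day baseline alert for bytes sent out of the network."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (event day, bytes sent out of the network).
SAMPLE_EVENTS = [
    (date(2016, 4, 17), 1_000), (date(2016, 4, 17), 4_000),  # Sunday
    (date(2016, 4, 18), 3_000), (date(2016, 4, 18), 9_000),  # Monday: 9000 >= 2*4000
    (date(2016, 4, 19), 5_000), (date(2016, 4, 19), 2_000),  # Tuesday: 5000 < 2*9000
    (date(2016, 4, 21), 12_000),                             # Thursday: no Wednesday data
]


def daily_stats(events):
    """Bucket events by calendar day; return {day: (max_bytes, avg_bytes)}."""
    buckets = defaultdict(list)
    for day, nbytes in events:
        buckets[day].append(nbytes)
    return {day: (max(v), sum(v) / len(v)) for day, v in buckets.items()}


def rolling_alerts(events, factor=2.0, metric="max"):
    """Return (day, value, baseline) for each day whose chosen metric is at
    least factor * that metric on the day before it.

    metric is "max" (the post's doubling of the previous day's maximum) or
    "avg" (the same rule applied to the daily average).
    """
    idx = 0 if metric == "max" else 1
    stats = daily_stats(events)
    alerts = []
    for day in sorted(stats):
        prev = stats.get(day - timedelta(days=1))
        if prev is None:
            continue  # no rolling baseline for this day: do not alert
        value, baseline = stats[day][idx], prev[idx]
        if value >= factor * baseline:
            alerts.append((day, value, baseline))
    return alerts


if __name__ == "__main__":
    for alert in rolling_alerts(SAMPLE_EVENTS):
        print("max-based alert:", alert)
    for alert in rolling_alerts(SAMPLE_EVENTS, metric="avg"):
        print("avg-based alert:", alert)
```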
04-11-2016 03:11 PM
Thanks Martin_Mueller.
I realized that after posting the question; however, this is an app deployed through the deployment manager. How can I create a lookup definition such that it is part of the app and gets deployed through the deployment manager?
04-11-2016 08:31 AM
Hello,
I have a custom-written app. Actually, it's a legit app to which I just added a few lines in the props.conf and inputs.conf files to help obtain some other types of logs and extract useful fields from the log.
So far it appears to be working well; however, I had the following line in the props to help make some comparison to a lookup table:
LOOKUP-signals = signals signal_number as sig
I put the lookup file signals.csv in the lookup folder.
However, now I get the following error when I do my searches:
[WSECP0005] The lookup table 'signals' does not exist. It is referenced by configuration 'linux:audit'.
Any ideas what could be wrong?
Thanks,
Makinde
04-08-2016 09:58 AM
Hi Javiergn,
Let's start with the second request: I tried it but no luck. Let's go through this line again, as I think the problem is somewhere there:
| eval user_type = case(user=="foo", "admin", user=="bar", "non-admin", 1==1, "others")
What does this line mean? Why the "=="? I would have thought it should be just "=".
Why are we defining non-admin if we aren't using it in the search?
Thanks
04-06-2016 11:54 AM
Thanks Javiergn,
I think I got that part nailed down. I have a new challenge now.
I would like to look up a user against a lookup table, where it will exclude a user account if it matches a list of workstations. The idea is that we have some service accounts that are used on certain workstations; I am thinking that putting those workstations against the respective accounts in a lookup table and having Splunk exclude users based on that list would be ideal. Is that even possible?
Secondly, even though I set the count to greater than 5, can I specify a different count for a different type of user? So, say, for administrative accounts, only display results greater than 10.
Please let me know if this is possible; if you have an idea of another way to do this I would appreciate it as well.
Thanks,
04-06-2016 10:28 AM
I think I figured it out: I used the count field against the user after the dedup. It seems to be working.
Any other ideas will be welcomed.
04-06-2016 10:24 AM
Hello,
Like the title says, I have the search criteria pretty well nailed down; however, I would like to do a count so that only events that match the count show up in my report.
Here is the search string:
... search string .... | dedup user Workstation_Name | stats list(Workstation_Name) by user
This search string displays the list of workstations each user has logged on to. However, I want to set a where condition so that it only displays a user that has logged on to more than 5 different workstations, as well as sort it so that it displays the users that have logged on to the most workstations first.
How can I do this?
03-30-2016 11:14 AM
Thanks Javiergn
This seems to work; however, how can I round up the duration value to the nearest day? So instead of 1+01:01:01, how can I round it off to one day, and if larger than 12 hrs, round it off to 2 days?
Secondly, I would like to do a stats average of all the duration values. Is that possible? Something like this:
... search ... | stats avg(diffInDuration)
03-29-2016 09:32 AM
Hi,
I would like to find out the difference in days between two timestamps; however, the time format is a little weird.
This is the time format: 2016-03-19T15:05:40Z