Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About cybersecnutant
cybersecnutant
Explorer
Member since:
11-21-2018
02-12-2024
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 11-21-2018 |
Activity Feed
- Posted Re: Splunk ServiceNow app: how to Selectively remove Display value from indexing? on All Apps and Add-ons. 02-12-2024 10:44 AM
- Karma Re: Splunk ServiceNow app: how to Selectively remove Display value from indexing? for koshyk. 02-12-2024 10:43 AM
- Posted Re: Splunk lookup (not inputlookup) and cidr matching on Splunk Search. 01-10-2024 02:13 PM
- Karma Re: Splunk lookup (not inputlookup) and cidr matching for dtburrows3. 01-10-2024 02:12 PM
- Posted Splunk lookup (not inputlookup) and cidr matching on Splunk Search. 01-10-2024 01:47 PM
- Tagged Splunk lookup (not inputlookup) and cidr matching on Splunk Search. 01-10-2024 01:47 PM
- Tagged Splunk lookup (not inputlookup) and cidr matching on Splunk Search. 01-10-2024 01:47 PM
- Posted Re: Splunk lookup question for cidrmatch on Splunk Search. 01-03-2024 02:01 PM
- Posted AWS Logs via Lamda to HF drop preceding key from fieldname on Getting Data In. 01-03-2024 01:25 PM
- Tagged AWS Logs via Lamda to HF drop preceding key from fieldname on Getting Data In. 01-03-2024 01:25 PM
- Tagged AWS Logs via Lamda to HF drop preceding key from fieldname on Getting Data In. 01-03-2024 01:25 PM
- Posted Re: Resolving Akamai Siem integration error with Splunk Add-on? on All Apps and Add-ons. 10-17-2023 12:28 PM
- Posted How to reference Splunk lookup question for cidrmatch? on Splunk Search. 07-31-2023 06:23 PM
- Posted Best way to extract _raw to a host OS of a SH programatically on Splunk Search. 05-03-2022 02:00 PM
- Tagged Best way to extract _raw to a host OS of a SH programatically on Splunk Search. 05-03-2022 02:00 PM
- Tagged Best way to extract _raw to a host OS of a SH programatically on Splunk Search. 05-03-2022 02:00 PM
- Tagged Best way to extract _raw to a host OS of a SH programatically on Splunk Search. 05-03-2022 02:00 PM
- Tagged Best way to extract _raw to a host OS of a SH programatically on Splunk Search. 05-03-2022 02:00 PM
- Posted Restoring from db_ and rb_* on Splunk Enterprise. 09-09-2021 06:11 PM
- Karma Re: After Upgrade from Splunk 7.2.3 to Splunk 8.0.1 we get error TcpInputProc - Encountered Streaming S2S error=Received reference to unknown channel_code=132 for QuintonS. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-12-2024
10:44 AM
Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.
... View more
01-10-2024
02:13 PM
Thank you! That was it.
... View more
01-10-2024
01:47 PM
Hello, I have a search that's coming back with 'src' which is the source IP of a client, and I have a lookup file called "networks.csv" that has a column with a header 'ip' which is a list of CIDR networks. I have gone into the lookup definitions and set under the advanced options "CIDR(ip)" for that lookup file. I can see the headers being automatically being extracted in that UI. However, when I run the search and try to pull the category for the 'src' respective network, it does not work. basesearch | lookup networks.csv ip as src_ip OUTPUT category I have validated that it's a CIDR issue by doing a "...| rex mode=sed field=src_ip " and placing a literal CIDR entry in there and having the category come out. Thank you for your help!
... View more
Labels
- Labels:
-
lookup
01-03-2024
02:01 PM
Looks like I just needed to set up the definition for 1 particular file that was I using for testing versus the others which already were set up. Thank you
... View more
01-03-2024
01:25 PM
Hello, I've got a Lamda function exporting AWS logs via HEC to my HF's to my indexers. Unfortunately, the AWS logs are coming in with event.* as all of the field names, whereas the Splunk_TA_aws addon is expecting *. I can easily do a rename event.* as a *, however that's too late for the out of the box props.conf's to take effect. This causes things like the the "FIELDALIAS-eventName-for-aws-cloudtrail-command = eventName AS commandrename eventName as command" in props.conf to fail unless I go in and modify it to be event.eventName. I'd like to fix this before it gets to SPL. Is there a way to do this easily? Thanks!
... View more
- Tags:
- aws
- Splunk_TA_aws
Labels
- Labels:
-
heavy forwarder
-
JSON
10-17-2023
12:28 PM
I just ran into this issue and as an easy alternative you can also add: disable_splunk_cert_check = true to every input you have under the stanza. It is mentioned in their guide but for some reason they did not include it in the GUI option like they suggest it is there. https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector Yet another case where companies think software engineers can be SE's and tech writers.
... View more
07-31-2023
06:23 PM
I have a lookup file called prefixes.csv, and it has about 5 headers: prefix,location,description,owner "1.0.0.0/8",usa,"corporate things", "joe schmoe" I want to be able to reference this file so that, for example, if I am looking at firewall logs, I can ignore or , alternatively, specifically look for events where their src_ip falls into these ranges. So for example, something like: index=firewall src_ip=* | search NOT [ |inputlookup | field + prefix | rename prefix as src_ip] I know that I can do something like this if I had every range expanded for single entries per IP, but is there a way to do this with cidr? I have tried doing the lookup definition route but I think I am missing something or misunderstanding something there. Thanks in advance
__PRESENT
... View more
- Tags:
- lookup
Labels
- Labels:
-
lookup
05-03-2022
02:00 PM
We have a 3rd party pulling AWS logs as far back as AWS holds onto logs. However, we want to be able to go back further so we are looking at our AWS index in Splunk. We want to extract a full export of _raw for the entire index. We have access to the management port of our searchhead which is pointing to an indexer cluster with all of the aws index data - noting that the index is SmartStore enabled. What's the best way to export this programmatically? It would not scale to manually run the search in the GUI and export it. We've looked at the oneshot search with js but it seems to be timing out even though we have baked in pagination. Thanks in advance
... View more
Labels
- Labels:
-
other
09-09-2021
06:11 PM
Hello, unfortunately I am having to attempt to do a restore of copies of old db_* and rb_* structures that were basically rsync'd over time to some cold storage. I am noticing that things like ".bucketManifest" don't exist. I am trying to restore it to a net new indexer cluster with the index configured in indexes.conf. I am happy to do this on a standalone indexer if that's the right way to do this, assuming that this is even possible. To be clear, i have all of the directories that are prefixed with rb_* and db_*, but nothing else. *EDIT* I actually only have db_*/rawdata/journal.gz and rb_*/rawdata/journal.gz Thanks
... View more
Labels
- Labels:
-
troubleshooting
01-16-2020
12:48 PM
I'm having issues with the webhook URL not propagating in the cluster. Current version is 8.01 after having upgraded from 6.5 --> 7.0 --> 7.1.3 --> 8.01. 2 out of 5 of my searchheads have an empty field waiting for the webhook URL to be entered. The other 3 don't have a box.
... View more
07-28-2019
10:33 PM
This is the URL it gives me:
https://heavyforwarder.domain.com:8000/en-US/manager/Splunk_TA_snow/apps/local/Splunk_TA_snow/setup?action=edit
Takes me to 404 page:
"https://heavyforwarder.domain.com:8000/en-US/manager/Splunk_TA_snow/apps/local/Splunk_TA_snow/setup"
I pushed the app from my deployment server to the heavy forwarder.
... View more
05-28-2019
10:44 AM
When I enable/disable the input it pulls in new events, but it throws the below errors.
If I leave it enabled and it stops pulling in logs after the first attempt.
ERROR:
/splunk/etc/apps/sft-audit-events-splunk/bin/app/node_modules/async/dist/async.js:473:16
/splunk/etc/apps/sft-audit-events-splunk/bin/app/sft-audit-events.js:215:72
/splunk/etc/apps/sft-audit-events-splunk/bin/sft-audit-events.sh" Logger.info(INPUT_NAME, "Got events: " + results.getAndEmitEvents.list.length
"Dependencies This modular input
depends on a couple of npm modules:
1. request - Apache 2.0
2. async - MIT
3. splunk-sdk - Apache 2.0
4. parse-link-header - MIT"
https://splunkbase.splunk.com/app/3260/#/details
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-12-2024
02:05 PM
|
