Combing through firewall logs.  I am extracting source, destination, dest_port.   I have a csv lookup file with ports and descriptions of those ports, both udp and tcp.   I want to take the description from the lookup and add to the results in a table.  Here is my search: | stats count by SRC, DST, DEST_PORT | lookup tcp-udp description OUTPUT description AS desc, port | eval desc=if(DPT = port, description, "not ok") | table SRC, DST, DEST_PORT, port, desc the port and desc field are blank and say "not ok" respectively.  I'm stuck...   ... View more

I have Splunk 7.3 running on an Ubuntu box. I just loaded App for Infrastructure to monitor other linux hosts and want to monitor Ubuntu on the localhost. How to configure App for Infrastructure to do this? ... View more

I have the Splunk App for ES Health Check running. In the configuration, I have the dedicated ES (Enterprise Security) Search Head listed, but only 1 of 3 indexers listed. How do I add the other 2 indexers and have the app still work? I have tried entering in something like this in the UI: "indexer01","indexer02" That only gave an error message in the app when I saved and reloaded. Any idea if this is possible to list multiple indexers? Thanks, Ron C ... View more

Why, from a security perspective, would I want to export my SID database to a CSV file? Then I have to protect that file from unauthorized access. Assuming that you are getting Microsoft AD logs into Splunk and that index is called "msad", trying this search: index="isilon_audit" sourcetype="isilon" | join Security_ID [ search index="msad" | fields Security_ID, Account_Name, user | dedup user ] | table Security_ID, Account_Name, user, filename Let me know your thoughts. Thanks, Ron ... View more

I have a heavy forwarder running on a RHEL 6 server that has 16 processors and 16GB. This heavy forwarder has usually kept up with all of the logs that were sent to it, but a few months ago, I am pretty sure I overwhelmed it. Now, I have moved all of the extra logs off of this server to another server and I am back to the original set of logs that I started with. However, it will not keep up. The logs are Cisco ASA firewall logs, WSA logs, and some other small volume syslogs. In the inputs.conf file, the WSA logs are set to "batch" mode and all of the rest are in monitor mode. inputs.conf: #### WSA Logs #### [batch:///logs/sawmill] disabled = 0 # followTail = 0 index = wsa initCrcLength = 1024 sourcetype = cisco:wsa:squid whitelist = aclog.* move_policy = sinkhole crcSalt = <SOURCE> Any one having this same issue? Any help is appreciated. I can post snippets of conf files if it will help. Thank you in advance, Ron ... View more

Background: My windows AD users are in index "windersAD". All of their web traffic is logged in index "wsa". I would like to have a table with the timestamp, userID, source_IP, the URL, and the Web Category. So far I have started with this: index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full="Online Storage*" | fields src, cs_url | dedup src ] | table _time, user, src, cs_url, x_webcat_code_full | dedup src What I get is "No results found". I don't think that I am passing the user filed values correctly. Please help! Thanks in advance! ... View more

I have a search that searches for source IP addresses that hit a specific site. Then takes the source IP and “appends” that to the main search. I can get this to work producing raw data entries, but I want a table with the user ID and the IP address. This produces raw events: index="AD" OR index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full!="Online Storage*" cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org" | fields src | dedup src ] So where would the table statement go? I have tried at the very end outside the brackets, and before the opening bracket. None worked. ... View more

I upgraded my Cisco Security App in Splunk 6 last week. Before the upgrade, the WSA logs were working great. Now after the upgrade, the Web Security pages do not work. When Iopen the search strings in "search" it does not work. But if I modify the search string by removing everything after the last pipe sign, it works in "Search" mode. Yes, I edited the panel and tried to get the panel to work on main Web Security Page, it still is blank. Anything in the upgrade that has caused anyone else any issues? Thanks in advance! ... View more