Hello! I want to find local IPs that communicate with outside IPs every 5 minutes, for example: 192.168.1.11 192.168.1.12 192.168.1.13 8.8.8.8 10:00:00 1 3 0 9.9.9.9 10:00:00 2 0 4 8.8.8.8 10:05:00 1 3 1 9.9.9.9 10:05:00 2 1 4 8.8.8.8 10:10:00 1 3 1 9.9.9.9 10:10:00 2 1 0 so i want to find: 192.168.1.11 to 8.8.8.8 192.168.1.11 to 9.9.9.9 192.168.1.12 to 8.8.8.8 i tried | bucket span=10min _time | stats count by int_ip ext_ip but can't understand how to filter it ... View more

Hey everyone. I need to collect linux cpu utilization from forwarder, so what i did: 1. install universal forwarder and Splunk_TA_nix /opt/splunkforwarder/etc/apps/Splunk_TA_nix 2. add needed splunk server throu /opt/splunkforwarder/bin/splunk add forward-server .... 3. add needed files throu /opt/splunkforwarder/bin/splunk add monitor.... 4. copy from default to local inputs.conf file with Shows stats per CPU (useful for SMP machines) [script://./bin/cpu.sh] sourcetype = cpu source = cpu interval = 30 index = mods (existing) disabled = 0 5. restart splunk File monitor working fine, but CPU utilization not. No errors in splunkd. ... View more

Hey guys. I want modsecurity events in Splunk, but can't make right config. I have events like this: --d021db15-A-- [22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80 --d021db15-B-- GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1 Host: 192.168.13.141 Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4 If-None-Match: "13-54429b1b62789" If-Modified-Since: Wed, 21 Dec 2016 11:45:49 GMT --d021db15-F-- HTTP/1.1 304 Not Modified Last-Modified: Wed, 21 Dec 2016 11:45:49 GMT ETag: "13-54429b1b62789" Accept-Ranges: bytes Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html --d021db15-E-- --d021db15-H-- Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header i r: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0. Server: Apache/2.4.23 (Unix) PHP/5.6.29 Engine-Mode: "DETECTION_ONLY" --d021db15-Z-- so it's start from --\w+-A-- and end with --\w+-Z-- my config: [modsec_audit] CHARSET = UTF-8 NO_BINARY_CHECK = true category = Custom pulldown_type = 1 LINE_BREAKER = --\w+-A-- disabled = false SHOULD_LINEMERGE = true MUST_BREAK_AFTER = --\w+-Z-- TRUNCATE = 0 or BREAK_ONLY_BEFORE_DATE = true instead MUST_BREAK_AFTER. but it's all wrong and i see events like "Stopwatch: 1482404729925426 2897 (- - -)" for example, or starting from . ... View more

Hey everyone. I want to search updated events via jira rest for adding them in my index after. My search work fine one day, but next not, and i can't understand why. Finding updated events in my index: index=jira earliest=-1d | stats latest(Updated) by Key | table Key, latest(Updated) | rename latest(Updated) as Updated | sort -Updated Key Updated IFWEBV-17 2016-11-09T10:29:30.000+0300 IFWEBM-151 2016-11-08T20:38:59.000+0300 IFWEBB-16 2016-11-08T14:43:51.000+0300 Finding updated events at Jira server: Key Updated IFWEB-30 2016-11-09T12:09:31.000+0300 IFWEBV-17 2016-11-09T10:29:30.000+0300 IFWEBM-151 2016-11-08T20:38:59.000+0300 IFWEBB-16 2016-11-08T14:43:51.000+0300 So i make subsearch and want to find IFWEB-30 with updated date: index=jira earliest=-1d | stats latest(Updated) by Key | table Key, latest(Updated) | rename latest(Updated) as Updated | search NOT [| jirarest jqlsearch "updated >= -1d" | table Key, Updated] No results found. Why? Yesterday i watched this searches and all work fine, but today....... ... View more

Hey everyone. I read all nearest posts about timestamp and still can't make it work. So, i have events like this: ....................."2016-11-01T21:33:16.000+0300",splunk,splunk...............one, u'Baseline Effort': None, u'Labels': '', u'Updated': u'2016-11-02T20:17:13.000+0300', u'\u03a3 Progress_progress'................ I need take timestamp from Updated field props.conf [Jira] DATETIME_CONFIG = INDEXED_EXTRACTIONS = csv KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Custom description = disabled = false pulldown_type = true TIME_PREFIX = Updated': u' TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z ... View more

Hey everyone. I'm connect my Splunk to Jira server via REST API and make search: | jirarest jqlsearch "" | sort -_time | table _time _time 2016-11-01 09:31:00 2016-10-31 10:20:03 2016-10-31 09:47:29 .............. but i can't use time preset - even i set "last 15 minutes" he show all same rows: _time 2016-11-01 09:31:00 2016-10-31 10:20:03 2016-10-31 09:47:29 .............. Setting "earliest" and "latest" in search: | jirarest jqlsearch "" | sort -_time | table _time | search earliest=-2d No results found. Also i tried make sourcetype with custom timestamp, but it doesn't help. Any ideas? ... View more

Hey guys. When i configured New Connection in Splunk DB Connect v2 to my MSSQL server i had error: Database Type is required com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Java Runtime Environment (JRE) version 1.8 is not supported by this driver. Use the sqljdbc4.jar class library, which provides support for JDBC 4.0. before i installed jre-8u101-linux-x64.rpm ... View more