Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About becksyboy
becksyboy
Communicator
Member since:
02-10-2016
06-22-2022
Community Statistics
| Posts | 75 |
| Solutions | 3 |
| Karma Given | 30 |
| Karma Received | 10 |
| Member Since | 02-10-2016 |
Activity Feed
- Posted Re: How do you tabulate a percentage of field value in a table? on Splunk Search. 06-22-2022 01:49 AM
- Karma Re: How do you tabulate a percentage of field value in a table? for niketn-deceased. 06-22-2022 01:49 AM
- Karma Re: Exporting Knowledge objects with their permissions in CSV for dmarling. 05-16-2022 06:09 AM
- Karma Re: Omit "NULL" and "OTHER" from area chart for Stephen_Sorkin. 02-22-2022 01:06 AM
- Posted Re: Is there a dashboard to monitor when event data is no longer being sent to Splunk from our hosts? on Dashboards & Visualizations. 01-17-2022 01:59 AM
- Karma Re: Is there a dashboard to monitor when event data is no longer being sent to Splunk from our hosts? for gjanders. 01-17-2022 01:58 AM
- Posted Re: Is there a dashboard to monitor when event data is no longer being sent to Splunk from our hosts? on Dashboards & Visualizations. 01-13-2022 08:57 AM
- Posted Re: Field extraction with multiple matches per line on Splunk Search. 07-23-2021 07:47 AM
- Karma Re: Field extraction with multiple matches per line for Ayn. 07-23-2021 07:46 AM
- Posted Re: ServiceNow Security Operations add-on for Splunk - missing passwords.conf? on All Apps and Add-ons. 07-15-2021 06:07 AM
- Posted ServiceNow Security Operations add-on for Splunk - missing passwords.conf? on All Apps and Add-ons. 07-15-2021 04:19 AM
- Posted Re: Microsoft Office 365 Reporting Add-on not obeying interval configuration on Splunk Search. 07-08-2021 12:37 AM
- Posted Re: Microsoft Office 365 Reporting Add-on not obeying interval configuration on Splunk Search. 07-01-2021 01:09 AM
- Karma Re: Splunk Add-on Builder: How to resolve "Invalid key in stanza" error for param._cam? for ibmresilient. 03-10-2021 06:23 AM
- Posted Re: Add Picture to Dashboard on Dashboards & Visualizations. 02-26-2021 05:49 AM
- Karma Re: Add Picture to Dashboard for Michael. 02-26-2021 05:48 AM
- Posted Re: DB connect permissions issue on All Apps and Add-ons. 02-08-2021 06:55 AM
- Karma Re: DB connect permissions issue for richgalloway. 02-08-2021 06:55 AM
- Posted DB connect permissions issue on All Apps and Add-ons. 02-08-2021 05:31 AM
- Tagged DB connect permissions issue on All Apps and Add-ons. 02-08-2021 05:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
06-22-2022
01:49 AM
Thanks, just what i was looking for.
... View more
- Tags:
- thanks
01-17-2022
01:59 AM
Thanks, some useful links here.
... View more
01-13-2022
08:57 AM
Hi @somesoni2 when i try this, i get " Error in 'eval' command: The arguments to the 'case' function are invalid." do you know why this is the case?
... View more
07-23-2021
07:47 AM
Thanks worked for me!
... View more
07-15-2021
06:07 AM
Thanks @venkatasri yep am aware of that, but when we use the older version of this app: ServiceNow Security Operations | Splunkbase if you enter the parameters in via the gui, the password is encrypted into a passwords.conf file automatically.
... View more
07-15-2021
04:19 AM
Hi All, we are trying to install the ServiceNow Security Operations add-on for Splunk, and after we add in the required details including the password, we cannot locate where the password is being stored. Was expecting a passwords.conf to be created with the password encrypted, but am not seeing anything in: /opt/splunk/etc/apps/TA-ServiceNow-SecOps/default Or in /opt/splunk/etc/apps/TA-ServiceNow-SecOps/local ServiceNow Security Operations Addon | Splunkbase We do have a sn_sec_instance.conf created in /local, but it only lists the url of our ServiceNow instance and the username. thanks
... View more
- Tags:
- add on
Labels
- Labels:
-
installation
07-08-2021
12:37 AM
Our query size window is set to 10, and delay throttle of 5. However, below are the actual times data was pulled into Splunk: 08/07/2021/05:58:56 08/07/2021/04:48:29 08/07/2021/04:32:54 08/07/2021/02:58:49 08/07/2021/01:50:45 08/07/2021/00:18:25
... View more
07-01-2021
01:09 AM
Hi there, nope we still have the issue. Sometimes it obeys the interval, but it tend to pull in logs at random intervals. We had to write a simple alert to notify us if we don't see any logs after 4 hrs. We still see the c ontinuous connections every minute or so.
... View more
02-08-2021
06:55 AM
Thanks, yep Splunk was running under the expected account. Compared the permissions for splunk_app_db_connect/linux_x86_64/bin against another working version and they were different. changed it to 700 and seems to have come back working fine.
... View more
02-08-2021
05:31 AM
Hi, we have started to get the following errors on what was a working version of DB connect v 3.4.2. Would appreciate any help figuring out how to resolve this. Unable to initialize modular input "server" defined in the app "splunk_app_db_connect": Introspecting scheme=server: Unable to run "/opt/splunk/etc/apps/splunk_app_db_connect/linux_x86_64/bin/server.sh --scheme": child failed to start: Permission denied. thanks
... View more
- Tags:
- db
Labels
- Labels:
-
troubleshooting
01-28-2021
02:50 AM
This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs. This may help you: https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporti... Also from the App: https://splunkbase.splunk.com/app/3720/#/details Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".
... View more
01-27-2021
07:50 AM
This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs. This may help you: https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporting-Add-on-for/m-p/437206#M53764 Also from the App: https://splunkbase.splunk.com/app/3720/#/details Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".
... View more
01-27-2021
03:18 AM
You should be able to do an index once. Can't remember how far you can go back but you should be able to do 20-30 days worth? [ms_o365_message_trace://index_once] delay_throttle = 1 index = ******** input_mode = index_once interval = -1 office_365_password = ******** office_365_username = ******** query_window_size = 60 start_date_time = 2021-01-01T11:01:01 end_date_time = 2021-01-27T11:01:01
... View more
12-01-2020
02:27 AM
On version 1.2.4 on Splunk 7.3.7. We had applied the suggested fix of adding a \ before the $filter. But we are faced with two issues. [1] The connection interval is not being obeyed. We have it set to 10 mins, but our logs seems to be continuously updated like the connection hasn't completed. 2020-12-01 10:21:10.854 2020-12-01 10:21:10,854 DEBUG pid=28567 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): reports.office365.com:443 2020-12-01 10:21:10.850 2020-12-01 10:21:10,850 DEBUG pid=28567 tid=MainThread file=base_modinput.py:log_debug:288 | Endpoint URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=413999 2020-12-01 10:21:10.850 2020-12-01 10:21:10,850 DEBUG pid=28567 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ nextLink URL (@odata.nextLink): https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=413999 2020-12-01 10:21:10.850 2020-12-01 10:21:10,850 DEBUG pid=28567 tid=MainThread file=binding.py:new_f:73 | Operation took 0:00:00.022766 2020-12-01 10:21:10.848 2020-12-01 10:21:10,848 DEBUG pid=28567 tid=MainThread file=connectionpool.py:_make_request:437 | https://127.0.0.1:9001 "POST /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/batch_save HTTP/1.1" 200 39 2020-12-01 10:21:10.827 2020-12-01 10:21:10,827 DEBUG pid=28567 tid=MainThread file=binding.py:post:750 | POST request to https://127.0.0.1:9001/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/batch_save (body: {'body': '[{"_key": "index_continuously_obj_checkpoint", "state": "{\\"max_date\\": \\"2020-12-01 09:54:07.121067\\"}"}]'}) 2020-12-01 10:21:10.827 2020-12-01 10:21:10,827 DEBUG pid=28567 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ max date after getting messages: 2020-12-01 09:54:07.121067 2020-12-01 10:21:09.913 2020-12-01 10:21:09,913 DEBUG pid=28567 tid=MainThread file=connectionpool.py:_make_request:437 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=411999 HTTP/1.1" 200 None 2020-12-01 10:21:21.866 2020-12-01 10:21:21,866 DEBUG pid=28567 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): reports.office365.com:443 [2] When we do have a successful connection that pulls logs (happens every 1-2 hours) we get these errors: HTTPError: 500 Server Error: Internal Server Error for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=999999 2020-12-01 09:53:50,446 ERROR pid=13324 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. 2020-12-01 09:53:50,440 ERROR pid=13324 tid=MainThread file=base_modinput.py:log_error:309 | HTTP Request error: 500 Server Error: Internal Server Error for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=999999
... View more
11-23-2020
08:53 AM
Hi, we are using version 1.2.4 on Splunk 7.3.7, and we noticed our interval setting of (interval=600 / 10 mins) is not being obeyed. We can see when it does make a successful connection and pull the logs, we see at the start of the connection "HTTP connection pooling" in the logs. However, what we see subsequently are continuous connections every minute or so. We tried a splunk restart to see if this made a difference but it hasn't changed it's behaviour. So now we see connections from every 30-40 mins or longer. Below is an example of the logs: 2020-11-23 15:42:12,824 INFO pid=32193 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling 2020-11-23 15:42:12,824 DEBUG pid=32193 tid=MainThread file=binding.py:get:677 | GET request to https://127.0.0.1:9001/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/TA_MS_O365_Reporting_checkpointer (body: {}) 2020-11-23 15:42:12,826 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): 127.0.0.1:9001 2020-11-23 15:42:12,834 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://127.0.0.1:9001 "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/TA_MS_O365_Reporting_checkpointer HTTP/1.1" 200 5509 2020-11-23 15:42:12,835 DEBUG pid=32193 tid=MainThread file=binding.py:new_f:73 | Operation took 0:00:00.010786 2020-11-23 15:42:12,836 DEBUG pid=32193 tid=MainThread file=binding.py:get:677 | GET request to https://127.0.0.1:9001/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/ (body: {'count': -1, 'search': 'TA_MS_O365_Reporting_checkpointer', 'offset': 0}) 2020-11-23 15:42:12,842 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://127.0.0.1:9001 "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/?count=-1&search=TA_MS_O365_Reporting_checkpointer&offset=0 HTTP/1.1" 200 7403 2020-11-23 15:42:12,844 DEBUG pid=32193 tid=MainThread file=binding.py:new_f:73 | Operation took 0:00:00.007860 2020-11-23 15:42:12,852 DEBUG pid=32193 tid=MainThread file=binding.py:get:677 | GET request to https://127.0.0.1:9001/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/index_continuously_obj_checkpoint (body: {}) 2020-11-23 15:42:12,857 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://127.0.0.1:9001 "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/index_continuously_obj_checkpoint HTTP/1.1" 200 128 2020-11-23 15:42:12,857 DEBUG pid=32193 tid=MainThread file=binding.py:new_f:73 | Operation took 0:00:00.005903 2020-11-23 15:42:12,858 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ Start date: 2020-11-23 14:21:59.057785, End date: 2020-11-23 14:31:59.057785 2020-11-23 15:42:12,858 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | Endpoint URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter=StartDate eq datetime'2020-11-23T14:21:59.057785Z' and EndDate eq datetime'2020-11-23T14:31:59.057785Z' 2020-11-23 15:42:12,863 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): reports.office365.com:443 2020-11-23 15:42:16,000 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?%5C$filter=StartDate%20eq%20datetime'2020-11-23T14:21:59.057785Z'%20and%20EndDate%20eq%20datetime'2020-11-23T14:31:59.057785Z' HTTP/1.1" 200 None 2020-11-23 15:42:16,073 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ max date before getting message: 2020-11-23 14:21:59.057785 2020-11-23 15:42:16,893 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ max date after getting messages: 2020-11-23 15:41:50.582546 2020-11-23 15:42:16,894 DEBUG pid=32193 tid=MainThread file=binding.py:post:750 | POST request to https://127.0.0.1:9001/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/batch_save (body: {'body': '[{"state": "{\\"max_date\\": \\"2020-11-23 15:41:50.582546\\"}", "_key": "index_continuously_obj_checkpoint"}]'}) 2020-11-23 15:42:16,926 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://127.0.0.1:9001 "POST /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/batch_save HTTP/1.1" 200 39 2020-11-23 15:42:16,928 DEBUG pid=32193 tid=MainThread file=binding.py:new_f:73 | Operation took 0:00:00.033994 2020-11-23 15:42:16,928 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ nextLink URL (@odata.nextLink): https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=1999 2020-11-23 15:42:16,928 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | Endpoint URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=1999 2020-11-23 15:42:16,932 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): reports.office365.com:443 2020-11-23 15:42:18,938 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=1999 HTTP/1.1" 200 None 2020-11-23 15:42:19,777 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ max date after getting messages: 2020-11-23 15:41:50.582546 2020-11-23 15:42:19,778 DEBUG pid=32193 tid=MainThread file=binding.py:post:750 | POST request to https://127.0.0.1:9001/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/batch_save (body: {'body': '[{"state": "{\\"max_date\\": \\"2020-11-23 15:41:50.582546\\"}", "_key": "index_continuously_obj_checkpoint"}]'}) 2020-11-23 15:42:19,827 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://127.0.0.1:9001 "POST /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/batch_save HTTP/1.1" 200 39 2020-11-23 15:42:19,829 DEBUG pid=32193 tid=MainThread file=binding.py:new_f:73 | Operation took 0:00:00.051431 2020-11-23 15:42:19,830 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ nextLink URL (@odata.nextLink): https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=3999 2020-11-23 15:42:19,830 DEBUG pid=32193 tid=MainThread file=base_modinput.py:log_debug:288 | Endpoint URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=3999 2020-11-23 15:42:19,834 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): reports.office365.com:443 2020-11-23 15:42:21,872 DEBUG pid=32193 tid=MainThread file=connectionpool.py:_make_request:437 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?$skiptoken=3999 thanks
... View more
Labels
- Labels:
-
Other
11-10-2020
05:53 AM
Thanks for the suggestions, I will investigate to see if there is a unique field.
... View more
11-09-2020
09:17 AM
Hi I have a field name called report_name, it can have a number of status values associated with it, i.e. status=a or status=b or status=c etc. A complete report run would have (status = a & status = b) A failed report run would have (status = a & status = b & status = c) How do I group results where (status = a & status = b) = Good and (status = a & status = b & status = c) = Failed for a particular report name? The issue I'm running into is when a report_name has both (status = a & status = b) & a little while later (status = a & status = b & status = c) I am unable to group them correctly, and end up naming both the same. thanks
... View more
Labels
- Labels:
-
fields
09-16-2020
06:12 AM
Hi, we have a requirement to configure the ServiceNow Security Operations Add on to use a proxy url, proxy port and also a certificate for the proxy. I can see there are option to specify proxy_url & proxy_port. Is it also possible to also integrate the certificate of our proxy? Does it need to be done within the add on or within Splunk or at the OS/Linux level? thanks
... View more
- Tags:
- servicenow
Labels
- Labels:
-
configuration
03-13-2020
08:51 AM
Hi All,
we have been informed our current/valid internal SHA2 Intermediate certificate is being replaced with a newer version. The Certificate management team has asked that the new one sit along side the older/current one on all systems which need it.
I'm aware of the importance of the certificate chain, and was wondering if just inserting the new internal SHA2 Intermediate certificate details in our chain after the current/older one for the current .pem certificates would be valid?
Example below for our Splunk forwarders:
-----BEGIN CERTIFICATE----- >>> splunkforwarder host
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- >>> splunkforwarder.key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- >> CURRENT Intermediate details
-----END CERTIFICATE------
-----BEGIN CERTIFICATE----- >> INSERT NEW Intermediate details here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- >>> ROOT details
-----END CERTIFICATE-----
thanks
... View more
- Tags:
- sha
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-22-2022
11:21 AM
|
Karma from
Karma given to
