I am trying to setup Splunk Security Essentials in a distributed environment on a SHC. I've installed v3.3.2 and all the app was successfully deployed to our search heads however I am having an issue with populating the data inventory. Periodically when we try and enter SPL in for a specific data source and refresh the page the data in input prior will simply disappear. While I see to be able to get around this by adding the input then staying on the page for an extended period in time, all of my data sources that I've added are stuck on the "Analyzing CIM and Event Size" status. I am testing on data sources which have the proper TA's installed for CIM parsing (ex. windows events), but none of my sources are able to get past this stage. Has anyone ever encountered this before or have any suggestions? I don't see any errors in the internal logs coming from the app. ... View more

Hello, I am currently in the process of normalizing some fields from some DNS logs we are receiving an I am running into an issue with field aliases. Essentially, I have a few automatic lookups that run when a search is done on this index that provide some enrichment details. One of this details is a username which I am simply trying to map to either "src_user" or "user". For the time being, I am creating an alias to set this value based on a field from the lookup (the field name is "username"). However, I went enter the below in the props.conf file on the SH I am not seeing the field created: [dns_data] FIELDALIAS-dns_username = username AS user And when I try and search for the field within this index I am getting back blank values. The username is not part of the event so I can't perform an extract so I thought field aliasing would be best here. I know there is an order of precedence with the way that Splunk processes this search time extractions, but is it possible to perform a field alias on field that was created from an automatic lookup? Or does anyone have any suggestions on a better way to make this work? ... View more

We are collecting logs from Infoblox and forwarding from the product into Splunk which is working as expected, however the timezone Splunk is indexing appears to be in GMT/UTC when the timestamps are actually in EST (when I run a search _time is 4 hours behind). I've gone through the documentation which references setting TZ in props.conf, but this has been unsuccessful so far. Also, Infoblox sends this data over a s2s tcp connection since Splunk is built in which acts as a Universal Forwarder. Is it possible to set a TZ setting on the Infoblox side before sending logs over the Splunk or am I just missing something in my current configuration to get this to work? For context, the infoblox DNS events do not have a timezone in the raw event and we are collecting the events in this fashion: Infoblox (UF) -> HF -> IN This is also my props.conf settings which are on the HF and IN: [source::/infoblox/logs*] TZ = US/Eastern [host::servername*] TZ = US/Eastern ... View more

As the title says im running into an issue with what appears to be the pull count from SQS queues. For example, right now we have 3 different SQS queues and 15 inputs per queue to addresses all of the regions they encompass. According to the AWS Add-on docs this appears to be a recommended way to scale and increase throughput. However, in our production environment, we have a backlog of events in one of the SQS queues and it doesn't look like Splunk is able to process all of these events and is stuck in a limbo state where it is pulling in events, but not able to catch up with the most recent events. According to the docs SQS queue EPS in Splunk should be 670 however the numbers I am pulling from _internal are significantly less. Has anyone ever run into an issue like this or addresses a similar SQS issue? ... View more

I am getting the below error in the splunk_ta_aws_inspector.log: level=ERROR pid=1042 tid=MainThread logger=splunk_ta_aws.modinputs.inspector pos=util.py:call:163 | | message="Failed to execute function=run, error=Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/splunktalib/common/util.py", line 160, in call return func(*args, **kwargs) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/init.py", line 53, in run do_run() File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/init.py", line 30, in _do_run aiconf.AWSInspectorConf, "aws_inspector", logger) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/common/ta_aws_common.py", line 136, in get_configs tasks = conf.get_tasks() File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/aws_inspector_conf.py", line 60, in get_tasks _cleanup_checkpoints(tasks, config) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/aws_inspector_conf.py", line 119, in _cleanup_checkpoints internals = store.get_state("internals") File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/splunktalib/state_store.py", line 155, in get_state state = json.load(jsonfile) File "/opt/splunk/lib/python2.7/json/init.py", line 291, in load **kw) File "/opt/splunk/lib/python2.7/json/init_.py", line 339, in loads return _default_decoder.decode(s) File "/opt/splunk/lib/python2.7/json/decoder.py", line 364, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/opt/splunk/lib/python2.7/json/decoder.py", line 382, in raw_decode raise ValueError("No JSON object could be decoded") ValueError: No JSON object could be decoded I have this exact same app/setup in two lower environments which working just fine and im getting data. Today when I logged in I noticed we are not longer receiving AWS logs in my production environment and this is the only error I can find. Again, I have not changed any configurations from the Splunk side and this was working the night prior. Any idea what would be causing the object error? ... View more

Hello, I've run into an issue lately where I want both my search heads and Enterprise Security to show the same field extractions and use the same lookups to sync the data across the components/data sources. However, I'm finding that unless I add a lookup/props.conf/transforms.conf to one of Enterprise Security's stock apps (ex. SplunkEnterpriseSecuritySuite or any of the ES SA's), my extracted fields and lookups will only show in an Enterprise Security search and not on any other app searches. For administrative purposes, I'd like to keep these files specific to the app, and then just control the permissions to either Global or App based. In this case, I want them to be global. Has anyone else run into this issue or am I doing something wrong here? If I add a props/transform/lookup field outside the base ES apps, my ES searches are missing these fields/enrichment. This is not the same behavior as any other app I've worked with or any of the base Splunk apps. ... View more

Is it possible to rename auto-discovered fields? I can't seem to find a way to do this. I tried adding events to a datamodel and then renaming the auto-extracted events, but this does not seem to actually change the field name (not sure what the point of the display name is really). Has anyone found a workaround for this? And no I am not trying to perform a rename on every search and I would rather not manually extract each field from the JSON events I am trying to parse. ... View more

I'm trying to install the splunk DB connect app in a new distributed lower environment and am running into the below error any time I enter an input: "java.lang.RuntimeException: java.security.GeneralSecurityException: org.bouncycastle.crypto.InvalidCipherTextException: pad block corrupted" For context, we currently have this app setup in our testing environment and I am copying over the same directories/files which include identities, connections, drivers, etc. I did create a input in our testing environment, but that file (db_inputs.conf) is not being recognized in the app on my new environment. The other articles that I found did not appear to have a solution to problem. If anything has any advise or context to this problem, please advise. ... View more

I have a search in which is generating results when I have it set as an alert and is successfully creating and event in the notable index. However, when I look on the Incident Review dashboard it does not show. I have multiple other searches/alerts which are working without any issues. Has anyone experienced this or been able to resolve this? I've tried rebuilding the search/alert, but am still having the same issue (notable event is generated, but does not show in the Incident Review dashboard). ... View more

How would I go about pre-populating the fields from splunk (ex. $name$) to the resilient action/app and have this set as default when an action is invoked manually? In this case I would like for specific fields to be pre-populated with Splunk data when a user click on this action. I've seen this setup prior, but I am not familiar with the process on how to setup (I know you can do this through the correlation search, but the action is being performed manually from Incident Review on a notable event). Would this be something that needs to be adjusted in one of the .conf files or can it be done through the UI? ... View more