Activity Feed
- Got Karma for Re: Proofpoint Email Security Add-On: Issues with dashboard population and extractions. 01-09-2023 06:38 AM
- Got Karma for Proofpoint Email Security Add-On: Issues with dashboard population and extractions. 01-09-2023 05:52 AM
- Got Karma for Errors with Rapid7 InsightVM TA. 02-24-2022 06:08 PM
- Got Karma for Re: Microsoft Office 365 Reporting Add-on for Splunk is affected by stop supporting and retire Basic Authentication for. 01-18-2022 06:37 AM
- Karma Re: How to configure Splunk to extract XML fields from Windows security event 4698? for krishnarajapant. 07-12-2021 10:41 AM
- Posted Errors with Rapid7 InsightVM TA on All Apps and Add-ons. 06-15-2021 09:00 AM
- Karma Re: Splunk Add-on for Microsoft Cloud Services vs Microsoft Azure Add on for Splunk for grobendg. 06-14-2021 05:45 AM
- Karma Re: Splunk Add-on for Microsoft Cloud Services vs Microsoft Azure Add on for Splunk for venkatasri. 06-11-2021 11:18 AM
- Posted Re: Splunk Add-on for Microsoft Cloud Services vs Microsoft Azure Add on for Splunk on All Apps and Add-ons. 06-11-2021 11:15 AM
- Posted Splunk Add-on for Microsoft Cloud Services vs Microsoft Azure Add on for Splunk on All Apps and Add-ons. 06-10-2021 10:53 AM
- Posted Re: Splunk Logs to Azure Blob Storage on Getting Data In. 05-19-2021 10:20 AM
- Posted Re: Windows Eventlog field suppression in 8.1.1 on Getting Data In. 04-29-2021 06:45 AM
- Posted Windows Eventlog field suppression in 8.1.1 on Getting Data In. 04-29-2021 06:34 AM
- Karma Re: O365 message tracking logs for J_lo. 02-02-2021 07:58 AM
- Karma Re: ERROR lookup minemeldfeeds for scelikok. 02-01-2021 11:54 AM
- Karma Re: Splunk Permission Error for nickhills. 12-15-2020 11:23 AM
- Posted Calculate Bucket Thaw Time on Splunk Search. 12-15-2020 10:25 AM
- Posted Re: Ingesting logs from Microsoft Teams on All Apps and Add-ons. 12-15-2020 10:12 AM
- Got Karma for Re: Upgrade from 7.3.7 to 8.0.6. 10-08-2020 06:18 AM
- Got Karma for Upgrade from 7.3.7 to 8.0.6. 10-08-2020 06:18 AM
06-15-2021
09:00 AM
1 Karma
Hey All, hoping someone can help with an issue with the Rapid 7 Insight VM TA. We recently upgraded the app from 1.0.5 to 1.1.0. After upgrading, the app stopped working and started throwing an error. The GUI for the app would no longer completely load after the upgrade; the config\inputs page would halfway load and just spin. I removed the new version and re-installed the older version 1.0.5 but still have the same issues. Is anyone else having issues with it that might be able to assist?
Splunk Version: 8.1.1
App is installed on a HF
We get the attached error in the newer version and the older version now. Seeing a lot of these python related errors also:
06-15-2021 10:04:01.511 -0500 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/bin/runScript.py setup': ImportError: cannot import name 'validator' from 'splunktaucclib.rest_handler.endpoint' (/opt/splunk/etc/apps/TA-rapid7-insightvm/bin/ta_rapid7_insightvm/aob_py3/splunktaucclib/rest_handler/endpoint/__init__.py)
Labels: troubleshooting
06-11-2021
11:15 AM
Thanks for the reply. I figured they were similar, but there wasn't any true breakdown of the differences. I saw the note that it improved compatibility, and that's what confused me. It made it seem like it needed MSCS to operate, yet they collected almost identical data sets.
06-10-2021
10:53 AM
Can anyone tell me what the key difference(s) are between the Splunk Add-on for Microsoft Cloud Services and the Microsoft Azure Add on for Splunk? Looking at the Splunkbase descriptions, they look almost identical in what data sources they can collect. Is the only difference that the Splunk Add-On can pull in blob storage logs? Or is there something else I am missing? Thanks, Andrew
Labels: installation
05-19-2021
10:20 AM
Are you trying to export the logs? Or use blob storage for index storage?
04-29-2021
06:45 AM
I should have looked a little harder. Seems it was in the inputs.conf documentation: https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Inputsconf#Windows_Event_Log_Monitor
04-29-2021
06:34 AM
I just recently upgraded to 8.1.1 for our core Splunk infrastructure and our UFs. I noticed the release notes for 8.1.1 list:
"Remove, suppress any field from Windows Eventlog via universal forwarder. Reduce noisy and unnecessary data from Windows Logs by filtering on any fields available at the source."
Currently we are using the blacklist option and a few regexes to accomplish our goal of filtering certain Windows events at the UF level. Does anyone know where the documentation is that relates to the above new feature? Just trying to figure out the proper usage\syntax in the hopes we can eliminate our blacklist regexes. Thanks, Andrew
Labels: universal forwarder, Windows
12-15-2020
10:25 AM
Hey All, was just curious if there is a way to calculate how long it should take to thaw\rebuild frozen buckets for searching. We recently started a thaw of a month's worth of Windows event data that is taking a considerable amount of time. Going on 5 hours now across 3 clustered IDXs. We have 6 total IDXs clustered, and we perform the thaw\rebuild on 3 at a time to ensure we can balance data ingestion and the thaw process. I would love to be able to set expectations, when other business units ask for historical data to be loaded, on how long it will take to be ready. I'm sure it depends on CPU\HDD speed\bucket size, but was curious if anyone has a way to determine some rough calculations. Thanks! Andrew
12-15-2020
10:12 AM
@atuljha82 I had an identical error message in my logs. This is usually due to Microsoft being unable to communicate with your webhook. Mine occurred after Microsoft added some new IPs to the Graph API and we had to add them to the whitelist in our FW rule.
10-07-2020
07:56 AM
1 Karma
Just an FYI all, there are two ideas supporting this requested change:
https://ideas.splunk.com/ideas/APPSID-I-27
https://ideas.splunk.com/ideas/APPSID-I-70
I would recommend voting for at least the first (it has the most hits). It is also showing in the Planned stage.
10-07-2020
07:52 AM
1 Karma
Hey @dmacintosh_splu, I appreciate that link. I already have that document and use it as part of all of our upgrades. I was more looking for tips/tricks/gotchas from others who have made the jump from 7.x to 8.x, to help prepare for any issues/concerns before we upgrade.
10-06-2020
10:10 AM
1 Karma
Hey All, we are looking to upgrade from 7.3.7 to 8.0.6 or the most recent release in the 8.x code base. Besides potential app incompatibilities, does anyone else have any "gotchas" or issues/concerns they have run into with an upgrade like this? Thanks! Andrew
Labels: upgrade
09-04-2020
12:09 PM
Hey All, I am looking to revamp our Splunk test environment and build a new one from scratch that better suits our needs. Our production environment consists of both a search head cluster and an indexer cluster, along with all of the other various Splunk components. I would love to replicate our clusters on a smaller scale to ensure our test environment pretty closely mirrors production. It appears, though, that the Dev/Test License doesn't support clustering. Does anyone have any recommendations on how to best go about it? I can set up standalone instances with no problem; just curious how others have addressed this, as newer versions of Splunk sometimes make changes to clustering services and I want to ensure they are close to 100% tested before production upgrades.
Also, what's the best way to get test data into the test environment? Is the best route to just forward some data from production? Is there a way to mask the data or a way to create dummy data? Thanks in advance! Andrew
07-30-2020
09:11 AM
Yeah, my webhook is using 4444. Glad to hear it's still working with good ACLs in place. Do you have the cert only on your HF and only a FW in between?
07-30-2020
08:35 AM
I honestly still can't get it to work but can relay our current setup if it helps. We created an external cert with a specific URL that the webhook would use. We then ensured the webhook setup in the Splunk app had that URL. HTTPS inbound to our URL is translated to our specified port at the firewall. If that traffic matches the security policy, it is forwarded on to the F5. The F5 is listening on that port and will pass traffic to the Splunk server on that same port. We do have the Graph API IPs allowed as part of that security policy on the FW. We can hit the webhook internally via our F5 but still can't get it to work pulling Teams logs.
07-02-2020
12:32 PM
Hey All, finishing the configuration and tuning of the Microsoft 365 App for Splunk, and on the overview dashboard under M365 a single panel is having an issue with a macro.
Error message: Error in 'SearchParser': The search specifies a macro 'o365_service_status' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
I checked the app's default and local folders and in the GUI and don't even see this macro anywhere. Anyone have any clue what this macro holds so that I can create it to get this dashboard panel working? Thanks, Andrew
Labels: configuration, dashboard, troubleshooting
07-01-2020
12:17 PM
Thanks was looking for this solution too!
07-01-2020
06:09 AM
Thanks for the super helpful information! Definitely puts me on the right path and kinda confirmed my suspicions. So you used a cert from an external party and NAT'ed that hostname at your FW?
06-30-2020
07:24 AM
Hey All, I recently installed/configured the Microsoft Teams Add-on in an attempt to ingest call logs and meeting info from Microsoft Teams. I have run into an issue I was hoping someone could help with or shed some light on.
Add-On Version: 1.02
Splunk Version: 7.3.4
App is installed on a HF.
I have followed the instructions on the setup and have the Subscription, User Reports, Call Reports and Webhook all set up in the inputs section of the app. It appears, though, that the only thing working is the User Reports. I have granted all of the required permissions in Teams\Azure per the documentation. The _internal logs don't give a whole lot of information indicating what the issue might be, even with DEBUG logging enabled for the app. The only thing I am seeing in the logs indicating an issue was this:
127.0.0.1 - splunk-system-user [30/Jun/2020:09:05:36.213 -0500] "GET /servicesNS/nobody/TA_MS_Teams/properties/TA_MS_Teams HTTP/1.1" 404 144 - - - 0ms
And this:
2020-06-30 09:25:43,189 ERROR pid=107176 tid=MainThread file=base_modinput.py:log_error:309 | Could not create subscription: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/subscriptions
The documentation also mentions a webhook, which I am a little confused about as to where that webhook resides. Is it in Teams itself or where the app is installed? It seems like the webhook is in the app on the HF, based on how the documentation reads? Any help would be greatly appreciated. Thanks, Andrew
06-12-2020
08:58 AM
1 Karma
Would love to hear more about your proposed solution @marcluescher. We have thought about taking the PowerShell route too but haven't spent much time on it, to be honest.
05-20-2020
12:07 PM
Just an FYI, I created an idea for it a couple of months back if anyone wants to vote on it:
https://ideas.splunk.com/ideas/EID-I-66
05-20-2020
12:02 PM
Hey @nnimbe1,
I don't have an actual search to provide but rather an app that we use in our environment that is immensely helpful when it comes to license usage. We use Meta Woot! a free Splunk app to provide almost exactly the information you need.
It has a dashboard called Meta Woot! License Event Usage that details the host, sourcetype, index, total_events, license_per_event, and total_license usage.
I would recommend checking this app out, as it does an amazing job of providing the license usage tracking metrics you might need.
Andrew
05-19-2020
06:57 AM
Ok, thanks for the info Giuseppe. Was just gauging the community to see what my options were and to do due diligence.
05-14-2020
08:27 AM
Did you perform any type of config cleanup? Did you leave the /opt/splunk/ directory intact?
05-14-2020
08:11 AM
Our Indexers are Azure servers and required quite a bit of OS customization to align with our company's standards, which is why I was bringing this question up. I am not a fan of the idea and understand the pitfalls and potential issues that could occur down the road, but wanted to ask just to do my due diligence.
I personally was thinking of cloning the server and then nuking the Splunk installation directory, so the sysadmin saves time in setup and I can start from a "fresh install". Just wasn't sure if that would take care of all remaining artifacts from the install.