ah I see what you mean...updating answer ... View more

what do you mean? do you not have parallelization turned on? ... View more

yeah it looks as if the process spins up just to realize it doesn't have to run. ... View more

what version of the forwarder are you on? The newer versions don't install windows monitors by default more, IIRC. Checking... ... View more

yep, the alert action framework or the old run a script methods allow you to do what you want at that time. What do would you want to search if this alert hit? ... View more

banged head table till it worked 😉 https://jqplay.org/ - cheat sheet at the bottom of the page https://stedolan.github.io/jq/tutorial/ - couple simple tutorials on how to learn the syntax/capabilities. Spent a night trying to wrastle the same thing for another data source. basically telling it to unwrap the array...the powers are amazing, you can literally format the json any which way you want. ... View more

yeah you need to install jq on the os. you are working on nix right? Its worth it because its less a point solution and more an other spell in the voodoo book ... View more

I could gladly help with notes on the learning curve the from the perspective of someone who knows just enough to get into trouble 😉 I think I know a few splunkers that could so something like that justice... ... View more

ok cool...so might need to catch you in Slack to give you the full tour (though I am a jq n00b too), but heres what I did. I took your json and threw it in jqplay then used its magic syntax, which is like sed/awk for json, and i told it to "unwrap" the results array so that we can get something splunk can eat as single events... .results[] I know, i know..ugh another thing to learn...but this one is worth it, and like you, i no speaka good python, so this is easier for me than learning python to create a handler for the mod input... Anwyays, I took the ouput, saved it to file then ran it thru add data wiz...looking good to me...so basically you would just run the api results thru jq as part of your script to ingest... ... View more

you just want each of these as events, right? { "id": 592594, "name": null, "status": { "id": 2963, "name": "Handled" }, "priority": { "id": 2864, "name": "Low" }, "queue": { "id": 2144, "name": "Default" }, "description": null, "assigned_to": { "id": 2426, "username": "user1@company.com" }, "asset_list": null, "advisory": { "id": 199009, "advisory_identifier": "SA74347", "title": "VMware ESXi Script Insertion Vulnerability", "released": "2016-12-21T22:28:44Z", "modified_date": "2016-12-21T22:28:44Z", "criticality": 4, "criticality_description": "Less critical", "solution_status": 2, "solution_status_description": "Vendor Patched", "where": 1, "where_description": "From remote", "cvss_score": 4.3, "cvss_vector": "(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)", "type": 0, "is_zero_day": false } do you care about this piece? { "count": 66, "next": "https://api.app.secunia.com/api/tickets/?page=2", "previous": null, "results": [ ... View more

what version of the app? Did you try multiple browsers? ... View more

Hi a212830! The where clause goes at the end, but you gotta be careful with fields with spaces...i used single quotes to get it to work. | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [ rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used" | where '% used' > .2 To send an email, hit Save AS > Alert and configure it run on a schedule and to trigger an email action when number of results is greater than 0 (and list in triggered alerts for verification/troubleshooting) Also note @hexx answer that an alert for overall usage exists in the management console and can be triggered as an email alert as well. ... View more

check out jq then. I have a enhancement request in to see if we can incorporate some of its magic into the json pipeline. ... View more

The best bet for this topic is to either 1) use the REST API modular input to call the endpoint and create an event handler to parse this data so that Splunk has a better time ingesting or 2) preparse with something like jq to split out the one big json blob into smaller pieces so you get the event breaking you want but maintain the json structure - throw ur entire blob in here https://jqplay.org and see if you can break it out the way you want. Can you share an entire event on pastebin or Slack? Then we can play with the jq syntax and get it rocking ... View more

yeah im leaning toward audit logs like hgrow, although depending on what exactly your use case is, that can get a little crazy in terms of volume and config tuning...is this a security and compliance use case? If so then, yeah...audit logs...otherwise if ur requirements are a bit more relaxed then there things like hhGA is eluding to, where you just eat the sftp logs, which usually get you the transaction info ur looking for - maybe check /var/log/messages or like hhGA said, cronjob an ls -lah on the dir or something...but like I said, need to know more about your requirements and drivers ... View more

can you share a but more on how you have it currently set up? What exactly are you using to monitor the changes? Have you considered locking down the index that gets the file contents and serving a summary of the changes to the wider audience? ... View more

Another answers post suggested configuring rhe http_proxy like: http_proxy=a_user:a_password@proxy.local:80 Did you try with your credentials? Sounds like your proxy requires auth. https://answers.splunk.com/answers/59873/how-to-get-splunk-to-work-behind-a-proxy.html ... View more

My guess is that the alert action may not be sending the client_url string in the alert payload that Pagerduty need to build that link? Splunk:8000 sounds like a default entry, perhaps check the script that the pager duty app has in its bin folder to see how it constructs the call to the pagerduty url? ( i will check in my lab and follow up) https://v2.developer.pagerduty.com/docs/trigger-events I believe pagerduty provides the option to view he raw payload, can you post an example? Splunks alert action args contain a results url that should work here. Is your Splunk instance available to the internet? ... View more

what was the piece that needed to be updated? ... View more

ok cool, will try it in the lab and see if I can figure out whats up ... View more

hi twh1, The history file found at that path is a SQLite db file. If you try and open that file in a text editor, you will see that it is not an readable text file, and as such, Splunk won't be able to handle it the way you would like by simply pointing a monitor at it. It looks like there is an app on Splunkbase that claims to be able to allow you to index these files, though I have never tried it. It appears to leverage a python script and SQLite binary...which means a universal forwarder won't be able to do it without some customization as a UF doesn't ship with python. https://splunkbase.splunk.com/app/1217/ I'll give it a try when I get the chance. ... View more

It would matter, If there is another app with a local folder, it will win against this fluentd config if it conflicts ( please review file precedence)....but moving on... What does the data look like in the index at this point? what sourcetype is being applied? Syslog? Fluentd? json? Can we see your inputs.conf please? Is any other sourcetype coming in on this port? Is this a standalone Splunk deployment or distributed? If the data is being caught on a tcp port by a forwarder, does it have this props? Because you are using indexed extractions, you need to ensure the forwarder has the props. https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Extractfieldsfromfileswithstructureddata see caveats section ... View more

oh yeah..is that actually your props file? ... View more