Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dokaas_2
dokaas_2
Path Finder
Member since:
01-31-2019
Online
Community Statistics
| Posts | 46 |
| Solutions | 1 |
| Karma Given | 8 |
| Karma Received | 4 |
| Member Since | 01-31-2019 |
Activity Feed
- Posted Re: Best method to write all event to RFS with Ingest Actions on Getting Data In. 2 hours ago
- Posted Re: Where to implement Ingest Actions? on Getting Data In. yesterday
- Posted Where to implement Ingest Actions? on Getting Data In. Saturday
- Posted What is the best method to write all event to RFS with Ingest Actions? on Getting Data In. Thursday
- Tagged What is the best method to write all event to RFS with Ingest Actions? on Getting Data In. Thursday
- Posted Why don't UFs parse data when docs say splunktcp-ssl is only for "parsed" data to indexers? on Getting Data In. 02-27-2023 07:06 AM
- Karma Re: Indexers Cluster and Smartstore S3 buckets configuration for scelikok. 02-24-2023 01:38 PM
- Posted Indexers Cluster and Smartstore S3 buckets configuration on Splunk Search. 02-24-2023 08:10 AM
- Posted Can you search S3 buckets from the search head that were written from ingestion actions? on Splunk Search. 02-24-2023 08:06 AM
- Tagged Can you search S3 buckets from the search head that were written from ingestion actions? on Splunk Search. 02-24-2023 08:06 AM
- Karma Re: Configuration Preccedence for Splunk UF for gcusello. 02-20-2023 02:10 AM
- Posted What is the configuration precedence for Splunk UF? on Deployment Architecture. 02-16-2023 03:08 AM
- Posted Re: Can a Heavy-Forwarder just raw forward and not parsing? on Getting Data In. 02-14-2023 03:26 AM
- Karma Re: HF Intermediate Forwarder for PickleRick. 02-14-2023 03:13 AM
- Posted Does the data flow through those same queues at the indexer? on Getting Data In. 02-13-2023 05:00 PM
- Posted Re: Can a Heavy Forwarder send cooked but unparsed data? on Getting Data In. 02-11-2023 11:57 AM
- Got Karma for How to manage Windows "Server Certificate Hostname Validation". 01-12-2023 02:32 PM
- Posted Is there a way to query ES investigations for artifacts? on Splunk Enterprise Security. 10-12-2022 04:53 AM
- Posted Re: How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devic on Splunk Enterprise Security. 10-09-2022 05:42 AM
- Posted How to manage Windows "Server Certificate Hostname Validation" on Security. 08-21-2022 06:10 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
2 hours ago
That script, I believe, moves frozen buckets to an S3 storage location. However, I what I want is to use the ingest actions (Settings / Data / Ingest actions) to write all raw events in compressed JSON format. Ingest actions is per source type and with nearly 100 or more source types, manually creating one for each is onerous. Ingest actions use RULESET in the props to define how to store on the Remote File System (RFS).
... View more
yesterday
To clarify. Splunk +9 provides 'ingest actions' to filter, mask and route data. This can be done on a heavy forwarder or indexer. Heavy forwarders would receive their configuration from a deployment server, but clustered indexers receive their configuration from the cluster manager (I guess stand-alone indexers could get their configurations from a deployment server too). It was that in the class documentation, they only mentioned that 'ingest actions' were deployed through the deployment server and not that they would be deployed by the cluster manager if you had clustered indexers.
... View more
- Tags:
- y.
Saturday
In a recent "Splunk Enterprise 9.0 Data Administration" class, the documentation says that Ingest Actions should be implemented on a Deployment Server. Am I correct that this only refers to Ingest Actions defined for a heavy forwarder and that if the Ingest Action is to be deployed on an indexer it should be defined on the cluster manager?
... View more
- Tags:
- Ingest Actions
Labels
- Labels:
-
heavy forwarder
Thursday
Our requirements are to have readily searchable data for 12 months and 'cold store' of data for an additional 18 mths (30 mths total). Ingest Actions seems like the obvious choice since it can write to an S3 bucket and compress the data in a format easily re-ingested or passed to a 3rd party if needed. However, the ingest actions seem to only work given you apply the ruleset to a sourcetype. Given that there may be a hundred or more sourcetypes, this is a little onerous. Is there a method to accomplish this w/o creating a ruleset for every sourcetype?
... View more
- Tags:
- Ingest Actions
- rfs
- s3
Labels
- Labels:
-
other
-
props.conf
-
transforms.conf
02-27-2023
07:06 AM
According to the Splunk documentation on the attribute [splunktcp-ssl:<port>] it states that: * Use this stanza type if you are receiving encrypted, parsed data from a forwarder."
UFs cook, but do not 'parse' the data. Thus, is this effective to send encrypted data from the UF to indexers?
... View more
Labels
- Labels:
-
universal forwarder
02-24-2023
08:10 AM
When one configures the indexer cluster for SmartStore, does each indexer get its own S3 bucket? Or is there just one very large S3 bucket and all indexers write into the same S3 bucket (separated by indexer GUID or something like that)?
... View more
- Tags:
- S3 bucket
- smartstore
Labels
- Labels:
-
other
02-24-2023
08:06 AM
Using ingestion actions, one can write a copy of events to an S3 bucket prior to indexing. Can one search these S3 buckets with Splunk even though they were not ingested (it'd be slow, but could be useful for historical searches)?
... View more
Labels
- Labels:
-
other
02-16-2023
03:08 AM
In the Admin classes configuration precedence was defined for index and search time. However, since the Splunk UF is neither index nor search, what precedence order does the Splunk UF follow?
... View more
Labels
- Labels:
-
universal forwarder
02-14-2023
03:26 AM
I may get slapped for this answer since Splunk technically says it's deprecated, but you could consider using the LightWeightForwarder. The LWF disables the parsing & index queues on the HF, but gives one the HEC inputs and Python (for running apps such as eStreamer, dbConnect, etc) as an intermediate relay. A LWF disables the web interface, but that can be turned back on in a higher precedence web.conf. I use a LWF in the DMZ which gives me all the above, but also provides a deployment server for assets in the DMZ.
... View more
02-13-2023
05:00 PM
If an HF is used for a intermediate / aggregation tier and the data is parsed, what does the ingestion pipeline look like when it hits the indexer. That is, if the HF does parsing, aggregation, typing, but not indexing, does the data flow through those same queues at the indexer? Or is the data injected directly in the the indexing queue?
... View more
Labels
02-11-2023
11:57 AM
I realize this is a very old post, but as I was browsing I didn't see an answer to your questions. The best answer is probably to use a LightweightForwarders. Yes, I know it's supposedly deprecated, but it does pretty much what you want. That is, it sends cooked, but unparsed/unindexed data to the indexer. It also gives you all of the functionality such as Python, HEC inputs, etc. By default, the LightweightForwarder will disable the web interface, but that can be turned though the web.conf setting. I use this configuration in my DMZ.
... View more
10-12-2022
04:53 AM
Is there a way to query ES investigations for artifacts? For example, suppose that I have a current notable with a hostile foreign IP address. I would like to query Splunk and find all previous investigations with that IP address so that analyst can review the previous investigations.
... View more
- Tags:
- artifacts
Labels
- Labels:
-
investigation
10-09-2022
05:42 AM
Correlation rules from sources such as ESCU will have a filter macro. For example, the rule "ESCU - Access LSASS Memory for Dump Creation - Rule" has a macro named "access_lsass_memory_for_dump_creation_filter". You should modify the macro rather than the rule itself. Sometimes rules are updated in the ESCU. If one modifies the rule directly, the search will be saved in the 'local' folder and have precedence over an updated rule in the default folder.
... View more
When deploying apps with the deployment server, I receive the following warning: "Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details..." It appears as though Splunk wants host certificates for authentication on all deployment clients. With over 10K Windows systems, generating PEM formatted certificates for use in Splunk seems onerous. Does anyone have a solution for how to manage this? It would seem that the Splunk UF for Windows should be able to read the Windows certificate store for this authentication, but I've not found that solution.
... View more
Labels
- Labels:
-
other
07-31-2022
07:10 AM
Seems like Splunk should incorporate that feature; however, as far as I can tell they haven't. My work around has been to: 1. Run Splunk https on port 8443. 2. Install lighttp light web server that redirects http port 80 to https port 8443. 3. Run firewalld and redirect port 443 to port 8443.
... View more
07-06-2022
09:32 AM
I'm seeing something similar with my v9 intermediate forwarders. I have not upgraded my indexer cluster to v9 yet (8.2.5) and was wondering if the forwarders being at a higher version than the indexer was causing the issues. I'm seeing events from the problem relay servers such as: Invalid ACK received from indexer=aaa.bbb.ccc.ddd:9997. Got unexpected ACK with eventid=53825 Are you seeing anything such as that? index=_internal sourcetype=splunkd ack
... View more
06-30-2022
11:04 AM
I'm running into the same issue, but with Ricoh printers. But my direction will be what you outlined with sending to SYSLOG, writing to file and forwarder to read that file.
... View more
03-05-2022
04:25 AM
Seems like Splunk should incorporate that feature; however, as far as I can tell they haven't. My work around has been to: 1. Run Splunk https on port 8443. 2. Install lighttp light web server that redirects http port 80 to https port 8443. 3. Run firewalld and redirect port 443 to port 8443.
... View more
01-18-2022
01:20 PM
The query is something like this: The query uses CoreLight data and excludes local and well known sources. | timechart count as s span=5ds | fillnull value = 0 | eval time_interval = 0.5 | eval sequence_number = 1 | streamstats current=f sum(sequence_number) as seq | streamstats sum(time_interval) as time | eval time = time - time_interval | head=4096 | table time, s | fit FFT s from time Still working with it .... Do you have any suggestions, improvements?
... View more
- Tags:
- sample query
Contact Me
| Online Status |
Online
|
| Date Last Visited |
15m ago
|
Karma given to
