Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dokaas_2
dokaas_2
Path Finder
Member since:
01-31-2019
2 weeks ago
Community Statistics
| Posts | 17 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 01-31-2019 |
Activity Feed
- Posted What is the purpose of [admon] stanza in Windows Splunk UF default folder on All Apps and Add-ons. 2 weeks ago
- Tagged What is the purpose of [admon] stanza in Windows Splunk UF default folder on All Apps and Add-ons. 2 weeks ago
- Posted Why is host=$decideOnStartup for Splunk Stream, but not other events? on All Apps and Add-ons. 4 weeks ago
- Tagged Why is host=$decideOnStartup for Splunk Stream, but not other events? on All Apps and Add-ons. 4 weeks ago
- Tagged Why is host=$decideOnStartup for Splunk Stream, but not other events? on All Apps and Add-ons. 4 weeks ago
- Tagged Why is host=$decideOnStartup for Splunk Stream, but not other events? on All Apps and Add-ons. 4 weeks ago
- Posted Re: STREAM in DMZ with Intermediate Forwarder on All Apps and Add-ons. 02-24-2021 08:45 AM
- Posted STREAM in DMZ with Intermediate Forwarder on All Apps and Add-ons. 02-24-2021 06:56 AM
- Tagged STREAM in DMZ with Intermediate Forwarder on All Apps and Add-ons. 02-24-2021 06:56 AM
- Tagged STREAM in DMZ with Intermediate Forwarder on All Apps and Add-ons. 02-24-2021 06:56 AM
- Posted Re: How do I set different source types on one data input? on Getting Data In. 02-16-2021 04:41 AM
- Posted Using Heavy Forwarder as a Relay on Deployment Architecture. 10-28-2020 10:17 AM
- Posted Re: Using a clickable image to select query on Dashboards & Visualizations. 07-18-2020 04:44 AM
- Tagged Re: Using a clickable image to select query on Dashboards & Visualizations. 07-18-2020 04:44 AM
- Karma Re: In a mulit-site cluster, does Splunk replicate just the data to the remote and then the remote site indexer indexes the data? for nickhills. 06-05-2020 12:51 AM
- Karma Re: How do you add notes for events? for woodcock. 06-05-2020 12:50 AM
- Karma Re: image in dashboard for tormodbp. 06-05-2020 12:48 AM
- Posted Re: How to prevent getting an error using brackets < > in a rex expression while creating a dashboard view in XML? on Dashboards & Visualizations. 05-08-2020 09:44 AM
- Posted Re: Using a clickable image to select query on Dashboards & Visualizations. 03-31-2020 04:42 AM
- Posted Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
Our Windows admins are complaining about high CPU usage on our AD DCs and are pointing their finger at the Splunk UF. In the inputs.conf file i the default folder, there is a stanza: [admon] / interval=60 / baseline = 0. This is installed on about 10K workstations/servers. There are no other inputs.conf files with settings to monitor AD. Does this cause the workstations to query AD even if no other inputs are defined?
... View more
Labels
- Labels:
-
configuration
4 weeks ago
I have several Windows servers that the host=$decideOnStartup, but other Windows events correctly provide the Windows host name. Any ideas why and how to correct this?
... View more
Labels
- Labels:
-
configuration
-
installation
02-24-2021
08:45 AM
Thanks for the reply. I got the splunk_stream_app_location correct (just to be clear for others, the 8000 is the default port used by Splunk web. If one changes the web port, the app location should match -- port 8443 for me). My concern with opening up port 8443 in the DMZ, is well, it's the DMZ and not fully trusted. Do you have any references for the manual option. Thought I'd just give that a try even if I miss the monitoring or would it show up in my internal Stream app?
... View more
02-24-2021
06:56 AM
In our DMZ we have UFs installed on Windows/Linux hosts. They forward events to an intermediate heavy forwarder in the DMZ w/doubles as a deployment server and Stream app server. I've pushed out the Splunk_TA_stream to the UFs with the correct intermediate heavy forwarder as the Stream server; however, I'm not seeing any of the UFs. I suspect its due to restrictions on the firewall between the different DMZ zones. What ports need to be open between the UFs Splunk_TA_stream and the Splunk stream server? I also assume that once it's configure there won't be an issue with routing through an intermediate relay heavy forwarder..Right? And finally, is there a way to manually configure the Splunk_TA_stream add-on and not use the Splunk Stream app?
... View more
Labels
- Labels:
-
configuration
-
installation
02-16-2021
04:41 AM
Is there a reason you don't just send to different IP ports? [//tcp:10514] connection_host = IP sourcetype = bluecoat:proxysg:access:file index = web #assumes Palo Alto firewall [//tcp:10515] connection_host = IP sourcetype = pan:traffic index = firewall
... View more
10-28-2020
10:17 AM
I've seen the warnings of having UFs sending HFs and relaying to a index cluster. The objection seems to be around uneven distribution of events from the HFs to the indexers. However, doesn't setting the HFs outputs.conf variables: indexAndForward=false and autoLBFrequency=30 fix those issues? Basically, have the UFs load balance to a pool of HFs and the pool of HFs load balance to the index cluster. If you do this, will you still have problems?
... View more
Labels
- Labels:
-
heavy forwarder
07-18-2020
04:44 AM
in the previous solution post I made reference to the image being sizable. the answer that I arrived at was to save the image as an SVG file and use the SVG visualization addon. I used MS Visio and was able to select a Visio element and add an http reference to the element. Another gotcha that when you save as an scalable vector graphic from Visio you must deselect the "Include Visio data in files". The other thing I did was to put the SVG file in a saved macro and used it to pass the SVG code visualization.
... View more
- Tags:
- in
05-08-2020
09:44 AM
The easiest way I've found is to create a macro of your query. The use the macro in your dashboard query statement. Be sure permissions are properly set.
<query>`your_query`</query>
... View more
03-31-2020
04:42 AM
So the answer to my problem was in formatting the href in the element. The html file is show and goes in the /appserver/static folder. The image goes in /appserver/static/images folder.
In the dashboard, the reference to the html file is in an html panel using the element.
The challenge now is that when one resizes the browser, the image also resizes which causes problem b/c the imagemap uses absolute positioning. I'm assuming a script can be written to fix this.
+++++++++++++++++
... View more
03-25-2020
06:46 AM
I've generated an image of our network perimeter with the major equipment (Cisco ASA, Palo Alto, etc) providing a visual image of how data flows through the perimeter wall. The image is on the left hand pane of the dashboard. The image is contained in a dashboard through the use of the HTML element to make it clickable. On the right hand pane I have a table.
What I want to do is to use the clickable image in the left pane to display events in the right hand table pane depending on what piece of equipment they click. The fundamental query will change depending on the equipment (firewall versus IDS versus VPN, etc)
Does anyone have a good solution (other than using a dropdown input box?
... View more
03-17-2020
10:49 AM
You'd be surprised at how many times a user will type their password in the UserID field. This shows up in a Windows EventCode=4625. By itself it wouldn't be an issue since in a single 4625 event you don't know the userID. However, if you correlate that to other events on the same host, you probably can figure out both the username and password. You'd want to keep the usernames in the field if they didn't look like a password. So my question is this:
Q: How would one propose to selectively find usernames that look like passwords and then substitute a character string (e.g. "********") at index time?
... View more
03-02-2020
10:06 AM
Two sites, RF=2 SF=2 + Splunk SmartStore. Design for 3TB/day at one site and 2TB/day at the second site (5TB/day total). Both sites will search across all data.
... View more
03-02-2020
08:52 AM
Thanks. I can see the benefits and pitfalls of both ways.
So if the data is replicated to the remote site (target) to be indexed, assuming two sites, does one need to size the number of indexers based on the combined ingestion rate at both sites?
... View more
03-02-2020
05:57 AM
Thanks, but after a little further research, that seems inconsistent with https://docs.splunk.com/Documentation/Splunk/;atest/Indexer/Howclusteredindexingworks. Of course this does not specifically address multisite clusters, but I'd assume this would apply. What do you think?
++++++++++++++++++++++++++++++++++++++
These events occur when a peer node starts up:
1. The peer node registers with the master and receives the latest configuration bundle from the master.
The master rebalances the primary bucket copies across the cluster and starts a new generation.
The peer starts ingesting external data, in the same way as any indexer. It processes the data into events and then appends the data to a rawdata file. It also creates associated index files. It stores these files (both the rawdata and the index files) locally in a hot bucket. This is the primary copy of the bucket.
The master gives the peer a list of target peers for its replicated data. For example, if the replication factor is 3, the master gives the peer a list of two target peers.
If the search factor is greater than 1, the master also tells the peer which of its target peers should make its copy of the data searchable. For example, if the search factor is 2, the master picks one specific target peer that should make its copy searchable and communicates that information to the source peer.
The peer begins streaming the processed rawdata to the target peers specified by the master. It does not wait until its rawdata file is complete to start streaming its contents; rather, it streams the rawdata in blocks, as it processes the incoming data. It also tells any target peer(s) if they need to make their copies searchable, as communicated to it by the master in step 5.
The target peers receive the rawdata from the source peer and store it in local copies of the bucket.
Any targets with designated searchable copies start creating the necessary index files.
The peer continues to stream data to the targets until it rolls its hot bucket.
... View more
03-02-2020
03:33 AM
In an multi-site cluster Splunk replicates the data to the remote site, but doe Splunk also replicate the index information or is indexing left up to the remote site indexer? Also, does Splunk replicate raw data or compressed data?
... View more
04-11-2019
05:55 AM
So this is bugging me. I've got the following script in an HTML form in Splunk:
//
// Get the collection of indexes
var myindexes = service.indexes();
// Get an index to send events to
myindexes.fetch(function(err, myindexes) {
var myindex = myindexes.item("main");
// Submit an event to the index
myindex.submitEvent("Case Opened - lit", {
sourcetype: "notes"
}, function(err, result, myindex) {
console.log("Submitted event: ", result);
});
});
//
Which works. But, if I add a line to use a variable instead of a literal string such as:
//
// Get the collection of indexes
var myindexes = service.indexes();
var event = "Date=" + form_Date + ", BacklogID=" + form_BacklogID + ", evtID=" + form_evtID + ", Comments=" + form_Comments + ", Author=" + form_Author;
// Get an index to send events to
myindexes.fetch(function(err, myindexes) {
var myindex = myindexes.item("main");
// Submit an event to the index
myindex.submitEvent(event, {
sourcetype: "siem:alarm:notes"
}, function(err, result, myindex) {
console.log("Submitted event: ", result);
});
});
//
it doesn't give an error, but it doesn't add the record either. I've debugged and stepped into the code and the var event does have data, but nothing gets pushed to the index.
What gives? Anybody have an idea?
... View more
- Tags:
- add
- api
- javascript
- rest
04-01-2019
02:07 PM
I'm looking for a way to use a modal form to add comments to events. The behavior would be to click on an event, have a modal form displayed with a textfield box, the user adds their comments, and then posts the comments to a Splunk index.
The modal form isn't too much of a problem, I don't know how to get the information into Splunk (REST API maybe)?
... View more
