About zekiramhi

PickleRick · ‎11-29-2022

+1 to that. Disabling inputs wasn't sufficient because theye were still defined albeit disabled. Had to comment them out completely.

zekiramhi · ‎06-01-2021

After checking the splunkd logs for all the machines with the same situation, they all had the same following message in the logs concerning DC: DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected deploymentclient.conf also seems to be pointing to the correct DNS name for the deployment server. I assume there is a DNS problem here that happenned After the initial setup was made, will checkup with the server owners. But until then, thank you for the input. Best Regards,

zekiramhi · ‎05-27-2021

So IIS logs are usually delimited by a space between every other field, however I have recently realized that when a certain field value contains a quotation mark in this example it would be the "cs_uri_query" field , the field value starting with a quotation mark grabs all the remaining rest of the log included as its value even though there would be spaces included in the value itself. An example log of the problem from what I mean could be found bellow: 2021-05-15 14:02:58 11.11.11.11 GET /WebID/IISWebAgentIF.dll postdata="><script>foo</script> 55000 - 11.11.11.111 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0 11.11.11.111:60754 My Transforms with field delimeter set as " " is as follows: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For Thank you for reading,

gcusello · ‎12-14-2020

Hi @zekiramhi, As I said it's important to normalize fields using the same name in both the searches and eventually the same case (upper or lower). If you haven't all the fields in both the searches, use only the one surely present in both and take the others as values or first or last. about the fields choice, you have the fields command: list after the field command all the fields you need from both the searches. About your curiosity, is the driver of your knowledge! Continue to try and to ask questins: me and many others will surely answer you. Ciao and happy splunking. Giuseppe P.S. Karma Points are appreciated 😉

zekiramhi · ‎12-08-2020

Hello, I will try to gather all the confs under the [SPLUNK HOME]/etc/system/local/ directory to see what the issue could be from. Thank you for your response

gcusello · ‎11-29-2020

hi @zekiramhi, Yes exactly: you have to implement a filter on your Indexers or (if present) on HF. Obviously you lose the logs you discard and you cannot use them more. Ciao and good splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉

zekiramhi · ‎11-25-2020

It was still in the process of injesting, after checking for all time I was able to see my logs. Many Thanks 😁

zekiramhi · ‎11-06-2020

Hello, I do not want to disable the messages caused by the specific alert you have mentionned, but rather find the specific search, alert or dashboard that is causing said message to popup every now and then. Hopefully I made myself clear 😁

gcusello · ‎09-18-2020

Hi @zekiramhi, take a sample of the csv file in your pc and ingest it following the guided procedure [Settings -- Add Data -- Upload]. In this way you can find the correct props.conf to use, then you can copy it in your Universal Forwarder: in $SPLUNK_HOME\etc\system\local if you're in test, in $SPLUNK_HOME\etc\apps\your_TA\local when you will be in production, where your_TA is a Technical Add-On that contains also inputs.conf. Ciao. Giuseppe P.S.: if the answer solves your need, please accept it for the other people of Community and Karma Points are appreciated 😉

ehqtrainorm · ‎04-01-2020

Hey mate, I had a similar issue with the sparkline persisting after a subsequent join/stats. All I did was in the stats command following the join: | stats list(spark) as spark So yours would be after the join: | stats list(sparkline) as sparkline by host It worked for me. YMMV. Let me know how you go.

zekiramhi · ‎05-08-2019

Hello Splunkers, Being on a tight schedule as I cannot be watching webinars in most of my time, I would like to know the most beneficial webinars concerning Splunk ES and some useful Queries or Techniques about certain use cases that are critical in the cyber security world. Got any recommendations ? Let me know below. Thanks.

skoelpin · ‎03-26-2019

Well all the rows are going to represent now() .. You should probably pass _time throughout your search to your final transformational command so each row has its true time. We will need to see your SPL to make this happen

nickhills · ‎03-04-2019

The problem is ... timing... Splunk is not the correct tool for monitoring in real time for the removal of 'Splunk Forwarders' - why? Because the second you stop/break/uninstall Splunk you stop seeing events from that host, and in 99% of cases, the log which records Splunk was removed, will only be written AFTER the Splunk process has stopped. Because of this, you need to tackle the issue differently. Your first aim should be prevent uninstallation of the tool - and making sure users are running is least privilege mode (ie, not as admins) wins you most of that war. A second approach is to automatically reinstall missing applications when they are removed, but if your user has Admin rights, this becomes a game of 'cat and mouse' The world however, is not perfect, and sometimes local admin rights may be necessary evil for many people (although there is ALWAYS another way) so if you can't prevent admins getting up to mischief, your next best bet is retrospectively detecting when they have been. So the third approach is to look for machines which have previously sent events, but have now stopped. There are some pitfalls with this approach, such as laptops which are not on all the time, so you have to look at the numbers subjectively - unless you have another source which can tell you categorically that a machine is really on the network (DHCP/Forescout/Firewall Logs/CMDB discovery tools etc) If your forwarders are managed by a Deployment Server, the DS can show you clients which haven't connected for a while. The DMC call also show you missing forwarders Finally this app is very handy for finding other forwarder issues https://splunkbase.splunk.com/app/3805/ In short, this sounds like a people problem - and not an fun one if you can't trust your privileged users.

zekiramhi · ‎02-27-2019

Fantastic, Exactly what I needed. Thanks!

Posts	37
Solutions	1
Karma Given	16
Karma Received	4
Member Since	‎02-14-2019

Online Status	Offline
Date Last Visited	‎09-22-2021 11:06 AM

Space Delimeter Problem with Quotation Mark

UF Logs Sent to Indexer but cannot be seen in Forw...

Detected deprecated Threat Intelligence Manager in...

Alternative method to using Join command

Splunk Universal Forwarder Problematic or Bugged V...

Whitelist _raw with Regex string in Inputs.conf

Question about Inputs.conf

Health Check: The list of indexes to be searched b...

Inputs.conf a CSV File From Universal Forwarder

Sparkline after Join Command Problem

Re: Detected deprecated Threat Intelligence Manage...

Re: UF Logs Sent to Indexer but cannot be seen in ...

Space Delimeter Problem with Quotation Mark

Re: Alternative method to using Join command

Re: Splunk Universal Forwarder Problematic or Bugg...

Re: Whitelist _raw with Regex string in Inputs.con...

Re: Question about Inputs.conf

Re: Health Check: The list of indexes to be search...

Re: Inputs.conf a CSV File From Universal Forwarde...

Re: Sparkline after Join Command Problem

Which are the Best Recommended Splunk ES Webinars ...

Re: Scheduled SPL Search Results with it's Schedul...

Re: How to Produce a Log for "Splunk Forwarder Rem...

Re: Auditing Datamodels