Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sherrysafdar
sherrysafdar
Explorer
Member since:
02-04-2019
06-05-2020
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 02-04-2019 |
Activity Feed
- Karma Re: How do you set up an alert for a failed password attempt? for chrisyounger. 06-05-2020 12:50 AM
- Karma Re: How to upload multiple files in Splunk? Is it possible to upload multiple files like 100 1MB files in Splunk at the same time? for csnidsplunk. 06-05-2020 12:47 AM
- Posted Re: Import json file in app. on Getting Data In. 03-28-2020 04:59 PM
- Posted Re: Import json file in app. on Getting Data In. 03-28-2020 02:48 PM
- Posted Re: Import json file in app. on Getting Data In. 03-28-2020 10:01 AM
- Posted Import json file in app. on Getting Data In. 03-27-2020 10:38 PM
- Tagged Import json file in app. on Getting Data In. 03-27-2020 10:38 PM
- Tagged Import json file in app. on Getting Data In. 03-27-2020 10:38 PM
- Tagged Import json file in app. on Getting Data In. 03-27-2020 10:38 PM
- Posted Events are going to multiple indexes. on Archive. 12-06-2019 06:05 PM
- Tagged Events are going to multiple indexes. on Archive. 12-06-2019 06:05 PM
- Posted Re: unable to send data to indexer. on Getting Data In. 09-07-2019 04:28 PM
- Posted unable to send data to indexer. on Getting Data In. 09-07-2019 11:48 AM
- Tagged unable to send data to indexer. on Getting Data In. 09-07-2019 11:48 AM
- Tagged unable to send data to indexer. on Getting Data In. 09-07-2019 11:48 AM
- Posted Re: How to create a new index? on Archive. 04-13-2019 12:12 PM
- Posted How to create a new index? on Archive. 04-13-2019 10:07 AM
- Tagged How to create a new index? on Archive. 04-13-2019 10:07 AM
- Tagged How to create a new index? on Archive. 04-13-2019 10:07 AM
- Posted Re: How do you set up an alert for a failed password attempt? on Alerting. 03-01-2019 02:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-28-2020
04:59 PM
Splunk does support JSON indeed even zip and 7zip and many other formats.
Thanks,
... View more
03-28-2020
02:48 PM
We have pulled some raw data from our provider and that data format is JSON. There are multiple files and we need to parse from the JSON files. I can do that with Python easily but re-format and exporting it to CSV will take a lot of time. Now with Splunk, if I can get JSON data imported parsing should be easier and quicker as well as the statistics and visualization. Export that to a CSV is just on a single click.
It is a one-time import only, yes.
... View more
03-27-2020
10:38 PM
Hello,
How can I import json files inside the application i.e. cisco app?
Thanks,
... View more
12-06-2019
06:05 PM
I have an issue where events are indexed into multiple indexes partially.
Now the problem is that
Example: -
Some events from SWITCH-A are indexed in main
Some events from SWITCH-A are indexed in cisco
How can I ignore those events being indexed into the main index?
thanks,
... View more
09-07-2019
04:28 PM
Yes, I can see data in index=fortinet
However, I cannot see any data in index=cisco_asa
Yes, there is data is D:\Syslog\ASA
... View more
09-07-2019
11:48 AM
Hello, this is my forwarder inputs.conf looks like but I am unable to see any data in the second index cisco_asa.
index fortinet works just fine.
[default]
host = ABC
[monitor://D:\Syslog\Fortinet]
index = fortinet
sourcetype = fortigate
[monitor://D:\Syslog\ASA]
index = cisco_asa
sourcetype = cisco:asa
Please advise!
... View more
04-13-2019
12:12 PM
I am unable to find the indexes.conf under /opt/splunk/etc/system/local I wonder if I need to need to create one? if that doesn't exist?
Also, on my syslog my current inputs.conf looks like below with the default installation.
[default]
host = SP-FWDR
Do I need to reference each index inside the inputs.conf whatever I need to be in a separate indexes? how about the rest of the events will it go to the main?
... View more
04-13-2019
10:07 AM
I am collecting the log files from my syslog server and defined the index for the source path but it is still sending the the events to the main index.
Need to change the index for the event.
Please help!
... View more
03-01-2019
02:36 PM
It worked perfectly!!!!
Thank you sir!
... View more
03-01-2019
01:14 PM
I have set the Time Range 15 minutes and Run on Cron Schedule with * * * * * every minute. Do I also have to do something in Trigger Conditions or leave it default?
So basically it checks in 15 minutes time range and run Cron job every minute and make sure if there are any failed login attempts in last 15 minutes? Please correct me if I am wrong.
... View more
03-01-2019
12:48 PM
For that I think I may need to change my condition in the query, please correct my if I am wrong
index="main" "Failed password for" OR "authentication failure"
| bin _time span=10m
| rex "Failed password for (?.*?) from (?P[^ ]+)port (?\d+)"
| stats count by _time,SSHInvalidUser, InvalidSSHIP, host | where count >= 1
I have done the following alert
*/10 * * * *
Run in every 10 minutes and if counts are equal to or more than 1 in 10 minutes of time span send the alert
Please advise!
thanks,
... View more
03-01-2019
12:19 PM
Hello,
I am trying to set up alerts on failed password attempts for any user on my *nix box.
Below is my query and it works fine, but I am having trouble setting up alerts. It just floods my mailbox as soon as the condition matches.
index="main" "Failed password for" OR "authentication failure"
| rex "Failed password for (?.*?) from (?P[^ ]+)port (?\d+)"
| stats count by _time,SSHInvalidUser, InvalidSSHIP, host | eventstats count by SSHInvalidUser
Below is my current trigger condition look like.
Alert type = Real-time
Trigger alert when -> Number of Results
Is Greater than 1
In 1 minutes
Trigger Once
Basically, I would like to get it triggered if there are multiple users or even a single user trying to break-in or possible brute force.
Thanks!
Regards,
... View more
02-13-2019
04:49 PM
I am getting wrong results on the field such as host,dvc and no results period on src,src_ip is there a way I can modify delete or modify host field for the app?
And where can I find this field?
Please advise!
... View more
02-13-2019
02:33 PM
I have a syslog server and all the syslogs are currently going to KiwiSyslog. I have the Splunk Enterprise addition and would like to get data from KiwiSyslog server. I have already installed Splunk Universal Forwarder and I can see the data in the Splunk.
The question is how can I change the sourcetype or sourcename and call it instead of source="F:\Syslog\Cisco\Switches\xyz.log to something like sourcetype="CISCOSWITCHES"
Please advise!
Thanks,
... View more
02-05-2019
06:08 PM
I need to identify 192.168.100.1 as TexasFirewall and 192.168.200.1 as CaliforniaFirewall.
This is what I am trying to accomplish.
And later if in future there are more firewalls in Texas I can simply add them to the Texas_Firewall group or whatever it is.
I am also quite not sure how can I be able to write the query at this point but need to accomplish first task first.
Thanks,
... View more
02-05-2019
12:15 PM
BainM, we have multiple Fortinet firewalls and we would like to separate each firewall in the search hope that clarify your question?
... View more
02-05-2019
09:33 AM
We have 10 different sites and I would like to create a group for each site.
For example, I want to add SITE-A devices in SITE-A group and SITE-B devices in SITE-B group to be visible.
Please help, thanks!
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
