Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About raoul
raoul
Path Finder
Member since:
12-03-2010
05-03-2023
Community Statistics
| Posts | 41 |
| Solutions | 5 |
| Karma Given | 10 |
| Karma Received | 49 |
| Member Since | 12-03-2010 |
Activity Feed
- Got Karma for Re: Getting a comma separate string from values function within stats command. 08-08-2023 03:02 AM
- Got Karma for Re: Stats count as a percentage as the total. 10-28-2022 03:18 PM
- Got Karma for Re: Getting a comma separate string from values function within stats command. 10-07-2021 09:20 AM
- Got Karma for Re: Getting a comma separate string from values function within stats command. 08-17-2021 05:04 AM
- Got Karma for Re: Getting a comma separate string from values function within stats command. 10-26-2020 07:40 PM
- Got Karma for Re: Getting a comma separate string from values function within stats command. 10-26-2020 07:40 PM
- Got Karma for Re: Getting a comma separate string from values function within stats command. 10-26-2020 04:08 PM
- Got Karma for How can I add a custom SMTP mail header to alert emails. 06-05-2020 12:51 AM
- Karma How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username? for joxley. 06-05-2020 12:48 AM
- Karma Re: How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username? for joxley. 06-05-2020 12:48 AM
- Got Karma for Use of color field in treemap visualization. 06-05-2020 12:48 AM
- Got Karma for Re: Use of color field in treemap visualization. 06-05-2020 12:48 AM
- Got Karma for Re: Use of color field in treemap visualization. 06-05-2020 12:48 AM
- Karma Why time range picker on default Splunk 6.1.x UI shows "Earliest time cannot be greater than latest time" errors? for wpreston. 06-05-2020 12:47 AM
- Karma Re: Reload separate element within HTML dashboard for nfilippi_splunk. 06-05-2020 12:47 AM
- Karma Re: Regular expression help and error (Regex: unmatched parentheses ) for Rob. 06-05-2020 12:46 AM
- Karma SPL-58112 -> Metadata results from this peer are incomplete for lpolo. 06-05-2020 12:46 AM
- Got Karma for What is the complete list of tokens available for the message in the new 6.1 alerts?. 06-05-2020 12:46 AM
- Got Karma for Re: Getting a comma separate string from values function within stats command. 06-05-2020 12:46 AM
- Got Karma for What is the complete list of tokens available for the message in the new 6.1 alerts?. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 2 | |||
| 3 | |||
| 0 | |||
| 2 | |||
| 3 |
03-02-2020
04:27 AM
1 Karma
How would I go about adding a custom SMTP mail header to alert emails?
We are making use of SendGrid and I would like to be able to use their "category" feature to track emails related to different use cases.
Ideally I'd like NOT to customise the Python script used to send emails.
... View more
- Tags:
Labels
- Labels:
-
other
08-31-2018
03:34 AM
I set up an alternate ingest pipeline: AAD --> Event Hub --> Azure function --> Splunk HEC
That reliably produces a full set of the events in the graph the new ingest is "aad_audit" and the reporting add-in is shown as "ms:aad:signin". The difference is quite marked.
... View more
08-31-2018
03:27 AM
Ok, the results are in and on this basis I can see that the Azure AD Reporting Add-on is missing events.
I set up an alternate ingest pipeline: AAD --> Event Hub --> Azure function --> Splunk HEC
That reliably produces more events than the reporting add-on.
... View more
08-17-2018
03:54 AM
Thanks for the suggestion, will try this out. Have set up the event hub and can see activity. Will be interesting to do a side-by-side and see if I get a more complete set of events via this route than the API-based reporting add-on.
... View more
08-17-2018
03:52 AM
Completely agree with your statement:
the latencies in the Microsoft reporting infrastructure causing lots of confusion/issues on how we can properly schedule our data ingestion without incomplete/duplicate data problem
... View more
08-13-2018
05:26 AM
Thanks. That did work.
... View more
07-27-2018
08:02 AM
I upgraded to version 1.0.3 and now I get the following error in the _internal log:
07-27-2018 14:30:01.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" HTTP Request error: 400 Client Error: Bad Request for url: https://graph.windows.net/notTheRealDomain.onmicrosoft.com/activities/signinEvents?api-version=beta&$orderby=signinDateTime&$filter=signinDateTime+gt+2018-07-26T07:19:59.822962
... View more
05-19-2018
11:44 PM
Thanks, will try that. Initially I did not think it did the sign-ins, but on closer reading it may do.
... View more
05-19-2018
03:28 AM
Ok, so there is some relationship between the frequency of polling and how many events get ingested. The more frequent the polling the fewer events (the more missing events). The less frequent the polling the more events get ingested for any given period.
I changed the polling from 300s to 600s and the number of events per minute went up by a factor of 3.
... View more
05-19-2018
12:30 AM
Changed the polling frequency to 600s to see if that makes a difference.
... View more
05-18-2018
05:07 AM
Some further details:
Splunk Enterprise 7.0.2
Set the AAD Reporting add-on to retrieve every 300s
After 24 hours of running am still only getting a subset of the audit records
Can discern no pattern to the missing events; no obvious time boundary issue, no attribute of the events not present in splunk that stands out
Needless to say this is a deal-breaker. If the audit in Splunk is not complete it is all but useless.
Not sure how to progress in diagnosing this.
... View more
05-17-2018
07:47 AM
On the basis of the data I see from our tenant the add on is not retrieving all of the sign in records when compared with the Azure Portal sign in page.
The number of records loaded appears correlated with the polling frequency set. I have tried 300s (5m), 600s (10m) and 900s (15m). In each case the number of underlying events that the add on loads appears different. The effect is quite marked.
Query for the chart above:
index=liquid_it sourcetype="ms:aad:signin"
| timechart span=5m count
| eval tpm=round(count / 5, 2)
| fields - count
... View more
05-16-2018
07:07 AM
Thanks, I see the following in the logs:
15/05/2018
14:25:47.912
***aborting after fassert() failure
host = splunk.example.com source = /opt/splunk/var/log/splunk/mongod.log sourcetype = mongod
15/05/2018
14:25:47.912
2018-05-15T14:25:47.912Z I -
host = splunk.liquidtelecom.com source = /opt/splunk/var/log/splunk/mongod.log sourcetype = mongod
15/05/2018
14:25:47.912
2018-05-15T14:25:47.912Z I - Fatal Assertion 28652
host = splunk.example.com source = /opt/splunk/var/log/splunk/mongod.log sourcetype = mongod
15/05/2018
14:25:47.912
2018-05-15T14:25:47.912Z F NETWORK The provided SSL certificate is expired or not yet valid.
host = splunk.example.com source = /opt/splunk/var/log/splunk/mongod.log sourcetype = mongod
15/05/2018
14:25:47.902
2018-05-15T14:25:47.902Z W CONTROL No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
host = splunk.example.com source = /opt/splunk/var/log/splunk/mongod.log sourcetype = mongod
... View more
05-16-2018
05:42 AM
I have installed the addon but I cannot get data flowing.
If I search in _internal
index="_internal" aad NOT raoul log_level=ERROR
I see the following:
5-15-2018 16:09:05.540 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" ERRORHTTP 503 Service Unavailable -- KV Store initialization failed. Please contact your system administrator.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-03-2023
05:47 AM
|
Karma from
