Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mmqt
mmqt
Path Finder
Member since:
02-13-2019
06-05-2020
Community Statistics
| Posts | 16 |
| Solutions | 2 |
| Karma Given | 4 |
| Karma Received | 3 |
| Member Since | 02-13-2019 |
Activity Feed
- Got Karma for Re: Windows Infrastructure app lookups have no data. 07-01-2020 06:38 PM
- Karma Re: Retrieving Windows Event logs with hyphens in the name for torowa. 06-05-2020 12:50 AM
- Karma Re: Is there any current documentation on how to add network nodes to Splunk to gather data? for diogofgm. 06-05-2020 12:50 AM
- Karma Re: timechart not respecting exclude searches but stats is for jawaharas. 06-05-2020 12:50 AM
- Got Karma for Re: eval if(X,Y,Z) always returns Z whether X matches or not. 06-05-2020 12:50 AM
- Got Karma for What provides data to inputlookup:system_version_tracker. 06-05-2020 12:50 AM
- Karma Re: Why is the Splunk App for Windows Infrastructure unable to build lookups after install? for stephen_p_brown. 06-05-2020 12:48 AM
- Posted Re: Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 03-19-2020 10:22 AM
- Posted Re: Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 02-13-2020 09:18 AM
- Posted Re: Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 02-12-2020 03:46 PM
- Posted Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 02-12-2020 11:25 AM
- Tagged Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 02-12-2020 11:25 AM
- Tagged Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 02-12-2020 11:25 AM
- Tagged Transforms.conf not using match_type = CIDR(ip) when searching on All Apps and Add-ons. 02-12-2020 11:25 AM
- Posted Re: anyone familiar with this error in splunkd for o365 TA on Monitoring Splunk. 10-30-2019 04:53 PM
- Posted What provides data to inputlookup:system_version_tracker on Splunk Enterprise Security. 09-24-2019 11:43 AM
- Tagged What provides data to inputlookup:system_version_tracker on Splunk Enterprise Security. 09-24-2019 11:43 AM
- Posted Re: timechart not respecting exclude searches but stats is on Splunk Search. 09-10-2019 03:19 PM
- Posted Re: Pass the hash detection on Splunk Search. 09-05-2019 12:14 PM
- Posted Re: timechart not respecting exclude searches but stats is on Splunk Search. 09-04-2019 11:06 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
03-19-2020
10:22 AM
I needed to reboot the instance for it to recognize the input, after the reboot it worked
... View more
02-13-2020
09:18 AM
No props as this is not intended to be an automatic lookup, this lookup is called on demand for any sourcetype that contains an IP.
Props would just remove the need to put in ip as src OUTPUTNEW asn
Which is not the problem I'm trying to solve
... View more
02-12-2020
03:46 PM
changing the query to asn.csv still does not provide any ip transformation.
... View more
02-12-2020
11:25 AM
Leveraging the app ASN Lookup Generator - https://splunkbase.splunk.com/app/3531/ to build a lookup table for that has the following in a lookup table called 'asn'
the transforms.conf file has the following - note I commented out max_matches to test, with or without that line commented it still wont return results
# cat TA-asngen/default/transforms.conf
[asn]
filename = asn.csv
match_type = CIDR(ip)
#max_matches = 1
If I run the following search
| makeresults |eval src="1.0.0.1"| lookup asn ip as src
Nothing is matched, but it should be matched to asn 1335, any thoughts? I feel like I'm doing something wrong
... View more
10-30-2019
04:53 PM
In the same boat, unable to pull any data now
... View more
09-24-2019
11:43 AM
1 Karma
I'm trying to figure out what provides data to the inputlookup:system_version_tracker for ES. Currently its only populating linux machine information, but I am running the ta_windows add-on which I assumed would put data in here but its not populating with windows info.
Just wondering which add-on would generate data that would get piped into this lookup
... View more
09-05-2019
12:14 PM
based on a stealthebits blog, You want to look for event 4624, Logon type 9, Authentication Package = negotiate, Logon Process = seclogo
... View more
09-04-2019
11:06 PM
Putting the regex before the timechart command returns zero results as well though which should be calculated before the timehchart. What would the appId field change to after being piped into timechart
... View more
09-04-2019
03:29 PM
I have some Json data that looks like this
{
"target":[
{
"detailEntry":{
"signOnModeType":"dummy info"
},
"alternateId":"AppName1",
"displayName":"dummy info",
"id":"dummy info",
"type":"AppInstance"
},
{
"detailEntry":null,
"alternateId":"someemail@domain.com",
"displayName":"dummy info for email",
"id":"dummy info",
"type":"AppUser"
}
]}
I then have a search to grab the alternateId but I only want the 'AppName1' info and not the 'someemail@domain.com' since they both use "alternateId" if you just search target{}.alternateId both values are returned, but if you do spath and then use a regex and state to not match emails I get the results I want. Doing stats on like target{0}.alternateId (or any number) also returns zero results.
index=events (target{}.alternateId="*") | spath | rename target{}.alternateId as appId | stats count by appId | regex appId!="([a-z0-9][-a-z0-9_\+\.]*[a-zA-Z0-9])@([a-zA-Z0-9][-a-zA-Z0-9\.]*[a-zA-Z0-9]\.(ca|com|org|net)|([0-9]{1,3}\.{3}[0-9]{1,3}))" | sort -count
This above command runs as expected and only returns results for the AppName1. But if I use the same type of search and use a timechart rather than a stats or chart command it doesnt respect the regex appId!= and still displays all matches of target{}.alternateId including email addresses
ndex=events (target{}.alternateId="*") | spath | rename target{}.alternateId as appId | timechart count by appId usenull=f limit=5 useother=f | regex appId!="([a-z0-9][-a-z0-9_\+\.]*[a-zA-Z0-9])@([a-zA-Z0-9][-a-zA-Z0-9\.]*[a-zA-Z0-9]\.(ca|com|org|net)|([0-9]{1,3}\.{3}[0-9]{1,3}))"
Putting the regex appId!= before the timechart actually returns zero results
Am I doing something wrong?
... View more
07-24-2019
03:11 PM
1 Karma
Z is the false statement, so its stating that field:"Event" does not match "mock". Try using a like statement
|eval "newEvent"=if(like(Event, "%mock%"), "true", "false")
... View more
07-22-2019
04:38 PM
If anyone stumbles into this question in the future, I wasn't able to solve the initial problem of monitoring my processes with perfmon so I setup a powershell script and a custom app, my app is configured as follows
local/inputs.conf
# Process Monitor script
[script://.\bin\myapp.path]
interval = 10
disabled = 0
#monitor output of proc
[monitor://$SPLUNK_HOME\var\log\myapp\proc.csv]
disabled = 0
sourcetype = myappProc
interval = 10
crcSalt = <SOURCE>
index = oswin
local/props.conf
[myappProc]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
FIELD_DELIMITER = ,
FIELD_NAMES = Name,StartTime,cpu_user_percent,NPM,PM,WS(MB),WS,VM,PID,Path,user
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = myapp Process Monitor
disabled = false
pulldown_type = true
bin/myapp.path
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " & 'C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\myappproc.ps1'"
bin/myappproc.ps1
$CPUPercent = @{
Name = 'CPU'
Expression = {
$TotalSec = (New-TimeSpan -Start $_.StartTime).TotalSeconds
[Math]::Round( ($_.CPU * 100 / $TotalSec), 3)
}
}
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
Set-Variable -Name "LogFolder" -Value "C:\Program Files\SplunkUniversalForwarder\var\log\myapp"
Set-Variable -Name "MonitoredLogFile" -Value "C:\Program Files\SplunkUniversalForwarder\var\log\myapp\proc.csv"
if (!(Test-Path -Path $LogFolder )) {
New-Item -ItemType directory -Path $LogFolder
}
$Processes = Get-Process |
Where-Object -property Path -like "*MYAPP*"|
Select-Object -Property Name,StartTime, $CPUPercent,NPM,PM,{$_.WorkingSet /1mb},WS,VM,Id,Path,@{l="Owner";e={$owners[$_.id.tostring()]}} |
Select-Object
$output = ForEach ($Process in $Processes){
$Process
}
$output |ConvertTo-Csv -NoTypeInformation |Select-Object -Skip 1| Set-Content -Path $MonitoredLogFile
Hope this helps anyone who finds this.
... View more
07-22-2019
12:10 PM
1 Karma
Thanks to @gcusello for suggesting to look into the setup a bit more. After examining some of the saved searches in /default/ I noticed that it was calling a few specific macros
wineventlog-index
windows-index
msad-index
perfmon-index
These macros had predefined index names, like "wineventlog" which if you aren't using that specific name is going to cause the macro to fail.
To modify these macros go to Settings> Advanced Search > Search macros, specify the app for "Splunk App for Windows Infrastructure"
Edit the macros so that its looking the specific index that you use. This solved my problem with running the build lookup script, hope this works for you as well @pir8radio
... View more
07-15-2019
03:00 PM
It's probably your monitor path
Try
[monitor://C:\inetpub\logs\LogFiles\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#MONITOR:
Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
"..." for recursive directory matching and "*" for wildcard matching in a
single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
does not recurse. For example, /foo/*/bar matches the files
/foo/1/bar, /foo/2/bar, etc. However, it does not match
/foo/bar or /foo/1/2/bar.
A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
/foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
the bar directory within the specified path.
Splunk is recursive by default
recursive = <boolean>
* Whether or not the input monitors subdirectories that it finds within a
monitored directory.
* If you set this setting to "false", the input does not monitor sub-directories
* Default: true.
... View more
07-15-2019
09:15 AM
So my systems can spawn upto and above 150+ instances of the same application. I'm using the generic perfmon Process monitor:
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; ID Process; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = myapp
interval = 1
mode = single
object = Process
useEnglishOnly=true
index = perfmon
My concern is that instances can't use wildcards in naming standards.
instances = myapp* doesn't work. Only works when doing instances = * which I don't want. I could write a script that generates myapp#1,myapp#2,myapp#3 (etc.) but I'm worried that's not going to be the best way to deploy this monitor.
Does anyone have any other suggestions?
Thanks
... View more
07-10-2019
11:54 AM
Recently updated the WI app to version 1.5.2, on version 1.5.1 I was able to build lookups fine and data was populating. After updating to 1.5.2 none of the lookups populate with data. The lookups themselves are "running" when I run the build, just no data is being added to them
Building lookup - WinApp_Lookup_Build_Perfmon - Update - Server ...
WinApp_Lookup_Build_Perfmon - Update - Server built. (took 0.93s)
Building lookup - WinApp_Lookup_Build_Perfmon - Update - Detail ...
WinApp_Lookup_Build_Perfmon - Update - Detail built. (took 1.49s)
Building lookup - WinApp_Lookup_Build_Event - Update - Server ...
WinApp_Lookup_Build_Event - Update - Server built. (took 0.76s)
Building lookup - WinApp_Lookup_Build_Event - Update - Detail ...
WinApp_Lookup_Build_Event - Update - Detail built. (took 0.31s)
Building lookup - WinApp_Lookup_Build_Hostmon - Update - Server ...
WinApp_Lookup_Build_Hostmon - Update - Server built. (took 0.32s)
Building lookup - WinApp_Lookup_Build_Hostmon_Machine - Update - Detail ...
WinApp_Lookup_Build_Hostmon_Machine - Update - Detail built. (took 0.97s)
Building lookup - WinApp_Lookup_Build_Hostmon_FS - Update - Detail ...
WinApp_Lookup_Build_Hostmon_FS - Update - Detail built. (took 0.32s)
Building lookup - WinApp_Lookup_Build_Hostmon_Process - Update - Detail ...
WinApp_Lookup_Build_Hostmon_Process - Update - Detail built. (took 0.32s)
Building lookup - WinApp_Lookup_Build_Hostmon_Services - Update - Detail ...
WinApp_Lookup_Build_Hostmon_Services - Update - Detail built. (took 0.34s)
Building lookup - WinApp_Lookup_Build_Netmon - Update - Server ...
WinApp_Lookup_Build_Netmon - Update - Server built. (took 0.35s)
Building lookup - WinApp_Lookup_Build_Netmon - Update - Detail ...
WinApp_Lookup_Build_Netmon - Update - Detail built. (took 0.74s)
Building lookup - WinApp_Lookup_Build_Printmon - Update ...
WinApp_Lookup_Build_Printmon - Update built. (took 0.32s)
Building lookup - DomainSelector_Lookup ...
DomainSelector_Lookup built. (took 0.32s)
Building lookup - HostToDomain_Lookup_Update ...
HostToDomain_Lookup_Update built. (took 0.32s)
Building lookup - tHostInfo_Lookup_Update ...
tHostInfo_Lookup_Update built. (took 0.76s)
Building lookup - tSessions_Lookup_Update ...
tSessions_Lookup_Update built. (took 0.35s)
Building lookup - SiteInfo_Lookup_Update ...
SiteInfo_Lookup_Update built. (took 0.34s)
Building lookup - ActiveDirectory: Update GPO Lookup ...
ActiveDirectory: Update GPO Lookup built. (took 0.34s)
Building lookup - ActiveDirectory: Update Group Lookup ...
ActiveDirectory: Update Group Lookup built. (took 0.31s)
Building lookup - ActiveDirectory: Update User Lookup ...
ActiveDirectory: Update User Lookup built. (took 0.33s)
Building lookup - ActiveDirectory: Update Computer Lookup ...
ActiveDirectory: Update Computer Lookup built. (took 0.32s)
The dashboards are populating with data, so i can go to the Windows > Event Monitoring section and data is there and populated. But if I go to Windows > Windows Overview page then all overview panels pulling from the lookups are empty
If I then drill into the search
| inputlookup windows_event_system
I get a zero results returned.
As per this doc:
https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/TroubleshoottheSplunkAppforWindowsInfrastructure#No_data_types_found_after_upgrade
and a few splunk answers:
https://answers.splunk.com/answers/556067/why-is-the-splunk-app-for-windows-infrastructure-u.html
https://answers.splunk.com/answers/180709/how-to-troubleshoot-why-splunk-app-for-windows-inf.html
I've configured a local admin account, that admin account has the role admin,winfra-admin and has access to all indexes. If I go to manage the app permissions I've set everyone to - read/write - perms. So I'm a bit confused as to why nothing is being populated. Does anyone know why this is happening?
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
