Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MonkeyK
MonkeyK
Builder
Member since:
05-13-2014
a week ago
Community Statistics
| Posts | 240 |
| Solutions | 14 |
| Karma Given | 35 |
| Karma Received | 31 |
| Member Since | 05-13-2014 |
Activity Feed
- Karma Gregg Woodcock & Splunxter introduction for woodcock. 4 weeks ago
- Karma Re: Palo Alto Add-on CIM Network_Traffic, can we map only end events? for panguy. 06-05-2020 12:50 AM
- Karma Re: Palo Alto Add-on CIM Network_Traffic, can we map only end events? for lakshman239. 06-05-2020 12:50 AM
- Karma Re: How to search that only the scheduled search adds results to the summary index for woodcock. 06-05-2020 12:50 AM
- Karma Re: How do I create a timechart with spans that aren't aligned to the start of a minute/hour/day etc? for DalJeanis. 06-05-2020 12:50 AM
- Karma Re: Why are Splunk alerts not sending to cell phone/mobile addresses? for delappml3. 06-05-2020 12:50 AM
- Karma Re: Why are Splunk alerts not sending to cell phone/mobile addresses? for woodcock. 06-05-2020 12:50 AM
- Karma Re: How do I create an alert that only fires when threshold is exceeded and resets once results are within that threshold? for woodcock. 06-05-2020 12:50 AM
- Karma Re: Is it possible to create an alert that does summary indexing and sends an email? for woodcock. 06-05-2020 12:50 AM
- Karma Re: can I join report results for cmerriman. 06-05-2020 12:49 AM
- Karma Re: lookup several fields in one lookup command for deepashri_123. 06-05-2020 12:49 AM
- Karma Re: Can I do kmeans by a for a column by a column? for niketnilay. 06-05-2020 12:49 AM
- Karma Re: How to replace the value when another field has "error"? for MuS. 06-05-2020 12:49 AM
- Karma Re: How do I look for domains that aren't in the Alexa top 1 million? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: How do you properly upload CSV data to Splunk? for adonio. 06-05-2020 12:49 AM
- Karma Re: How to get the standard deviation of the interval between the occurrence of events? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Pattern: loopable lookup table to bypass map subsearch limits - looking for feedback for woodcock. 06-05-2020 12:49 AM
- Karma Re: compare data list for niketnilay. 06-05-2020 12:49 AM
- Got Karma for Re: How do you properly upload CSV data to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: Natural sort order instead of lexicographical order in search?. 06-05-2020 12:49 AM
04-24-2020
09:30 AM
OK. Learned where I went wrong on this one.
I actually entered
match_type=WILDCARD(IP)
into the UI.
I actually only needed to enter
WILDCARD(IP)
... View more
04-15-2020
04:06 PM
kind of an old thread, but it seems to me that the streamstats needs a "by host" clause. Otherwise it will be comparing the last entry for one host with the first entry of another host
... View more
03-31-2020
09:15 AM
For now I cheated and re-evaluated the query IP to match the lookup.
First checks the lookup for a full IP match, and then checks for a match on the final octet "wildcarded".
|makeresults |eval IP="10.10.35.9"
| lookup tools IP
| eval IP3=IP
| rex mode=sed field=IP3 "s/(?<IP3>\d{1,3}\.\d{1,3}\.\d{1,3}+\.)\d{1,3}/\1*/g"
| lookup tools IP as IP3 OUTPUTNEW
... View more
03-31-2020
05:43 AM
Tried
match_type=WILDCARD(IP)
with the same results. Waited an hour as well, but still same results.
sorry on the csv. I should have written that correctly. Since it was just a lookup table, the data was actually stored correctly as
IP,Tool
Splunk,10.10.35.*
Also tried
Tried
match_type=WILDCARD(IP)
and changing the lookup table to
IP,Tool
Splunk,10.10.35.0/24
with the same results --no lookup match
although
|makeresults |eval IP="10.10.35.0/24" | lookup tools IP
does return a Tool value of Splunk
... View more
03-30-2020
09:45 PM
I recently noticed that the UI for lookup definitions now has an advanced checkbox. If I select that I get the option to set match_type , which is described as
Match type
Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is (). Available values for match_type are WILDCARD and CIDR.
so I added a wildard match for my lookup field IP to my lookup definition for tools :
match_type=WILDCARD (IP)
(note, I tried CIDR , too, with similar results)
and in the lookup file tools.csv , I had an entry with a *
IP: 10.10.35.*
Tool: Splunk
but when try to use it, I do not get a match:
|makeresults |eval IP="10.10.35.9" | lookup tools IP
This did not return the Tool field, although if I pass it a matching string it does:
|makeresults |eval IP="10.10.35.*" | lookup tools IP
gets me back tool = Splunk
is there something that I am misunderstanding about the UI based lookup wildcard? Something else that I should be doing?
... View more
02-26-2020
09:00 AM
@niketnilay time is in epoch time.
I have since figured out that if I sort the time field with a key of "time" rather than "time" it works.
... View more
02-12-2020
06:12 PM
Trying to create a sparkline from data in a lookup table
monitorusertraffic.csv has fields
-user
-trafficdestip
-app
-bytes_out
-time
when I run
| inputlookup monitorusertraffic.csv
| eval time=time
| stats sum(bytesout) sparkline(sum(bytesout),1d) as datatrend by user trafficdestip app
I get a value for "sum(bytesout)" but nothing under "sparkline(sum(bytesout),1d) as data_trend"
Is there some sort of magical way that I need to alert my data for Splunk to be able to create a sparkline?
... View more
02-04-2020
10:01 AM
Where in the UI do I find the command's script file? Where do I see the command ownership info?
... View more
01-15-2020
05:56 PM
Well. In the custom commands listing that I described how to find, these commands are listed as part of the search app with an owner of "no owner"
I consulted the app documentation as shown by the links above.
I guess that's why I asked the question that I did.
... View more
01-07-2020
08:06 AM
"Settings|Advanced Search"
"Search Commands"
lists the number of commands that are showing.
some of these are clearly common search commands (head, diff). Others I see no documentation on how to use.
For example:
https://docs.splunk.com/Special:SplunkSearch/docs?q=arulespy
https://docs.splunk.com/Special:SplunkSearch/docs?q=createrss
https://docs.splunk.com/Special:SplunkSearch/docs?q=mocknodegraph
... View more
01-03-2020
06:51 AM
Lots of custom commands come with Splunk. 31 in the search app alone.
I often see all of those commands and wonder if there is anything that I could be using. Since I am not an admin on the system, I can't just look at the code to find out.
Is there a place that documents what these commands do and what sort of arguments they expect?
... View more
09-13-2019
10:12 AM
Super useful! Thank you!
... View more
08-26-2019
12:28 PM
I have enabled the Network_Traffic data model with acceleration going back 32 days. After a recent Splunk upgrade to
Splunk: 7.2.6
Splunk ES: 5.2.2
I noticed that my Network Traffic data model count volumes dropped off after going back about 2 weeks, despite an acceleration status of 100% complete. Found that by setting allowoldsummaries=t I could get all of the data.
Tried re-indexing the data model. It seemed to pick up data further back, but still not all of it.
I can check the model with this:
| tstats summariesonly=t allow_old_summaries=t count as DMcountWithOld from datamodel=Network_Traffic.All_Traffic by span=1d _time
| append [tstats summariesonly=t count as DMcountNoOld from datamodel=Network_Traffic.All_Traffic by span=1d _time ]
| timechart span=1d sum(DMcountWithOld) as DMcountWithOld sum(DMcountNoOld) as DMcountNoOld
and I still see results diverge starting about 2 weeks back
Any ideas on why the data model acceleration fizzled out?
If it matters, ES is on a 6 search head cluster
... View more
06-05-2019
12:28 PM
Slightly indirect question.
What I am really trying to do is to ensure that only the scheduled search adds results to the summary index.
For lookup tables, the report scheduling dialog box lets me specify that search results should go to a lookup table. This is nice because if I edit the search, I don't have to worry about accidentally updating the lookup table.
Unfortunately, report scheduling does not have a similar option for summary indices (#featurerequest), so I was thinking that I could roll my own if the report could know that it is running as part of a schedule. Something like
<base search>
| eval isScheduled=check_scheduling_info()
| search isScheduled
|<summarize data>
|collect index=my_summary marker="search_name=my_search"
or maybe somehow conditionally write to the test index instead of my_summary if the search is not running as part of a schedule.
Is this something that can be done? Is there a better way to go about what I really want?
... View more
05-23-2019
01:43 PM
1 Karma
I like it! if we are only interested in fields likely on every record of a sourcetype, we could speed it up by only taking the first record found:
index=my_index sourcetype=my_sourcetype | head 1| fieldsummary
furthermore, if we are only interested in a summary the field values (say to search on where certain named fields appear), we can aggregate those
index=pan_logs sourcetype=pan:traffic
| head 1
| fieldsummary
| table field
| mvcombine delim=", " field
| nomv field
... View more
02-08-2019
11:05 AM
Panguy's suggestion addressed my need. Turns out that it is PA best practice to not log traffic start events. I was under the impression that my MSSP required that we log them, but when challenged, they said that they did not.
Firewall admins have disabled log traffic start and we have about a 40% reduction in Firewall log ingestion! I am also still pursuing having my Splunk admin filter out the logs to handle the situations where the Firewall admins may need to turn on start logging for troubleshooting.
... View more
01-09-2019
06:19 PM
That might be an option. I'll bring it up with my Splunk Admin
... View more
12-18-2018
03:48 PM
Or will removing "log at session start" result in only "end" events getting logged?
... View more
12-18-2018
02:29 PM
Panguy,
I think that you are saying that I can get less start/end records if I remove "log at session start" from the policy. This is a good thing and I will bring it up with my firewall administration team.
I do not think that it will address the problem with the datamodel though. The datamodel will still include 2 Network_Traffic events for every Pan logged session. Is there a best way to incorporate only the end events in the datamodel?
... View more
12-18-2018
07:29 AM
Palo Alto traffic logs include start and end events. Sometimes multiple start events.
Since all traffic logs get the tags "network" and "communicate", they all get mapped to the Network_Traffic datamodel This is problematic for a couple of reasons:
The number of events is inaccurate (at least 2x the actual number of events, but sometimes more)
This is made worse if we had an additional source that logged Netflow (with only one event per connection)
Traffic summaries are inaccurate:
If I try to find allowed traffic, I will find some traffic that was actually blocked. this is because the start event may be allowed when the end event is blocked.
If I try to summarize on durations or bytes, I get values at each start and end added into my totals
It seems to me that these could be corrected by only mapping the PAN end event to the Network Traffic datamodel.
I guess that I am looking for feedback on the best way to do this. And what the drawbacks to doing so might be.
If it matters, I am using Splunk Enterprise Security, but mostly do my own correlations of Network Traffic in the search app.
My thoughts on how to do it:
-add the "end" tag to NetworkTraffic
--if I do this then any other source with events to map to Network Traffic would also need to add the "end" tag. Seems unintuitive
-remove "communicate" from the PAN traffic "start" events
--not really sure what this might do
-add an additional tag to the PAN traffic "end" events ("traffic"?)
--add this to the NetworkTraffic defn
--modify all sources that map to Network Traffic to include the "traffic" tag. I guess this is more intuitive than the first option.
Any other ideas or thoughts?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma from
