Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About regriffith
regriffith
Path Finder
Member since:
05-11-2016
06-05-2020
Community Statistics
| Posts | 15 |
| Solutions | 1 |
| Karma Given | 8 |
| Karma Received | 8 |
| Member Since | 05-11-2016 |
Activity Feed
- Got Karma for Re: Subsearch produced 50000 results, truncating to maxout 50000. 10-02-2020 08:36 PM
- Got Karma for How to set the timestamp when using the collect command?. 09-03-2020 07:36 AM
- Karma Re: How to create a regex to extract fields in a certificate? for kchamplin_splun. 06-05-2020 12:49 AM
- Got Karma for How to set the timestamp when using the collect command?. 06-05-2020 12:49 AM
- Karma Re: Splunk Enterprise Security: How to troubleshoot why Incident Review hangs on "loading"? for arandriamanohis. 06-05-2020 12:48 AM
- Got Karma for Re: Universal forwarder consuming 100% CPU. "WARN TimeoutHeap - Either time adjusted forwards by, or event loop was descheduled for 490844ms". 06-05-2020 12:48 AM
- Got Karma for Re: Universal forwarder consuming 100% CPU. "WARN TimeoutHeap - Either time adjusted forwards by, or event loop was descheduled for 490844ms". 06-05-2020 12:48 AM
- Got Karma for Re: Universal forwarder consuming 100% CPU. "WARN TimeoutHeap - Either time adjusted forwards by, or event loop was descheduled for 490844ms". 06-05-2020 12:48 AM
- Got Karma for Re: Universal forwarder consuming 100% CPU. "WARN TimeoutHeap - Either time adjusted forwards by, or event loop was descheduled for 490844ms". 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to use an external list file to whitelist or blacklist hosts in serverclass.conf?. 06-05-2020 12:48 AM
- Karma Re: Move Splunk's VAR folder ($SPLUNK_HOME/var or /opt/splunk/var) for woodcock. 06-05-2020 12:47 AM
- Karma Re: 6.2 Forwarder Configuration on Linux: Why am I getting error "TcpInputProc - Message rejected. Received unexpected 369295616 byte message!" in server's splunkd.log? for Rocket66. 06-05-2020 12:47 AM
- Karma Re: Splunk App for Enterprise Security: Network Resolution Data Model not building for aholzel. 06-05-2020 12:47 AM
- Karma Re: Why is my search with "where NOT equals this OR this OR this" not filtering out results as expected? for Runals. 06-05-2020 12:47 AM
- Karma Re: How to change the path of "datamodel_summary" for mkelderm. 06-05-2020 12:46 AM
- Karma Re: Sending two inputs from One universal forwarder to Two different Indexers (not load balancing) for norbert_hamel. 06-05-2020 12:46 AM
- Posted Re: How to create a regex to extract fields in a certificate? on Splunk Enterprise Security. 05-30-2019 11:12 AM
- Posted Re: Subsearch produced 50000 results, truncating to maxout 50000 on Splunk Search. 09-04-2018 10:55 AM
- Posted Re: Trying to change licensing master <> slave on Deployment Architecture. 08-17-2018 07:33 AM
- Posted Re: How to create a regex to extract fields in a certificate? on Splunk Enterprise Security. 04-04-2018 02:03 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
05-30-2019
11:12 AM
Thanks for the information, it was a tremendous help.
This is what I used for subject:
"ssl_subject\="(CN=(?<ssl_subject_common_name>[^=]*))?(C=(?<C>[^=]*))?(S=(?<ssl_subject_state>[^=]*))?(O=(?<ssl_subject_organization>[^=]*))?(OU=(?<ssl_subject_unit>[^=]*))?" ssl_start_time"
This is what I used for issuer:
ssl_issuer\="(CN=(?<ssl_issuer_common_name>[^=]*))?(C=(?<C>[^=]*))?(S=(?<ssl_issuer_state>[^=]*))?(O=(?<ssl_issuer_organization>[^=]*))?(OU=(?<ssl_issuer_unit>[^=]*))?" ssl_hash
... View more
09-04-2018
10:55 AM
1 Karma
[subsearch]
* This stanza controls subsearch results.
* NOTE: This stanza DOES NOT control subsearch results when a subsearch is called by
commands such as join, append, or appendcols.
* Read more about subsearches in the online documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
... View more
08-17-2018
07:33 AM
I ran into the same problem and didn't know what the password was in the pass4SymmKey setting in server.conf. I tried a few things in other posts and nothing worked. I noticed that the default server.conf uses changeme as the password. I entered this as the password in the local server.conf, added the master license path to master_uri and restarted. Error is now gone.
... View more
04-04-2018
02:03 PM
Much closer, but it is matching ssl_issuer= and ssl_subject=. It should only match values in ssl_subject=
... View more
04-04-2018
11:10 AM
It is different that what I have tried. This gets tripped up by ssl_issuer. In some cases the result doesn't include country code and other data.
... View more
04-04-2018
08:45 AM
I need to extract various fields if they exist. CN, C, S, O, OU, Here is a sample data of five different events. Please note that this is a snippet of each event and not the entire event. I left in the ssl_issuer in the first event but removed the string in the last four events. One challenge is there are duplicate field names in ssl_issurer and ssl_subject. I have tried various regex expressions but they either get too much or too little out of the events. I would like to have one regex for each field in the transforms.conf, that way I don't have the whole thing fail if there is a problem in the data.
This fairly close, but skips the second and fourth event.
ssl_subject\="CN=(.*)C=(.*)S=(.*)O=(.*)OU=(.*)ssl_start_time
ssl_issuer="CN=DigiCert SHA2 High Assurance Server CA C=US O=DigiCert Inc OU=www.digicert.com" ssl_hash="f41565b049f039e765a0f8be8271a4b4817b7378" ssl_subject="CN=syndication.twitter.com C=US S=California O=Twitter, Inc. OU=Twitter Security" ssl_start_time="Wed Jun 29 00:00:00 2016 UTC" ssl_end_time="Mon Sep 16 12:00:00 2019 UTC" ssl_type="X.509 Certificate" ssl_extended_key_usage="Server Authentication, Client Authentication" ssl_key_length="2048 bits" ssl_key_usage="Digital Signature, Key Encipherment"
ssl_subject="CN=*.eu-west-1.webrootcloudav.com" ssl_start_time="Tue Aug 22 00:00:00 2017 UTC" ssl_end_time="Sat Sep 22 12:00:00 2018 UTC" ssl_type="X.509 Certificate" ssl_extended_key_usage="" ssl_key_length="2048 bits" ssl_key_usage="Digital Signature, Non-Repudiation, Key Encipherment"
ssl_subject="CN=*.us.static.hrsmart.com C=US S=Virginia O=Deltek, Inc. OU=Security Services" ssl_start_time="Thu Jan 11 00:00:00 2018 UTC" ssl_end_time="Sun Mar 31 12:00:00 2019 UTC" ssl_type="X.509 Certificate" ssl_extended_key_usage="Server Authentication, Client Authentication" ssl_key_length="2048 bits" ssl_key_usage="Digital Signature, Key Encipherment"
ssl_subject="CN=*.googleapis.com C=US S=California O=Google Inc" ssl_start_time="Tue Mar 13 18:57:10 2018 UTC" ssl_end_time="Tue Jun 5 18:17:00 2018 UTC" ssl_type="X.509 Certificate" ssl_extended_key_usage="Server Authentication, Client Authentication" ssl_key_length="0 bits" ssl_key_usage="Digital Signature, Certificate Signing, CRL Signing"
ssl_subject="CN=subscription.rhsm.redhat.com C=US S=North Carolina O=Red Hat, Inc. OU=Red Hat Network" ssl_start_time="Thu May 18 16:30:24 2017 UTC" ssl_end_time="Sat May 18 16:30:24 2019 UTC" ssl_type="X.509 Certificate" ssl_extended_key_usage="Server Authentication" ssl_key_length="4096 bits" ssl_key_usage=""
... View more
01-09-2018
02:18 PM
2 Karma
I am searching yesterday's data and trying to insert it into an index for reporting purposes. I need to take multiple indexed events with various date/time fields and override them with the current date/time for the summary index table. The following search is a very simplified version that illustrates the issue.
index=blah | eval _time=now() | collect index=test
When I do the search, it inserts yesterday's date/time into the summary index _time field. Is there any way to reassign this?
Splunk 6.6.3.
... View more
Labels
- Labels:
-
other
11-16-2017
07:39 AM
I have seen this error in two other cases. Bad password for the account binding to Active Directory. The other case was a firewall blocking port 636.
... View more
03-15-2017
03:51 PM
In the end, I setup a heavy forwarder as middle man for FireEye. Seems like I used JSON format in the FireEye configuration. I no longer work at that company and I don't remember all the things I did.
... View more
03-07-2017
03:16 PM
So much for a table of data. Each column represents a week.
Time w 1 2 3 4 5 6
Host A 2 7 1 0 0 5
Host B 0 2 4 7 7 7
Host C 0 1 0 1 0 0
Host D 1 5 0 0 0 0
... View more
03-07-2017
03:12 PM
I have a low volume index where hosts send one event every 24 hours. I need to determine if each host in today's search (last two weeks) has shown up in at least four times (once each week) for the previous six weeks (eight week total time frame). By using four, this allows a host to be turned off for a couple weeks while the owner is on vacation. I need to generate a list of hosts that meet the above criteria. Using the same criteria, I need to find all the hosts that don't show up today that had been sending events over the last four weeks.
It seems like I need to use a combination of the following two searches. One way I saw to do this is by assigning each host a week/count if the number of events is greater than one with a subsearch per week. Then if the count of weeks per host is four or greater than put the host in the table.
Hosts that have sent at least one event by week.
index=blah sourcetype="blah:win" earliest=-8weeks@w latest=-2w@w | bucket span=7d _time |timechart count by host
Missing host
index=blah sourcetype="blah:win" earliest=-8weeks@w latest=-2w@w | dedup host | eval weeks="Y" | table host weeks | join host type=outer [search index=blah sourcetype="blah:win" earliest=-1d@2w latest=-0d@d | dedup host | eval thisweek = "Y" | table host thisweek ] | where weeks="Y" AND NOT thisweek="Y"
So basically with the following data:
Time
wk1
wk2
wk3
wk4
wk5
wk6
Host A
2
7
10
0
0
5
Host B
0
2
4
7
7
7
Host C
0
1
0
1
0
0
Host D
1
5
0
0
0
0
Output
Host A sent events
Host B sent events
Missing host output
Host C is missing
Host D is missing
It would be nice to know when a new host shows up that has never sent data in the last eight weeks.
... View more
- Tags:
- splunk-enterprise
02-24-2017
08:12 AM
The statement | where source1 = "Y" AND source2 != "Y" doesn't work. You can use | where source1 = "Y" AND NOT source2= "Y".
... View more
11-10-2016
09:47 AM
1 Karma
I use this for managing a large number of hosts. In one case I temporarily used it with up to a nine thousand host entries.
Entry in the serverclass.conf
[serverClass:specific_host]
whitelist.from_pathname = etc/system/local/host.txt
restartSplunkd = 1
... View more
08-09-2016
09:53 AM
4 Karma
The system time was adjusted backwards by NTP. Changing to a different NTP server fixed the CPU issue. It appears that the UF can't handle this type of change.
... View more
08-09-2016
09:49 AM
Splunk consumes 100% of the CPU. Installed version is 6.4.
Splunk log:
07-13-2016 19:18:11.904 -0500 WARN TimeoutHeap - Either time adjusted forwards by, or event loop was descheduled for 490844ms.
07-13-2016 19:18:11.904 -0500 WARN TimeoutHeap - Either time adjusted forwards by, or event loop was descheduled for 490813ms.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
Karma given to
