Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About livehybrid
livehybrid
Contributor
Member since:
08-15-2013
03-23-2023
Community Statistics
| Posts | 122 |
| Solutions | 15 |
| Karma Given | 2 |
| Karma Received | 32 |
| Member Since | 08-15-2013 |
Activity Feed
- Got Karma for Re: Custom REST API endpoint with PersistentServerConnectionApplication. 02-28-2023 05:52 AM
- Got Karma for Splunk draw.io icon library. 06-28-2022 01:43 AM
- Got Karma for Re: MS Teams Add-On Graph subscription fails. 12-13-2021 12:14 AM
- Got Karma for Re: Splunk draw.io icon library. 07-15-2021 12:44 PM
- Got Karma for Re: Splunk draw.io icon library. 07-15-2021 12:44 PM
- Got Karma for Splunk draw.io icon library. 07-15-2021 12:44 PM
- Posted Re: Need to install Jira module in python splunk . on Getting Data In. 02-09-2021 09:44 PM
- Posted Re: Log ingestion Via HEC - Huge log volume on Getting Data In. 02-08-2021 08:14 PM
- Got Karma for Re: http event collector truncates event to 10,000 characters. 11-24-2020 01:46 PM
- Got Karma for Re: AWS Missing feeds. 09-24-2020 04:17 AM
- Posted Re: No Data in Trusted Advisor Dashbaords on Dashboards & Visualizations. 08-25-2020 12:42 PM
- Posted Re: Splunk Cloud - cron expresion for alert on Alerting. 08-11-2020 01:04 AM
- Posted Re: Splunk Cloud - cron expresion for alert on Alerting. 08-10-2020 12:28 AM
- Posted Re: REST API Input for Splunkbase on Splunk Cloud Platform. 08-04-2020 01:37 PM
- Posted Re: HTTP Event Collector: Unable to send data to the REST endpoint (Using Splunk Cloud Trial) on Splunk Cloud Platform. 08-02-2020 02:57 AM
- Posted Re: Custom search command with python stopped working - not returning ressult on Building for the Splunk Platform. 07-22-2020 11:59 AM
- Posted Re: Adding meta without changing splunk cloud on Splunk Enterprise. 07-21-2020 12:52 AM
- Got Karma for Re: Custom REST API endpoint with PersistentServerConnectionApplication. 07-20-2020 04:39 AM
- Got Karma for Re: http event collector truncates event to 10,000 characters. 07-15-2020 02:43 PM
- Posted Re: http event collector truncates event to 10,000 characters on Getting Data In. 07-15-2020 01:35 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 4 |
02-09-2021
09:44 PM
Are you looking to use an existing Jira app? There are a number of them on Splunkbase that might help: https://splunkbase.splunk.com/apps/#/search/jira/ Alternatively, if you're building your own app then you can put Python dependencies in <yourApp>/lib. More info at https://dev.splunk.com/enterprise/docs/developapps/appanatomy#Considerations-for-Python-code-files I hope this helps!
... View more
02-08-2021
08:14 PM
Hi @vijaysri , What size host is your HEC receiver running? Its worth checking out https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf to check your setup aligns with best practice, however I would not personally consider 5GB to be to a particularly large volume when it comes to Splunk HEC ingest.
... View more
08-25-2020
12:42 PM
@ptursun I'm very sorry, I didnt get a notification of this. I'm picking this up again as very keen to go to the bottom of it. @maxr7866 If you're still up for a screenshare then that would be great. Ping me an email to splunk at livehybrid . com and we'll get something setup. Thanks Will
... View more
08-11-2020
01:04 AM
Is that on a schedule just between 2.30 and 4.00 AM? e.g. every 5 minutes between those times?
... View more
08-10-2020
12:28 AM
Hi, You'll need two alerts for this, as both the minutes and hours are different. You could use: 30 2 * * * for 02:30am 0 4 * * * for 04:00am I hope this helps! Will
... View more
08-04-2020
01:37 PM
The REST API Modular Input app on Splunkbase doesnt look to be approved for SplunkCloud installs, however I have used DBData/App for REST Lookup (https://splunkbase.splunk.com/app/4253/) which is cloud approved and might work for you?
... View more
08-02-2020
02:57 AM
Have you checked this directly with something like CURL to check the connection and token? curl -k "https://<yourHECAddress>.splunkcloud.com/services/collector/raw" \
-H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77131" -H "Authorization: Splunk <YOUR_TOKEN_HERE>" \
-d '{"event": "Welcome to SplunkCloud", "sourcetype":"test"}' Remove the X-Splunk-Request-Channel if you arent using Acknowledgments. Does this give any errors?
... View more
07-22-2020
11:59 AM
Is there anything in C:\Program Files\Splunk\var\log\splunk\python.log ? Its also worth checking the search log, Inspect your search through Job -> Inspect Job and then click the "search.log" link. Does this shine any light on things?
... View more
07-21-2020
12:52 AM
Hi, I think you may still need to update fields.conf on Splunk Cloud with [region]
INDEXED = true in order for Splunk to know that it is an indexed field. (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf)
... View more
07-15-2020
01:35 PM
2 Karma
It feels like the limit you are hitting here is a truncate limit in props.conf Can you confirm that it is arriving in Splunk as "_json" sourcetype? If so try running this on the host receiving the HEC: /opt/splunk/bin/splunk btool props list _json --debug | grep -i truncate If it gives 10000 then that is where the limit is being applied!
... View more
07-15-2020
01:30 PM
2 Karma
Ive recently been working with REST endpoints in this way, it took a bit of head scratching but the process stays running, and can be killed with something like this: sudo kill $(ps -aux | grep -i [\/]opt.*persistconn | awk '{print $2}') Then it will pick up your changes next time you query it. I hope this helps Will
... View more
07-15-2020
09:22 AM
Hi @splunksrk You need to configure a DNS record for your domain to point from your chosen subdomain to the IP address of your Splunk instance (you'll probably use an "A" record), this will vary depending on your domain name registrar and the DNS options they provide. I hope this helps Will
... View more
07-13-2020
09:44 AM
Hi @anandhalagaras1 The documentation on supported forwarders for SplunkCloud (https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Service/SplunkCloudservice#Supported_Forwarder_Versions) states that the minimum supported forwarder version for a 8.0 cloud stack is 7.2.x (Until October 2020) which means strictly speaking anything less than that currently isnt supported. Having said that, there is obviously a difference between what is *supported* and what *works*.... This page on compatibility between forwarders and indexers (https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Compatibilitybetweenforwardersandindexers) suggests that you will need at least a version 7.x forwarder to send to SplunkCloud. If its not possible to upgrade your 6.x instances, whilst not necessarily best practice, you may be able to use an Intermediary Forwarder running 7.3 to receive your 6.x traffic and send on to Splunk Cloud running 8.x
... View more
07-10-2020
08:40 AM
Sorry yes, you could use a variety of different regexs depending on what the rest of your data looks like - I missed the numerical digits.. index=your_index sourcetype=your_sourcetype
| rex field=_raw "The following DAP records were selected for this connection: (?<dap_record>[a-zA-Z0-9_]+)
| stats count by dap_record Let me know how you get on! Fingers crossed! Will
... View more
07-10-2020
07:59 AM
2 Karma
Hi @dv2323 You can use the rex command to extract the DAP record and then use stats, something like this: index=your_index sourcetype=your_sourcetype
| rex field=_raw "The following DAP records were selected for this connection: (?<dap_record>[A-Z_]+)"
| stats count by dap_record I hope this helps!
... View more
07-10-2020
07:51 AM
2 Karma
Hi, In terms of general OS hardening and communication between Splunk servers - this will be covered and dealt with by the Splunk team. This page has a section on security which might be appropriate: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Service/SplunkCloudservice A few of the things to note - * You are in control of your own Role-Based-Access-Control (RBAC) policies and procedures, such as ensuring an appropriate password policy is set, users have the right groups etc. * You cannot use the same MFA options available on-prem (such as Duo) - Instead you should consider using SAML auth and connecting to a system that allows MFA (such as Azure ActiveDirectory).* You're also responsible for the elements that sit outside the SplunkCloud environment, such as heavy forwarders - these will need securing in the usual way. Splunk do provide a client certificate for connecting to the SplunkCloud index tier for sending your data securely. * Only SplunkCloud approved apps can be used. Most apps (typical those not containing any (python) code) will pass automated vetting without any issues, however some may require manual vetting by the CloudOps/Support team who will check it for security compliance etc. This is to protect you from uploading anything that could cause harm to your environment, but also to allow Splunk to provide the level of service promised. I hope this helps!
... View more
07-09-2020
11:50 AM
Ive seen Unauthorized issues before when not having a valid license, particularly on a HF. Do you have a valid license on the HF? (Trial, Enterprise license or a Heavy Forwarder license)?
... View more
07-09-2020
02:25 AM
When you've added your SQS input it should set the sqs_queue_url field, something like: [aws_sqs_based_s3://YourInputName]
aws_account = loader
aws_iam_role = audit_cloudtrail
index = my_index
interval = 300
s3_file_decoder = ELBAccessLogs
sourcetype = aws:elb:accesslogs
sqs_batch_size = 10
sqs_queue_region = eu-west-2
sqs_queue_url = https://eu-west-2.queue.amazonaws.com/<yourAccountID>/<yourSQSQueue> You should then be able to update the queue URL to sqs_queue_url = https://sqs.REGION.amazonaws.com/<YourAccountID>/<YourQueueNamee>
... View more
07-09-2020
02:19 AM
You could use props and transforms to filter out data that you dont want and drop into the nullQueue. Something like this: props.conf [aws:cloudtrail]
TRANSFORMS-0 = ignorePrismaCloudRORole transforms.conf [ignorePrismaCloudRORole]
REGEX = userIdentity\"\:\s\{\"sessionContext\".+\"sessionIssuer[^\}]+\"userName\": \"ignorePrismaCloudReadOnlyRole\"[^}]+
DEST = queue
FORMAT = nullQueue
... View more
07-09-2020
02:11 AM
Are you looking for something to get the data in to Splunk or more the data enrichment? We're using a customised version of the app you mentioned, we took the props/transforms/lookups/tags etc from the app to build our own. We're bringing data in through the method mentioned in the app, which is Cloudwatch events -> Firehose -> HEC and landing it as aws:cloudwatch:guardduty.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-23-2023
11:53 AM
|
Karma from
