About _joe

_joe · ‎02-25-2025

Hello, Does anyone know when this app will become cloud compliant?

_joe · ‎02-21-2025

Hello, Does anyone know if there are any plans for this app to become compatible with recent versions of Splunk? It claims to be compatible with 9.4 but it is running python 2...

_joe · ‎02-03-2025

I think that app was removed for 9.3. What is confusing is that you said this was a new build as opposed to an upgrade - maybe you are pushing it and it shouldn't be there? https://docs.splunk.com/Documentation/SecureGateway/3.5.15/ReleaseNotes/Releasenotes

_joe · ‎02-03-2025

Hello all, I am wondering if anyone has run into an issue where they receive a "500 error" on some large reports (small reports work fine)? The only feedback I got from the cSAM admin was to add a time out value in Microsoft PowerQuery, doesn't quite seem to relate to CURL though. personal_access_token = "MyRealToken", request_timeout_in_minutes = 10, // Specify your timeout value here data = Table.FromRecords( Json.Document( Web.Contents( csam_api_endpoint_url, [ Headers = [ #"Authorization"="Bearer " & personal_access_token, #"Content-Type" = "application/json" ], Timeout = #duration(0, 0, request_timeout_in_minutes, 0) ] ) ) ) in data

_joe · ‎01-29-2025

I updated it to a 4 digit year to match my logs. %d %b %Y %H:%M:%S, %Z

_joe · ‎01-29-2025

This isn't so much a question as a comment. I found that time config to be incorrect. My logs start like this: {"Time": "29 Jan 2025 03:16:30, PST", The default timestring is expecting a 2 digit year. %d %b %y %H:%M:%S, %Z Prior to the update, Splunk was stil able to figure out the time but issed the timezone parameter. In other words, if your heavy forwarder has the same timezone as your zScaler logs you would probably be fine.

_joe · ‎09-04-2024

_joe · ‎09-04-2024

Similar issue. There are no error logs per say. The search log shows the the output appears to be happening on the remote SH. Results written to file '/opt/splunk/etc/apps/search/lookups/mylookup.csv' on serverName=',<<remoteServerName>> In other words, if I login to my local search head and run this and get an output of 100 entries: | federated from:my report | outputlookup mylookup.csv Then I run this (Again on the local search head), it will be empty: | inputlookup mylookup.csv

_joe · ‎05-16-2024

Hello all, Just wondering if anyone else is removed index time extractions for the Cisco DNA Center Add-on (6668). I don't like that it needlessly indexes fields then resolved the duplicate-field issue by disabling KV_MODE. I was thinking of adding something like this to the app props.conf but I am still looking better options. INDEXED_EXTRACTIONS = KV_MODE=JSON SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n\[\]\,]+\s*)([\{])

_joe · ‎05-13-2024

Thanks for taking the time to respond. I guess I should have better explained that I was hoping to receive audit logs (failed logins, etc.). That is what the UiPath team here is saying that cannot put at a file location without "manual labor." We settled on a database connection.

_joe · ‎05-13-2024

Hello all, In our environment, the UiPath team doesn't seem to know how to expect the export expecting in the default inputs.conf (C:\uipath_logs). Is there any documentation that might help them?

_joe · ‎04-05-2024

Hello all, SynApp: 3.0.3 OS: RHEL8 FIPS Splunk 9.0.x I configured this app and changed the index IPs in the local inputs.conf but it isn't working. Obviously there are a lot of things that could be wrong but I am really not seeing any app logging. Is there anyway to configure that? Does this app have a FIPS incompatibility? The only thing I am finding are these logs in splunkd.log: ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/assessment_data.py" obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/vuln_data.py" json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

_joe · ‎07-20-2023

Sorry, only GCC (literally the "GCC" selection an the API input configuration). I have not had the opportunity to work with GCC high yet so I cannot confirm if it works.

_joe · ‎07-20-2023

I believe when I posted this support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue. https://splunkbase.splunk.com/app/6207

_joe · ‎05-04-2023

Hello, Has anyone been able to ingest Certificate Transparency logs (via Certificate Transparency Log add-on for Splunk or any other app) on Splunk Enterprise version 9?

_joe · ‎09-13-2022

Has anyone setup CIM parsing for the Akamai SIEM TA? I am assuming these events should be going to the Alerts data model, but there is almost no parsing in the app. https://splunkbase.splunk.com/app/4310/

_joe · ‎07-29-2022

I don't have a whole lot of information about this, just wanted to comment that personally I've had an issue with Burp Suite crashing Splunk. We have had to ask them to turn back the Burp Suite threads to half.

_joe · ‎07-18-2022

Something like this would work best: index = _internal sourcetype = splunkd component=Archiver Archiving large_file=* | stats count latest(size_in_bytes) by large_file

_joe · ‎06-28-2022

This warning got added to "known issues" for 9.0.0 Date filed Issue number Description 2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.

_joe · ‎06-28-2022

No actually. I was trying to use the App to ingest from an onprem server which isn't even supported (Only CyberArk SaaS).

_joe · ‎06-21-2022

Is anyone else running into boot-start/permissions issues with the 9.0.0 UF running on Linux using init.d scripts for bootstart? Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder" I am also finding that "./splunk disable boot-start" does not correctly remove the /etc/init.d/splunk script and, contrary to documentation, splunk UF 9.0.0 uses systemd as default. https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/ConfigureSplunktostartatboottime Also systemd scripts seem to fail getting the permissions needed even when trying to enable-boot as root. A key error I am seeing is "Failed to create the unit file" when running the install. But it seems to be a total fail. ## When upgrading (from 8.2.5) runuser -l splunk -c "/opt/splunkforwarder/bin/splunk stop" tar -xzvf /tmp/splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz -C /opt chown -R splunk:splunk /opt/splunkforwarder/ runuser -l splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt" runuser -l splunk -c "/opt/splunkforwarder/bin/splunk status" Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder" (NOTE: Seems to be non-impacting) ### When doing a new install tar -xzvf /tmp/splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz -C /opt chown -R splunk:splunk /opt/splunkforwarder [root]# sudo -H -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder" This appears to be your first time running this version of Splunk. IMPORTANT: Because an admin password was not provided, the admin user will not be created. You will have to set up an admin username/password later using user-seed.conf. Creating unit file... Current splunk is running as non root, which cannot operate systemd unit files. Please create it manually by 'sudo splunk enable boot-start' later. Failed to create the unit file. Please do it manually later. Splunk> Now with more code! sudo -H -u splunk /opt/splunkforwarder/bin/splunk status Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder" splunkd is running (PID: 3132350). splunk helpers are running (PIDs: 3132354). # sudo -H -u splunk /opt/splunkforwarder/bin/splunk stop Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder" Stopping splunkd... Shutting down. Please wait, as this may take a few minutes. . [ OK ] Stopping splunk helpers... [ OK ] Done. # /opt/splunkforwarder/bin/splunk enable boot-start -user splunk Systemd unit file installed by user at /etc/systemd/system/SplunkForwarder.service. Configured as systemd managed service. systemctl start SplunkForwarder.service Job for SplunkForwarder.service failed because the control process exited with error code. See "systemctl status SplunkForwarder.service" and "journalctl -xe" for details. systemctl status SplunkForwarder.service ● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start' Loaded: loaded (/etc/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Tue 2022-06-21 12:58:55 UTC; 27s ago Process: 3141480 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/SplunkForwarder.service (code=exited, status=0/SUCCES> Process: 3141478 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/SplunkForwarder.service (code=exited, status=0/SUCCESS) Process: 3141477 ExecStart=/opt/splunkforwarder/bin/splunk _internal_launch_under_systemd (code=exited, status=203/EXEC) Process: 3141475 ExecStartPre=/bin/bash -c chown -R splunk:splunk /opt/splunkforwarder (code=exited, status=0/SUCCESS) Main PID: 3141477 (code=exited, status=203/EXEC) Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Failed with result 'exit-code'. Jun 21 12:58:55 <host> systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'. Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Service RestartSec=100ms expired, scheduling restart. Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Scheduled restart job, restart counter is at 5. Jun 21 12:58:55 <host> systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'. Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Start request repeated too quickly. Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Failed with result 'exit-code'. Jun 21 12:58:55 <host> systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.

_joe · ‎06-08-2022

You are correct, it is missing when you switch to kvstore. You can add it in the transforms.conf manually and it works - but any further saving to the lookup definition through the Web UI will overwrite/remove the change. A little frustrating. [lookup_definition_name] ... case_sensitive_match = 0

_joe · ‎05-23-2022

Hello, Nothing has changed from my prior note. It is working pretty well, I no longer have scripted restarts. As a side note, restarting streamer doesn’t work very well and might even cause issues. Our ingest volume is about 5million a day with "workerProcesses": 1. I am not sure what a good “workerProcesses to ingest rate” would be but more workerProcesses did cause us issues. I believe we may have been told by Cisco that we should upgrade to version 5.x as other people have had special characters crash their ingest but we haven’t had that happen. I'm sure you've noticed, but it looks like they pushed 5.10 a few days ago. We are still on 4.8. Unfortunately, it really does seem like Cisco is using their customers as their dev department which is frustrating.

_joe · ‎05-09-2022

Thanks for your comment. I have looked at that TA, but the props/transforms doesn't seem to have anything that could handle the logs I had mentioned.. It has line breaking (which matches) and very limited parsing for "extract_jira_issue" which just collects <key>:<value> (a pattern I am only seeing in about 25% of the "thread" fields), practically nothing else from a props/transforms standpoint.

_joe · ‎05-09-2022

Hello all, I need to ingest audit logs from Atlassian Jira, Confluence, and Bitbucket. Most of that is pretty straight forward, but I am finding the Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log) seem very random (sometimes fields are missing, occasionally a field will be long with multiple words and spaces with no fields or brackets). Are there any TAs that can assist with parsing for on-prem Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log)? Or any Splunk guidance I can give the Jira admin to help make logging better. So far they have told me they don't want to update their log4j properties files because it will just get overridden the next time they upgrade.

Posts	96
Solutions	3
Karma Given	20
Karma Received	14
Member Since	‎04-09-2019

Online Status	Offline
Date Last Visited	‎02-25-2025 02:41 PM

Splunk Cloud compliance for zScaler TA

Splunk 9x compatibility for Certificate Transparen...

CSAM Reports - 500 ERROR

Time config incorrect

Disabling indexed fields for CIsco DNA

Setup UiPath logging export

SynAck logging channel

Has anyone been able to use Certificate Transparen...

Has anyone set up CIM parsing for Akamai SIEM TA?

Linux UF boot-start issues and non-impacting error...

Splunk Cloud compliance for zScaler TA

Splunk 9x compatibility for Certificate Transparen...

Re: Getting the following error on my indexers

CSAM Reports - 500 ERROR

Re: Time config incorrect

Time config incorrect

Re: Federated Search -How do I create lookup file ...

Re: Federated Search -How do I create lookup file ...

Disabling indexed fields for CIsco DNA

Re: Setup UiPath logging export

Setup UiPath logging export

SynAck logging channel

Re: Why is Splunk Add-on for Microsoft Security fo...

Re: Why is Splunk Add-on for Microsoft Security fo...

Has anyone been able to use Certificate Transparen...

Has anyone set up CIM parsing for Akamai SIEM TA?

Re: Executing Web Scanner on Splunk WebUI

Re: Splunk says bundle directory contains a large ...

Re: Linux UF boot-start issues and non-impacting e...

Re: Splunk Add-on for CyberArk EPM Login with SAML

Linux UF boot-start issues and non-impacting error...

Re: Why are the kvstore lookups uncharacteristical...

Re: Sourcefire Encore data ingestion issue

Re: Splunk ingest on-prem Jira audit logs

Splunk ingest on-prem Jira audit logs

Are you a member of the Splunk Community?