Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About afx
afx
Contributor
Member since:
05-02-2019
6 hours ago
Community Statistics
| Posts | 147 |
| Solutions | 7 |
| Karma Given | 15 |
| Karma Received | 24 |
| Member Since | 05-02-2019 |
Activity Feed
- Karma Re: How to Reset the Admin password? for cbreshears_splu. 09-04-2025 09:05 AM
- Karma Re: How to Reset the Admin password? for qapabli. 09-04-2025 09:05 AM
- Karma Re: How to change password using CLI in splunk for bjoernhansen. 09-04-2025 08:49 AM
- Posted Re: Issues Indexing SAP System Log (SM21) on Getting Data In. 07-11-2025 04:55 AM
- Posted Re: Issues Indexing SAP System Log (SM21) on Getting Data In. 07-11-2025 04:51 AM
- Karma Re: How to Splunk the SAP Security Audit Log for rigor0_0. 07-11-2025 03:32 AM
- Posted Re: Issues Indexing SAP System Log (SM21) on Getting Data In. 07-11-2025 02:34 AM
- Posted Re: Issues Indexing SAP System Log (SM21) on Getting Data In. 07-11-2025 02:33 AM
- Posted Re: How to Splunk the SAP Security Audit Log on Getting Data In. 04-24-2025 05:16 AM
- Posted Re: How to Splunk the SAP Security Audit Log on Getting Data In. 04-24-2025 05:14 AM
- Got Karma for How to Splunk the SAP Security Audit Log. 01-14-2025 02:06 AM
- Got Karma for Re: How to Splunk the SAP Security Audit Log. 01-14-2025 01:58 AM
- Karma Re: Create event if no results are returned for richgalloway. 03-01-2024 12:19 AM
- Karma Re: How do I monitor changes to config files? for jeremyfer. 02-09-2024 07:56 AM
- Got Karma for Re: Why is the Universal forwarder executing regmon, powershells and others with out them being explicitly configured?. 10-20-2023 09:23 AM
- Posted Various Errrors in "SANS ISC Adaptive Response Action" (app ID 3697) on All Apps and Add-ons. 09-18-2023 06:02 AM
- Got Karma for Re: How to Splunk the SAP Security Audit Log. 07-24-2023 02:42 AM
- Got Karma for Limit DB Connect Query Seever to localhost. 05-12-2023 04:38 AM
- Posted Re: How to Splunk the SAP Security Audit Log on Getting Data In. 11-12-2021 05:13 AM
- Got Karma for Re: Why does splunk need to be installed as root?. 08-02-2021 01:57 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-11-2025
04:55 AM
Totally forgot to post this.. At WallSec someone put up a more complete writeup: WALLSEC IT SECURITY - SIEM Your SAP Security Audit Log with SPLUNK Might be easier to understand for some people than my ramblings.
... View more
07-11-2025
02:34 AM
Since when is the SAL a CSV file? It is a perverted UTF16 fixed record monstrosity. Please read my old post on splunking the SAP log that the OP referenced to understand what is going on.
... View more
07-11-2025
02:33 AM
Hi Splaur, me thinks your EXTRACT-fields is not needed, that action is performed in the transforms.conf file via REPORT-SAP-Delim which refers to the line seperators generated via add_separators. Please reread the example and stick to it also in all the names until it works. That should get you going.
... View more
04-24-2025
05:16 AM
I get that occasionally on many different logs. Setting crcSalt usually helps.
... View more
04-24-2025
05:14 AM
Yes, PowerConnect costs serious money. We are way too cheap for that. Currently waiting for the switch to Hana, apparently, it will have better external file logging from what I heard so far.
... View more
09-18-2023
06:02 AM
Hi, on a brand new Splunk install, the app tries using urrlib2, but Splunk only has urllib3. There is an exception where a "," is used instead of an "as" (line 388 of splunk_rest_client.py). It tries to use something from a module cStringIO which does not exist in Splunk or the app.
... View more
Labels
- Labels:
-
troubleshooting
03-11-2021
04:30 AM
Brilliant. One gets pointed to the app on splunk ideas by splunk employees that claim this app already fulfills part of the requirements for better audit and state this is step one of what they are working on. Not really confidence inspiring.
... View more
03-10-2021
06:59 AM
Well, I would think Splunk documents their own apps.
... View more
03-10-2021
12:45 AM
Hi, So where is the documentation for this app? https://splunkbase.splunk.com/app/5399/ The overview comes up with many empty items, there is no required configuration step, so I wonder how useful/reliable this is. thx afx
... View more
Labels
- Labels:
-
administration
-
configuration
01-25-2021
08:53 AM
Splunk definitely did ship OpenJDK in 8.0.4.1, just download the RPM and check. It is gone in 8.1.1. That's why I had those artifacts and the reports from our compliance team.
... View more
01-25-2021
04:45 AM
Then please explain the OpenJDK artefacts from splunk_archiver under var/run. They make no sense for stuff that is just kept in case it is needed. Our compliance team found the following executable at some time: /splunk/var/run/searchpeers/splunkds-1608544850/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/bin/java Right now it is gone. Only the directory up to /splunk/var/run/searchpeers/splunkds-1608544850/apps/splunk_archiver/java-bin/jars/ still exists, the bin subdirectory is gone right now.
... View more
01-25-2021
12:39 AM
Even more puzzling then isn't it? Add the artifacts viewable under var/run it becomes a real mystery. This all popped up because our compliance guys ran scans for java runtimes and found them on my splunk servers but they seem to show up only temporarily. My current assumption is that they are unpacked from some place in Splunk at runtime.
... View more
01-22-2021
06:37 AM
Got to /splunk/bin and check the jars directory. Then go to /splunk/apps/splunk_archiver and check there. Or grep for jar in the manifest. All shipped with Splunk.
... View more
01-22-2021
12:52 AM
Hi, Is Splunk Enterprise shipped with a JRE? IT contains a lot of JARs.. Did not find a typical JRE though. If yes do I find the exact version? How often does Splunk update it? If no, why all the JARs? When looking under var/run/searchpeers I see references from the splunk archiver to OpenJDK8U but only directories, no binaries. thx afx
... View more
12-05-2020
11:14 AM
Hi, I am trying to port an app that needs access to x509 details to python 3. Splunk does not ship OpenSSL for python3, only python2 and the new way seems to be using cryptography. But that is also not shipped with Splunk 8. On the other hand. Looking at the modules shipped with Python 3 in Splunk 8 I see that they do reference cryptography as a dependency (pyopenssl). Looks a bit weird to me. Theoretically I could just dump cryptography in my app directory. But that also would include a shared object file which seems to be counterproductive when wanting to publish the module outside my organization. Any ideas on how to resolve this? thx afx
... View more
11-30-2020
12:34 AM
Hi, _introspection reports a higher value for existing memory than the real memory of the machine and also the memory used is wrong (and close to the fake max). OS Tools report the real values which are way lower. Any idea why and how to fix this? If I see this correctly, _introspection is fed by splunkd. A reboot fixed this for now, but what should be done to prevent this from re-apperauing? thx afx
... View more
Labels
11-29-2020
11:48 PM
Absolutely yes please. So far I have only been toying with Alert manager. That feature would make it production worthy 😉 thx afx
... View more
11-25-2020
02:57 AM
1 Karma
Hi, looks like I am missing something. I have a Splunk alert that is a bit spammy. I would like to use the Alert Manager app to give me one alert a day, basically the first time this alert shows up. And be quiet for the rest of the day, just increase the duplicate counter. I can get alerts to be counted as duplicates, but I still get e-mails for all of them. I have not found a way in the suppression rules to hide follow on alerts. thx afx
... View more
Labels
- Labels:
-
administration
-
configuration
10-04-2020
11:35 PM
Sorry, no idea. To me the posted example feels like it was preprocessed somehow. And from the SAP blog post, it should not matter whether RSAU or SM19 control.
... View more
08-13-2020
04:38 AM
I recently switched over my Splunk 8 server to Python 3. Definitely not a nice experience as not just Python itself changed but also some libraries got dropped, most notable OpenSSL. I can understand upgrades like switching from urllib2 to urllib3, but dropping OpenSSL completely? That is rather weird. So I wonder what other silly surprises are lurking and what they are thinking dropping pretty essential libraries. For the time being I switched back. But on the long run, that is not a viable strategy. cheers afx
... View more
Labels
- Labels:
-
development
-
upgrade
07-31-2020
01:30 AM
Thank you, that seems to work out of the Box. Some simple use cases without password ran on the first try. thx afx
... View more
07-30-2020
12:51 AM
Hi, I just installed the "App for REST Lookup" https://splunkbase.splunk.com/app/4253/ on my Splunk 8 SH. The details talk about a setup screen but I do not see any. But I see loads of error in the log: 07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" raise RuntimeError('Failed to parse transport header: {}'.format(header))
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" File "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 866, in _read_chunk
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" metadata, body = self._read_chunk(ifile)
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" File "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 658, in _process_protocol_v2
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" Traceback:
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" RuntimeError at "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 866 : Failed to parse transport header: U_i7UanLSoQNucQe9p8fvoPRxcC3dy_WKnCtgqt1_gVhrVCwyDW_z2yXBPu7xZbJXJQh6P^q0_gVSO4Ni9MF_nifVBNrTYwDkdk2ND3RqlJQxM4BDyz1^8pFfo0 Has anyone used that App with Splunk 8? thx afx
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
6 hours ago
|
Karma given to
