Activity Feed
- Got Karma for How to Splunk the SAP Security Audit Log. 01-14-2025 02:06 AM
- Got Karma for Re: How to Splunk the SAP Security Audit Log. 01-14-2025 01:58 AM
- Karma Re: Create event if no results are returned for richgalloway. 03-01-2024 12:19 AM
- Karma Re: How do I monitor changes to config files? for jeremyfer. 02-09-2024 07:56 AM
- Got Karma for Re: Why is the Universal forwarder executing regmon, powershells and others without them being explicitly configured?. 10-20-2023 09:23 AM
- Posted Various Errors in "SANS ISC Adaptive Response Action" (app ID 3697) on All Apps and Add-ons. 09-18-2023 06:02 AM
- Got Karma for Re: How to Splunk the SAP Security Audit Log. 07-24-2023 02:42 AM
- Got Karma for Limit DB Connect Query Server to localhost. 05-12-2023 04:38 AM
- Posted Re: How to Splunk the SAP Security Audit Log on Getting Data In. 11-12-2021 05:13 AM
- Got Karma for Re: Why does splunk need to be installed as root?. 08-02-2021 01:57 AM
- Got Karma for How to Splunk the SAP Security Audit Log. 04-21-2021 01:12 PM
- Posted Re: Documentation for Knowledge Object Overview App for Splunk on All Apps and Add-ons. 03-11-2021 04:30 AM
- Posted Re: Documentation for Knowledge Object Overview App for Splunk on All Apps and Add-ons. 03-10-2021 06:59 AM
- Posted Documentation for Knowledge Object Overview App for Splunk on All Apps and Add-ons. 03-10-2021 12:45 AM
- Posted Re: CMMaster - Unable to send scheduled jobs on Splunk Enterprise. 03-05-2021 12:31 AM
- Posted Re: JRE/JDK shipped with Splunk Enterprise? on Installation. 01-25-2021 08:53 AM
- Posted Re: JRE/JDK shipped with Splunk Enterprise? on Installation. 01-25-2021 04:45 AM
- Posted Re: JRE/JDK shipped with Splunk Enterprise? on Installation. 01-25-2021 12:39 AM
- Posted Re: JRE/JDK shipped with Splunk Enterprise? on Installation. 01-22-2021 06:37 AM
- Posted JRE/JDK shipped with Splunk Enterprise? on Installation. 01-22-2021 12:52 AM
09-18-2023
06:02 AM
Hi, on a brand new Splunk install, the app tries using urllib2, but Splunk only has urllib3. There is an exception where a "," is used instead of an "as" (line 388 of splunk_rest_client.py). It tries to use something from a module cStringIO which does not exist in Splunk or the app.
Labels: troubleshooting
03-11-2021
04:30 AM
Brilliant. One gets pointed to the app on splunk ideas by splunk employees that claim this app already fulfills part of the requirements for better audit and state this is step one of what they are working on. Not really confidence inspiring.
03-10-2021
06:59 AM
Well, I would think Splunk documents their own apps.
03-10-2021
12:45 AM
Hi, So where is the documentation for this app? https://splunkbase.splunk.com/app/5399/ The overview comes up with many empty items, there is no required configuration step, so I wonder how useful/reliable this is. thx afx
Labels: administration, configuration
01-25-2021
08:53 AM
Splunk definitely did ship OpenJDK in 8.0.4.1, just download the RPM and check. It is gone in 8.1.1. That's why I had those artifacts and the reports from our compliance team.
01-25-2021
04:45 AM
Then please explain the OpenJDK artefacts from splunk_archiver under var/run. They make no sense for stuff that is just kept in case it is needed. Our compliance team found the following executable at some time: /splunk/var/run/searchpeers/splunkds-1608544850/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/bin/java Right now it is gone. Only the directory up to /splunk/var/run/searchpeers/splunkds-1608544850/apps/splunk_archiver/java-bin/jars/ still exists, the bin subdirectory is gone right now.
01-25-2021
12:39 AM
Even more puzzling then, isn't it? Add the artifacts viewable under var/run and it becomes a real mystery. This all popped up because our compliance guys ran scans for java runtimes and found them on my splunk servers, but they seem to show up only temporarily. My current assumption is that they are unpacked from some place in Splunk at runtime.
01-22-2021
06:37 AM
Go to /splunk/bin and check the jars directory. Then go to /splunk/apps/splunk_archiver and check there. Or grep for jar in the manifest. All shipped with Splunk.
01-22-2021
12:52 AM
Hi, Is Splunk Enterprise shipped with a JRE? It contains a lot of JARs. Did not find a typical JRE though. If yes, where do I find the exact version? How often does Splunk update it? If no, why all the JARs? When looking under var/run/searchpeers I see references from the splunk archiver to OpenJDK8U but only directories, no binaries. thx afx
Labels: Other
12-05-2020
11:14 AM
Hi, I am trying to port an app that needs access to x509 details to python 3. Splunk does not ship OpenSSL for python3, only python2, and the new way seems to be using cryptography. But that is also not shipped with Splunk 8. On the other hand, looking at the modules shipped with Python 3 in Splunk 8 I see that they do reference cryptography as a dependency (pyopenssl). Looks a bit weird to me. Theoretically I could just dump cryptography in my app directory. But that would also include a shared object file, which seems to be counterproductive when wanting to publish the module outside my organization. Any ideas on how to resolve this? thx afx
11-30-2020
12:34 AM
Hi, _introspection reports a higher value for existing memory than the real memory of the machine, and also the memory used is wrong (and close to the fake max). OS tools report the real values, which are way lower. Any idea why and how to fix this? If I see this correctly, _introspection is fed by splunkd. A reboot fixed this for now, but what should be done to prevent this from re-appearing? thx afx
11-29-2020
11:48 PM
Absolutely yes please. So far I have only been toying with Alert manager. That feature would make it production worthy 😉 thx afx
11-25-2020
02:57 AM
1 Karma
Hi, looks like I am missing something. I have a Splunk alert that is a bit spammy. I would like to use the Alert Manager app to give me one alert a day, basically the first time this alert shows up, and be quiet for the rest of the day, just increasing the duplicate counter. I can get alerts to be counted as duplicates, but I still get e-mails for all of them. I have not found a way in the suppression rules to hide follow-on alerts. thx afx
Labels: administration, configuration
10-04-2020
11:35 PM
Sorry, no idea. To me the posted example feels like it was preprocessed somehow. And from the SAP blog post, it should not matter whether RSAU or SM19 control.
08-13-2020
04:38 AM
I recently switched over my Splunk 8 server to Python 3. Definitely not a nice experience, as not just Python itself changed but also some libraries got dropped, most notably OpenSSL. I can understand upgrades like switching from urllib2 to urllib3, but dropping OpenSSL completely? That is rather weird. So I wonder what other silly surprises are lurking and what they are thinking dropping pretty essential libraries. For the time being I switched back. But in the long run, that is not a viable strategy. cheers afx
Labels: development, upgrade
07-31-2020
01:30 AM
Thank you, that seems to work out of the box. Some simple use cases without password ran on the first try. thx afx
07-30-2020
12:51 AM
Hi, I just installed the "App for REST Lookup" https://splunkbase.splunk.com/app/4253/ on my Splunk 8 SH. The details talk about a setup screen but I do not see any. But I see loads of errors in the log: 07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" raise RuntimeError('Failed to parse transport header: {}'.format(header))
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" File "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 866, in _read_chunk
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" metadata, body = self._read_chunk(ifile)
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" File "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 658, in _process_protocol_v2
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" Traceback:
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" RuntimeError at "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 866 : Failed to parse transport header: U_i7UanLSoQNucQe9p8fvoPRxcC3dy_WKnCtgqt1_gVhrVCwyDW_z2yXBPu7xZbJXJQh6P^q0_gVSO4Ni9MF_nifVBNrTYwDkdk2ND3RqlJQxM4BDyz1^8pFfo0 Has anyone used that App with Splunk 8? thx afx
Labels: configuration, troubleshooting
07-06-2020
08:01 AM
Hi, I see error messages from the exec processor on my Splunk DB Connect installs where dbxquery complains about input that suspiciously looks like stuff from Nessus. So it seems that dbxquery is listening on the Ethernet. How can I stop that? Me thinks it should listen only on localhost, if it needs to listen at all. thx afx
Labels: configuration
07-06-2020
06:47 AM
Thanks! Interesting that this worked in v7. I always thought I had to have a values without field to get any data at all from the model. thx afx
07-06-2020
05:00 AM
I just upgraded from 7.2.4 to 8.0.4.1 So far everything seems to be OK apart from two data models. Web still works, but Authentication and Change(Account) both report the following error: Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments. This for even the simplest query, like | tstats values from datamodel=Authentication Unfortunately I see no further explanation or hints in the search log. Any ideas on how to get this fixed? thx afx
05-20-2020
01:15 PM
I assume you want one deployed app for all the hosts.
Can you define the file names via a regex?
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Specifyinputpathswithwildcards
cheers
afx
05-08-2020
04:24 AM
Ok,
to answer my own question...
On some systems doing a findstr "[0-9]$" worked, on some not. Some Windows/PS silliness I guess.
But that also begs the question: why does splunk not tell me whether the script has been executed at all?
05-04-2020
08:10 AM
Hi,
I am trying to get input from a powershell script.
It drives me up the walls. I already have other PS scripts running just fine, so this really puzzles me.
I have 3 heavy forwarder on Splunk 8.0.2.1 and 18 universal forwarders on Splunk 7.2.4.
When using this inputs.conf setting:
[powershell://df]
script = Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,FreeSpace | findstr.exe '[0-9]$'
index = os_monitoring
schedule=*/5 * * * *
source=df-win
sourcetype=os:monitoring:diskspace
disabled = 0
I get only input on 3 UF hosts and 2 HF hosts.
One of the HF hosts delivers the following in the _audit log, but no output.
05-04-2020 16:35:00.0014151+2 INFO enqueue job for stanza=df
05-04-2020 16:35:00.0014151+2 INFO Start executing script=Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,FreeSpace | findstr.exe '[0-9]$' for stanza=df
05-04-2020 16:35:00.0170289+2 INFO End of executing script=Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,FreeSpace | findstr.exe '[0-9]$' for stanza=df, execution_time=0.0156138 seconds
The other boxes do not deliver anything in terms of output or errors, I just see that the app is deployed.
When switching to a real script like in the following
script = . "$SplunkHome\etc\apps\FA-windows-diskspace\bin\scripts\df.ps1"
I again get the the same result. The majority of systems do not deliver output and I see no errors in the _* indices.
I am a bit lost.
I would expect all machines to fail or none, but not this inconsistent behaviour.
Any ideas?
thx
afx
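The stanza above pipes the WMI output through findstr.exe, which the follow-up post found to behave differently from host to host. An added example (not code from the original post or from Splunk) that does the filtering inside PowerShell itself, so the input no longer depends on an external tool; it assumes the Splunk PowerShell modular input forwards each emitted string as one event, and the hypothetical UsedPct field is added here for convenience.

```powershell
# Added example, not from the original post: replaces the
#   Get-WmiObject ... | findstr.exe '[0-9]$'
# pipeline with PowerShell-native filtering so every host behaves the same.
# Keeps only local fixed disks (DriveType 3) that report a size, which is what
# the findstr regex was trying to achieve, and emits one key=value line per
# volume for the [powershell://df] stanza (sourcetype os:monitoring:diskspace).
Get-WmiObject -Class Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 3 -and $_.Size -gt 0 } |
    ForEach-Object {
        $used = [int64]$_.Size - [int64]$_.FreeSpace
        # UsedPct is an assumed extra field, not part of the original stanza
        $pct  = [math]::Round(($used / [int64]$_.Size) * 100, 1)
        "DeviceID={0} Size={1} FreeSpace={2} UsedPct={3}" -f `
            $_.DeviceID, $_.Size, $_.FreeSpace, $pct
    }
```

Save it as the df.ps1 referenced in the second stanza and keep the dot-sourcing line unchanged; the _internal ExecProcessor entries then show whether the script ran on each forwarder.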