Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ZacEsa
ZacEsa
Communicator
Member since:
07-13-2016
06-05-2020
Community Statistics
| Posts | 68 |
| Solutions | 3 |
| Karma Given | 15 |
| Karma Received | 2 |
| Member Since | 07-13-2016 |
Activity Feed
- Karma Re: How do I use a value from a different field in drilldown? for harsmarvania57. 06-05-2020 12:50 AM
- Karma Re: How do I use a value from a different field in drilldown? for niketn. 06-05-2020 12:50 AM
- Karma Re: How do I exclude fields with certain values from a table when the event has multiple values for the same fields? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Join not working for two different searches for MuS. 06-05-2020 12:48 AM
- Karma Re: How to count similar events per 5 minutes in a 60 minute search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to compare values of a field in a transaction? for lguinn2. 06-05-2020 12:48 AM
- Karma Re: How to compare values of a field in a transaction? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How do I filter out results of a search AFTER the search? for ddrillic. 06-05-2020 12:48 AM
- Karma Re: How do I filter out results of a search AFTER the search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How do I find all the possible fields from our raw logs for a particular index, excluding internal fields generated by Splunk? for muebel. 06-05-2020 12:48 AM
- Karma Re: How do I show other fields after top? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How do I add days taken from a field to a date field? for javiergn. 06-05-2020 12:48 AM
- Got Karma for Re: Join not working for two different searches. 06-05-2020 12:48 AM
- Got Karma for How do I show other fields after top?. 06-05-2020 12:48 AM
- Karma Re: Replace a character with a linebreak in table results for Ayn. 06-05-2020 12:46 AM
- Karma Re: Add newline into table cell? for nagendra008. 06-05-2020 12:46 AM
- Karma Re: Add newline into table cell? for marcellodesales. 06-05-2020 12:46 AM
- Posted Re: How do I use a value from a different field in drilldown? on Dashboards & Visualizations. 01-10-2019 12:09 AM
- Posted Re: How do I use a value from a different field in drilldown? on Dashboards & Visualizations. 01-09-2019 12:50 AM
- Posted Re: How do I use a value from a different field in drilldown? on Dashboards & Visualizations. 01-08-2019 05:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-10-2019
12:09 AM
Hadn't tried it but I'll accept your answer and use Device_Name for now. Thanks!
... View more
01-09-2019
12:50 AM
I actually renamed it to "Device Name:" so that it looks nicer on the dashboard. So, I can't use a nice name if I want to use a custom drilldown?
... View more
01-08-2019
05:55 AM
Actually, I tried with the row but, my column name is like, Device Name: so, when I tried $row.Device Name:$, it didn’t work. Is there any special format or I can’t rename it as such if I want to use the drill down?
... View more
01-08-2019
01:41 AM
Okay, I didn't test it out before but strangely, if I click on {row_one, column_three}, then $cell.value2$ = 5.
... View more
01-08-2019
01:35 AM
Right now, when I click on the value in column two, I can use the values in column one and two with $click.value$ and $click.value2$. However, if I click on the value in column one, I can only use the value in column one with $click.value$. $click.value2$ basically becomes the same as $click.value$.
Example;
If I click on {row_one, column_two}, $cell.value$ = 1 and $cell.value2$ = 3
If I click on {row_one, column_one}, $cell.value$ = 1 and $cell.value2$ = 1
So, how do I use the value of {row_one, column_two} even if only {row_one, column_one} is clicked?
... View more
12-12-2017
02:08 AM
Unaccepting as answer as it seems indicatorName="DETECTED_SUSPECT_APP" is not showing if I select a wider time range. Not sure what the issue is.
... View more
12-12-2017
01:32 AM
I think I managed to get it working! Posting my answer here. If anyone has any suggestions on optimizing it or, think that it may not work, please do let me know!
(search) //My initial search string
| rename threatInfo.indicators{}.applicationName as "appName", threatInfo.indicators{}.indicatorName as "indicatorName" //Renames the JSON field names to something easier (and also mv commands sometimes doesn't work with JSON field names)
| eval appindName=mvzip(appName, indicatorName) //Zip up the two related fields
| mvexpand appindName //Expands the zipped up multi-value fields into their own events
| makemv appindName delim="," //Converts into multi-value
| eval appName=mvindex(appindName, 0) //Assigns the first value into appName
| eval indicatorName=mvindex(appindName, 1) //Assigns the second value into indicatorName
| top deviceInfo.deviceName appName indicatorName //Top to get top by deviceName, appName and indicatorName
| fields - percent //To remove the percent field in the table
| where indicatorName="DETECTED_MALWARE_APP" OR indicatorName="DETECTED_SUSPECT_APP" OR indicatorName="DETECTED_PUP_APP" //To only show events which have the stated as indicatorName
... View more
12-11-2017
10:50 PM
Not exactly. Refer to the other answers with the more info in the event. Each event has multiple appName field which comes with an indicatorName field. What I'm trying to do is get the appNames which has an indicatorName of "DETECTED_SUSPECT_APP". But right now, however way I put it, I'm getting all the appNames in the event, even if they don't have "DETECTED_SUSPECT_APP" as their indicatorName.
... View more
12-06-2017
11:06 PM
This one removed the rest but, the event came out as two same events instead. I managed to change it to make it into a table but that got worse as the count became 4.
| spath
| rename "threatInfo.indicators{}.*" as "*"
| rename "threatInfo.*" as "*"
| eval data=mvzip(applicationName,indicatorName)
| top deviceInfo.deviceName data
| mvexpand data
| eval data=split(data,",")
| eval applicationName=mvindex(data,0)
| eval indicatorName=mvindex(data,1)
| fields - data percent
| search indicatorName="DETECTED_SUSPECT_APP"
| table deviceInfo.deviceName applicationName indicatorName count
... View more
12-06-2017
09:59 PM
That got it much closer however, it's still showing the other indicatorNames for Setup.exe. I used where indicatorNames="DETECTED_SUSPECT_APP" to remove other applicationNames which does not have that indicatorName.
... View more
12-06-2017
07:10 PM
Doesn't seem to work. Each applicationName keeps taking the other indicatorNames too.
... View more
12-06-2017
05:49 PM
Thanks! It sort of works. Haha. Unfortunately, my event turns out to be more complicated. 😕
Below is an example of the event;
threatInfo: { [-]
incidentId: 123ABC
indicators: [ [-]
{ [-]
applicationName: Setup.exe
indicatorName: RUN_SUSPECT_APP
sha256Hash: 123456
}
{ [-]
applicationName: Setup.exe
indicatorName: DETECTED_SUSPECT_APP
sha256Hash: 123456
}
{ [-]
applicationName: WinRAR.exe
indicatorName: MODIFY_PROCESS
sha256Hash: 654321
}
{ [-]
applicationName: iexplore.exe
indicatorName: RUN_UNKNOWN_APP
sha256Hash: 987654
}
{ [-]
applicationName: WinRAR.exe
indicatorName: UNKNOWN_APP
sha256Hash: 654321
}
{ [-]
applicationName: iexplore.exe
indicatorName: RUN_ANOTHER_APP
sha256Hash: 987654
}
{ [-]
applicationName: Setup.exe
indicatorName: POLICY_TERMINATE
sha256Hash: 123456
}
]
Basically, I only want to show the applicationName which has DETECTED_SUSPECT_APP as an indicatorName.
... View more
12-06-2017
04:31 PM
I have events which have multiple of the same fields but with different values.
E.g;
Event 1: deviceName="device1" appName="app1" appName="app1" appName ="app1" appName="app2" appName="app2" appName="app3"
Event 2: deviceName="device1" appName="app1" appName="app2" appName="app2"
Event 3: deviceName="device2" appName="app1" appName="app2" appName="app3"
I want to "dedup" only for event, not for multiple event. How do I do so?
Current table output:
| deviceName | appName | count |
| device1 | app2 | 4 |
| device1 | app1 | 3 |
| device1 | app3 | 1 |
| device2 | app1 | 1 |
| device2 | app2 | 1 |
| device2 | app3 | 1 |
Table I want:
| deviceName | appName | count |
| device1 | app1 | 2 |
| device1 | app2 | 2 |
| device1 | app3 | 1 |
| device2 | app1 | 1 |
| device2 | app2 | 1 |
| device2 | app3 | 1 |
My apologies if the question is unclear. Not really sure how to explain it.
... View more
10-18-2017
08:13 PM
Nevermind, found out the issue. Splunk doesn't like it when my field name is threatInfo.indicators{}.indicatorName . Had to rename it to something else and then it worked. Thank you! Will mark your answer as correct now.
... View more
10-18-2017
08:08 PM
I tried it with eval threatInfo.indicators{}.indicatorName=mvfilter(match(threatInfo.indicators{}.indicatorName, "DETECTED_MALWARE_APP")) but it's throwing Error in 'eval' command: The expression is malformed. Expected ).
... View more
10-18-2017
06:22 PM
Hi,
As the title says. Refer to the screenshot below too;
The above is the log for the event. as you can see, there are multiple indicatorName in a single event.
And this is the table when I do a top. However, I only want certain values to show. E.g. Only show indicatorName: DETECTED_MALWARE_APP and not indicatorName: CODE_DROP .
... View more
07-20-2017
05:15 PM
I found out what the issue is already.
I added the inputs and the API key and connect ID through my Splunk master web UI, and then I copied the generated configuration files to the deployment-apps folder to be pushed to my heavy forwarder. However, this would not work as the encryption would be different.
Note: The app encrypts the API key and connector ID.
To solve this issue, I removed the deployed app so that the forwarder will not pull the apps from the master, then I enabled the webserver on the heavy forwarder using ./splunk enable webserver , installed the app directly to the heavy forwarder and configured from the heavy forwarder web UI. After that, I disabled the webserver using ./splunk disable webserver to save resources.
... View more
07-19-2017
03:08 AM
I'm trying to get my app input coming in via a heavy forwarder. I've deployed the app to the heavy forwarder and configured the necessary but, I'm seeing these logs in my splunkd.log file in the heavy forwarder.
07-19-2017 18:06:36.599 +0800 ERROR PasswordHandler - Decrypted password from stanza=credential:__REST_CREDENTIAL__#TA-Cb_Defense#configs/conf-ta_cb_defense_settings:additional_parameters``splunk_cred_sep``1: is not utf8, skipping
07-19-2017 18:06:36.600 +0800 ERROR PasswordHandler - Decrypted password from stanza=credential:__REST_CREDENTIAL__#TA-Cb_Defense#configs/conf-ta_cb_defense_settings:additional_parameters``splunk_cred_sep``2: is not utf8, skipping
07-19-2017 18:06:36.642 +0800 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/handler.py", line 120, in wrapper\n raise RestError(500, traceback.format_exc())\nRestError: REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/handler.py", line 299, in _format_response\n masked = self.rest_credentials.decrypt_for_get(name, data)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/credentials.py", line 184, in decrypt_for_get\n clear_password = self._get(name)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/credentials.py", line 389, in _get\n string = mgr.get_password(user=context.username())\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/credentials.py", line 118, in get_password\n all_passwords = self._get_all_passwords()\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n\n
07-19-2017 18:06:36.642 +0800 ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/handler.py", line 299, in _format_response\n masked = self.rest_credentials.decrypt_for_get(name, data)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/credentials.py", line 184, in decrypt_for_get\n clear_password = self._get(name)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/splunktaucclib/rest_handler/credentials.py", line 389, in _get\n string = mgr.get_password(user=context.username())\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/credentials.py", line 118, in get_password\n all_passwords = self._get_all_passwords()\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "/opt/splunk/etc/apps/TA-Cb_Defense/bin/ta_cb_defense/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n". See splunkd.log for more details.
Anyone have any ideas what's the issue?
... View more
12-12-2016
10:21 PM
I don't know what happened but, I stopped the splunk service, I re-ran the set_permissions.sh and I started the splunk service(while still in root) and now it's working.
Haven't tried to stop and start the splunk service using splunk user to see if that was the issue.
I'll leave it as it is and I'll mark your question as the answer since you did answer my question on how to uninstall the Independent Stream Forwarder. Haha.
... View more
12-12-2016
05:59 PM
Data link types for ens160 (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)
... View more
12-12-2016
05:55 PM
From the Splunk Stream Interface.
... View more
12-12-2016
05:53 PM
The Independent Stream Forwarder was never able to capture. When I use tcpdump, I'm able to see the packets coming in. I have two interfaces on this VM and the Sniffer Reactor isn't able to open pcap adapter for both interfaces. And yes, it's in promiscuous mode already.
... View more
12-12-2016
05:24 PM
And as you can see from 2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message: , it's not really showing any error message. It's just showing it failed to open pcap adapter. The universal forwarder is on a VM with VMXNET3 adapter, connected to a tap so, there is no IP address.
... View more
12-12-2016
05:19 PM
Yes, I've run ./set_permissions.sh on both the /opt/streamfwd/ and $SPLUNK_HOME/etc/apps/Splunk_TA_Stream/
... View more
12-12-2016
04:55 PM
I did quite a dumb thing, I installed the Independent Stream Forwarder onto my Universal Forwarder, I didn't know that the Universal Forwarder can become a Stream Forwarder without installing the Independent Stream Forwarder.
Now, my Stream Forwarder isn't working. Is there any way to uninstall the Independent Stream Forwarder?
If anyone wants to try assist me to solve the Stream Forwarder not working, please see error message below.
2016-12-13 08:36:41 INFO [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889
Unfortunately, there's no error message. So I can't really tell what's wrong so, I'm assuming it's because I installed the Independent Stream Forwarder.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
