Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About tiaatim
tiaatim
Path Finder
Member since:
05-14-2019
10-26-2020
Community Statistics
| Posts | 27 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 05-14-2019 |
Activity Feed
- Posted Zoom Logging - Firewall Question on Security. 09-11-2020 10:18 AM
- Karma Re: Remove colons from a number for xpac. 08-18-2020 04:31 PM
- Karma Re: Add result of eval to datamodel field for richgalloway. 07-23-2020 07:45 AM
- Posted Re: Add result of eval to datamodel field on Splunk Enterprise Security. 07-22-2020 12:42 PM
- Posted Re: Add result of eval to datamodel field on Splunk Enterprise Security. 07-22-2020 12:25 PM
- Posted Add result of eval to datamodel field on Splunk Enterprise Security. 07-22-2020 10:58 AM
- Got Karma for Re: Heavy Forwarders Dropping Logs. 06-05-2020 12:51 AM
- Got Karma for Re: Splunk Enterprise Security: Cisco ASA logs extracting in ES search- in search and reporting, but not in ES search?. 06-05-2020 12:50 AM
- Posted Endpoint Data model does not finish building. on Splunk Enterprise Security. 05-26-2020 06:44 AM
- Tagged Endpoint Data model does not finish building. on Splunk Enterprise Security. 05-26-2020 06:44 AM
- Tagged Endpoint Data model does not finish building. on Splunk Enterprise Security. 05-26-2020 06:44 AM
- Tagged Endpoint Data model does not finish building. on Splunk Enterprise Security. 05-26-2020 06:44 AM
- Tagged Endpoint Data model does not finish building. on Splunk Enterprise Security. 05-26-2020 06:44 AM
- Posted Re: CEF parsing on under Splunk Enterprie Security App on Splunk Enterprise Security. 05-04-2020 10:32 AM
- Posted Re: Heavy Forwarders Dropping Logs on All Apps and Add-ons. 04-09-2020 02:08 PM
- Posted Re: Heavy Forwarders Dropping Logs on All Apps and Add-ons. 03-14-2020 10:28 AM
- Posted Re: Heavy Forwarders Dropping Logs on All Apps and Add-ons. 03-11-2020 07:34 AM
- Posted Heavy Forwarders Dropping Logs on All Apps and Add-ons. 03-11-2020 07:13 AM
- Tagged Heavy Forwarders Dropping Logs on All Apps and Add-ons. 03-11-2020 07:13 AM
- Tagged Heavy Forwarders Dropping Logs on All Apps and Add-ons. 03-11-2020 07:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-16-2021
10:30 AM
Did you ever figure out a solution to this? We are having the same trouble.
... View more
07-22-2020
12:42 PM
I thought about that too but then the datamodel wouldn't populate and the data wouldn't be CIM compliant.
... View more
05-26-2020
06:44 AM
Hey guys, we have Enterprise Security and the Endpoint data model never finishes building. I even knocked the backfill range to 4 hours and it still doesn't complete. I know there is a TON of data and even when I run the base macro used in all of the datasets it takes forever to run just in a 15 minute window. We just moved over a to a brand new index cluster with 10 indexers and don't see any performance issues anywhere else other than this one last data model that won't complete building.
... View more
Labels
05-04-2020
10:32 AM
Did you ever figure this out? I'm experiencing the same issue.
... View more
04-09-2020
02:08 PM
Thanks. One output is UDP/514 and the other is TCP/9997 to Splunk indexers. I've been looking to see how I can performance tune the NIC but where would I see that they are being blocked? I see a bunch of reset errors on the NIC btw.
... View more
03-05-2020
09:01 AM
I tested this and couldn't get it to work so going a different route.
... View more
02-04-2020
03:43 PM
You could try the example in the documentation, which will work, and also ensure you don't get duplicate data.
#
# The following example shows how to route events to syslog server
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
#
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
# attribute:
[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting
# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
# and syslogRouting rules:
[errorRouting]
REGEX=error
DEST_KEY=_SYSLOG_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which syslog
# outputs go to with servers or groups:
[syslog]
defaultGroup=everythingElseGroup
[syslog:syslogGroup]
server = 10.1.1.197:9997
[syslog:errorGroup]
server=10.1.1.200:9999
[syslog:everythingElseGroup]
server=10.1.1.250:6666
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf?utm_source=answers&utm_medium=in-comment&utm_term=outputs.conf&utm_campaign=refdoc#outputs.conf.example
... View more
11-08-2019
07:55 AM
Looks like the reason why is because these settings in local/inputs.conf under the ESS app were disabled.
[app_imports_update://update_es]
disabled = 1
[app_imports_update://update_es_da]
disabled = 1
[app_imports_update://update_es_main]
disabled = 1
Thanks again for your help!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-26-2020
02:16 PM
|
