Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About att35
att35
Builder
Member since:
08-30-2013
02-28-2025
Community Statistics
| Posts | 208 |
| Solutions | 8 |
| Karma Given | 35 |
| Karma Received | 29 |
| Member Since | 08-30-2013 |
Activity Feed
- Got Karma for Re: Unable to use nullqueue properly for a Storage Account input. 02-28-2025 05:23 AM
- Posted Re: Unable to use nullqueue properly for a Storage Account input on Getting Data In. 02-27-2025 01:38 PM
- Karma Re: Unable to use nullqueue properly for a Storage Account input for richgalloway. 02-27-2025 01:37 PM
- Posted Unable to use nullqueue properly for a Storage Account input on Getting Data In. 02-27-2025 11:40 AM
- Posted Will deployer delete an app locally created on SHC? on Splunk Dev. 02-26-2025 04:00 PM
- Posted Re: Why UTC events suddenly started displaying as PST instead of Eastern Time? on Getting Data In. 10-24-2024 08:31 AM
- Posted Re: Why UTC events suddenly started displaying as PST instead of Eastern Time? on Getting Data In. 10-11-2024 03:35 PM
- Posted Re: Why UTC events suddenly started displaying as PST instead of Eastern Time? on Getting Data In. 10-11-2024 03:31 PM
- Posted Re: Why UTC events suddenly started displaying as PST instead of Eastern Time? on Getting Data In. 10-11-2024 11:31 AM
- Posted Re: Why UTC events suddenly started displaying as PST instead of Eastern Time? on Getting Data In. 10-11-2024 11:27 AM
- Posted Why UTC events suddenly started displaying as PST instead of Eastern Time? on Getting Data In. 10-11-2024 08:58 AM
- Posted Is there a way to check if Splunk is re-indexing certain files? on Getting Data In. 09-25-2024 04:48 AM
- Posted Re: How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627 on Splunk Search. 09-05-2024 07:56 PM
- Karma Re: How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627 for ITWhisperer. 09-05-2024 07:55 PM
- Posted How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627 on Splunk Search. 09-05-2024 10:10 AM
- Posted Re: need help with spath for json Array on Getting Data In. 08-17-2024 05:29 PM
- Posted need help with spath for json Array on Getting Data In. 08-16-2024 06:54 AM
- Got Karma for Error when using pre trained Deep Learning models with DSDL. 07-05-2024 02:36 AM
- Got Karma for Re: Why do search head cluster members keep old bundle files, and can these be deleted safely?. 06-10-2024 08:57 AM
- Karma Re: How to retain fields from base search to use after a map command? for ITWhisperer. 02-20-2024 08:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-27-2025
01:38 PM
1 Karma
Thanks @richgalloway This worked.
... View more
02-27-2025
11:40 AM
Hi everyone, We are pulling Firewall data from a Storage Account containing several categories. There is one specific category, AZFWDnsQuery which need to be dropped. I tested the regex in the search as well as on regex101. It is successfully matching only those specific events with this category. But once deployed, Splunk starts dropping all events from this input, including for other categories that do not match the regex. Sample events { "time": "2025-02-27T18:46:08.307710+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":25208,"QueryId":51787,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":48,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":94,"RequestDurationSecs":0.007257565,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
{ "time": "2025-02-27T18:46:08.307329+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":62730,"QueryId":16828,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":35,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":68,"RequestDurationSecs":0.012227477,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
{ "time": "2025-02-27T18:46:08.307262+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":45452,"QueryId":25241,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":35,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":68,"RequestDurationSecs":0.008439891,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
{ "time": "2025-02-27T18:46:08.307129+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":14846,"QueryId":3916,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":35,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":68,"RequestDurationSecs":0.009026804,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"} Regex \"category\":\s\"AZFWDnsQuery\" Here is how props.conf and transforms.conf are configured. [sourcetype]
TRANSFORMS-null=DropFirewallEvents
[DropFirewallEvents]
REGEX=_raw=\"category\":\s\"AZFWDnsQuery\"
DEST_KEY=queue
FORMAT=nullQueue What could be doing wrong here for Splunk to drop every event from this input? Thanks
... View more
- Tags:
- nullqueue
Labels
- Labels:
-
indexer
02-26-2025
04:00 PM
We have a 4 node SHC connected to a deployer. For a usecase, I created a simple custom app that is just putting handful of dashboards together. Due to ease of use, I create this directly on SHC and all knowledge objects replicated among the members. During the next bundle push, will deployer delete this app from SHC as it has no knowledge of it? Should I move this app under shcluster/apps folder on the Deployer as well to be safe? Thanks, ~Abhi
... View more
- Tags:
- deployer
Labels
- Labels:
-
app
10-24-2024
08:31 AM
@PickleRick I changed the URL to use raw endpoint. This seems to have fixed the timestamp but Splunk is now breaking the events at the timestamp fields. I have added KV_MODE = json for this sourcetype on both HF and SH but that did not fix the line breaking.
... View more
10-11-2024
03:35 PM
@PickleRick It is sending to services/collector/event
... View more
10-11-2024
03:31 PM
Thanks @dural_yyz Will try that.
... View more
10-11-2024
11:31 AM
@PickleRick Updated the post with the settings in place on HF. Data is being received at Heavy Forwader via HEC input. It then gets forwarded to indexers.
... View more
10-11-2024
11:27 AM
@dural_yyz I dont see any specific settings for this sourcetype under local props.conf. I added TIME_PREFIX and TZ values but that didnt change anything. This is on the source which is getting the data, i.e. Heavy Forwarder. Do I need to place any of these settings on indexer/SH as well? [change:auditor]
category = Custom
pulldown_type = 1
TIME_PREFIX = timeDetected
TZ = UTC System time zone on HF is set to EDT
... View more
10-11-2024
08:58 AM
Hi, We have data from Change Auditor coming via HEC setup on a Heavy Forwarder. This HF instance was upgraded to Version 9.2.2. After that, I am seeing a difference in the way Splunk displays new events on SH. It is now converting UTC->PST. I ran a search for previous week and for those events it is converting timestamp correctly, from UTC-> Eastern. I am a little confused since both searches are done from same search head against same set of indexers. If there was a TZ issue, woudn't Splunk have converted both incorrectly? I also ran same searches on indexer with identical output. Recent events in PST whereas older events continue to show as EST. Here are some examples For previous week Recent. Splunk shows a UTC->PST conversion instead. I did test this manually via Add Data and Splunk is correctly formatting it to Eastern. How can I troubleshoot why recent events in search are showing PST conversion? My current TZ setting on SH is still set to Eastern Time. Also confirmed that system time for HF, indexers and Search Heads is set to Eastern. Thanks
... View more
- Tags:
- timezone
Labels
- Labels:
-
heavy forwarder
09-25-2024
04:48 AM
Hi, We use Splunk Forwarder to monitor application data. There are multiple folders on a given server, each with same set of log files, but since the folder names are a distinguishing factor, we are using crcSalt=<SOURCE> so that Splunk treats all log files differently. We also make sure to lock the stanza to a specific extension as needed, e.g. logname.log, or log*.txt, so that rotated files are ignored. That being said, I still want to find out if there are any situations where splunk could be re-indexing files multiple times and might warrant the use of initCrcLen instead. Is this something that's possible via search? Does Splunk forwarder keeps some type of internal record/tracker that it is now re-indexing previously seen file again? Thanks,
... View more
Labels
- Labels:
-
inputs.conf
-
Linux
-
universal forwarder
09-05-2024
07:56 PM
Thanks @ITWhisperer That worked perfectly.
... View more
09-05-2024
10:10 AM
Need some help in extracting Group Membership details from Windows Event Code 4627. As explained in this answer, https://community.splunk.com/t5/Splunk-Search/Regex-not-working-as-expected/m-p/470417 following seems to be working to extract Group_name, but capture doesn't stop once the group list ends. Instead, it continues to match everything till end of line. I experimented with (?ms) and (?m) but didnt have any succes. "(?ms)(?:^Group Membership:\t\t\t|\G(?!^))\r?\n[\t ]*(?:[^\\\r\n]*\\\)*(?<Group_name>(.+))" 09/04/2024 11:59:59 PM
LogName=Security
EventCode=4627
EventType=0
ComputerName=DCServer.domain.x.y
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=64222222324
Keywords=Audit Success
TaskCategory=Group Membership
OpCode=Info
Message=Group membership information.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: DCServer$
Account Domain: Domain
Logon ID: 0x1111
Logon Type: 3
New Logon:
Security ID: Domain\Account
Account Name: Account
Account Domain: Domain
Logon ID: 0x5023236
Event in sequence: 1 of 1
Group Membership:
Domain\Group1
Group2
BUILTIN\Group3
BUILTIN\Group4
BUILTIN\Group5
BUILTIN\Group6
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
Domain\Group7
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. When I use this regex, it does capture starting from the Group list but continues on till the end of event. How can I tell regex to stop matching once the group list ends? Also, this regex seems to be putting all groups as a single match. Is it possible to make it multi-valued, so that we can count total number of groups present in a given event, e.g. 9 groups in the event example above. Thanks, ~Abhi
... View more
Labels
- Labels:
-
regex
08-17-2024
05:29 PM
Thanks @ITWhisperer I have updated the original post with event text.
... View more
08-16-2024
06:54 AM
Hi, Need some help with the following JSON data. ModifiedProperties: [ [-]
{ [-]
Name: Group.ObjectID
NewValue: 111111-2222222-333333-444444
OldValue:
}
{ [-]
Name: Group.DisplayName
NewValue: Group A
OldValue:
}
{ [-]
Name: Group.WellKnownObjectName
NewValue:
OldValue:
}
] I want to extract the 2nd set of values for each event such that Group.DisplayName can become a field in itself, e.g. Group.DisplayName.NewValue=A, Group.DisplayName.OldValue=B. But right now, default extraction is doing something like this How can I create KV pairs for Group.DisplayName within this JSON array? I tried few combinations using spath but was not successful. Thank you
... View more
- Tags:
- spath
Labels
- Labels:
-
field extraction
-
JSON
02-20-2024
08:04 AM
Thanks @ITWhisperer This worked.
... View more
02-20-2024
07:17 AM
We have a search where one of the fields from base search is passed onto a REST API using map command. <Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel
|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc="$src_ip$" But after this search ,only the results returned by the REST API are shown. How can I include some of the fields from original search, e.g. user, activity so that they can later be used in a table? Tried adding the field using eval right before the REST call but that doesn't seem to be working. eval activity=\"$activity$\" | rest Also tried using "multireport" but only the first search is considered. | multireport [ table user, src_ip, activity, riskLevel]
[| map map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc="$src_ip$"] Is there a way to achieve this? API call itself returns a set of fields which I am extracting using spath but also want to keep some of the original ones for added context. Thanks, ~Abhi
... View more
- Tags:
- map
02-02-2024
11:25 AM
Hi, We are using following regex to capture "caused by" exceptions within java stack trace. Caused by: (?P<Exception>[^\r\n]+) When testing in regex101, it seems to be working well. Captures both instances of "caused by" in the sample trace. https://regex101.com/r/yL1ucO/1 But when used with EXTRACT within props.conf, Splunk only gets the first instance, i.e. "SomeException". 2nd occurrence, "AnotherException" is not captured. Should I be using REPEAT_MATCH with transforms stanza, or is there a way to fix this within props itself?
... View more
- Tags:
- regex
Labels
- Labels:
-
regex
02-01-2024
08:06 AM
Hi, We have a datamodel built against application data. All the tstats searches against the DM were running fine, including the ones using summariesonly=true. I was noticing some discrepancy between data model and raw data when plotting timechart for the exact same time range. Checked on the Data Model and found _time field was not added. But after adding that and re-accelerating the data model, now i cant use summariesonly=true. No results are returned. I do get data back without summariesonly=true. What could have gone wrong here? UPDATE I am able to search using summariesonly=true (Maybe DM needed more time to regenerate) but now I see massive difference in counts between summariesonly=true. Vs false. Data with false closely matches the raw data stats. Before that _time change, even summariesonly=true was matching the counts precisely. I see the _time field is set to "required" in the model but I don't think that would be preventing certain events from going into summary. All events in raw data do have default _time field. Am I missing some key fact here on how summary calculation might have changed with addition of this _time field?
... View more
- Tags:
- data model
Labels
- Labels:
-
tstats
01-31-2024
06:32 AM
We have application data coming from Apache Tomcat's and have a regex in place to extract exception name. But there are some tomcats sending data in a slightly different formats and the extraction doesn't work for them. I have updated regex ready for these different formats, but want to keep the field name same, i.e. exception. How Do I manage multiple extractions against the same sourcetype while keeping the field names same? If I add these regex in transforms, would they end up conflicting with each other? Or should I be creating them into different fields, such as exception1, exception2 and then use coalesce to eventually merge them into a single field?
... View more
- Tags:
- regex
01-11-2024
11:48 AM
Hi all, I am trying to authenticate a user against REST API but when testing via CURL, it is failing when using LB URL(F5). User has replicated across all SHC members and can login via UI. # curl -k https://Splunk-LB-URL:8089/services/auth/login -d username=user -d password='password'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN" code="incorrect_username_or_password">Login failed</msg>
</messages>
</response> But when I try this same against the SH member directly, it works. # curl -k https://Splunk-SearchHead:8089/services/auth/login -d username=user -d password='password'
<response>
<sessionKey>gULiq_E7abGyEchXyw7rxzwi83Fhdh8gIGjPGBouFUd37GuXF</sessionKey>
<messages>
<msg code=""></msg>
</messages>
</response> Initially I thought it could be something on the LB side but then for "admin" user, LB URL works just fine. # curl -k https://Splunk-LB-URL:8089/services/auth/login -d username=admin -d password='password'
<response>
<sessionKey>gULiq_E7abGyEchXyw7rxzwi83Fhdh8gIGjPGBouFUd37GuXF</sessionKey>
<messages>
<msg code=""></msg>
</messages>
</response> Has anyone come across issue like this? Why would admin work fine on LB but a new local user works only against direct SH and not via load balancer?
... View more
- Tags:
- REST API
Labels
- Labels:
-
search head
-
search head clustering
01-09-2024
07:46 AM
1 Karma
Hi all, We are trying to deploy pre trained Deep Learning models for ESCU. DSDL has been installed and container are loaded successfully. Connection with docker is also in good shape. But when running the ESCU search, I am getting the following error messages. MLTKC error: /apply: ERROR: unable to initialize module. Ended with exception: No module named 'keras_preprocessing'
MLTKC parameters: {'params': {'mode': 'stage', 'algo': 'pretrained_dga_model_dsdl'}, 'args': ['is_dga', 'domain'], 'target_variable': ['is_dga'], 'feature_variables': ['domain'], 'model_name': 'pretrained_dga_model_dsdl', 'algo_name': 'MLTKContainer', 'mlspl_limits': {'handle_new_cat': 'default', 'max_distinct_cat_values': '100', 'max_distinct_cat_values_for_classifiers': '100', 'max_distinct_cat_values_for_scoring': '100', 'max_fit_time': '600', 'max_inputs': '100000', 'max_memory_usage_mb': '4000', 'max_model_size_mb': '30', 'max_score_time': '600', 'use_sampling': 'true'}, 'kfold_cv': None, 'dispatch_dir': '/opt/splunk/var/run/splunk/dispatch/1704812182.86156_AC9C076F-2C37-4E94-9DD0-0AE04AEB7952'} From search.log 01-09-2024 09:56:44.725 INFO ChunkedExternProcessor [47063 ChunkedExternProcessorStderrLogger] - stderr: MLTKC endpoint: https://docker_host:32802
01-09-2024 09:56:44.850 INFO ChunkedExternProcessor [47063 ChunkedExternProcessorStderrLogger] - stderr: POST endpoint [https://docker_host:32802/apply] called with payload (2298991 bytes)
01-09-2024 09:56:45.166 INFO ChunkedExternProcessor [47063 ChunkedExternProcessorStderrLogger] - stderr: POST endpoint [https://docker_host:32802/apply] returned with payload (134 bytes) with status 200
01-09-2024 09:56:45.166 ERROR ChunkedExternProcessor [47063 ChunkedExternProcessorStderrLogger] - stderr: MLTKC error: /apply: ERROR: unable to initialize module. Ended with exception: No module named 'keras_preprocessing'
01-09-2024 09:56:45.167 ERROR ChunkedExternProcessor [47063 ChunkedExternProcessorStderrLogger] - stderr: MLTKC parameters: {'params': {'mode': 'stage', 'algo': 'pretrained_dga_model_dsdl'}, 'args': ['is_dga', 'domain'], 'target_variable': ['is_dga'], 'feature_variables': ['domain'], 'model_name': 'pretrained_dga_model_dsdl', 'algo_name': 'MLTKContainer', 'mlspl_limits': {'handle_new_cat': 'default', 'max_distinct_cat_values': '100', 'max_distinct_cat_values_for_classifiers': '100', 'max_distinct_cat_values_for_scoring': '100', 'max_fit_time': '600', 'max_inputs': '100000', 'max_memory_usage_mb': '4000', 'max_model_size_mb': '30', 'max_score_time': '600', 'use_sampling': 'true'}, 'kfold_cv': None, 'dispatch_dir': '/opt/splunk/var/run/splunk/dispatch/1704812182.86156_AC9C076F-2C37-4E94-9DD0-0AE04AEB7952'}
01-09-2024 09:56:45.167 ERROR ChunkedExternProcessor [47063 ChunkedExternProcessorStderrLogger] - stderr: apply ended with options {'params': {'mode': 'stage', 'algo': 'pretrained_dga_model_dsdl'}, 'args': ['is_dga', 'domain'], 'target_variable': ['is_dga'], 'feature_variables': ['domain'], 'model_name': 'pretrained_dga_model_dsdl', 'algo_name': 'MLTKContainer', 'mlspl_limits': {'handle_new_cat': 'default', 'max_distinct_cat_values': '100', 'max_distinct_cat_values_for_classifiers': '100', 'max_distinct_cat_values_for_scoring': '100', 'max_fit_time': '600', 'max_inputs': '100000', 'max_memory_usage_mb': '4000', 'max_model_size_mb': '30', 'max_score_time': '600', 'use_sampling': 'true'}, 'kfold_cv': None, 'dispatch_dir': '/opt/splunk/var/run/splunk/dispatch/1704812182.86156_AC9C076F-2C37-4E94-9DD0-0AE04AEB7952'} Has anyone run into this before? We have Golden Image CPU running . Following shows up in container logs. Thanks
... View more
Labels
- Labels:
-
troubleshooting
12-19-2023
04:53 AM
@dtburrows3 Thank you!! This worked perfectly. No memory issues either. Do you know if there is a way to apply these using props/transforms or are these strictly in-line search time transformations?
... View more
12-18-2023
07:27 PM
Thanks @dtburrows3 This method worked perfectly. Able to extract the required fields while still keeping associations intact. although running this at scale, I am getting the following message. command.mvexpand: output will be truncated at 2200 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached. Are there any alternatives to mvexpand that would avoid these memory issues?
... View more
12-18-2023
05:02 PM
@dtburrows3 Thank you for the reply. Tried these eval and the fields are getting extracted from the tuples, but it seems the association between them is lost. For this one event, there are total 17 tuples. But after applying evals, resulting stats shows several other combinations between src_ip & dst_ip. Stats for field records{}.properties.flows{}.flows{}.flowTuples{} stats on src_ip,dst_ip after applying eval
... View more
12-18-2023
11:26 AM
Hi, We are ingesting Azure NSG flow logs and visualizing them using app Microsoft Azure App for Splunk https://splunkbase.splunk.com/app/4882 Data is in JSON format with multiple levels/records in a single event. Each record can have multiple flows, flow tuples etc. Adding few screenshots here to give the context. Default extractions for the main JSON fields look fine. But when it comes to values within the flow tuple field, i.e. records{}.properties.flows{}.flows{}.flowTuples{}, Splunk only keeps values from the very first entry. How can I make these src_ip, dest_ip fields also get multiple values(across all records/flow tuples etc) Splunk extracts values only from that first highlighted entry Here is the extraction logic from this app. [extract_tuple]
SOURCE_KEY = records{}.properties.flows{}.flows{}.flowTuples{}
DELIMS = ","
FIELDS = time,src_ip,dst_ip,src_port,dst_port,protocol,traffic_flow,traffic_result Thanks,
... View more
- Tags:
- extraction
- json
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-28-2025
09:04 AM
|
Karma given to
