Hi, I am looking for a way to track when a new Splunk Forwarder connects along with the version. Was hoping to find some relevant field on Deployment Server (/services/deployment/server/clients) but I could only see lastPhoneHomeTime, nothing for when it first connected to the system. Is it possible to get this information, either from Deployment Server or Forwarder's internal logs?   Thanks, ~ Abhi   ... View more

Hi. I have a data model that consists of two root event datasets. Both accelerated using simple SPL. First dataset I can access using the following   | tstats summariesonly=t count FROM datamodel=model_name where nodename=dataset_1 by dataset_1.FieldName   But for the 2nd root event dataset, same format doesn't work. For that, I get events only by referencing the dataset along with the datamodel.   | tstats summariesonly=t count FROM datamodel=model_name.dataset_2 by dataset_2.FieldName   e.g., the following will not work.   | tstats summariesonly=t count FROM datamodel=model_name where nodename=dataset_2 by dataset_2.FieldName     I am trying to understand what causes splunk search to work differently on these datasets when both are at the same level? Thanks, ~ Abhi ... View more

Hi, We are in the process of migrating all Apps/Config's from an older standalone instance(7.2.4.2) to a newer SHC(8.1.1). A datamodel was also migrated along with the App and appears to be working fine in terms of acceleration statistics. But when I try to access using tstats, format that worked previously returns nothing. | tstats summariesonly=t count FROM datamodel="modelname.dataset" by dataset.field But if I do not mention dataset in the FROM cause, it works just fine. | tstats summariesonly=t count FROM datamodel="modelname" by dataset.field   Could I have missed something during the migration? What could be causing the previous command to not work. ... View more

Hi, I have the following search that works against a datamodel to plot a timechart. How can I use predict command with this output?     | tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t | timechart span=1h count by dataset.field usenull=f useother=f     If I try to do following,     | predict dataset.field      search failed with this error. command="predict", Unknown field: dataset.field   What is the correct way to do this?   UPDATE: Turns out, | predict "xyz" works, but this would mean it is working just for that one value of the field.   Thanks ... View more

Hi, I am trying to upload a custom CSV for Threat Intel within ES. It's a collection of multiples types of IOC's, (domain, url, hash etc) and is in the following column format. There are 343 Hash values, 20 domains and 8 URL's. Upload goes without any issues and ES collects domains and URL's right away. But Hash values seem to be ignored. Here are the file details under Threat Artifacts. When I check Threat Intel Audit, it seems to be writing to File Intel as well but hash count never gets populated in ES. What could be going wrong here? Splunk version: 8.1.1 ES Version: 6.4.0 Thanks, ~ Abhi ... View more

Hi all, We have few Custom CSV lookups that have been added to ES for Threat Intel. For the existing data, we can lookup the artifacts and confirm that those are present in ES but when adding new data to those lookups and reducing the "interval" option in Threat Intel Management, they still do not get added to ES. Current setting for the data sources is 43200 seconds (12 hrs) but even after reducing it to few minutes the new entries never make it to ES. In Threat Intel Audit I do see the intel download time change but that doesn't seem to be making any difference. Is there a way to manually force ES to re-read and add updated entries from the lookup? Thanks, ~ Abhi ... View more

Hi, I am testing this Add-on to retrieve data from REST API. Connection is good and it pulls the data but every event gets truncated around the same line. Also the response doesn't seem end properly(a complete page where next can be requested). It seems as if a limit has been reached.   I changed the Add-on logging level to DEBUG but do not see any error messages. Is there anything else I can check? Splunk Version - 7.2.4.2 Add-on Version - 1.9.8 Thanks, ~ Abhi ... View more

Hi, We have a use-case where responses(host_addr) returned from DNS queries are passed through AbuseIPDB API to check for any potential matches.  Since the API has a set limit we dont want to query an IP more than once. To achieve this, stats is used to get distinct values and then it is passed through the API. It works well but due to the use of "stats", we lose all the other crucial fields from the original data, e.g. src_ip, query etc. Here's a sample query: <Base Search> | stats count by host_addr | table host_addr | abuseip ipfield=host_addr | sort - AbuseConfidence Could eventstats come to the rescue here? If so, what could be a potential syntax of that search? From the other examples I saw, eventstats sees to be more useful when performing a actual stats function like sum etc. End goal is to create something like | table src_ip, query, host_addr, LastReportedAt, AbuseConfidence  but also keeping API limits in check(Using only unique values of host_addr). Any pointers on this will be appreciated. Thanks, ~ Abhi   ... View more

Hi, We are using Splunk Stream to pull logs from DNS Servers. All the target Servers have similar naming convention and do show up under preview based on the Regex Rule for the group. But one of them never becomes part of the group. This Server(003) ends up under defaultgroup. Preview lists all matched assets   003 is not added to the group Description for defaultgroup reads "Used when there is no matching group found for a given stream forwarder ID", but in this case 003 clearly matches a group along with others. Are there any other parameters apart from the name which might be playing a role here? Thanks, ~ Abhi ... View more

Hi, We are using Splunk Stream to get DNS logs into Splunk and it maps seamlessly with the Network Resolution Data model as well. To get cleaner data, I created another DNs stream but this time with some aggregation as shown below. Intent is to get concise summaries of DNS events without overwhelming the Indexers.   Now instead of field "query",  data is  coming  as field values(query) which no longer maps to Network Resolution Data Model. DNS.query now reads unknown. Has anyone come across this issue? Would renaming the field resolve the issue or is there a better way to fix the mapping? Thanks, ~ Abhi     ... View more

After Upgrading to SSE Version 3.2.2, we are getting the following error while loading the MITRE Map. Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.       Has anyone come across this while using the App? Thanks, ~ Abhi ... View more

Splunk Version - 7.2.4.2 Splunk ES Version - 5.3.0 Hi, I am trying to add a custom lookup within ES to define Category/Priority for certain assets. Followed this article to the letter to create lookup Table & Definitions with correct permissions. https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createlookups Lookup was also formatted as required. I was able to add the Lookup definition under Configure > Data Enrichment > Identity Management but still the new Categories do not show up under any search for the asset nor are they being used by ES for Correlations. I do see another location Configure > Content > Content Management > Create New Content > Managed Lookup but when I try to add a new Managed Lookup, this new lookup definition is not listed in the drop-down. Could this be causing ES not to read/merge the data from this new custom lookup? What is the difference between adding lookup under these two locations? Note: As a test, I added the same data in the built-in assets.csv lookup and now at least ES Asset Center can see the updated Categories for those assets but it still doesn't get added when running Searches/Data Model correlations etc. Thanks, ~ Abhi ... View more

Hi, I am trying to add Snort data into Splunk by monitoring barnyard2.alert file using Universal Forwarders.   [monitor:///var/log/barnyard2/barnyard2.alert] sourcetype=snort_unified2 index=snort   As explained here https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-line-breaking-a-single-IDS-Alert-event-into-two/m-p/287641#M54947 , I added same settings to props.conf(Indexer and SH) but Splunk still ends up breaking each line as a separate event, as shown below: props.conf   [snort_unified2] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\[\*\*\] TIME_PREFIX = ^([^\r\n]+[\r\n]+){2} MAX_TIMESTAMP_LOOKAHEAD = 25 TIME_FORMAT = %m/%d-%H:%M:%S.%6N category = Network & Security   But when I try these settings by manually adding same input it works just fine. Any ideas on what could be going wrong with props.conf? Thanks, ~Abhi   ... View more

Hi, We are using the latest version for TA-dmarc add-on for Splunk (3.2.1). Connection seems to be successful and debug logs show that add-on is able to read the messages: 2020-05-21 09:00:54,162 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | get_dmarc_messages: successfully connected to x.y.com 2020-05-21 09:00:54,769 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX 2020-05-21 09:00:54,916 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX match subject "Report domain:" For new messages I can also see Add-on writing the data. 2020-05-21 09:30:54,469 DEBUG pid=131084 tid=MainThread file=base_modinput.py:log_debug:286 | write_part_to_file: saved file /tmp/tmpEH0vFq/test.com!xyz.com!1589932800!1590019200!star.xml from uid 48 But I do not see anything showing up under index=dmarc (This is the index set in the config). I do see the following repeated: 2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 (body: {}) 2020-05-21 09:00:54,942 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 HTTP/1.1" 200 389 2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005052 2020-05-21 09:00:50,982 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2020-05-21 09:00:51,953 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2020-05-21 09:00:52,712 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2020-05-21 09:00:54,026 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | Success creating temporary directory /tmp/tmptGt5ME 2020-05-21 09:00:54,026 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | Start processing imap server x.y.com with use_ssl True 2020-05-21 09:00:54,162 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | get_dmarc_messages: successfully connected to x.y.com 2020-05-21 09:00:54,769 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX 2020-05-21 09:00:54,916 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX match subject "Report domain:" 2020-05-21 09:00:54,917 INFO pid=165192 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling 2020-05-21 09:00:54,917 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/config/TA_dmarc_checkpointer (body: {}) 2020-05-21 09:00:54,918 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2020-05-21 09:00:54,927 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/config/TA_dmarc_checkpointer HTTP/1.1" 200 5241 2020-05-21 09:00:54,928 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.010589 2020-05-21 09:00:54,928 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/config/ (body: {'offset': 0, 'count': -1, 'search': 'TA_dmarc_checkpointer'}) 2020-05-21 09:00:54,931 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/config/?offset=0&count=-1&search=TA_dmarc_checkpointer HTTP/1.1" 200 4439 2020-05-21 09:00:54,932 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003590 2020-05-21 09:00:54,934 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_25 (body: {}) 2020-05-21 09:00:54,937 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_25 HTTP/1.1" 200 388 2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003830 2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 (body: {}) 2020-05-21 09:00:54,942 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 HTTP/1.1" 200 389 2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005052 2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_31 (body: {}) 2020-05-21 09:00:54,947 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_31 HTTP/1.1" 200 340 2020-05-21 09:00:54,948 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004498 2020-05-21 09:00:54,948 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_38 (body: {}) 2020-05-21 09:00:54,952 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_38 HTTP/1.1" 200 388 2020-05-21 09:00:54,953 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004457 2020-05-21 09:00:54,953 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_42 (body: {}) 2020-05-21 09:00:54,956 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_42 HTTP/1.1" 200 340 2020-05-21 09:00:54,957 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004431 2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids on imap set([25, 42, 28, 38, 31]) 2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids on imap set([25, 42, 28, 38, 31]) 2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids in checkp set([25, 42, 28, 38, 31]) 2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids new set([]) 2020-05-21 09:00:54,958 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | Ended processing imap server x.y.com 2020-05-21 09:00:54,959 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | Success deleting temporary directory /tmp/tmptGt5ME How can I troubleshoot this further? Thanks, ~ Abhi ... View more