Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About abhijittikekar
abhijittikekar
Contributor
Member since:
08-30-2013
06-05-2020
Community Statistics
| Posts | 152 |
| Solutions | 8 |
| Karma Given | 27 |
| Karma Received | 18 |
| Member Since | 08-30-2013 |
Activity Feed
- Karma Re: Enable All Splunk Enterprise Security Features for woodcock. 06-05-2020 12:50 AM
- Got Karma for DBConnect Behavior. Not pulling rows as per fetch size.. 06-05-2020 12:50 AM
- Got Karma for Java Invalid Parameter Error when using DBConnect Rising Column. 06-05-2020 12:50 AM
- Got Karma for Re: Can you help me improve the performance of a custom search?. 06-05-2020 12:50 AM
- Got Karma for Is it possible to search against all datamodels for all available sourcetypes in a single query?. 06-05-2020 12:50 AM
- Got Karma for Splunk web stuck at Loading page... 06-05-2020 12:50 AM
- Karma dbconnect 3.X -jtds****.tmp file issue for splunk24. 06-05-2020 12:49 AM
- Karma Why am I getting an error while entering API credentials? for dmarcantonionw. 06-05-2020 12:49 AM
- Karma Notice: Sophos Central App for Splunk is retiring... for nickhillscpl. 06-05-2020 12:49 AM
- Karma Re: Sophos Central App for Splunk unable to make connection to API for nickhillscpl. 06-05-2020 12:49 AM
- Karma Re: Why is my search unable to match csv data against indexed events? for jkat54. 06-05-2020 12:49 AM
- Karma Re: Why is my search unable to match csv data against indexed events? for somesoni2. 06-05-2020 12:49 AM
- Got Karma for Re: Why is my search unable to match csv data against indexed events?. 06-05-2020 12:49 AM
- Got Karma for Re: Why is my search unable to match csv data against indexed events?. 06-05-2020 12:49 AM
- Got Karma for Is there any way to speed up eStreamer eNcore data collection?. 06-05-2020 12:49 AM
- Got Karma for Unable to see all events Indexed by splunk via eStreamer eNcore.. 06-05-2020 12:49 AM
- Got Karma for What versions of these 2 apps are compatible: Splunk Common Information Model (CIM) add-on and the Cisco eStreamer eNcore Add-on for Splunk?. 06-05-2020 12:49 AM
- Karma Re: Why cant Enterprise Security App see data from a specific index despite having correct tags? for mdessus_splunk. 06-05-2020 12:48 AM
- Karma Re: Why we are unable to add a cluster member via CLI to our existing search head cluster? for dolivasoh. 06-05-2020 12:48 AM
- Karma Re: How to remove "missing" forwarders from the Distributed Management Console? for hexx. 06-05-2020 12:48 AM
05-21-2020
08:04 AM
Hi,
We are using the latest version for TA-dmarc add-on for Splunk (3.2.1). Connection seems to be successful and debug logs show that add-on is able to read the messages:
2020-05-21 09:00:54,162 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | get_dmarc_messages: successfully connected to x.y.com
2020-05-21 09:00:54,769 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX
2020-05-21 09:00:54,916 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX match subject "Report domain:"
For new messages I can also see Add-on writing the data.
2020-05-21 09:30:54,469 DEBUG pid=131084 tid=MainThread file=base_modinput.py:log_debug:286 | write_part_to_file: saved file /tmp/tmpEH0vFq/test.com!xyz.com!1589932800!1590019200!star.xml from uid 48
But I do not see anything showing up under index=dmarc (This is the index set in the config).
I do see the following repeated:
2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 (body: {})
2020-05-21 09:00:54,942 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 HTTP/1.1" 200 389
2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005052
2020-05-21 09:00:50,982 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:51,953 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:52,712 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:54,026 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | Success creating temporary directory /tmp/tmptGt5ME
2020-05-21 09:00:54,026 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | Start processing imap server x.y.com with use_ssl True
2020-05-21 09:00:54,162 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | get_dmarc_messages: successfully connected to x.y.com
2020-05-21 09:00:54,769 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX
2020-05-21 09:00:54,916 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX match subject "Report domain:"
2020-05-21 09:00:54,917 INFO pid=165192 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2020-05-21 09:00:54,917 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/config/TA_dmarc_checkpointer (body: {})
2020-05-21 09:00:54,918 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:54,927 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/config/TA_dmarc_checkpointer HTTP/1.1" 200 5241
2020-05-21 09:00:54,928 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.010589
2020-05-21 09:00:54,928 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/config/ (body: {'offset': 0, 'count': -1, 'search': 'TA_dmarc_checkpointer'})
2020-05-21 09:00:54,931 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/config/?offset=0&count=-1&search=TA_dmarc_checkpointer HTTP/1.1" 200 4439
2020-05-21 09:00:54,932 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003590
2020-05-21 09:00:54,934 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_25 (body: {})
2020-05-21 09:00:54,937 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_25 HTTP/1.1" 200 388
2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003830
2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 (body: {})
2020-05-21 09:00:54,942 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 HTTP/1.1" 200 389
2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005052
2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_31 (body: {})
2020-05-21 09:00:54,947 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_31 HTTP/1.1" 200 340
2020-05-21 09:00:54,948 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004498
2020-05-21 09:00:54,948 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_38 (body: {})
2020-05-21 09:00:54,952 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_38 HTTP/1.1" 200 388
2020-05-21 09:00:54,953 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004457
2020-05-21 09:00:54,953 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_42 (body: {})
2020-05-21 09:00:54,956 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_42 HTTP/1.1" 200 340
2020-05-21 09:00:54,957 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004431
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids on imap set([25, 42, 28, 38, 31])
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids on imap set([25, 42, 28, 38, 31])
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids in checkp set([25, 42, 28, 38, 31])
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids new set([])
2020-05-21 09:00:54,958 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | Ended processing imap server x.y.com
2020-05-21 09:00:54,959 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | Success deleting temporary directory /tmp/tmptGt5ME
How can I troubleshoot this further?
Thanks,
~ Abhi
... View more
10-11-2019
09:03 AM
we are running into same issue. Has anyone encountered this situation before? Any way to re-direct these files elsewhere?
... View more
09-20-2019
10:38 AM
1 Karma
All,
We are working on setting up a Input for SQL Server. DBX Version is 3.1.4.
Table currently contains roughly 2M rows and there is a Auto-increment column(int) that we are using for Rising column. Under "Fetch Size" for both Connection as well as Input I've set 5000 rows. Max Rows is left at 0.
When the Input is saved, first query pulls around 21K rows. Next time when it runs(Every 5 minutes), DBX pulls only 344 Rows each time. I am not able to figure out how to have it retrieve more than that. We are also noticing that after 2nd run time, the Rising column isin't rising anymore and DBConnect keeps pulling same 344 rows over and over at each interval.
I read that Fetch Size might not be considered depending on the driver but if that is the case here can anything else be done to fetch all the rows from DB? We are using MS-SQL Server Using jTDS Driver . At this point our main goal is to get all the rows from DB into Splunk to Analyze the data.
[UPDATE]
Screenshot from modinputs. Rising Column stops after few entries.
Thanks in Advance,
~ Abhi
... View more
04-10-2019
11:17 AM
To test, I edited the checkpoint value manually and set it to the current time. After saving, the input started working properly and checkpoint was getting updated with the latest data but after a while it again went back to the old checkpoint value I had set.
... View more
04-10-2019
10:33 AM
Hi,
I am using DB Connect V2(Configured on Indexer) to pull data from MSSQL Database with timestamp as the Rising Column. Data in the preview looks good but once the input is saved, each query pulls everything from the checkpoint timestamp onward instead of pulling only the rows that were added after the last updated checkpoint.
SELECT COLUMN1,
COLUMN2,
COLUMN3,
COLUMN4,
TIMESTAMP
FROM <Table_Name>
WHERE TIMESTAMP > ?
ORDER BY TIMESTAMP DESC
Is there anything else I am missing in the configuration?
~ Abhi
... View more
04-04-2019
06:35 AM
Thank you.
We have defined the custom groups to identify these servers but it would have been nice to create new roles so that it doesn't club such servers as a Search Head under Overview.
~ Abhi.
... View more
04-03-2019
04:06 PM
[update]
It started working by changing WebSSL to true in web.conf
[settings]
enableSplunkWebSSL = 1
Since we are doing SSL on the LB URL, local https setting was conflicting and hence we had to change individual cluster members to http. Does anyone know if this is a bug where http gets stuck at Loading? This was working earlier and only change was upgrade of Splunk ES.
~ Abhi
... View more
04-03-2019
04:00 PM
1 Karma
Hi,
Has anyone come across the following issue where Splunk web loads but gets stuck at Loading prompt?
This was noticed after we upgraded ES app via deployer(5.0.0 -> 5.2.2). But we are also having some SHC related issue so not sure if this is anything related to a setting in Splunk ES app or completely unrelated.
Splunk version is on 7.2.4.2
Any help is appretiated..
Thanks,
~ Abhi
... View more
- Tags:
- splunk-enterprise
04-03-2019
06:16 AM
Hi,
Does anyone know a way to add a custom Server role in monitoring console? We have a staging instance which we use only for deploying/configuring apps before they are moved to Deployer. Existing roles do not have anything that matches Staging so we end up selecting Search Head role for this server.
Just wondering if this can be done so that Console can be more consistent with current setup.
Thanks,
~ Abhi
... View more
04-03-2019
06:11 AM
Hi,
We have a Search Head Cluster with 3 members. Originally when the cluster was setup there was a 4th member that was eventually removed and turned into a Stand-alone SH. If we check the shcluster-status, only the 3 current members are listed and command run on 4th clearly says that clustering is not enabled. But for some reason, Monitoring Console still thinks the 4th member is part of the cluster although it doesn't have any clustering data on it.
Not sure where this information is coming from but is there a way to clean this up?
Thanks in advance,
~ Abhi
... View more
03-06-2019
07:44 AM
Hi,
I want to extract the sub-fields that are part of the Message field content. e.g.
Message=Account locked out
Client Computer : xxxxxxx
Account DN : CN=,OU=,OU=,OU=,OU=,DC=x,DC=y,DC=z
Object Class : user
Object GUID : CN=,OU=,OU=,OU=,OU=,DC=,DC=,DC= Request ID : {0637DFC03183}
Here everything is the value of "Message" field. We would like them to be their own field:value pair, e.g.
Message=Account locked out
Client Computer = xxxxxxx
Account DN = CN=,OU=,OU=,OU=,OU=,DC=x,DC=y,DC=z
Splunk does this by default for other known WinEventLog sources, e.g. Security or Application. but it doesn't parse the Message value in this particular case so we end up with the entire Message content dumped into one single value.
~ Abhi
... View more
02-20-2019
07:07 AM
Hi,
We have an alert set to sent email each time a Firewall failover occurs. Alert condition is pretty straightforward.
sourcetype=<Source Type> m=144 OR m=145
m=144 is "Primary firewall has transitioned to Active" where m=145 is "Secondary firewall has transitioned to Active". "host" field lets us know the firewall in question. Alert is working as expected. We get one alert when the secondary becomes active and then another when Primary takes over.
Is there a way to create an condition such that once it detects Secondary is Active(i.e. m=145), Splunk will send one alert and then continue to do so at a set frequency(Say once every 2 hours etc) until it sees a m=144 event type, i.e. Primary is now Active , coming from the same firewall(host field). Looks like I'll have to use some correlation command like transaction to achieve this.
Any ideas?
Thanks,
~ Abhi
... View more
02-12-2019
08:14 AM
For ES Threat Intel downloads, go to Configure -> Data Enrichment -> Intelligence Downloads. This screen shows you the feed status(Enabled or not) and also the URL it will reach out to download the Intel.
... View more
01-31-2019
07:35 AM
1 Karma
Hi,
I am trying to setup a new input on Splunk DBConnect (V 3.1.4) to connect and retrieve data from MSSQL Server using MS-SQL Server Using jTDS Driver . Identity and Connection were setup successfully and a simple select * from <View Name> gets the data into the Preview Data pane. But as soon as I select any Rising Column and execute the query, following error is show.
Tried different types for rising column(int, datetime etc) but they all end up with the error show above. In another thread it was mentioned that permissions on /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect might be a reason but those seem fine to me, although the folder itself is empty. There is no checkpoint value stored.
What could be causing this issue? Anything wrong with the version I am using?
Thanks,
~ Abhi
... View more
01-25-2019
07:55 AM
Hi,
I am trying to determine total license usage in GB by a certain group of assets where hostname starts with "xyz". There are a total of 24 such hosts that are currently sending data in Splunk, but I tried two different searches to get license count and both reported a different number of hosts.
Following query gave results for 10 hosts.
index=_internal host=<License Master> source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024) | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f
Whereas the following gave data only for 7 of them.
index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz* | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)
We have just one license master and both queries above were run for a 24 Hour window. How can I get the total sum of data sent by these hosts(xyz*) in the last 24 hours?
Thanks,
~ Abhi
... View more
01-21-2019
04:51 PM
Hi mgalos,
As per my understanding, tags define what ES searches/dashboards/datamodels can see. Apart from having correct tags, the data should be normalized as per CIM(https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview#WhytheCIM_exists), which means that field names need to follow a certain format(Usually for commonly used data sources like Windows Events, the TA's accompanying ES should do this for you).
Once the tags are in place and ES can see fields as per CIM, data should start populating. You can get more details on CIM ,data models and their respective Tag/field requirements here. https://docs.splunk.com/Documentation/CIM/4.12.0/User/Howtousethesereferencetables
To search data from a sourcetype against a specific Data Model, use the following search:
| datamodel Authentication search | search sourcetype=WinEventLogs
Try this with your Windows Logs against Alert and Authentication datamodels and see if you get any data.
... View more
01-16-2019
07:59 AM
1 Karma
Hi,
While tuning Splunk ES whenever there is a need to see if a datamodel can see required fields from a specific sourcetype, we use the following search
| datamodel Malware search | search sourcetype=<sourcetype>
sourcetype=* works but we still need to specify a datamodel. I was wondering if it is possible to search across all the Datamodels & All sourcetypes at once in a single query? If it is then maybe we can stats by datamodel, sourcetype to get a full picture.
Thanks,
~ Abhi
... View more
01-16-2019
07:51 AM
Hi Lakshman,
Tried using that EXTRACT (Under props.conf) but it did not create any new field.
Thanks,
~ Abhi
... View more
01-16-2019
06:59 AM
Hi Mary,
I tried applying the EXTRACT directly on _raw but results were quite different. It ended up matching few other strings in the RAW text before it could reach the "threat" part.
e.g.
cat={"appCerts": null, "id": "e3f4c2a10a24", "origin": null, "endpoint_type": "server", "name": "Manual cleanup required: 'Mal
cat={"expiration_date": "02
cat={"customer_name": "xxxxxxx", "threat": "ML
Thanks,
~ Abhi
... View more
01-16-2019
06:54 AM
Hi,
I could not find any extractions in props/transforms that are specific to "threat" field. Could it be possible that Splunk is applying some default key:value settings on thw raw data to extract this field. It is definitely part of the RAW event.
{ [-]
appCerts: null
appSha256: null
core_remedy_items: null
created_at: 2019-01-15T23:04:44.229Z
customer_id: 9beb-578eabb1179c
customer_name:
endpoint_id: 7dac66fc3eaf
endpoint_type: server
expiration_date: 02/27/2019
group: MALWARE
id: e3f4c2a10a24
location:
name: Manual cleanup required: 'Mal/Generic-S' at 'xxxxxxxx'
origin: null
severity: high
source: n/a
source_info: { [+]
}
threat: Mal/Generic-S
type: Event::Endpoint::Threat::CleanupFailed
user_id: null
when: 2019-01-15T23:04:39.000Z
}
As raw text
{"appCerts": null, "id": "e3f4c2a10a24", "origin": null, "endpoint_type": "server", "name": "Manual cleanup required: 'Mal/Generic-S' at 'xxxxx'", "created_at": "2019-01-15T23:04:44.229Z", "location": "", "core_remedy_items": null, "source": "n/a", "group": "MALWARE", "endpoint_id": "7dac66fc3eaf", "source_info": {"ip": "x.x.x.x"}, "user_id": null, "customer_id": "578eabb1179c", "type": "Event::Endpoint::Threat::CleanupFailed", "appSha256": null, "customer_name": "", "when": "2019-01-15T23:04:39.000Z", "expiration_date": "02/27/2019", "severity": "high", "threat": "Mal/Generic-S"}
Tried using EVAL with split but it adds both values(before and after delimiter) to the field. Not sure how to just keep the first part.
e.g. If I do | eval cat= split(threat,"/") on threat=Mal/Generic-S then i'll end up with cat=Mal & cat=Generic-S
Thanks,
~ Abhi
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
Karma given to
