Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About abhijittikekar
abhijittikekar
Builder
Member since:
08-30-2013
02-08-2021
Community Statistics
| Posts | 161 |
| Solutions | 8 |
| Karma Given | 27 |
| Karma Received | 22 |
| Member Since | 08-30-2013 |
Activity Feed
- Posted REST API Modular Input - JSON response gets truncated on All Apps and Add-ons. 02-08-2021 10:06 AM
- Posted How can we add original fields after using stats count? on Splunk Search. 01-19-2021 07:02 PM
- Tagged How can we add original fields after using stats count? on Splunk Search. 01-19-2021 07:02 PM
- Posted Splunk stream not adding all forwarders that match the regex for Group on All Apps and Add-ons. 01-14-2021 07:24 AM
- Posted Using Splunk Stream Aggregation with Network Resolution Data Model on Splunk Enterprise Security. 01-07-2021 01:36 PM
- Posted Lookup Error in latest Splunk Security Essentials App on All Apps and Add-ons. 12-07-2020 09:45 AM
- Posted Splunk ES cannot see data from Custom lookup on Splunk Enterprise Security. 12-04-2020 08:30 AM
- Got Karma for Is it possible to deploy a single app to SHC via Deployer?. 11-04-2020 04:56 PM
- Got Karma for LINE_BREAKER settings works when adding input manually but not through props.conf. 10-25-2020 04:17 PM
- Posted Re: LINE_BREAKER settings works when adding input manually but not through props.conf on Getting Data In. 10-23-2020 05:21 AM
- Got Karma for Re: LINE_BREAKER settings works when adding input manually but not through props.conf. 10-22-2020 09:33 PM
- Got Karma for LINE_BREAKER settings works when adding input manually but not through props.conf. 10-22-2020 09:33 PM
- Posted Re: LINE_BREAKER settings works when adding input manually but not through props.conf on Getting Data In. 10-22-2020 01:03 PM
- Posted LINE_BREAKER settings works when adding input manually but not through props.conf on Getting Data In. 10-22-2020 09:38 AM
- Karma Re: Enable All Splunk Enterprise Security Features for woodcock. 06-05-2020 12:50 AM
- Got Karma for DBConnect Behavior. Not pulling rows as per fetch size.. 06-05-2020 12:50 AM
- Got Karma for Java Invalid Parameter Error when using DBConnect Rising Column. 06-05-2020 12:50 AM
- Got Karma for Re: Can you help me improve the performance of a custom search?. 06-05-2020 12:50 AM
- Got Karma for Is it possible to search against all datamodels for all available sourcetypes in a single query?. 06-05-2020 12:50 AM
- Got Karma for Splunk web stuck at Loading page... 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 1 | |||
| 0 |
02-08-2021
10:06 AM
Hi, I am testing this Add-on to retrieve data from REST API. Connection is good and it pulls the data but every event gets truncated around the same line. Also the response doesn't seem end properly(a complete page where next can be requested). It seems as if a limit has been reached. I changed the Add-on logging level to DEBUG but do not see any error messages. Is there anything else I can check? Splunk Version - 7.2.4.2 Add-on Version - 1.9.8 Thanks, ~ Abhi
... View more
Labels
- Labels:
-
troubleshooting
01-19-2021
07:02 PM
Hi, We have a use-case where responses(host_addr) returned from DNS queries are passed through AbuseIPDB API to check for any potential matches. Since the API has a set limit we dont want to query an IP more than once. To achieve this, stats is used to get distinct values and then it is passed through the API. It works well but due to the use of "stats", we lose all the other crucial fields from the original data, e.g. src_ip, query etc. Here's a sample query: <Base Search> | stats count by host_addr | table host_addr | abuseip ipfield=host_addr | sort - AbuseConfidence Could eventstats come to the rescue here? If so, what could be a potential syntax of that search? From the other examples I saw, eventstats sees to be more useful when performing a actual stats function like sum etc. End goal is to create something like | table src_ip, query, host_addr, LastReportedAt, AbuseConfidence but also keeping API limits in check(Using only unique values of host_addr). Any pointers on this will be appreciated. Thanks, ~ Abhi
... View more
- Tags:
- eventstats
- stats
01-14-2021
07:24 AM
Hi, We are using Splunk Stream to pull logs from DNS Servers. All the target Servers have similar naming convention and do show up under preview based on the Regex Rule for the group. But one of them never becomes part of the group. This Server(003) ends up under defaultgroup. Preview lists all matched assets 003 is not added to the group Description for defaultgroup reads "Used when there is no matching group found for a given stream forwarder ID", but in this case 003 clearly matches a group along with others. Are there any other parameters apart from the name which might be playing a role here? Thanks, ~ Abhi
... View more
- Tags:
- Splunk Stream
Labels
- Labels:
-
configuration
-
troubleshooting
01-07-2021
01:36 PM
Hi, We are using Splunk Stream to get DNS logs into Splunk and it maps seamlessly with the Network Resolution Data model as well. To get cleaner data, I created another DNs stream but this time with some aggregation as shown below. Intent is to get concise summaries of DNS events without overwhelming the Indexers. Now instead of field "query", data is coming as field values(query) which no longer maps to Network Resolution Data Model. DNS.query now reads unknown. Has anyone come across this issue? Would renaming the field resolve the issue or is there a better way to fix the mapping? Thanks, ~ Abhi
... View more
Labels
- Labels:
-
using Enterprise Security
12-07-2020
09:45 AM
After Upgrading to SSE Version 3.2.2, we are getting the following error while loading the MITRE Map. Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table. Has anyone come across this while using the App? Thanks, ~ Abhi
... View more
Labels
- Labels:
-
administration
-
troubleshooting
12-04-2020
08:30 AM
Splunk Version - 7.2.4.2 Splunk ES Version - 5.3.0 Hi, I am trying to add a custom lookup within ES to define Category/Priority for certain assets. Followed this article to the letter to create lookup Table & Definitions with correct permissions. https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createlookups Lookup was also formatted as required. I was able to add the Lookup definition under Configure > Data Enrichment > Identity Management but still the new Categories do not show up under any search for the asset nor are they being used by ES for Correlations. I do see another location Configure > Content > Content Management > Create New Content > Managed Lookup but when I try to add a new Managed Lookup, this new lookup definition is not listed in the drop-down. Could this be causing ES not to read/merge the data from this new custom lookup? What is the difference between adding lookup under these two locations? Note: As a test, I added the same data in the built-in assets.csv lookup and now at least ES Asset Center can see the updated Categories for those assets but it still doesn't get added when running Searches/Data Model correlations etc. Thanks, ~ Abhi
... View more
Labels
- Labels:
-
using Enterprise Security
10-23-2020
05:21 AM
Hi @samcyber20 App that we pushed on the endpoints to collect these logs does not have any props.conf. Only inputs.conf with one stanza as I mentioned above. Does it need a props as well with any of the entries that I added on the Indexer side? Thanks, ~ Abhi
... View more
10-22-2020
01:03 PM
1 Karma
Hi @richgalloway , Yes. Both Indexer and the Search Head were restarted after making the props.conf change. Thanks, ~ Abhi
... View more
10-22-2020
09:38 AM
2 Karma
Hi, I am trying to add Snort data into Splunk by monitoring barnyard2.alert file using Universal Forwarders. [monitor:///var/log/barnyard2/barnyard2.alert]
sourcetype=snort_unified2
index=snort As explained here https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-line-breaking-a-single-IDS-Alert-event-into-two/m-p/287641#M54947 , I added same settings to props.conf(Indexer and SH) but Splunk still ends up breaking each line as a separate event, as shown below: props.conf [snort_unified2]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\[\*\*\]
TIME_PREFIX = ^([^\r\n]+[\r\n]+){2}
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %m/%d-%H:%M:%S.%6N
category = Network & Security But when I try these settings by manually adding same input it works just fine. Any ideas on what could be going wrong with props.conf? Thanks, ~Abhi
... View more
Labels
- Labels:
-
props.conf
05-21-2020
08:04 AM
Hi,
We are using the latest version for TA-dmarc add-on for Splunk (3.2.1). Connection seems to be successful and debug logs show that add-on is able to read the messages:
2020-05-21 09:00:54,162 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | get_dmarc_messages: successfully connected to x.y.com
2020-05-21 09:00:54,769 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX
2020-05-21 09:00:54,916 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX match subject "Report domain:"
For new messages I can also see Add-on writing the data.
2020-05-21 09:30:54,469 DEBUG pid=131084 tid=MainThread file=base_modinput.py:log_debug:286 | write_part_to_file: saved file /tmp/tmpEH0vFq/test.com!xyz.com!1589932800!1590019200!star.xml from uid 48
But I do not see anything showing up under index=dmarc (This is the index set in the config).
I do see the following repeated:
2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 (body: {})
2020-05-21 09:00:54,942 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 HTTP/1.1" 200 389
2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005052
2020-05-21 09:00:50,982 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:51,953 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:52,712 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:54,026 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | Success creating temporary directory /tmp/tmptGt5ME
2020-05-21 09:00:54,026 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | Start processing imap server x.y.com with use_ssl True
2020-05-21 09:00:54,162 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | get_dmarc_messages: successfully connected to x.y.com
2020-05-21 09:00:54,769 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX
2020-05-21 09:00:54,916 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | get_dmarc_messages: 5 messages in folder INBOX match subject "Report domain:"
2020-05-21 09:00:54,917 INFO pid=165192 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2020-05-21 09:00:54,917 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/config/TA_dmarc_checkpointer (body: {})
2020-05-21 09:00:54,918 INFO pid=165192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-21 09:00:54,927 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/config/TA_dmarc_checkpointer HTTP/1.1" 200 5241
2020-05-21 09:00:54,928 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.010589
2020-05-21 09:00:54,928 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/config/ (body: {'offset': 0, 'count': -1, 'search': 'TA_dmarc_checkpointer'})
2020-05-21 09:00:54,931 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/config/?offset=0&count=-1&search=TA_dmarc_checkpointer HTTP/1.1" 200 4439
2020-05-21 09:00:54,932 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003590
2020-05-21 09:00:54,934 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_25 (body: {})
2020-05-21 09:00:54,937 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_25 HTTP/1.1" 200 388
2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003830
2020-05-21 09:00:54,938 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 (body: {})
2020-05-21 09:00:54,942 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_28 HTTP/1.1" 200 389
2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005052
2020-05-21 09:00:54,943 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_31 (body: {})
2020-05-21 09:00:54,947 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_31 HTTP/1.1" 200 340
2020-05-21 09:00:54,948 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004498
2020-05-21 09:00:54,948 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_38 (body: {})
2020-05-21 09:00:54,952 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_38 HTTP/1.1" 200 388
2020-05-21 09:00:54,953 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004457
2020-05-21 09:00:54,953 DEBUG pid=165192 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_42 (body: {})
2020-05-21 09:00:54,956 DEBUG pid=165192 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-dmarc/storage/collections/data/TA_dmarc_checkpointer/x.y.com_dmarc%40xyz.com_42 HTTP/1.1" 200 340
2020-05-21 09:00:54,957 DEBUG pid=165192 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.004431
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids on imap set([25, 42, 28, 38, 31])
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids on imap set([25, 42, 28, 38, 31])
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids in checkp set([25, 42, 28, 38, 31])
2020-05-21 09:00:54,958 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | filter_seen_messages: uids new set([])
2020-05-21 09:00:54,958 INFO pid=165192 tid=MainThread file=base_modinput.py:log_info:293 | Ended processing imap server x.y.com
2020-05-21 09:00:54,959 DEBUG pid=165192 tid=MainThread file=base_modinput.py:log_debug:286 | Success deleting temporary directory /tmp/tmptGt5ME
How can I troubleshoot this further?
Thanks,
~ Abhi
... View more
10-11-2019
09:03 AM
we are running into same issue. Has anyone encountered this situation before? Any way to re-direct these files elsewhere?
... View more
09-20-2019
10:38 AM
1 Karma
All,
We are working on setting up a Input for SQL Server. DBX Version is 3.1.4.
Table currently contains roughly 2M rows and there is a Auto-increment column(int) that we are using for Rising column. Under "Fetch Size" for both Connection as well as Input I've set 5000 rows. Max Rows is left at 0.
When the Input is saved, first query pulls around 21K rows. Next time when it runs(Every 5 minutes), DBX pulls only 344 Rows each time. I am not able to figure out how to have it retrieve more than that. We are also noticing that after 2nd run time, the Rising column isin't rising anymore and DBConnect keeps pulling same 344 rows over and over at each interval.
I read that Fetch Size might not be considered depending on the driver but if that is the case here can anything else be done to fetch all the rows from DB? We are using MS-SQL Server Using jTDS Driver . At this point our main goal is to get all the rows from DB into Splunk to Analyze the data.
[UPDATE]
Screenshot from modinputs. Rising Column stops after few entries.
Thanks in Advance,
~ Abhi
... View more
04-10-2019
11:17 AM
To test, I edited the checkpoint value manually and set it to the current time. After saving, the input started working properly and checkpoint was getting updated with the latest data but after a while it again went back to the old checkpoint value I had set.
... View more
04-10-2019
10:33 AM
Hi,
I am using DB Connect V2(Configured on Indexer) to pull data from MSSQL Database with timestamp as the Rising Column. Data in the preview looks good but once the input is saved, each query pulls everything from the checkpoint timestamp onward instead of pulling only the rows that were added after the last updated checkpoint.
SELECT COLUMN1,
COLUMN2,
COLUMN3,
COLUMN4,
TIMESTAMP
FROM <Table_Name>
WHERE TIMESTAMP > ?
ORDER BY TIMESTAMP DESC
Is there anything else I am missing in the configuration?
~ Abhi
... View more
04-04-2019
06:35 AM
Thank you.
We have defined the custom groups to identify these servers but it would have been nice to create new roles so that it doesn't club such servers as a Search Head under Overview.
~ Abhi.
... View more
04-03-2019
04:06 PM
[update]
It started working by changing WebSSL to true in web.conf
[settings]
enableSplunkWebSSL = 1
Since we are doing SSL on the LB URL, local https setting was conflicting and hence we had to change individual cluster members to http. Does anyone know if this is a bug where http gets stuck at Loading? This was working earlier and only change was upgrade of Splunk ES.
~ Abhi
... View more
04-03-2019
04:00 PM
1 Karma
Hi,
Has anyone come across the following issue where Splunk web loads but gets stuck at Loading prompt?
This was noticed after we upgraded ES app via deployer(5.0.0 -> 5.2.2). But we are also having some SHC related issue so not sure if this is anything related to a setting in Splunk ES app or completely unrelated.
Splunk version is on 7.2.4.2
Any help is appretiated..
Thanks,
~ Abhi
... View more
- Tags:
- splunk-enterprise
04-03-2019
06:16 AM
Hi,
Does anyone know a way to add a custom Server role in monitoring console? We have a staging instance which we use only for deploying/configuring apps before they are moved to Deployer. Existing roles do not have anything that matches Staging so we end up selecting Search Head role for this server.
Just wondering if this can be done so that Console can be more consistent with current setup.
Thanks,
~ Abhi
... View more
04-03-2019
06:11 AM
Hi,
We have a Search Head Cluster with 3 members. Originally when the cluster was setup there was a 4th member that was eventually removed and turned into a Stand-alone SH. If we check the shcluster-status, only the 3 current members are listed and command run on 4th clearly says that clustering is not enabled. But for some reason, Monitoring Console still thinks the 4th member is part of the cluster although it doesn't have any clustering data on it.
Not sure where this information is coming from but is there a way to clean this up?
Thanks in advance,
~ Abhi
... View more
03-06-2019
07:44 AM
Hi,
I want to extract the sub-fields that are part of the Message field content. e.g.
Message=Account locked out
Client Computer : xxxxxxx
Account DN : CN=,OU=,OU=,OU=,OU=,DC=x,DC=y,DC=z
Object Class : user
Object GUID : CN=,OU=,OU=,OU=,OU=,DC=,DC=,DC= Request ID : {0637DFC03183}
Here everything is the value of "Message" field. We would like them to be their own field:value pair, e.g.
Message=Account locked out
Client Computer = xxxxxxx
Account DN = CN=,OU=,OU=,OU=,OU=,DC=x,DC=y,DC=z
Splunk does this by default for other known WinEventLog sources, e.g. Security or Application. but it doesn't parse the Message value in this particular case so we end up with the entire Message content dumped into one single value.
~ Abhi
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-08-2021
10:02 PM
|
