Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jhillenburg
jhillenburg
Path Finder
Member since:
09-06-2013
06-05-2020
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 4 |
| Member Since | 09-06-2013 |
Activity Feed
- Got Karma for Re: Why are real time searches not running and getting error "status skipped, reason="Real time searches pending""?. 06-05-2020 12:48 AM
- Karma Re: How to remove columns from search results table? for pradeepkumarg. 06-05-2020 12:47 AM
- Got Karma for Has anyone tried monitoring and searching interactive Windows Active Directory logon events?. 06-05-2020 12:47 AM
- Got Karma for How to restrict search access to certain hosts or fields on a per-user basis?. 06-05-2020 12:47 AM
- Got Karma for Dedup using time range. 06-05-2020 12:47 AM
- Posted How to use email or User Principle Name (UPN) instead of the Active Directory login? on Security. 03-16-2017 11:21 AM
- Tagged How to use email or User Principle Name (UPN) instead of the Active Directory login? on Security. 03-16-2017 11:21 AM
- Tagged How to use email or User Principle Name (UPN) instead of the Active Directory login? on Security. 03-16-2017 11:21 AM
- Tagged How to use email or User Principle Name (UPN) instead of the Active Directory login? on Security. 03-16-2017 11:21 AM
- Tagged How to use email or User Principle Name (UPN) instead of the Active Directory login? on Security. 03-16-2017 11:21 AM
- Tagged How to use email or User Principle Name (UPN) instead of the Active Directory login? on Security. 03-16-2017 11:21 AM
- Posted Re: Splunk App and Add-on for New Relic: Where are there built-in dashboards? on All Apps and Add-ons. 03-10-2017 10:30 AM
- Posted Splunk App and Add-on for New Relic: Where are there built-in dashboards? on All Apps and Add-ons. 03-10-2017 09:43 AM
- Tagged Splunk App and Add-on for New Relic: Where are there built-in dashboards? on All Apps and Add-ons. 03-10-2017 09:43 AM
- Tagged Splunk App and Add-on for New Relic: Where are there built-in dashboards? on All Apps and Add-ons. 03-10-2017 09:43 AM
- Posted Re: Why are real time searches not running and getting error "status skipped, reason="Real time searches pending""? on Splunk Search. 03-09-2017 08:59 AM
- Posted Re: Why are real time searches not running and getting error "status skipped, reason="Real time searches pending""? on Splunk Search. 03-09-2017 07:18 AM
- Posted Re: Why are real time searches not running and getting error "status skipped, reason="Real time searches pending""? on Splunk Search. 03-09-2017 07:03 AM
- Posted Re: Why are real time searches not running and getting error "status skipped, reason="Real time searches pending""? on Splunk Search. 03-09-2017 06:06 AM
- Posted Re: How to solve issue of Splunk Mobile Access Server only running on IPv6 and not being reachable over IPv4 with our CentOS Machine? on Security. 02-04-2015 09:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 |
03-16-2017
11:21 AM
We currently have our users log into Splunk using their Active Directory (AD) credentials, and specifically the SamAccountName field. In the LDAP strategies pane, there is an option for changing this field. I would like to use email or User Principle Name (UPN). Has anyone done this, and does it present a problem?
Thanks.
... View more
03-10-2017
10:30 AM
I did not have both, and it seems to be functioning properly now that I have installed the app. (I keep NewRelic stuff in a separate index, so I did have to adjust that.) What I now need to do is customize the dashboard for each of our relevant sites.
... View more
03-10-2017
09:43 AM
The Splunk App for New Relic screenshot shows a series of nice dashboard gauges, but these do not appear to be available in the app.
Am I missing something, or are they somewhere else?
If not, what searches could be used to replicate this dashboard?
Thanks.
... View more
03-09-2017
08:59 AM
1 Karma
Thanks. That has helped a lot.
... View more
03-09-2017
07:18 AM
Unless I'm missing something, cron format is the only option if I want this to run more frequently than once an hour, right?
... View more
03-09-2017
07:03 AM
Do you suggest doing the cron scheduling format? One of these is a situation where we're monitoring account lockouts, so our need is for it to be accurate enough to act upon -- say 5 minutes. What about duplicates?
... View more
03-09-2017
06:06 AM
Here's my question: What is the best way to convert a real-time alert to something more manageable, and yet maintain a similar net effect?
... View more
02-04-2015
09:53 AM
What did you use for your /etc/gai.conf? This is what I entered, and no joy.
label::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 100
#precedence ::ffff:0:0/96 10
... View more
02-03-2015
12:58 PM
I'm trying to determine what this gets me that the other responses don't. Thanks for the response.
... View more
02-03-2015
12:55 PM
Thanks. This seems to be helpful in the same manner as the response from KindaWorking,, above.
... View more
02-03-2015
12:53 PM
What I wanted to do was to pull out the area code. I think another responder below has gotten me a lot closer. However, what you have done has solved a related problem. That, I have one system where the logs easily provide me with the telephone number, but another one where I needed to perform field extract, and your regexp might be helpful. Thanks.
... View more
02-03-2015
12:51 PM
This is great, except that it matches 5-digit extensions beginning with "1".
... View more
02-03-2015
12:19 PM
I disabled the IPv6 stack on CentOS 7 using their recommended method and verified that it is disabled using sysctl -p. Even after this, Splunk Mobile does not respond to external queries. Note that the firewall is disabled as well. This is a stock, basic CentOS 7 install using the wizard and no funny options.
... View more
02-02-2015
12:42 PM
Hi. I have a series of systems (contact center, fax, Cisco CUCM, etc) where phone numbers are returned in the data. The phone numbers can be represented by:
5-digit extension (ie. x22101)
10-digit NANP number (i.e. 3125551212)
11-digit NANP number (ie. 13125551212)
E.164 number (+13125551212)
For the moment, I am not concerned about #1 or #4, but I would like to do two things: Match only callers that have 10 or 11-digit phone numbers, strip the country code "1" when it shows up, and then leave only the area code for area code mapping.
Has anyone done this?
... View more
02-02-2015
10:19 AM
I am seeing this exact same behavior, and am also running on CentOS 7.
... View more
01-28-2015
01:18 PM
What about a way, for the purposes of deduplication (though not display), to round to the nearest one minute? I'm really talking about rounding, not bucketing, which are different things.
... View more
01-27-2015
08:30 AM
1 Karma
Hi. Splunk makes it pretty easy to identify logon/logoff events. However, what I'm really interested in right now are interactive events -- ie. someone who is logging directly into a system using the console or RDP, rather than logon events that are initiated by a service starting or someone unlocking their system. Has anyone tried this before?
Thanks.
... View more
01-20-2015
12:41 PM
That certainly groups them together, though if an administrator were trying to search for the events in the logs, they would not find a precise match. Having a dedup threshold would achieve the most desirable behavior.
... View more
01-20-2015
12:28 PM
1 Karma
Hi. I am creating a search and dashboard to display our last ten locked account events. This seems to work well as I have it configured. One of the things I am doing is using the dedup command to remove extra occurrences of an event, given that the lockout events often show up on multiple Active Directory domain controllers (outlined in green below). I am using the "Account_Name" and _time values for this purpose. This works well except where the events are on different domain controllers at different times. In this case, I would prefer to dedup using a window of time (say 5 seconds), but I cannot find how to do this. Shown in the example below are some entries outlined in red, where they are the same user but at different times, and I would want to be careful to not exclude those events, so a straight dedup does not help.
Code:
EventCodeDescription="A user account was locked out" Account_Name=* NOT "Guest" Account_Domain=* Caller_Computer_Name=* dvc=* source="WinEventLog:Security" _time=* | eval Account_Name=mvindex(Account_Name,1) | dedup Account_Name _time | rename dvc AS "Domain Controller" | rename Account_Domain AS "Domain Name" | rename Caller_Computer_Name AS "Client Host" | rename Account_Name AS "Account Name" | table _time "Account Name" "Client Host" "Domain Controller" "Domain Name" | sort -_time
Thanks.
EDIT: Apparently, I am not allowed to attach images. Please see the Evernote link below:
https://www.evernote.com/shard/s26/sh/9082054d-788a-491f-92c2-66718d443740/cc2de893310866299d291983497de0dc/deep/0/Locked-Accounts---Last-10.png
... View more
01-12-2015
12:43 PM
1 Karma
Hello. I'm new to Splunk. This may become obvious with my next question: I would like to restrict access to certain hosts or fields on a per-user basis. IE. I might want our Help Desk to not be able to access the logs for a certain server, or I may want to give them access to data for a given server but not be able to view a particular field. What methods have people used for this? Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
