Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ACingo17
ACingo17
Explorer
Member since:
05-14-2019
04-09-2023
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 05-14-2019 |
Activity Feed
- Posted Re: Is there an updated blueprint for Splunk Enterprise Security Certified Admin? on Training + Certification Discussions. 04-09-2023 11:54 AM
- Got Karma for Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search. 06-05-2020 12:50 AM
- Posted Re: Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search on All Apps and Add-ons. 11-24-2019 03:12 PM
- Posted Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search on All Apps and Add-ons. 11-19-2019 01:52 PM
- Tagged Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search on All Apps and Add-ons. 11-19-2019 01:52 PM
- Tagged Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search on All Apps and Add-ons. 11-19-2019 01:52 PM
- Tagged Splunk_TA_infoblox ver 1.1.0 default props for sourcetype infoblox:dns doesn't extract expected fields on search on All Apps and Add-ons. 11-19-2019 01:52 PM
- Posted Re: the dashboard of cisco ise app show no results while the indexer or cisco ise app has received log file from ise? on All Apps and Add-ons. 10-28-2019 03:21 PM
- Posted TA-Azure_Monitor is looking for self signed certificate to key chain. Has anyone seen this before? on All Apps and Add-ons. 05-14-2019 12:22 PM
- Tagged TA-Azure_Monitor is looking for self signed certificate to key chain. Has anyone seen this before? on All Apps and Add-ons. 05-14-2019 12:22 PM
- Tagged TA-Azure_Monitor is looking for self signed certificate to key chain. Has anyone seen this before? on All Apps and Add-ons. 05-14-2019 12:22 PM
Topics I've Started
04-09-2023
11:54 AM
Unfortunately, for the Splunk Enterprise Security Certified Admin the blueprint shows to study for glasstables, which is not on the actual class documentation. The only way to study is to use the class documentation for the correct version of Enterprise Security If you check revision history Glass tables are no longer available in Enterprise Security version 6.6.0 or higher. Whomever is in charge of blueprints should be matching the correct versons and correct class documentation. This is just informational as I no longer need an answer
... View more
11-24-2019
03:12 PM
thanks, yes the examples are from the current props and transforms directly from the Splunk Infoblox TA
that is why I find it odd that searchtime extractions don't extract.
I've read the docs multiple times and the TA is working correctly through the indexer tier and just serchtime extractions don't work.
Since this is a TA supported by Splunk I'm going to go the route of support case and realtime screen share troubleshooting
for example -- dns_response , shouldn't this look for the word response and then return what is found after the word ?
... View more
11-19-2019
01:52 PM
1 Karma
Had infoblox syslog onboarded via syslog-ng which prepended date hostname to syslog event
On the searchhead cluster have the correct Splunk_TA_infoblox ver 1.1.0 and the props.conf/transforms.conf has a number of fields that should extract on search but nothing extracts dns_request dns_request_src dns_request_record_type
example: props.conf
[infoblox:dns]
#Reports
REPORT-dns_extract = dns_request, dns_request_src, dns_request_record_type
REPORT-dns_extract_2 = dns_response,dns_incepted,dns_records_extract, dns_response_src,dns_response_dest, dns_response_record_type
REPORT-dns_rpz_extract = dns_rpz_cef_0
REPORT-dns_fields_1 = infoblox_dns_extract_field_0, infoblox_dns_extract_field_1, infoblox_dns_extract_field_2, infoblox_dns_extract_field_3, infoblox_dns_extract_field_4, infoblox_dns_extract_field_5,infoblox_dns_extract_field_6, infoblox_dns_extract_field_8, infoblox_dns_extract_field_9, infoblox_dns_extract_field_10
REPORT-dns_fields_2 = infoblox_dns_extract_field_11, infoblox_dns_extract_field_12, infoblox_dns_extract_field_13, infoblox_dns_extract_field_14, infoblox_dns_extract_field_15, infoblox_dns_extract_field_16, infoblox_dns_extract_field_17
REPORT-dns_rpz_fields_1 = infoblox_dns_rpz_qname_fields
example transforms.conf
[dns_request]
REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
[dns_response]
REGEX = \S+\s+(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?\d+)\]\:\s(?:infoblox-responses:\s)?(?\S+)\s(?\S+)\sclient\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+)?[\D]*\s(?\w+):\squery:\s(?\S+)\s(?\w+)\s(?\w+)\s(?response):\s(?\w+)\s(?\S+)\s?(?[\S+\s+]*)?
[dns_records_extract]
REGEX = (?\S+)\s(?\d+)\s(?\S+)\s(?\S+)\s(?\S+)
SOURCE_KEY = dns_record
MV_ADD = true
[dns_incepted]
REGEX = (?[^;]+)
SOURCE_KEY = dns_response_RR_in_TEXT
MV_ADD = true
[dns_request_src]
REGEX = (?.+)
SOURCE_KEY = dns_request_name_serverIP
[dns_response_src]
REGEX = (?.+)
SOURCE_KEY = dns_response_client_ip
[dns_response_dest]
REGEX = (?.+)
SOURCE_KEY = server_ip
[dns_request_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_request_type_name
[dns_response_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_response_type_name
example of event
Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 client X.X.X.X#58840: view 2: UDP: query: client.cldomain.net IN A response: NOERROR + client.cldomain.net. 60 IN A Y.Y.Y.Y
Does anyone have any experience with this TA and do I need to do custom extractions instead of using the TA ?
... View more
10-28-2019
03:21 PM
i've just started using the Cisco ISE app for the first time and I have all the syslog being indexed correctly into a unique index. I've updated each eventtype to include the index and the dashboards are now populating. Also, checked the TA under eventtype.conf will need to update each one with correct index
... View more
05-14-2019
12:22 PM
I'v installed TA-Azure_Monitor on HF to get Azure Monitor activity log and followed all instructions. When TA is enabled get error in splunkd.log that azure_activity_log.sh has error getting eventhub credentials because it is looking for self signed certificate added to chain. Does anyone know how this is done ?
... View more
