Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About edoardo_vicendo
edoardo_vicendo
Communicator
Member since:
09-19-2016
4 weeks ago
Community Statistics
| Posts | 60 |
| Solutions | 4 |
| Karma Given | 44 |
| Karma Received | 8 |
| Member Since | 09-19-2016 |
Activity Feed
- Posted Re: Why am I unable to monitor $SPLUNK_HOME/var/log/splunk/audit.log on my Linux Universal Forwarders? on Getting Data In. 4 weeks ago
- Posted Re: Splunk Universal Forwarders audit logs merged - audit.conf configuration on Getting Data In. 4 weeks ago
- Posted Re: What happened to Answers? The change is for the worse on Feedback. 07-02-2020 09:37 AM
- Karma Re: List all Splunk Servers with a REST search command for soutamo. 07-02-2020 09:20 AM
- Karma Re: List all Splunk Servers with a REST search command for richgalloway. 07-02-2020 09:20 AM
- Karma Re: List all Splunk Servers with a REST search command for richgalloway. 07-02-2020 09:19 AM
- Karma Re: List all Splunk Servers with a REST search command for soutamo. 07-02-2020 09:19 AM
- Posted Re: List all Splunk Servers with a REST search command on Splunk Search. 07-02-2020 02:56 AM
- Posted Re: List all Splunk Servers with a REST search command on Splunk Search. 07-02-2020 02:46 AM
- Posted Splunk Universal Forwarders audit logs merged - audit.conf configuration on Getting Data In. 07-02-2020 02:06 AM
- Posted Re: List all Splunk Servers with a REST search command on Splunk Search. 07-02-2020 01:14 AM
- Posted Re: List all Splunk Servers with a REST search command on Splunk Search. 07-02-2020 01:09 AM
- Posted List all Splunk Servers with a REST search command on Splunk Search. 07-01-2020 09:31 AM
- Posted Re: Why am I unable to monitor $SPLUNK_HOME/var/log/splunk/audit.log on my Linux Universal Forwarders? on Getting Data In. 06-25-2020 09:05 AM
- Karma Re: Monitoring file is not indexing anymore - WatchedFile - File too small to check seekcrc, probably truncated for jawaharas. 06-25-2020 08:47 AM
- Karma Re: Monitoring file is not indexing anymore - WatchedFile - File too small to check seekcrc, probably truncated for spunk311z. 06-25-2020 08:47 AM
- Karma Re: How to compare two strings and find the difference for woodcock. 06-05-2020 12:50 AM
- Karma Re: How come my fields are not showing in additional field under incident review in Splunk Enterprise Security? for harsmarvania57. 06-05-2020 12:50 AM
- Karma Re: "invalid key in stanza" error after restarting the forwarder using Splunk_TA_nix (Splunk Add-on for Unix and Linux) in eventgen.conf on forwarders running on AIX operating system for ragedsparrow. 06-05-2020 12:50 AM
- Karma Re: "invalid key in stanza" error after restarting the forwarder using Splunk_TA_nix (Splunk Add-on for Unix and Linux) in eventgen.conf on forwarders running on AIX operating system for woodcock. 06-05-2020 12:50 AM
4 weeks ago
Here my answer on another thread to solve, once audit.log was ingested, the issue with merged events: https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarders-audit-logs-merged-audit-conf/m-p/507005/thread-id/86283/highlight/false#M86666
... View more
4 weeks ago
I have been able to solve this with Splunk support. So basically there are 2 options: OPTION 1 - enable UF audit.log monitoring + force local processing on UF This option increase a little bit the cpu consumption on UF because you have to parse the events directly on UF, but it will be enabled only for this specific sourcetype and usually few audit events per day on each UF are generated. On UF: myapp/local/inputs.conf # Specific configuration to enable monitoring Splunk Universal Forwarder audit logs
# by default they are sent to null queue
#*nix
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
index = _audit
sourcetype = audittrail
source = audittrail
#Windows
[monitor://$SPLUNK_HOME\var\log\splunk\audit.log]
index = _audit
sourcetype = audittrail
source = audittrail myapp/local/props.conf [audittrail]
SHOULD_LINEMERGE = false
force_local_processing = true OPTION 2 - enable UF audit.log monitoring + enable HF event parsing This has been tested only on *nix On UF (local/inputs.conf) [monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
index = _audit
sourcetype = ufw_audittrail
source = ufw_audittrail on HF (local/props.conf) [ufw_audittrail]
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
TIME_PREFIX = ^ Best Regards, Edoardo
... View more
07-02-2020
09:37 AM
Where is it possible to suggest for improvements on the new UI? Is this thread the correct place? Thanks a lot, Edoardo
... View more
07-02-2020
02:56 AM
In the meanwhile I found this, if executed from the Monitoring Console it reports all the Splunk Servers: | rest /services/server/status count=0 splunk_server=* | dedup splunk_server | table splunk_server Now need to check if the same REST call can be done from the Search Head to the Monitoring Console (that in my deployment is in a different server).
... View more
07-02-2020
02:46 AM
@soutamo Thank you, I know how to do a SPL REST call, the point is that I don't know which is (or which are) the REST calls to be done to list all the servers within a Splunk deployment
... View more
07-02-2020
02:06 AM
Hi All, As indicated here (https://community.splunk.com/t5/Getting-Data-In/Why-am-I-unable-to-monitor-SPLUNK-HOME-var-log-splunk-audit-log/m-p/506185#M86203), I have been able to get the audit.log from our Universal Forwarders with audittrail sourcetype. Unfortunately sometimes those events read from $SPLUNK_HOME/var/log/splunk/audit.log are merged in a unique event (even if each event is in a new line and starts with a timestamp). In our deployment we have Universal Forwarders sending data to Heavy Forwarders that then send them to Indexers: UF --> HF --> IDX What I tried to do is to deploy a props.conf on the HF to indicate the following: [audittrail]
SHOULD_LINEMERGE = false
SEDCMD = s/\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}.* INFO AuditLogger - //g But even the SEDCMD is not applied. And I can see with the following command that the configuration are properly read in the HF: splunk btool props list --debug Due to that I tried adding this props.conf directly on the UF and it is working (but it is not a good solution for us because we don't want to force the local processing on the UF). [audittrail]
SHOULD_LINEMERGE = false
SEDCMD = s/\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}.* INFO AuditLogger - //g
force_local_processing = true I believe the issue is related to the fact that the audit logs from UF are sent to HF indexQueue instead of parsingQueue. I tried also to add the audit.conf file both in UF and HF as follow without any luck: [default]
queueing=false Reading further on Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Auditconf) : queueing = <boolean>
* Whether or not audit events are sent to the indexQueue.
* If set to "true", audit events are sent to the indexQueue.
* If set to "false", you must add an inputs.conf stanza to tail the
audit log for the events reach your index.
* Default: true My questions are: Do you know what does it means "If set to "false", you must add an inputs.conf stanza to tail the audit log for the events reach your index." Do you have any idea on how to apply on the HF the props.conf to the audit events coming from the UF without having to deploy it directly on UF with force_local_processing=true Thanks a lot, Edoardo
... View more
07-02-2020
01:14 AM
@soutamo Thank you for the very useful documentation, I'll keep in mind. Unfortunately it does not solve my problem
... View more
07-02-2020
01:09 AM
@richgalloway Thanks for your feedback. Do you think that from the Search Head, with the SPL rest command, is it possible to perform a rest call to the Monitoring console to get the values showed on "Instances" view?
... View more
07-01-2020
09:31 AM
I know this has been probably asked before, but I didn't found an answer yet. Is there any way to know which are all the Splunk Servers (Search Heads, Indexers, Deployment Server, Master Node etc..) in a distributed environment with a REST call made via SPL? It would be grateful if the query does not have to be run from the Server instance where the Monitoring Console is enabled. Basically I would need to have the same result you can get clicking on "Instances" in the Monitoring Console. Thanks a lot, Edoardo
... View more
Labels
06-25-2020
09:05 AM
Hi, I tried with the posted solution but unfortunately it was not successful, therefore I worked directly with the Splunk support team to solve this, here below our findings. Basically the audit.log from the Splunk Universal Forwarders is not indexed due to the fact that there is a default configuration that send it to null queue: default/props.conf [source::.../var/log/splunk/audit.log(.\d+)?]
TRANSFORMS = send_to_nullqueue
sourcetype = splunk_audit even overwriting it with a local stanza was not working. local/props.conf [source::.../var/log/splunk/audit.log(.\d+)?]
TRANSFORMS = nostanza
sourcetype = splunk_audit In order to solve it, it is needed to bypass the default configuration that is sending to null queue with a monitor stanza in inputs.conf, therefore I created a specific app in the Deployment Server and deployed to all the Splunk Universal Forwarders (*nix and Windows): myapp/local/inputs.conf # Specific configuration to enable monitoring Splunk Universal Forwarder audit logs
# by default they are sent to null queue
#*nix
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
index = _audit
sourcetype = audittrail
source = audittrail
#Windows
[monitor://$SPLUNK_HOME\var\log\splunk\audit.log]
index = _audit
sourcetype = audittrail
source = audittrail In this way the Splunk Universal Forwarders audit logs will be indexed in the same index and with the same source and sourcetype of the one coming from Splunk Enterprise servers (Search Heads, Indexers, Master Node, Deployment Server, Heavy Forwarders, License Master etc...). NOTE: sourcetype --> it need to be audittrail otherwise data are not ingested source --> it need to be different from $SPLUNK_HOME/var/log/splunk/audit.log otherwise data are not ingested I hope this can help you! Best Regards, Edoardo
... View more
05-07-2020
06:21 AM
I faced the same issue during Splunk ES upgrade in a test environment with a machine having few resources (8 CPU 8GB RAM).
We have solved the problem increasing the resources to (16 CPU and 16GB RAM).
Even with increased resources we hit 1 timeout, clicking again to restart the process it then finalized the installation.
I believe that if it wouldn't have worked I would have followed the solution proposed by @jwelchsplunk adding the essadmin (I mean I even tried that but if I add the ess_admin, after saving it show I have the power role instead)
... View more
01-30-2020
06:57 AM
I struggled a little bit mee too on those backlists in [monitor://] stanza.
The point is that you should write a regular expression and not the absolute path
Try this balcklist setting in your stanza, it should work
[monitor:///var/log]
disabled=0
blacklist=\/var\/log\/gitlab\/.*
... View more
11-06-2019
05:36 AM
1 Karma
it worked also for me, thanks for your solution
... View more
11-05-2019
07:04 AM
For your info, I didn't came up with a solution on Powershell that's why we have re-written the script in VBScript and it is working properly.
I will leave the answer open just to see if someone encountering the same issue has been able to solve it.
... View more
11-05-2019
07:00 AM
@MuS
Thanks a lot for your feedback!
... View more
11-05-2019
06:59 AM
1 Karma
@woodcock
Thanks a lot I have followed one of your previous solutions (see https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html) and it worked fine
... View more
11-04-2019
09:56 AM
1 Karma
Hi all,
In the middle of a search, I have two string fields, one is called A and the other B (both have the ";" as delimiter but the number of values inside is variable):
A=test;sample;example
B=test;sample;example;check
I would like to compare the two string and have the difference as result in a new field called C (so suppose C=check).
Is there any way to achieve that (like doing an Excel VLOOKUP without performing a sub-search that can affect the search performance)?
Thanks a lot,
Edoardo
... View more
10-10-2019
07:42 AM
1 Karma
Hi All,
I have a strange behavior with a scheduled Powershell script.
The .ps1 script simply execute in a Try Catch statement:
Get-ADUser -Properties * - Filter * | Select-Object AccountExpirationDate, AccountExpires, @{L = "AuthenticationPolicy; E = {$_.AuthenticationPolicy -join";"}} etc.. for all the requested objects
Note: The Hash Table is needed to avoid having System.Object[] for some fields, as described at the following link:
https://community.spiceworks.com/topic/2144503-how-to-get-everything-and-i-mean-everything-about-your-ad-users-into-a-csv
The problem is the following:
Once the script is deployed from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
At the first scheduled attempt (and for the next ones), the script runs but generates an output containing most of all the fields, but the majority of them are empty. The only one with values are: DistinguishedName, GivenName, Name, ObjectGuid, SamAccountName, SID, UserPrincipalName, PropertyCount
If the script is deployed again from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
for info here the inputs.conf
[powershell://myscriptedinput]
script = . "$SplunkHome\etc\apps\myapp\bin\myscript.ps1"
index = myindex
sourcetype = mysourcetype
schedule = 0 6 * * *
disabled = 0
Do you have any idea why this could happen?
Thanks a lot,
Edoardo
... View more
08-28-2019
05:52 AM
Hello All,
I know this is a very generic questions, but is there anybody that can provide an high level estimation of the the volume of data per server/node in MBytes/day integrating Splunk with Red Hat OpenShift using the new Splunk Connect for Kubernetes (see Splunk Connect for OpenShift – Logging Part)?
The aim is to log:
Splunk Kubernetes objects
Splunk Kubernetes logging
Splunk Kubernetes metrics
We would then visualize everything that has been ingested thanks to "Splunk App for Infrastructure" already built by Splunk.
Thanks a lot,
Edoardo
... View more
08-18-2019
03:52 AM
Hello All,
I am trying to download the "User Behavior Analytics" documentation in PDF clicking on "Download manual as PDF" but some pages are cut respect to what can be found on the website, see for example this link:
link text
at page 9 and 10 the table is cut missing some information.
For instance the same happens at page 4 and 5 clicking on "Download topic as a PDF".
I tried with different browsers and OS but the issue is still present, is there any way to fix it?
I know you can consult the documentation directly with a Browser but it would be great to have it also in PDF format.
Another question, do you think it could be feasible to provide it in Kindle or E-Reader format, so that it can be read off-line with an E-ink device?
Thanks a lot,
Edoardo
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
4 weeks ago
|
Karma given to
