Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About nmohammed
nmohammed
Builder
Member since:
03-02-2015
01-27-2025
Community Statistics
| Posts | 151 |
| Solutions | 10 |
| Karma Given | 6 |
| Karma Received | 27 |
| Member Since | 03-02-2015 |
Activity Feed
- Posted Re: timestamp assignment not working ELB logs Splunk Add-on for AWS on Getting Data In. 01-27-2025 11:42 AM
- Posted Re: timestamp assignment not working ELB logs Splunk Add-on for AWS on Getting Data In. 01-24-2025 10:26 AM
- Posted timestamp assignment not working ELB logs Splunk Add-on for AWS on Getting Data In. 01-23-2025 02:32 PM
- Posted Re: Easy question.. how do I get just the HTTP response from this log? on Security. 08-21-2024 01:59 PM
- Posted Re: Json logs not parsing properly. on Dashboards & Visualizations. 08-21-2024 01:46 PM
- Posted Re: Updating Windows UF to 9.2.0.1 via SCCM - 1603 errors on Installation. 08-21-2024 12:29 PM
- Posted Re: Universal Forwarder not sending Directory Service and other logs. on Getting Data In. 08-21-2024 12:18 PM
- Posted Re: Change Index for some of the logs coming from HEC on Splunk Search. 08-19-2024 02:05 PM
- Posted Re: What is this Splunk dashboard javascript error? on Dashboards & Visualizations. 08-19-2024 01:20 PM
- Posted Re: Palo Alto custom JavaScript error caused an issue loading your dashboard. on All Apps and Add-ons. 08-19-2024 01:15 PM
- Got Karma for Re: Why does Splunk fails to start with error message "The certificate generation script did not generate the expected certificate file"?. 11-10-2023 03:26 AM
- Posted Re: How to replicate CSV(lookup) from heavy forwarder to Search Head/Indexer? on Getting Data In. 03-01-2023 05:38 PM
- Got Karma for Re: Why am unable to uninstall Splunk universal forwarder?. 01-25-2023 02:33 PM
- Got Karma for Re: extract all "cause by". 01-08-2022 10:51 PM
- Got Karma for Re: How to display limited results from a field. 11-04-2021 12:39 PM
- Got Karma for Re: How to display limited results from a field. 11-04-2021 12:39 PM
- Got Karma for Re: How to display limited results from a field. 11-04-2021 12:39 PM
- Posted Re: Extracting Account Name: on Splunk Search. 10-28-2021 04:50 PM
- Got Karma for Re: How to split the call based on TimeTaken. 10-26-2021 07:40 PM
- Karma Re: find related events for bowesmana. 10-26-2021 04:48 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-27-2025
11:42 AM
on HEC - I tried the following by moving the TIME definitions under the source (for all 3 sources) in props.conf and removed them from sourcetype. Restarted Splunk, but still did not work. [source::http:aws-lblogs]
EXTRACT-elb = ^\s*(?P<type>\S+)(\s+(?P<timestamp>\S+))(\s+(?P<elb>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<target>\S+))(\s+(?P<request_processing_time>\S+))(\s+(?P<target_processing_time>\S+))(\s+(?P<response_processing_time>\S+))(\s+(?P<elb_status_code>\S+))(\s+(?P<target_status_code>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+"(?P<request>[^"]+)")(\s+"(?P<user_agent>[^"]+)")(\s+(?P<ssl_cipher>\S+))(\s+(?P<ssl_protocol>\S+))(\s+(?P<target_group_arn>\S+))(\s+"(?P<trace_id>[^"]+)")(\s+"(?P<domain_name>[^"]+)")?(\s+"(?P<chosen_cert_arn>[^"]+)")?(\s+(?P<matched_rule_priority>\S+))?(\s+(?P<request_creation_time>\S+))?(\s+"(?P<actions_executed>[^"]+)")?(\s+"(?P<redirect_url>[^"]+)")?(\s+"(?P<error_reason>[^"]+)")?
EVAL-rtt = request_processing_time + target_processing_time + response_processing_time
priority = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = ^.*?(?=20\d\d-\d\d)
TIME_FORMAT =
MAX_TIMESTAMP_LOOKAHEAD = 28
[aws:elb:accesslogs]
... View more
01-24-2025
10:26 AM
Thanks @isoutamo , As I understand ; Since these definitions are used only at search time , then I only need the add-on installed on the search Head. On the HEC I will put the props.conf with the TIME PREFIX related regex , so time will be extracted from the incoming logs and sent to the indexers.
... View more
01-23-2025
02:32 PM
We're sending AWS ELB Access logs (Classic ELB, NLB and ALB) using Lambda to HEC. I have installed the Splunk add-on for AWS on SH and HEC . The add-on has regexes to parse the access logs and all the fields extractions from REGEX for access logs seems to be working fine. However, we're having issues with the timestamp of the event, which is also extracted as "timestamp" field and the _time is getting assigned as ingestion time instead of actual time from the event. I tried to add timestamp PREFIX in the props.conf in Splunk_TA_AWS for the aws:elb:access logs sourcetype, however, it doesn't work. Sample events - NLB - tls 2.0 2025-01-15T23:59:54 net/loadbalancerName/guid 10.xxx.xxx.1:32582 10.xxx.x.xx:443 1140251 85 3546 571 - arn:aws:acm:us-west-2:026921344628:certificate/guid - ECDHE-RSA-XXXX-GCMXXX tlsv12 - example.io - - - 2025-01-15T23:40:54 ALB - https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" TID_123456 ELB - 2018-12-31T00:08:01.715269Z loadbalancerName 187.xx.xx.xx:48364 - -1 -1 -1 503 0 0 0 "GET http://52.x.xxx.xxx:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - - props.conf ## Classic Load Balancer ##
[source::http:lblogs]
EXTRACT-elb = ^\s*(?P<timestamp>\S+)(\s+(?P<elb>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<backend>\S+))(\s+(?P<request_processing_time>\S+))(\s+(?P<backend_processing_time>\S+))(\s+(?P<response_processing_time>\S+))(\s+(?P<elb_status_code>\S+))(\s+(?P<backend_status_code>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+"(?P<request>[^"]+)")(\s+"(?P<user_agent>[^"]+)")(\s+(?P<ssl_cipher>\S+))(\s+(?P<ssl_protocol>\S+))
EVAL-rtt = request_processing_time + backend_processing_time + response_processing_time
sourcetype = aws:elb:accesslogs
## Application Load Balancer ##
[source::http:aws-lblogs]
EXTRACT-elb = ^\s*(?P<type>\S+)(\s+(?P<timestamp>\S+))(\s+(?P<elb>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<target>\S+))(\s+(?P<request_processing_time>\S+))(\s+(?P<target_processing_time>\S+))(\s+(?P<response_processing_time>\S+))(\s+(?P<elb_status_code>\S+))(\s+(?P<target_status_code>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+"(?P<request>[^"]+)")(\s+"(?P<user_agent>[^"]+)")(\s+(?P<ssl_cipher>\S+))(\s+(?P<ssl_protocol>\S+))(\s+(?P<target_group_arn>\S+))(\s+"(?P<trace_id>[^"]+)")(\s+"(?P<domain_name>[^"]+)")?(\s+"(?P<chosen_cert_arn>[^"]+)")?(\s+(?P<matched_rule_priority>\S+))?(\s+(?P<request_creation_time>\S+))?(\s+"(?P<actions_executed>[^"]+)")?(\s+"(?P<redirect_url>[^"]+)")?(\s+"(?P<error_reason>[^"]+)")?
EVAL-rtt = request_processing_time + target_processing_time + response_processing_time
priority = 1
sourcetype = aws:elb:accesslogs
## Network Load Balancer ##
[source::http:lblogs]
EXTRACT-elb-nlb = ^\s*(?P<type>\S+)(\s+(?P<log_version>\S+))(\s+(?P<timestamp>\S+))(\s+(?P<elb>\S+))(\s+(?P<listener>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<destination_ip>[\d.]+):(?P<destination_port>\d+))(\s+(?P<connection_time>\S+))(\s+(?P<tls_handshake_time>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+(?P<incoming_tls_alert>\S+))(\s+(?P<chosen_cert_arn>\S+))(\s+(?P<chosen_cert_serial>\S+))(\s+(?P<tls_cipher>\S+))(\s+(?P<tls_protocol_version>\S+))(\s+(?P<tls_named_group>\S+))(\s+(?P<domain_name>\S+))(\s+(?P<alpn_fe_protocol>\S+))(\s+(?P<alpn_be_protocol>\S+))(\s+(?P<alpn_client_preference_list>\S+))
sourcetype = aws:elb:accesslogs
[aws:elb:accesslogs]
TIME_PREFIX = ^.*?(?=20\d\d-\d\d)
TIME_FORMAT =
MAX_TIME_LOOKAHEAD
... View more
Labels
- Labels:
-
props.conf
08-21-2024
01:46 PM
Try adding a limits.conf with the following [kv]
maxchars = 40000
... View more
08-21-2024
12:29 PM
What does you msiexec command look like that you're using to install the Splunk UF ?
... View more
08-21-2024
12:18 PM
Do you have any other app or add-on configured with the inputs. Run the following to see all inputs that may be present on your forwarder $SPLUNK_HOME$/bin/splunk btool inputs list --debug
... View more
08-19-2024
02:05 PM
Try this : [hecpaloalto_in]
INGEST_EVAL = index=if(match(sourcetype, "pan:logs"), "palo_alto", "aws")
... View more
08-19-2024
01:20 PM
@marcoscala were you able to fix the Palo Alto Splunk app throwing JS errors ?
... View more
08-19-2024
01:15 PM
@shawno were you able to fix the error ?
... View more
03-01-2023
05:38 PM
@mbachhav - did you get this done ? I am running into similar challenge and thinking best way of getting this from HF to SHC/Indexer
... View more
10-28-2021
04:50 PM
Try this - "Account\sName:\s(?P<account_name>.+)\sAccount Domain"
... View more
10-26-2021
04:47 PM
1 Karma
index=star env=prod |
chart count(eval(time <100)) AS "<100ms", count(eval(time >100 AND time <200)) AS "<200ms", count(eval(time >200 AND time <300)) AS "<300ms"
| stats count by time try that query and select pie chart under visualizations.
... View more
10-26-2021
04:37 PM
1 Karma
Can you share the exception with multiple Caused by : ? meanwhile, you can try this - base search
| rex field=_raw "Caused by:\s*(?P<exception_cause>.*)"
... View more
10-26-2021
02:03 PM
@Sharzi try this to return records where DB is NOT "unknown" base_search [ inputlookup myLookup | fields TenantName, tenantId | where tenantId!="Unknown" AND TenantName=TenantName] | lookup myLookup tenantId TenantName output TenantName, tenantId, Region, DB |
| table _time TenantName tenantId Region Status DB updated reply to correct spellings and missing fields
... View more
10-21-2021
01:47 PM
@gitingua can you share your search query that you're trying for this result ?
... View more
10-21-2021
01:14 PM
1 Karma
you could probably do the lookups at the end of the tstats search & all transforms | tstats ...
| search [| inputlookup field1 lookup1.csv | ... ] | search [| inputlookup lookup2.csv | ... ]
... View more
10-21-2021
12:54 PM
@Susha Is your forwarder sending disk space data and are you able to see any data in index=os ? breakdown the search query into individual parts and check index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com
| strcat host '@' Filesystem Host_FileSystem
... View more
10-21-2021
12:47 PM
@pavanae can you share your search query ? But you should be able to search the host like following - | inputlookup answers-571895.csv
| where Host="*"
... View more
10-21-2021
12:37 PM
1 Karma
It should work, I tried it out with csv file you shared. It can either be permissions (but you're able to see contents of lookup using inputlookup). Check the fieldnames (case-sensitive) & also spell-check Try another way (replace with your filename) - | inputlookup answers-571716.csv
| where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"
... View more
10-21-2021
10:01 AM
1 Karma
are you able to see the contents of the lookup file created ? run the following command | inputlookup myfile.csv
... View more
10-20-2021
05:35 PM
1 Karma
file1.csv -- > csv based lookup file2.csv --> cidr based lookup (I've renamed "IP Address" field to ip_address) Add a new lookup definition, name it "file2" and select file2.csv Check on advanced options. In "Match type" type in "CIDR(ip_address)" . | inputlookup file1.csv
| fields src_ip, username
| lookup file2 "ip_address" as src_ip output ASN, Other
... View more
10-20-2021
04:46 PM
Hi @gitingua try this out, assuming you've these files uploaded as lookups | inputlookup file1.csv
| appendcols
[inputlookup file2.csv
| fields ASN,Other ]
| table username,src_ip,ASN,Other
... View more
10-20-2021
04:10 PM
1 Karma
@MikeB inputlookup can be used to fetch results. | inputlookup myfile.csv
| where failcode IN ("g-ab", "c-cd", "d-dd")
... View more
10-20-2021
04:07 PM
@GRC Sample log events data will help to work further on your request.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-27-2025
06:50 PM
|
Karma from
