Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mikefg
mikefg
Path Finder
Member since:
07-24-2019
yesterday
Community Statistics
| Posts | 27 |
| Solutions | 3 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 07-24-2019 |
Activity Feed
- Posted UF Batch Import Unreadable File Type Error on Splunk Enterprise. yesterday
- Posted Re: Get data from an MS SQL audit file using DB Connect or UF? on Splunk Enterprise. Thursday
- Posted Re: Get data from an MS SQL audit file using DB Connect or UF? on Splunk Enterprise. Thursday
- Posted Re: Get data from an MS SQL audit file using DB Connect or UF? on Splunk Enterprise. Thursday
- Tagged Re: Get data from an MS SQL audit file using DB Connect or UF? on Splunk Enterprise. Thursday
- Posted Get data from an MS SQL audit file using DB Connect or UF? on Splunk Enterprise. Thursday
- Got Karma for indexes best practice?. 4 weeks ago
- Got Karma for Re: VMware esxilogs sourcetype vmw-syslog hyphen problem. 4 weeks ago
- Posted How to filter out registry key in HKU WinRegMon? on Archive2. 05-27-2020 02:56 PM
- Tagged How to filter out registry key in HKU WinRegMon? on Archive2. 05-27-2020 02:56 PM
- Posted Re: Dell Network Switch Addon on All Apps and Add-ons. 03-05-2020 11:00 AM
- Posted Dell Network Switch Addon on All Apps and Add-ons. 03-04-2020 08:41 PM
- Tagged Dell Network Switch Addon on All Apps and Add-ons. 03-04-2020 08:41 PM
- Posted Re: coldToFrozen script ERROR import command not found on Archive. 01-17-2020 02:30 PM
- Posted Re: coldToFrozen script ERROR import command not found on Archive. 01-13-2020 09:35 PM
- Posted Re: coldToFrozen script ERROR import command not found on Archive. 01-13-2020 03:00 PM
- Posted MS SQL Audit Logs DB Connect vs UF Event Logs on All Apps and Add-ons. 01-13-2020 08:54 AM
- Tagged MS SQL Audit Logs DB Connect vs UF Event Logs on All Apps and Add-ons. 01-13-2020 08:54 AM
- Tagged MS SQL Audit Logs DB Connect vs UF Event Logs on All Apps and Add-ons. 01-13-2020 08:54 AM
- Tagged MS SQL Audit Logs DB Connect vs UF Event Logs on All Apps and Add-ons. 01-13-2020 08:54 AM
yesterday
I have some SQL audit files filename.sqlaudit that I want to import using batch. I have the configuration all done and working for test files like a .txt file, but the .sqlaudit file will not import. Running '.\splunk.exe list inputstatus' give me 'type = unreadable file type'. I have the Splunk Add-on for Microsoft SQL Server installed on the search head, so that should parse the file once it's imported, correct? How do I get the UF to process the file?
... View more
Labels
Thursday
Using the MS SQL addon I see this reference to audit logs 'uses the sys.fn_get_audit_file function via DB Connect.' https://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/Datatypes
... View more
Thursday
Please see my reply above. The audit files are being created per Splunk instructions, but how do I get them into Splunk?
... View more
Thursday
Thank you, I have been through this article and either I'm missing something or the article is missing something. Following the steps to 'Create audit objects in Microsoft SQL Server for the Splunk Add-on for Microsoft SQL Server' I now have audit files being written to disk. CREATE SERVER AUDIT MSSQL_Database_Audit TO FILE ( FILEPATH = 'C:\\SQLAudit' ) ; However, I do not see steps in the article for how to get the file data into Splunk.
... View more
- Tags:
- i
Thursday
I have an MS SQL server writing audit data to a .sqlaudit file. I need to get this data into Splunk. I have DB Connect installed, but I'm not sure how to ingest the .sqlaudit file data. Do I use DB Connect or the UF?
... View more
- Tags:
- Splunk DB Connect
Labels
05-27-2020
02:56 PM
I need to filter out a registry key in HKU. The value I'm trying to match occurs in the middle of the registry string and I'm having trouble getting regex to work. Are there any Splunk-specific examples for how to match a string in the middle of a string and exclude it? This will go into inputs.conf on the Windows machine UF at [WinRegMon] proc =
For example the value abcdef is in the middle of registry key HKU\.default\software\classes\local settings\abcdef\morestring"
... View more
- Tags:
- splunk-enterprise
03-05-2020
11:00 AM
Already getting logs, but thanks for confirming there is no addon.
... View more
03-04-2020
08:41 PM
I'm getting logs from my Dell switches, but I can't find a suitable addon. Is there a current Dell or other addon that works for Dell networking n2000 / n4000 gear?
... View more
- Tags:
- splunk-enterprise
Labels
01-17-2020
02:30 PM
Got it working. Combination of indent problems (python), windows to linux fixed by using dos2unix, missing ssl fixed by moving _hashlib.so, and removing unneeded parts of the script lines 25-55.
... View more
01-13-2020
09:35 PM
# This is an example script for archiving cold buckets. It must be modified
# to suit your individual needs, and we highly recommend testing this on a
# non-production instance before deploying it.
#import sys, os, gzip, shutil, subprocess, random
# Mike - import socket so we can get hostname
import sys, os, gzip, shutil, subprocess, random, socket
### CHANGE THIS TO YOUR ACTUAL ARCHIVE DIRECTORY!!!
#ARCHIVE_DIR = os.path.join(os.getenv('SPLUNK_HOME'), 'frozenarchive')
# Mike - static path to nfs mount and combine with hostname for full path
ARCHIVE_DIR = os.path.join('/mnt/nfs/splfrozen', socket.gethostname())
# For new style buckets (v4.2+), we can remove all files except for the rawdata.
# We can later rebuild all metadata and tsidx files with "splunk rebuild"
def handleNewBucket(base, files):
print('Archiving bucket: ' + base)
for f in files:
full = os.path.join(base, f)
if os.path.isfile(full):
os.remove(full)
# For buckets created before 4.2, simply gzip the tsidx files
# To thaw these buckets, be sure to first unzip the tsidx files
def handleOldBucket(base, files):
print('Archiving old-style bucket: ' + base)
for f in files:
full = os.path.join(base, f)
if os.path.isfile(full) and (f.endswith('.tsidx') or f.endswith('.data')):
fin = open(full, 'rb')
fout = gzip.open(full + '.gz', 'wb')
fout.writelines(fin)
fout.close()
fin.close()
os.remove(full)
# This function is not called, but serves as an example of how to do
# the previous "flatfile" style export. This method is still not
# recommended as it is resource intensive
def handleOldFlatfileExport(base, files):
command = ['exporttool', base, os.path.join(base, 'index.export'), 'meta::all']
retcode = subprocess.call(command)
if retcode != 0:
sys.exit('exporttool failed with return code: ' + str(retcode))
for f in files:
full = os.path.join(base, f)
if os.path.isfile(full):
os.remove(full)
elif os.path.isdir(full):
shutil.rmtree(full)
else:
print('Warning: found irregular bucket file: ' + full)
if __name__ == "__main__":
if len(sys.argv) != 2:
sys.exit('usage: python coldToFrozenExample.py <bucket_dir_to_archive>')
if not os.path.isdir(ARCHIVE_DIR):
try:
os.mkdir(ARCHIVE_DIR)
except OSError:
# Ignore already exists errors, another concurrent invokation may have already created this dir
sys.stderr.write("mkdir warning: Directory '" + ARCHIVE_DIR + "' already exists\n")
bucket = sys.argv[1]
if not os.path.isdir(bucket):
sys.exit('Given bucket is not a valid directory: ' + bucket)
rawdatadir = os.path.join(bucket, 'rawdata')
if not os.path.isdir(rawdatadir):
sys.exit('No rawdata directory, given bucket is likely invalid: ' + bucket)
files = os.listdir(bucket)
journal = os.path.join(rawdatadir, 'journal.gz')
if os.path.isfile(journal):
handleNewBucket(bucket, files)
else:
handleOldBucket(bucket, files)
if bucket.endswith('/'):
bucket = bucket[:-1]
indexname = os.path.basename(os.path.dirname(os.path.dirname(bucket)))
destdir = os.path.join(ARCHIVE_DIR, indexname, os.path.basename(bucket))
while os.path.isdir(destdir):
print('Warning: This bucket already exists in the archive directory')
print('Adding a random extension to this directory...')
destdir += '.' + str(random.randrange(10))
shutil.copytree(bucket, destdir)
... View more
01-13-2020
03:00 PM
I've tested against bin/splunk cmd python and the import and ARCHIVE_DIR statements work fine.
... View more
01-13-2020
08:54 AM
I will be working on gathering MS SQL audit logs and I should have the option of using DB Connect or using the UF to collect from event logs. To maintain best SQL performance is either a better option?
Splunk 7.3.3, Windows Server 2016, MS SQL 2016 SP2. Any differences for Server and SQL 2019? We'll be migrating to 2019 in the coming months.
... View more
01-10-2020
04:58 PM
I added socket to the import string so I can get the server hostname to append to the ARCHIVE_DIR path. Getting 2 BucketMover errors.
import sys, os, gzip, shutil, subprocess, random, socket
ARCHIVE_DIR = os.path.join('/path/to/nfsmnt', socket.gethostname())
Error 1. import: command not found
Error 2. syntax error near unexpected token '(' ARCHIVE_DIR = os.path.join('/path/to/nfsmnt', socket.gethostname())
Can I use import socket in this script?
Splunk Enterprise v 7.3.3
... View more
- Tags:
- coldtofrozenscript
01-08-2020
08:17 AM
I'm working moving a retired index to frozen (indexer cluster). I've set the maxWarmDBCount = 0 for the index and all buckets have been moved to colddb on all indexers. There are some remaining files and directories in db - 'CreationTime' file, GlobalMetaData dir, _splunktemps dir. Are these needed for anything? Or am I good to go with the next step (coldToFrozen.py)?
... View more
10-18-2019
02:40 PM
I'm running a single search head, indexer cluster, and syslog-ng. What is the recommendation?
1) PA -> syslog-ng+HF -> idxcluster
2) PA -> syslog-ng+UF -> idxcluster
Mike
... View more
10-04-2019
07:01 AM
In answering my own question - this can be accomplished, but the results aren't great.
I used the SplunkTAvcenter, SplunkTAesxilog, TA-VMW-FieldExtractions, and SA-VMWIndex pieces of the app. Where these are installed and configured will depend on your splunk environment setup, so I won't get into that here.
The esxi logs are okay, I can see web logins and ssh logins, but the fields aren't all extracted for every event so most of the information I'm looking is usually scattered in different fields.
The vcenter logs are less than okay, but after doing a little more reading this may be more of an issue with VMware than anything e.g. 127.0.0.1 for a login event ip address.
... View more
10-02-2019
09:57 AM
1 Karma
Looking at internal logs using ' index=internal "vmw" ' I saw that there was a file that couldn't be found. The file is specified in props.conf at DATETIMECONFIG = /etc/apps/SplunkTAesxilogs/default/syslogdatetime.xml which references the 'apps' directory. I'm using indexer clustering, so the app is installed at 'slave-apps' not 'apps'. I created a local/props.conf on my cluster master and changed the path to DATETIMECONFIG = /etc/slave-apps/SplunkTAesxilogs/default/syslog_datetime.xml and now it's working.
... View more
10-01-2019
03:49 PM
I'm working on getting VMware logs into Splunk and ran into a problem with the hyphen in the vmw-syslog sourcetype in SplunkTAesxilogs. When I remove the hyphen or just use syslog as the sourcetype it works fine. I'm not a regex expert, so I'm assuming the regex in transforms.conf for [setsyslogsourcetype] isn't quite right or maybe [setsyslogsourcetype_sections], but I'm not sure how to adjust it.
... View more
09-30-2019
09:17 AM
There are a lot of pieces to the VMware App, but I am only interested in parsing logs for now. What pieces do I need to just do basic syslog parsing for vCenter and ESXi? SplunkTAesxilogs and SplunkTAvcenter?
... View more
09-23-2019
07:50 AM
Correction to my post - we do have AzureAD.
The answer is yes, you get ClientIP and can iplocation that value to get Country.
Following the steps was fairly straightforward, but the documentation is a bit behind the current interface meaning the specific steps and screenshots don't always match (Microsoft).
One more catch - the Splunk input setup may not allow you to select the index you want to use, I just edited the inputs.conf file for what I wanted.
... View more
