×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mcronkrite
Splunk Employee
Member since: ‎09-26-2013
Thursday
Community Statistics
Posts 109
Solutions 17
Karma Given 436
Karma Received 100
Member Since ‎09-26-2013
Activity Feed
Topics I've Started
View All

Re: Segregate data base on IP Address

by Splunk Employee in Splunk Search
‎04-17-2016 10:00 AM
‎04-17-2016 10:00 AM
In the inputs.conf file you can easily setup these filters at your forwarders inputs.conf. By setting the index at the forwarder you have the least compute load on your indexers. Use a deployment server to send custom inputs.conf to different fowarders/ Most easily just setting a value for index = foo in all the inputs.conf stanza that you want to send to foo Then deploy this inputs.conf as an app foo/ to the fowarders that match that IP or host addreses. For the systems that you want to send to index=bar, do the same thing, create an inputs.conf that has index=bar set for all the data you want to go to bar. Then create an app called bar/ and deploy that to the hosts which should report to index=bar. Your deployment server controls what systems get Foo vs Bar app. This way to can dynamically change groups and scale your deployment without having to touch each system individually. Check out the spec file for inputs.conf because there are many options for customizing where to send your data. host_regex = acceptFrom = whitelist = blacklist = Check out the Getting Data In docs about white and black listing for mapping to different indexes. http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata Check out the Routing and Data Filtering section http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad ... View more

Re: Questions on Splunk and Syslog-ng Server

by Splunk Employee in Getting Data In
‎04-17-2016 09:54 AM
1 Karma
‎04-17-2016 09:54 AM
1 Karma
Q: What are the Splunk requirements to receive the data from Syslog-ng server? A: Put a Universal Forwarder on your Syslog-NG server and monitor the syslog folder. Q: What are the Syslog requirements to get the data from the cisco network devices? A: Configure your cisco devices to send to your syslog device(s) Q: What are the Configuration requirements to establish a communication between syslog and cisco devices, and how to configure it? A: Cisco configuration screen has a setting to output to syslog, enter the address of you syslog-ng server, and the delegated port you have selected to listen on. Many people used to choose 514, but that is reserved port, so now days people usually configure 10514 for cisco:asa 20514 for cisco:ios , etc etc Q: Configuring the separate log files for routers, switches and firewalls. A:In your cisco log config you set the syslog-ng address and port. You should have a port for each devices type (routers 30514, switches 20514, firewall 10514) This way you can manage the folders and log easily. Q: What is the list of the port numbers that listen to Splunk and syslog server? A: The connection between syslog-ng and splunk is the universal fowarder. The universal fowarder outputs to splunk on :9997 by default. The splunk indexer will listen for universal fowarder on :9997. The universal forwarder will monitor the log that syslog-ng creates and send the to splunk. ... View more

Re: How to prevent users from writing to indexes?

by Splunk Employee in Security
‎04-08-2016 06:43 AM
6 Karma
‎04-08-2016 06:43 AM
6 Karma
Limit the access to the indexes that the user can access via their role, and then take away the capability from that role to do any writes. You can also prevent the index from being written to from the Search Head by updating the local search head indexes.conf to have: isReadOnly = true|false * Set to true to make an index read-only. * If true, no new events can be added to the index, but the index is still searchable. * Must restart splunkd after changing this parameter; index reload will not suffice. * Defaults to false Depending on what you are trying to prevent, either Users being malicious, or users making mistakes. Using a deployment server to manage forwarders really cuts down on end users being able to change the configs. To help prevent routing errors with, then also edit the inputs.conf on the indexers and explicitly prevent the search heads from being able to write data to your indexes. (don't block them from writing to _internal though!): > acceptFrom = <network_acl> ... * Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces * Each rule can be in the following forms: 1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32") 3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com") 4. A single '*' which matches anything * Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network. * Defaults to "*" (accept from anywhere) ... View more

Re: How to use the sendemail command to send resul...

by Splunk Employee in Splunk Search
‎04-07-2016 03:31 AM
‎04-07-2016 03:31 AM
Have you tried: https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html https://answers.splunk.com/answers/213340/how-to-get-splunk-sendemail-command-to-send-multip.html ... View more

Re: How to edit my search to pull the first instan...

by Splunk Employee in Splunk Search
‎04-06-2016 06:27 PM
‎04-06-2016 06:27 PM
| stats earliest(_time) as connect_start, latest(_time) as connectstop by user,src_ip try adding this to end ... View more

Re: Is there a unique ID assigned to each forwarde...

by Splunk Employee in Getting Data In
‎04-05-2016 04:46 PM
‎04-05-2016 04:46 PM
You can add any value you want as an indexed field. You need to setup a WRITE_META in a props/transform like this. props.conf [mysourcetype] TRANSFORMS-add_hostfwd = add_indexedfield transforms.conf [add_indexedfield] WRITE_META = true DEST_KEY = _meta FORMAT = host_forwarder::$1 DEFAULT_VALUE = 123 fields.conf [host_forwarder] INDEXED = true http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configureindex-timefieldextraction But You shouldn't run multiple forwarders on the same host, instead use index and sourcetypes in your inputs to segregate data or accept data from different inputs. The universal forwarder can listen on many ports, so lots of options around using the multiple instances. ... View more

Re: Is there documentation on best practice for wh...

by Splunk Employee in Splunk Enterprise Security
‎04-04-2016 03:25 PM
‎04-04-2016 03:25 PM
Turn everything on if you want all the dashboards in ES to light up. Adjust the interval if you need to calm down the data rates. [monitor:///var/log] disabled = false [monitor:///etc] disabled = false [monitor:///home/.../.bash_history] disabled = false [monitor:///Library/Logs] disabled = false [monitor:///root/.bash_history] disabled = false [monitor:///var/adm] disabled = false [script://./bin/bandwidth.sh] disabled = false [script://./bin/cpu.sh] disabled = false [script://./bin/df.sh] disabled = false [script://./bin/hardware.sh] disabled = false [script://./bin/interfaces.sh] disabled = false [script://./bin/iostat.sh] disabled = false [script://./bin/lastlog.sh] disabled = false [script://./bin/lsof.sh] disabled = false [script://./bin/netstat.sh] disabled = false [script://./bin/openPorts.sh] disabled = false [script://./bin/openPortsEnhanced.sh] disabled = false [script://./bin/package.sh] disabled = false [script://./bin/passwd.sh] disabled = false [script://./bin/protocol.sh] disabled = false [script://./bin/ps.sh] disabled = false [script://./bin/rlog.sh] must be super user to run disabled = true [script://./bin/selinuxChecker.sh] disabled = false [script://./bin/service.sh] disabled = false [script://./bin/sshdChecker.sh] needs /etc/ssh/sshd_config disabled = false [script://./bin/time.sh] disabled = false [script://./bin/top.sh] disabled = false [script://./bin/update.sh] disabled = false [script://./bin/uptime.sh] disabled = false [script://./bin/usersWithLoginPrivs.sh] disabled = false [script://./bin/version.sh] disabled = false [script://./bin/vmstat.sh] disabled = false [script://./bin/vsftpdChecker.sh] disabled = false [script://./bin/who.sh] disabled = false ... View more

Re: Records count in dashboard charts is not match...

by Splunk Employee in Dashboards & Visualizations
‎04-02-2016 04:40 PM
‎04-02-2016 04:40 PM
Which App Search Context are you using. For example if you are in the Green Search and Reporting an do a search vs being in the Blue Palo Alto App. Apps have different permissions on fields. So your query might be referencing a fields from Palo Alto that does not have global scope. Also are you in Fast, Smart or Verbose mode? Fast mode means only the | stats fields are brought back. Smart mode means the fields that you have explicitly downloaded apps for apply, when in the right app context. And Verbose means no fields are explicitly setup and Splunk is learning the key values on the fly. Are you running as the same user in both cases? ... View more

Re: How to trigger an alert based on the number of...

by Splunk Employee in Alerting
‎04-02-2016 04:34 PM
‎04-02-2016 04:34 PM
When you run the Splunk Search that you want an alert for go to the top right and save as. There is an option for Save as Alert. The options include the count of the rows and lots of other options. Here is an example: http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Alertexamples ... View more

Re: Splunk Enterprise Security: How to configure d...

by Splunk Employee in Splunk Enterprise Security
‎04-02-2016 02:26 PM
‎04-02-2016 02:26 PM
get the latest CIM app, and then go to setup, it has a gui there to limit the indexes ... View more

Re: Splunk Enterprise Security: How to configure d...

by Splunk Employee in Splunk Enterprise Security
‎04-02-2016 02:20 PM
11 Karma
‎04-02-2016 02:20 PM
11 Karma
Yes, using SSD will absolutely help overall performance. Your indexes should be volume mananged such that the Hot Warm path should pretty much always be the fastest storage possible, and sized for your most common search ranges, and data model acceleration time ranges. Yes, checking out the max_time and backfill_time, these can also be limited to your specific time ranges for your use cases, like 7 days or 30 days. http://docs.splunk.com/Documentation/ES/4.1.0/Install/Datamodels Some other easy performance tweaks: Upgrade to the latest CIM App. Go to Manage Apps - Splunk_TA_CIM - Setup For the data models that you use, e.g. Authentication, Web. Add the specific indexes that are related to the data. In Enterprise Security, check out Audit - Data Model Audit, and see which ones are taking a long time. Change the retention time for large models to reduce the size. Usually 7 days or 30 days is sufficient for most use cases. And you can also go to Settings - Data Inputs and set the modular input to turn off Enforce Acceleration. Finally, If you are seeing some that are taking a long time to build, then you might be running a lot of correlation searches at the same time, which the data model is trying to finish. This is usually because of a CPU bottleneck. https://wiki.splunk.com/Community:TroubleshootingSearchQuotas Look at max_searches_per_cpu settings in limits.conf This is where usually the bottle neck is check if you have more cores that can be utilized, and have the splunk user get more searches per cpu. http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf base_max_searches = * A constant to add to the maximum number of searches, computed as a multiplier of the CPUs. *** Defaults to 6** max_searches_per_cpu = * The maximum number of concurrent historical searches per CPU. The system-wide limit of historical searches is computed as: max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches * Note: the maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier x max_hist_searches * Defaults to 1 More tweaks, make sure you have setup your environment correctly, by disabling Transparent Huge Pages http://docs.splunk.com/Documentation/Splunk/6.2.5/ReleaseNotes/SplunkandTHP ... View more

Re: Error msg="A script exited abnormally" status=...

by Splunk Employee in All Apps and Add-ons
‎03-30-2016 10:16 AM
6 Karma
‎03-30-2016 10:16 AM
6 Karma
So turns out that if you run the scripts directly you can find out what the actually error is. In my case the system was a new Centos 7 build and didn't have the following commands installed, sar, netstat, etc etc. The way to find it is by running this for each of the scripts not working. bash -x ../bin/vmstat.sh ... View more

Re: Permissions on indexes and sourcetypes

by Splunk Employee in Getting Data In
‎12-30-2015 07:25 AM
‎12-30-2015 07:25 AM
Yes, you retrict the acl on the indexers inputs.conf acceptFrom = ... * Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces Inputs Conf Spec ... View more

Re: How can I use a combination of map and sendema...

by Splunk Employee in Splunk Search
‎12-22-2015 10:39 AM
‎12-22-2015 10:39 AM
Also look at https://answers.splunk.com/answers/27658/map-command-breaks-when-scheduled.html ... View more

Re: How can I use a combination of map and sendema...

by Splunk Employee in Splunk Search
‎12-22-2015 10:15 AM
‎12-22-2015 10:15 AM
this is the right approach - thx ... View more

Re: How can I use a combination of map and sendema...

by Splunk Employee in Splunk Search
‎12-22-2015 10:15 AM
1 Karma
‎12-22-2015 10:15 AM
1 Karma
Other people wondering about this here - xposting for linking https://answers.splunk.com/answers/213340/how-to-get-splunk-sendemail-command-to-send-multip.html ... View more

Re: How to get Splunk sendemail command to send mu...

by Splunk Employee in Reporting
‎12-22-2015 10:14 AM
1 Karma
‎12-22-2015 10:14 AM
1 Karma
https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html this is the best way I've found ... View more

Re: How do I put my DLP events into the Alerts dat...

by Splunk Employee in Splunk Enterprise Security
‎12-15-2015 11:43 AM
‎12-15-2015 11:43 AM
A DLP alert is more akin to an intrusion detection alert. Except the opposite direction. I would clone the Intrusion Detection data model, and call it DLP. Then map the fields to CIM model. CIM_IntrusionDetection ... View more

Re: Splunk Enterprise Security: How to modify the ...

by Splunk Employee in Splunk Enterprise Security
‎12-08-2015 10:32 AM
‎12-08-2015 10:32 AM
Look at your data that is tagged Malware, and Attack. This is what is being collected to include. So you need to modify the event type for the tags, malware and attack, and add to that search to exclude the data you don't want. ... View more

Re: Add intelligence to file_intel

by Splunk Employee in Splunk Enterprise Security
‎11-28-2015 07:47 AM
‎11-28-2015 07:47 AM
Yes absolutely, in fact, that's the default threat list style. The csv files have to have two fields, ip and description, url and description, or domain and description. http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists ... View more

Re: PIVOT vs DATAMODEL vs TSTATS

by Splunk Employee in Splunk Search
‎11-27-2015 06:28 AM
11 Karma
‎11-27-2015 06:28 AM
11 Karma
One reason to stay away from the | pivot approach to querying data models is that it performs an ad-hoc acceleration request. When you do | pivot you are asking for an ad-hoc data model acceleration to be performed. So it becomes an effective | tstats command. One reason to use | datamodel command is that it is re-applying the search time extractions at run time, so you can test your field mappings. So do your initial work with | datamodel to validate data , use | tstats in final dashboards to take advantage of acceleration. One note about | pivot and | tstats , if you open a search in pivot and modify the search to how you want to save it in a dashboard. When you do a "Save to Dashboard Panel" in the WebUI you will get a dashboard panel that uses | pivot version of the query. If you instead go to the Job Inspector and scroll through (near the bottom) you can get the | tstats version instead of the same query instead. ProTip: Copy this |tstats search instead of the | pivot that to your final dashboard. ... View more

PIVOT vs DATAMODEL vs TSTATS

by Splunk Employee in Splunk Search
‎11-27-2015 06:21 AM
2 Karma
‎11-27-2015 06:21 AM
2 Karma
Why do some splunk users say that the | pivot command isn't for ninjas? Which is better then, pivot, datamodel, tstats? ... View more

Re: How to view threatlist via REST

by Splunk Employee in Splunk Enterprise Security
‎11-26-2015 05:25 PM
‎11-26-2015 05:25 PM
Try this search: | 'all_threat_intel' | fields ip,url,domain,threat_key That is the macro all_threat_intel, so enclose that term in back ticks `` ... View more

Re: How to integrate the Threat intelligence feeds...

by Splunk Employee in Splunk Enterprise Security
‎11-24-2015 12:26 PM
‎11-24-2015 12:26 PM
ES is not supported when other apps are installed. So you will want to avoid adding any non-Splunk Certified app add-ons to the ES installation. That being said, you can download the ThreatConnect integration and inspect the app for content that might want to add. In the latest versions of ES, the threat intelligence setup is a wizard that you go through. What you want to do is find what data feed source the Threat Connect app looks at and mirror that in your own configuration by Configuring a Threat list in ES. Check out how to do that here. http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists TL:DR; don't install a new app e.g. 1893, instead look at the app configs to find out the threat feed source and use the above url to set it up in ES. ... View more

Re: Native Password Complexity in Splunk

by Splunk Employee in Security
‎11-18-2015 10:30 AM
‎11-18-2015 10:30 AM
https://answers.splunk.com/answers/143631/splunk-configuration-of-password-encryption-and-complexity.html ... View more
Contact Me
Online Status
Offline
Date Last Visited
Thursday
Karma from
Karma given to