cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
joe_kraxner
Explorer
Member since: ‎06-24-2014
3 weeks ago
Community Statistics
Posts 9
Solutions 1
Karma Given 3
Karma Received 8
Member Since ‎06-24-2014
Activity Feed
View All

Re: How do you add an additional “Drill-down Searc...

by in Splunk Enterprise Security
4 weeks ago
4 weeks ago
Just released in Splunk Enterprise Security 7.2.0, this is now a feature. Splunk Idea ESSID-I-67: Ability to configure multiple drill-down searches for notable ... View more

Re: Does Splunk have an app or add-on for Pulse Se...

by in All Apps and Add-ons
‎10-28-2019 08:55 AM
‎10-28-2019 08:55 AM
There is now the Pulse Connect Secure Add-on for Splunk but has some minor issues based on my current experience with it. It looks like the author is actively working on it so maybe it'll get better. ... View more

Re: API for Splunkbase

by in Getting Data In
‎03-02-2019 04:32 PM
‎03-02-2019 04:32 PM
I needed to do something similar. There is a great app I discovered a couple weeks ago, Analysis Of SplunkBase Apps for Splunk (https://splunkbase.splunk.com/app/2919/) that exceeded my expectations and needs. I highly recommend it. ... View more

Re: How to update a deployment server deployment-a...

by in Deployment Architecture
‎02-26-2019 04:32 PM
1 Karma
‎02-26-2019 04:32 PM
1 Karma
For future reference (as I'm asked a lot), the syntax is: Standard Apps: tar -zxf /some/location/splunk-db-connect_314.tgz -C /opt/splunk/etc/apps/ Deployment Server: tar -zxf /some/location/splunk-db-connect_314.tgz -C /opt/splunk/etc/deployment-apps/ I hope this helps with future us. ... View more

Re: "Bad allocation" error while searching

by in Dashboards & Visualizations
‎11-27-2018 06:22 AM
‎11-27-2018 06:22 AM
Hi Tom, Do you recall what your paging (page) file or virtual memory setting are set to? I'm having a similar issue to what you are describing and I'm wondering if this could be an issue with the available RAM and virtual memory for memory-intensive searches. Thanks. ... View more

Re: What do backticks do in searches?

by in Splunk Enterprise Security
‎01-29-2015 05:45 AM
1 Karma
‎01-29-2015 05:45 AM
1 Karma
I believe those are ticks (`) not single quotes ('). ... View more

Re: What do backticks do in searches?

by in Splunk Enterprise Security
‎01-29-2015 05:45 AM
‎01-29-2015 05:45 AM
I believe those are ticks (`) not single quotes ('). ... View more

Re: Splunk App for Enterprise Security: How to fix...

by in Splunk Enterprise Security
‎12-17-2014 09:04 PM
1 Karma
‎12-17-2014 09:04 PM
1 Karma
The Splunk for Palo Alto Networks App (https://apps.splunk.com/app/491/) wants to sourcetype the PAN logs as "pan_log" but this conflicts with what ES is requiring just "pan". Digging into the ES TA-paloalto I see a reference for pan_log and "Added per SOLNESS-2728 for compatibility with SplunkforPaloAltoNetworks app". One could modify the apps, it's your warranty. 🙂 Now as far as your questions on sourcetyping: What is the best way to workaround this? Since you can't change the data in Splunk once it's written to disk (index), your previous data is stuck with that sourcetype. One caveat is if you have the data you can re-index if your kick the Fishbucket for the file (http://docs.splunk.com/Documentation/Splunk/6.2.0/Troubleshooting/CommandlinetoolsforusewithSupport#btprobe). Do I need to manually override the sourcetype name (if so, I lose access to previous data?)? I make it a bit easy on myself since I have several other syslog data sources and use rsyslog with a fairly static configuration (see below). You will not lose the old data, it will still have the same previously written sourcetype. (or) Will a simple "rename" fix it? I'm not sure I know the exact answer to this. From my experience, the ES app includes the necessary props and transforms that require to be sourcetyped as "pan" or "pan_log" so the pan:traffic and pan:threat sub-sourcetyping can be performed. This is done at the input phase. Also, where should this be done (at the indexer, or in ES)? Preferribly applying the sourcetype is done at input time (usually a UF or whereever you're specifying the inputs.conf). My setup: I am using rsyslog [1] to collect my PAN firewall logs for ES and having them written to a location such as the following: /data/splunk/logs/syslog/pan/acme-fw-01/2014-12-17_21.log Config: #rsyslog config snippet: /etc/rsyslog.d/splunk.conf # Template $template PAN,"/data/splunk/logs/syslog/pan/%fromhost%/%$year%-%$month%-%$day%_%$HOUR%.log" # Palo Alto Networks Firewall if $fromhost-ip == '10.0.4.1' or $fromhost-ip == '10.0.5.1' then -?PAN & ~ Then I configure an input such as the following to force the sourcetype as "pan": #From inputs.conf [monitor:///data/splunk/logs/syslog/pan/] sourcetype=pan index=firewalls host_segment=6 whitelist = \.log$ Hope this helps. ... View more

How do you add an additional “Drill-down Search” i...

by in Splunk Enterprise Security
‎11-07-2014 03:13 PM
5 Karma
‎11-07-2014 03:13 PM
5 Karma
When you expand the details of a Notable Event in Enterprise Security (ES) 3.x there is a heading called “Contributing Events” that presents a link for the “drill-down search” configured in the Correlated Search that generated the Notable Event. Does anyone know if it is possible to add an additional “Drill-down Search” to provide another drill-down or alternative search in support of the Notable event? Thank you. ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma given to
View All