Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About parkertctr
parkertctr
Path Finder
Member since:
09-04-2019
03-07-2025
Community Statistics
| Posts | 18 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 09-04-2019 |
Activity Feed
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-16-2022 08:14 AM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-15-2022 12:29 PM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 12:17 PM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 11:49 AM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 10:59 AM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 10:32 AM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 10:32 AM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 10:21 AM
- Posted Re: Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 10:02 AM
- Posted Third Party server certificates not working- Is it not in the correct format? on Deployment Architecture. 08-10-2022 08:26 AM
- Karma Re: Download Splunk Version 7.2.1 for richgalloway. 06-08-2022 11:41 AM
- Posted Re: Download Splunk Version 7.2.1 on Installation. 04-28-2022 09:02 AM
- Posted Is Splunk version 7.2.1 available to be downloaded and where can I find it? on Installation. 04-27-2022 11:54 AM
- Posted SentinelOne Add-On Upgrade: Does the app need to be installed on the heavy forwarder or the search head? on All Apps and Add-ons. 03-03-2022 08:30 PM
- Tagged SentinelOne Add-On Upgrade: Does the app need to be installed on the heavy forwarder or the search head? on All Apps and Add-ons. 03-03-2022 08:30 PM
- Tagged SentinelOne Add-On Upgrade: Does the app need to be installed on the heavy forwarder or the search head? on All Apps and Add-ons. 03-03-2022 08:30 PM
- Posted Sumo Transaction States to Splunk Query on Splunk Search. 02-02-2022 09:52 AM
- Posted Re: case match command on Splunk Search. 01-21-2022 01:39 PM
- Posted case match command on Splunk Search. 01-21-2022 11:09 AM
- Tagged case match command on Splunk Search. 01-21-2022 11:09 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-16-2022
08:14 AM
Thanks, we are good to go now. downloaded the new cert from the CA, received an error about encryption, removed the password and then fixed the absolute path in the web.conf.
... View more
08-15-2022
12:29 PM
So far, we requested a new certificate from the CA. Tried again and still having issues. Do we need to update the server.conf with the new path for the CA provided server certificates that are in the my certs directory? /etc/auth/mycerts/.... This is one of the error messages: 08-15-2022 14:12:19.559 -0500 WARN SSLCommon [19496 TelemetryMetricBuffer] - Received fatal SSL3 alert. ssl_state='error', alert_description='unknown CA'. 08-15-2022 14:12:19.838 -0500 ERROR X509Verify [19496 TelemetryMetricBuffer] - Server X509 certificate (CN=DoD WCF Intermediate CA 1,OU=WCF PKI,OU=DoD,O=U.S. Government,C=US) failed validation; error=20, reason="unable to get local issuer certificate"
... View more
08-10-2022
12:17 PM
Yes everything matches. I think I am going to inform the customer to request a new cert from the CA and go from there.
... View more
08-10-2022
11:49 AM
We are receiving an error message "Received fatal SSL3 alert. ssl_state='error', alert_description='unknown CA'
... View more
08-10-2022
10:59 AM
Working changing it.
... View more
08-10-2022
10:32 AM
Also, checked all the logs to see any errors related to ssl or certs. Nothing.. but splunk us starting
... View more
08-10-2022
10:32 AM
Tracking thanks
... View more
08-10-2022
10:21 AM
So it looks like splunk is starting but the web browser is not
... View more
08-10-2022
10:02 AM
Thanks. Yes I have been dealing with cert issues on another platform. The certs were in the proper formats. Let me double check if splunk start versus the web. We did check the logs and it did not have anything significantly sticking out regarding ssl. I will try again. more to follow. Hmm what do you recommend in checking if the certs are in PKCS#1 versus PKCS#8?
... View more
08-10-2022
08:26 AM
My customers certificates expired and they followed the procedures for submitting and requesting a third party certificate. The CA returned a CA certificate that was already combined. So the customer did not have to combine their certificates. When trying to start splunk, it will not start. When comparing all the certificates from previous ones, one thing we noticed was the private key had a heading "--BEGIN RSA PRIVATE KEY -- ", instead of "--BEGIN PRIVATE KEY--" and two new lines after, stating "Proc-Type" and "DEK-Info". The customer is on Splunk v8.2.7, Windows 64bit. The keys are DoD CA60
I am wondering if the private key is not in the correct format. Should the customer re-submit a request to generate a new key from the CA?
... View more
Labels
- Labels:
-
Windows
04-27-2022
11:54 AM
Is splunk version 7.2.1 available to be downloaded and where can I find it? It is not listed in the older releases section.
... View more
03-03-2022
08:30 PM
According to the SentinelOne Upgrade Documentation for v3.6, they are suggesting the following:
Distributed deployment (8.x)
Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)
Search Head:
(Pre-requisite) Splunk CIM Add-on
SentinelOne App (sentinelone_app_for_splunk)
Indexer: TA-sentinelone_app_for_splunk (TA-sentinelone_app_for_splunk)Question: Does the "IA-sentinelone_app" need to be installed on the HF? Can the TA-sentinelone be installed on the HF instead? Note: The customer does not want index time extractions.
... View more
Labels
- Labels:
-
installation
-
upgrade
02-02-2022
09:52 AM
Good Day, I am trying to come up with ideas to translate a Sumo Trasactional search with (States) Conditions to a Splunk Query. If anyone can provide some other options, please let me know. Here is my sample Sumo search: _sourceCategory=prod/app/m/* and "statement" and ("Search Keys" or "STATUS=ERROR" or Error) | parse "[ID=*]" as MID nodrop | transactionize MID (merge MID takeFirst, _raw join with "\n\n") | transaction on ORGID, EVENT, ORDER, FACILITY with "*A request to obtain a channel subscription failed*" as NO_SUB, with "*M cannot be discontinued*" as NO_DC, with "*Person not found*" as NO_PERSON | (NO_SUB + NO_DC + NO_PERSON) as Total | fields ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC,NO_PERSON | sort by Total, ORGID, EVENT, ORDER //| sort by ORGID, EVENT Splunk Search so far: index=hhh_m_prod sourcetype=mirth* MID=* CID=* acctnumber=* facility=* orgid=* "Statement" ("Search Keys" OR "STATUS=ERROR" OR "Error") | fillnull value="NULL" | transaction MID | eval NO_DC=if(match(_raw, "M cannot be discontinued*"), "Yes", "No") | eval NO_SUB=if(match(_raw, "A request to obtain a channel subscription failed*"), "Yes", "No") | eval NO_PERSON=if(match(_raw, "Person not found*"), "Yes", "No") | transaction ORGID EVENT ORDER FACILITY | eval Total=sum(NO_SUB, NO_DC, NO_PERSON | table ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC,NO_PERSON | sort by Total ORGID EVENT ORDER | sort by ORGID, EVENT ** I am lost for ideas in running the conditional transaction statements... Should I use more eval statements, or setup a transactiontypes.conf?
... View more
Labels
- Labels:
-
eval
-
transaction
01-21-2022
11:09 AM
I am trying to use the case match command with more than one option. I keep getting an error message regarding the parenthesis.. nothing is working.. Do not understand whats missing from the syntax. Here is the search --> | eval state_ack_error=case(match(_raw, "ACK\-CODE\=AA"), 1, match(_raw matches "STATUS\=SENT"), 1, 1=1, 0) Error message: Error in 'eval' command: The expression is malformed.
... View more
Labels
- Labels:
-
eval
12-15-2021
08:50 AM
Requesting assistance with removing characters from logs during search time. Sample Data: "{"log":"{\"@t\"😕"2021-12-15T16:26:36.1571090Z\",\"@m\"😕"\\\"http\\\" \\\"GET\\\" \\\"/api/v1/" Trying to remove the extra \ \\ that came with the data via HEC.
... View more
- Tags:
- props.conf
- regex
- sed
Labels
- Labels:
-
field extraction
-
props.conf
09-04-2019
02:27 PM
Good Day, I am new to SPL searches for AWS logs and I do not have access to the aws:config:rule logs. Can someone assist with creating a search query to find if "the AWS ELB Logging is enabled/disabled"?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-07-2025
04:44 PM
|
