Activity Feed
- Got Karma for Dashboard Studio - Screens to CRUD KV store records- What is everyone else using?. 09-29-2023 09:16 AM
- Karma Re: Dashboard Studio - Screens to CRUD KV store records- What is everyone else using? for ehowardl3. 12-06-2022 01:42 PM
- Posted Re: Automatically shut off HEC when volume gets too high on Splunk Enterprise. 10-02-2022 07:32 AM
- Posted I can't access kvstore via curl from within splunk cloud - but it is working from powershell and postman? on Splunk Cloud Platform. 09-20-2022 09:44 AM
- Posted Dashboard Studio - Screens to CRUD KV store records- What is everyone else using? on Getting Data In. 09-16-2022 02:15 PM
- Got Karma for Re: Why has iplocation /all just stopped working - was returning timezone?. 09-13-2022 06:33 PM
- Posted Re: Why has iplocation /all just stopped working - was returning timezone? on Splunk Cloud Platform. 09-13-2022 03:27 PM
- Posted Why has iplocation /all just stopped working - was returning timezone? on Splunk Cloud Platform. 09-13-2022 01:20 PM
- Tagged Why has iplocation /all just stopped working - was returning timezone? on Splunk Cloud Platform. 09-13-2022 01:20 PM
- Posted Re: Create table using nested json on Splunk Search. 08-19-2022 06:59 AM
- Posted Re: Getting an intermittent error searching against a kvstore with json using inputlookup and lookup on Splunk Search. 08-18-2022 08:29 PM
- Posted Getting an intermittent error searching against a kvstore with json using inputlookup and lookup- How to fix? on Splunk Search. 08-18-2022 08:02 PM
- Tagged Getting an intermittent error searching against a kvstore with json using inputlookup and lookup- How to fix? on Splunk Search. 08-18-2022 08:02 PM
- Posted Throttling resetting suppresions on Splunk Search. 06-07-2022 01:02 PM
- Tagged Throttling resetting suppresions on Splunk Search. 06-07-2022 01:02 PM
- Karma Re: How to update geoip database for iplocation command? for VatsalJagani. 06-07-2022 10:40 AM
- Posted Re: Timezone interpretation on Alerting. 06-04-2022 08:45 AM
- Posted Re: Timezone interpretation on Alerting. 06-04-2022 07:32 AM
10-02-2022
07:32 AM
Did you get a response on this?
09-20-2022
09:44 AM
I'm not sure what I've done - getting an error when trying to use the webtools curl add-on which I'm not getting from Postman or PowerShell:
"https://<myhost>.splunkcloud.com:8089/services/server/introspection/kvstore/serverstatus"
HTTPSConnectionPool(host='<myhost>.splunkcloud.com', port=8089): Max retries exceeded with url: /services/server/introspection/kvstore/serverstatus (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb7520b0990>: Failed to establish a new connection: [Errno 110] Connection timed out'))
Any internal settings from within Splunk Web likely to have that effect?
Labels: troubleshooting
09-16-2022
02:15 PM
1 Karma
Does anyone feel like we are going to be able to create modern dashboards which allow us to interact with KV store data in the same way we were able to in Simple XML? The old-school dashboards feel a bit clunky.
The alternative is exposing the data feeds via REST and using a third-party tool such as retool.com to allow the CRUD of KV store items.
The dedicated app for lookup file editing is useful but not great for end-user consumption.
I was wondering what people are using? Apologies if I missed how to achieve this - most seemed to be old-school Simple XML dashboards.
Labels: JSON
09-13-2022
03:27 PM
1 Karma
Ok, I fixed it by updating to a new version of the GeoLite2-City database - I don't appreciate it stopping working in an upgrade though! I had a job reliant on that process.
09-13-2022
01:20 PM
I am on Splunk Cloud and have been using this functionality, which is pretty useful to determine what timezone our users are in. It just seems to have stopped since last Tuesday; we just got our environment upgraded to Version 8.2.2203.4. It is returning the fields for timezone and metro but no data.
Any ideas? (where x.x.x.x = ip address)
| makeresults 1 | eval src_ip = "x.x.x.x" | iplocation src_ip allfields=true | transpose
gives

column | row 1 |
---|---|
City | Houston |
Continent | North America |
Country | United States |
MetroCode | |
Region | Texas |
Timezone | |
_time | 1663100176 |
lat | 29.7604 |
lon | -95.3698 |
src_ip | x.x.x.x |

I've raised a case but am interested if anyone else has experienced this.
Tags: iplocation
Labels: troubleshooting
08-19-2022
06:59 AM
I think a KV store with JSON should be what you want. You can use collections.conf or the lookup file editor to define the non-JSON elements and type, and one for the array - then I would call them out explicitly in the transforms.conf file so you can play nicely with them using lookup and inputlookup.
The structure you settle on will depend on how you analyze this going forward, but I'd be tempted to start with this (you can view it in https://jsongrid.com/json-grid):
{
  "status": "finished",
  "duration_array": [
    { "status": "A", "duration": 123 },
    { "status": "B", "duration": 456 },
    { "status": "C", "duration": 678 }
  ]
}
To use the KV store, you can define it using collections.conf, and the lookup editor or the lookup file editor in Cloud. I prefer using the structure I have suggested as you can easily insert new status values, becomes
You should be able to refer to the data elements and do whatever you want - unless I'm missing the point.
08-18-2022
08:29 PM
Ok found a bit more...
56 _userContext= nobody
08-19-2022 03:15:09.120 ERROR HttpClientRequest [13376 phase_1] - Caught exception while parsing HTTP reply: Unparsable gzip header in HTTP response
08-19-2022 03:15:09.120 ERROR KVServiceClient [13376 phase_1] - KVServiceClient transaction failed after 0 retries. uri = <blah>
08-19-2022 03:15:09.120 ERROR SSCInputLookup [13376 phase_1] - Failed to call KVServiceClient for Input Lookup:
08-19-2022 03:15:09.120 ERROR SearchOperator:inputcsv [13376 phase_1] - Error in 'inputlookup' command: External lookup table 'inputlookup' returned error code 0. Results might be incorrect.
08-18-2022
08:02 PM
On Splunk Cloud 8.2.2202.2.
Issuing the command as follows I get an error one time out of four:
| inputlookup append=t ethos_vulnaction_generic
Last 30 minutes Error in 'inputlookup' command: External lookup table 'inputlookup' returned error code 0. Results might be incorrect. The search job has failed due to an error. You may be able view the job in the Job Inspector.
| inputlookup append=t ethos_vulnaction_generic
Restarted Splunk - no luck.
Not sure how to decipher the Job Inspector - but this inconsistency (sometimes it works, sometimes it doesn't) is strange.
The KV store was populated with JSON, and the lookup does have a filter in it: NOT asset_specific = "true"
I tried removing the filter to see if this impacted the results but I still get an error about one time in four.
If I do a REST query of the KV store in JSON it looks healthy to me... besides, if I take this filter out I still get stability issues: "asset_specific": true,
A cut-down example of the JSON used to populate the record. I do refer explicitly to the field in the lookup as details.plugin_id, which the lookup command seems to like. A snippet of the JSON:
{
  "action_description": "zulu specific",
  "asset_specific": true,
  "details": {
    "plugin_id": [ "153989" ]
  }
}
Labels: lookup
06-07-2022
01:02 PM
I'm getting a bit annoyed at throttling for each, as although it works, it has a habit of resetting itself if I need to tweak the SPL or cron time... almost tempted to populate a KV store and take control... anyone else? Does editing savedsearches.conf or the advanced edit option allow you to get round what I perceive as annoying behavior?
Tags: alerts, throttling
Labels: Other
06-04-2022
08:45 AM
Got the basis of this working:
| makeresults 1
| eval header="{\"content-type\":\"application/json\"}"
| eval api_key = "<API_KEY>"
| eval tz = "America/Los_Angeles"
| eval where = "https://api.ipgeolocation.io/timezone?apiKey=" + api_key + "&tz=" + tz
| eval myuser = "nobody"
| eval myuri = where
| curl method=get urifield=myuri headerfield=header debug=true
| table curl*
| spath input=curl_message
Be interested in suggestions for alternatives though.
06-04-2022
07:32 AM
Thanks, but my starting point is not the time but the IP address: | iplocation allfields=true src_ip. I'm trying to build a table of people and offsets from UTC so I can decide: OK, I'm going to send an alert at 10am for all people in Thailand... or all people on Mountain time. I know it won't be perfect - and I need to get rid of all the noise of VPNs and consider travellers - but it's a lot better than sending emails at 2am in the morning.
06-04-2022
07:28 AM
I found this web service which should get me what I want: https://ipgeolocation.io/documentation/timezone-api.html - I'd have thought there is a way in Splunk. Basically my starting point is the iplocation -all and I need to interpret the Country/State timezone expression.
# Get 'America/Los_Angeles' timezone information
$ curl 'https://api.ipgeolocation.io/timezone?apiKey=API_KEY&tz=America/Los_Angeles'
{
"timezone": "America/Los_Angeles",
"timezone_offset": -8,
"date": "2018-12-06",
"date_time": "2018-12-06 02:02:09",
"date_time_txt": "Thursday, December 06, 2018 02:02:09",
"date_time_wti": "Thu, 06 Dec 2018 02:02:09 -0800",
"date_time_ymd": "2018-12-06T02:02:09-0800",
"date_time_unix": 1544090529.989,
"time_24": "02:02:09",
"time_12": "02:02:09 AM",
"week": "49",
"month": "12",
"year": "2018",
"year_abbr": "18",
"is_dst": false,
"dst_savings": 1
}
06-03-2022
08:52 PM
I have a use case which is basically about alerting users for vulnerabilities when we need them to take action.
This is a centralised pull from Tenable, so far so good.
My issue is how to defer and control the sending of the alert so it doesn't wake up people in various time zones around the world. I don't want them getting alerts at 2am or on Sunday in their timezone, unless Sunday is a workday - that's a whole different matter.
I looked at ip lookup allitems=true and can get the timezone, so that is a step forward.
But I can't seem to find out how to convert the Americas/Vancouver timestamp to an offset of UTC which I can play with.
I'm sure some of you with global companies must have dealt with this challenge. My understanding is you can get fined in Germany for communicating with employees out of hours. Let's just say I manage to determine the correct textual timestamp like Americas\Chicago - how do I translate that to a UTC offset?
Of course if anyone can spot what I'm trying to do and has a better way then I'm all ears.
Tags: alert, splunk-search
Labels: alert action, throttling
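The question above (and the follow-up about building a table of people and UTC offsets) is answered by the IANA tz database rather than by a web service: a zone name such as America/Chicago only maps to an offset for a particular instant, because of DST. The following is an added Python example written for this page; it is not part of the thread, not the poster's SPL and not a Splunk feature. It assumes Python 3.9+ with the standard zoneinfo module and a tz database on the host, and the names normalize_zone, utc_offset_hours, next_send_time and schedule_alerts are chosen here. It goes one step beyond the question by also computing the next workday send slot per zone and by setting aside records whose zone name is not a valid tz key (like the Americas\Chicago spelling in the post) instead of guessing.

```python
"""Turn an IANA timezone name (as returned by iplocation's Timezone field)
into a UTC offset and a "next safe send time" for an alert.
Added example, not from the original thread; assumes Python 3.9+ with
zoneinfo and a system tz database (or the tzdata package) available."""
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError


def normalize_zone(name: str) -> str:
    """Clean up a zone name and verify it exists in the tz database.
    Backslashes (e.g. 'America\\Chicago') are turned into slashes; an
    unknown zone raises ZoneInfoNotFoundError rather than silently
    falling back to UTC, so the caller can quarantine the record."""
    cleaned = name.strip().replace("\\", "/")
    ZoneInfo(cleaned)  # raises ZoneInfoNotFoundError if the name is unknown
    return cleaned


def utc_offset_hours(zone: str, at: datetime) -> float:
    """UTC offset in hours for `zone` at the instant `at` (an aware datetime).
    The offset depends on the instant because of DST, which is why a
    static Country -> offset table would be wrong for half the year."""
    local = at.astimezone(ZoneInfo(normalize_zone(zone)))
    return local.utcoffset().total_seconds() / 3600


def next_send_time(zone: str, now_utc: datetime, send_hour: int = 10,
                   workdays=(0, 1, 2, 3, 4)) -> datetime:
    """Earliest instant (returned in UTC) after now_utc that is
    `send_hour`:00 local time on a workday in `zone`.
    workdays uses datetime.weekday() numbering: Monday=0 ... Sunday=6."""
    tz = ZoneInfo(normalize_zone(zone))
    local_now = now_utc.astimezone(tz)
    candidate = datetime.combine(local_now.date(), time(send_hour), tzinfo=tz)
    # Walk forward a day at a time until the slot is in the future and on a workday.
    while candidate <= local_now or candidate.weekday() not in workdays:
        candidate = datetime.combine(candidate.date() + timedelta(days=1),
                                     time(send_hour), tzinfo=tz)
    return candidate.astimezone(timezone.utc)


def schedule_alerts(recipients, now_utc: datetime):
    """Group recipients by the UTC instant their alert should go out.
    recipients: iterable of (user, zone) pairs, e.g. joined from iplocation output.
    Records with an unknown zone are returned separately instead of being
    guessed, so nobody is paged at 2am because of a bad lookup value."""
    batches, unknown = {}, []
    for user, zone in recipients:
        try:
            slot = next_send_time(zone, now_utc)
        except (ZoneInfoNotFoundError, ValueError):
            unknown.append(user)
            continue
        batches.setdefault(slot, []).append(user)
    return batches, unknown


if __name__ == "__main__":
    # Constructed sample data: a users-to-Timezone table as iplocation might yield it.
    sample = [("alice", "America/Chicago"), ("bob", "Asia/Bangkok"),
              ("carol", "Europe/Berlin"), ("dave", "Americas/Vancouver")]
    now = datetime(2022, 6, 3, 20, 0, tzinfo=timezone.utc)  # a Friday, 20:00 UTC
    for user, zone in sample[:3]:
        print(f"{user:6} {zone:18} UTC{utc_offset_hours(zone, now):+.1f}")
    batches, unknown = schedule_alerts(sample, now)
    for slot, users in sorted(batches.items()):
        print(slot.isoformat(), users)
    print("unknown zone, needs review:", unknown)
```

A scheduled search could write the per-user zone into a KV store and a downstream script could apply schedule_alerts to decide which batch each recipient belongs to; the batch key is a UTC instant, so it can be compared directly against _time without further conversion.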
10-11-2021
06:37 AM
As before, I just clicked on upgrade in the management of apps screen and it seems to have emptied the local directory! Restoring from a backup.
10-10-2021
01:32 PM
I'm fairly sure by clicking on the update hint from the management screen /en-US/manager/launcher/apps/local
10-10-2021
11:26 AM
I got an all-in-one setup, and just downloaded the app without pre-testing - my bad.
10-10-2021
08:26 AM
I thought I was following OK practice as these were customisations to collections.conf, transforms.conf and savedsearches.conf in the local directory, but it appears the app owner just got rid of them when I upgraded from 5.0.0 to 5.1.0. Working to recover the situation and have pinged the developer. The data should be recreated. Was it my fault by adding stanzas to a commercial app? Or should I have been protected if I stuck to local copies?
Tags: tenable
Labels: upgrade
10-04-2021
06:39 AM
Did you get this resolved? I'm getting this
06-02-2021
08:40 PM
Ok, I was able to get a workaround of sorts... I suspect it would be resolved if I used REST to create the item in the first place, as I then would be in charge of explicitly declaring that some of these fields are arrays (and then I wouldn't have to rely on the magic of tojson to deduce what it can't possibly tell). (I'm using outputlookup to populate the very simple structure.)
The workaround was just to accept that the kvstore stores the values, but realizing that reissuing a stats(value) command generates true mv fields which tojson pays attention to allows me to force the array JSON generation in this context... and it does that even if there is only one value in the field which is destined to be sent as an array (in this requirement). So before sending the JSON on its way I issue a stats command for the record to be sent:
inputlookup kvstoreresource where .... | stats latest(action_type) as action_type, latest(asset_plugin_count) as asset_plugin_count, values(asset_uuid) as asset_uuid ...
Here I am explicitly giving the tojson command which follows a heads-up on which fields are to be treated as arrays (the ones where I use an mv-generating command like list or values) and which fields are just to be treated as single values, so when I issue a tojson auto(*) command it takes its cues from the stats command.
Not sure if this is ideal, but it works and the volume of the integration is tiny - one record per day if that 🙂 I was hoping that kvstore would have understood when it was populated with outputlookup that the single value fields generated with multi values were to be stored and exported as arrays, avoiding this overhead.
06-01-2021
04:20 PM
I'm trying to export results as JSON as part of an integration, but can't seem to force the generated JSON to always be arrays for certain fields which sometimes only have one value... in those cases it reverts to a string and causes headaches downstream. The data has been stored in a kvstore and I'm wanting to fix it pre or post storage in the kvstore before executing the JSON-generating command. One thing I found is that if I act on the field with mvcombine, the functions tojson and makejson seem to realize how to convert it... but if I do that on fields that have multiple values it messes them up and puts a \n in between my values.
Tags: json, export
Labels: development
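The problem in this thread (a field that is sometimes one value and sometimes many, and a downstream consumer that needs it to be an array every time) can also be settled on the receiving side of the integration instead of in SPL. The following is an added Python example written for this page, not the poster's search and not a Splunk API: it normalizes records as they would be read from the KV store, where a multivalue field may arrive as a list, as a single string, or (after mvcombine) as one string with values joined by "\n", and it includes a check that validates a finished payload before it is handed on. The function names (to_array, normalize_record, export_json, check_export) and the sample records are constructed here.

```python
"""Force designated fields to serialize as JSON arrays even when they hold a
single value (or none). Added example, not the poster's SPL and not a Splunk
API; it shows the normalization step a downstream integration can apply to
records read from the KV store. Assumes multivalue fields may arrive as a
Python list, as a single string, or (after mvcombine) as one string with the
values joined by a separator."""
import json

MV_SEPARATOR = "\n"  # what mvcombine inserts between values, per the thread above


def to_array(value, separator=MV_SEPARATOR):
    """Coerce one field value into a list of strings.
    None/empty -> [], list/tuple -> list of str, 'a\\nb' -> ['a', 'b'], scalar -> [scalar]."""
    if value is None or value == "":
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    if isinstance(value, str) and separator in value:
        return [part for part in value.split(separator) if part != ""]
    return [str(value)]


def normalize_record(record: dict, array_fields, separator=MV_SEPARATOR) -> dict:
    """Return a copy of `record` in which every field named in array_fields is a list.
    Fields not listed are left untouched, so genuine scalars stay scalars."""
    out = dict(record)
    for field in array_fields:
        if field in out:
            out[field] = to_array(out[field], separator)
    return out


def export_json(records, array_fields) -> str:
    """Serialize a batch of KV store records as a JSON array of objects,
    with array_fields guaranteed to be JSON arrays in every object."""
    return json.dumps([normalize_record(r, array_fields) for r in records], indent=2)


def check_export(payload: str, array_fields) -> list:
    """Validate an already-produced JSON payload: returns (record index, field)
    pairs where a required array field is not a JSON array. An empty list means
    the payload is safe to hand downstream."""
    problems = []
    for i, rec in enumerate(json.loads(payload)):
        for field in array_fields:
            if field in rec and not isinstance(rec[field], list):
                problems.append((i, field))
    return problems


if __name__ == "__main__":
    # Constructed sample records, shaped like the cut-down JSON in the thread.
    sample = [
        {"action_type": "notify", "asset_uuid": "a1", "plugin_id": "153989"},
        {"action_type": "notify", "asset_uuid": ["a2", "a3"], "plugin_id": "153989\n153990"},
        {"action_type": "notify", "asset_uuid": None, "plugin_id": []},
    ]
    payload = export_json(sample, ("asset_uuid", "plugin_id"))
    print(payload)
    print("problems:", check_export(payload, ("asset_uuid", "plugin_id")))
```

The array_fields set plays the role the stats values() trick plays in the poster's workaround: it is the one explicit declaration of which fields are arrays, so the exporter never has to infer that from how many values happen to be present in a given record.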
04-18-2021
04:39 PM
Bit of an annoyance this one - hopefully there will be a new panel for the new dashboard emulation.
02-13-2021
02:38 PM
sourcetype="0365:*"
  [ union
    [ ldapsearch domain=blah basedn="more blah " scope="sub" search="(&(objectCategory=person)(objectClass=user))" attrs="employeeID,mail,physicalDeliveryOfficeName" | eval email=lower(mail) | dedup email | fields + email | rename email as query | format ]
    [ ldapsearch domain=blah basedn="more blah " scope="sub" search="(&(objectCategory=person)(objectClass=user))" attrs="employeeID,mail,physicalDeliveryOfficeName" | eval email=lower(mail) | dedup email | fields + email | rename email as query | format ]
  ]
| fields - splunk_server - src_ip - ClientIP - Senderip - SenderIP - host
| eval user_id=lower(user_id)
| eval src_user = lower(src_user)
| eval user=lower(user)
| search (user="*") (Operation="*")
| fillnull value="Not Found" user Operation dvc
| eval myfield = Operation + " | " + user
| timechart count by Operation limit=0
02-13-2021
08:33 AM
This is weird to me - I'm not getting the same information when I create a dashboard from events as when I do it through the SPL editor - it's like the same events are not being interpreted the same way. I've never seen this happen like this before. The events are Microsoft:0365 events and I'm finding that when I run it through SPL it works fine, but when I transpose the same query to an editor some of the fields like dvc are null... Both the query and dashboard are created under Search and Reporting... so I'm not getting this... The query is a bit of a new venture for me - it's a join between the events and a union on two ldapsearches (to establish the users whose events I want to extract)... but I don't get this...
Tags: dashboard spl 365
Labels: Other
02-25-2020
01:18 PM
I'm getting the same
01-16-2020
12:42 PM
Ok, my bad - I hadn't realized the tags are stored in tags.conf in the user directory under etc\local%username%\oldapplicationdir and they were still there...