Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About pfabrizi
pfabrizi
Path Finder
Member since:
02-15-2017
06-05-2020
Community Statistics
| Posts | 208 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 9 |
| Member Since | 02-15-2017 |
Activity Feed
- Got Karma for How does DUO authentication for SPLUNK work?. 01-06-2026 08:03 AM
- Got Karma for How do I configure email settings on a search head (SH) cluster?. 06-18-2025 10:46 AM
- Got Karma for Re: How to create an If Statement in Props.conf?. 06-05-2020 12:49 AM
- Got Karma for Re: Universal forwarder deprecated for Windows 2008 on Splunk 7.0.0?. 06-05-2020 12:49 AM
- Got Karma for What is considered a full back up of Search Head?. 06-05-2020 12:49 AM
- Got Karma for LookUp Functionalility. 06-05-2020 12:49 AM
- Got Karma for Re: Universal forwarder is listening to the wrong port for the splunkd process. 06-05-2020 12:49 AM
- Got Karma for SSL certificate for Splunk Web process -- can you verify these steps I'm taking?. 06-05-2020 12:49 AM
- Got Karma for How would you use an internal signed certificate with a Search Head (SH) cluster?. 06-05-2020 12:49 AM
- Posted Why is our alarm not launching all tasks? on Reporting. 12-13-2018 09:33 AM
- Posted Can I tab delimit a report file on Splunk Search. 12-03-2018 11:56 AM
- Posted SPLUNK will Not Start on All Apps and Add-ons. 11-28-2018 02:33 PM
- Posted Can you help me with the following query using the coalesce command? on Splunk Search. 11-26-2018 12:53 PM
- Posted Re: Lookup File Lookup in props\transform on All Apps and Add-ons. 11-19-2018 08:23 AM
- Posted Lookup File Lookup in props\transform on All Apps and Add-ons. 11-15-2018 05:48 AM
- Posted How does a LOOKUP and Report command work in a PROPS.CONF ? on Getting Data In. 10-19-2018 09:19 AM
- Posted Why aren't lookups replicating on search head (SH) cluster? on Deployment Architecture. 10-04-2018 09:28 AM
- Posted Re: How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:55 AM
- Posted How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:17 AM
- Tagged How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
08-20-2018
05:00 AM
I have a UF running on a linux device, with a TCP input. The input is coming from a Graylog forwarder and all the windows events coming with a 'winlogbeat_ preface.
I want to black list windows events coming by event code and normally I use a blacklist -= EventCode="xxxx" Message=....
however the eventcode comes in as winlogbeat_event_id,
I did try this:
blacklist1= winlogbeat_event_id = "4662"
This doesn't appear to work.
Can someone help with this?
Is there any log that shows events being whitelisted or blacklisted?
Thank You!
... View more
08-16-2018
03:04 AM
so when I run ./splunk show shcluster-status on a member it shows me the members and the captain and the members as up. When I try to run this command on my sh master\deployer it tell me search head master in not enabled.
I can see that my apps are under /opt/splunk/etc/shcluster/apps.
any thoughts?
Thank You!
... View more
08-15-2018
11:48 AM
I had to update a props.conf and I am trying to push it via my Index cluster master and my sh cluster deployer.
what is the command to push from my index cluster?
when I try pushing from SH cluster deployer I get this error:
Error while deploying apps to target=https://txxxxxxx2:8089 with members=2: No captain found amongst members
I used command ./splunk apply shcluster-bundle -target https://txxxxxx2:8089.
THis worked last week when I pushed a new app.
Thanks!
... View more
- Tags:
- splunk-enterprise
07-16-2018
10:40 AM
We are moving off our current SIEM to SPLUNK and one of the reports from our current siem writes to windows share. Can I do this with SPLUNK?
Thanks!
... View more
- Tags:
- splunk-enterprise
07-15-2018
02:14 PM
I am using the UF to try and collect logs from a custom windows application. Below is my inputs.conf stanza. How I am not seeing the logs. How can I see if they are getting collected and how can see if they are getting to the indexer?
[WinEventLog://Quest File Access Audit]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
... View more
07-12-2018
09:14 AM
can I use this in a props.conf?
if so what would the command look like?
thanks!
... View more
07-12-2018
07:57 AM
I have a event field that comes in as a string that is comma separated.
field look like https://google.con,https://Microsoft.com,https://splunk.com
In my props I have an eval:
EVAL-urls = split(urls, ",")
when searched we only see the https://google.com is the urls field.
How can I make this multivalued ?
Thanks!
... View more
- Tags:
- splunk-enterprise
07-10-2018
10:25 AM
I built a scripted process to perform an upgrade. When i issue the splunk start command I get the license agreement and have to answer a few questions. Is there a way to bypass this? I have an enterprise license and I am on linux going from 6.6.3 to 7.0.4.
Here is the message I see. This forces me to run the process interactively and I would like to make this a scheduled process
command: /trvapps/splunk/bin/splunk start
SPLUNK SOFTWARE LICENSE AGREEMENT
Thanks!
... View more
- Tags:
- splunk-enterprise
07-02-2018
06:30 PM
I am 6.6.3 and we want to upgrade to 7.0.4 but I am having difficultly find the url for the install. Can someone point me in the correct direction?
Thanks!
... View more
- Tags:
- splunk-enterprise
06-28-2018
05:40 PM
Hi Amiftah,
So I would just add this to my inputs.conf?
source=_json
sourcetype=box
thanks!
... View more
06-28-2018
01:40 PM
We are trying to pull in slack data using function1 which is not work as we are using the new api. We had a call with slack and they suggested to create a custom app. In the interim what we would like to is create a script that fetches the slack events and writes to a file and then use a file monitor to retrieve the events.
Slack returns the data in json, so how would I setup the file monitor to read json? Or would I just format the data in the script that retrieves slack?
Thanks!
... View more
06-28-2018
06:44 AM
I am using Graylog to forward my windows events, all the events field names start with winlogbeat, but some are
_event_data_targetname and some are _event_data_Subjectname. This appears to be different based on windows event type.
Can I do a
if winlogbeats_event_data_targetnamedomain not null then
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_TargetDomainName as Account_Domain
else
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_SubjectDomainName as Account_Domain
Thanks!
... View more
06-28-2018
06:13 AM
That is what I thought.
Thank You!
... View more
06-28-2018
04:51 AM
I am forwarding windows events from graylog to a UF and then UF to Indexer.
I have a props.conf to create field alias from the Graylog fields. Once I have these I want to eliminate the gray log fields from being indexed.
Here is Props.conf.
FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
FIELDALIAS-winlogbeat_as_processname = winlogbeat_event_data_ProcessName as Process_Name
FIELDALIAS-winlogbeat_as_logonid = winlogbeat_event_data_TargetLogonId as Logon_ID
FIELDALIAS-winlogbeat_as_user = winlogbeat_event_data_TargetUserName as user
FIELDALIAS-winlogbeat_as_src_user = user as src_user
FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords as action
FIELDALIAS-winlogbeat_as_security_id = winlogbeat_event_data_TargetUserSid as Security_ID
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_TargetDomainName as Account_Domain
FIELDALIAS-winlogbeat_as_logontype = winlogbeat_event_data_LogonType as Logon_Type
FIELDALIAS-winlogbeat_as_srcip = winlogbeat_event_data_IpAddress as src_ip
FIELDALIAS-winlogbeat_as_src = winlogbeat_computer_name as src
FIELDALIAS-winlogbeat_as_destip = src_ip as dest_ip
How would I eliminate the winlogbeat fields from being indexed?
Thanks!
... View more
06-26-2018
04:25 AM
I am using Graylog (winlogbeats) to forward windows events to a Linux based UF. I have a props.conf on my indexer and SH to set field alias since Graylog forwards fields with a winlogbeats preface. I have 2 questions:
if I want to whitelist\blacklist on the UF would I look for the fields with windlogbeats?
so instead of this: blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
would I replace it with this: blacklist1 = Winlogbeat_EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
should I or should I not put the props.conf on the linux UF?
it looks like this:
[graylog:windows]
SHOULD_LINEMERGE = false
TIME_FORMAT=%Y-%b-%d %H:%M:%S
TZ = UTC
FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
FIELDALIAS-winlogbeat_as_processname = winlogbeat_event_data_ProcessName as Process_Name
FIELDALIAS-winlogbeat_as_logonid = winlogbeat_event_data_SubjectLogonId as Logon_ID
FIELDALIAS-winlogbeat_as_user = winlogbeat_user_data_SubjectDomainName as user
FIELDALIAS-winlogbeat_as_src_user = winlogbeat_user_data_subjectDomainName as src_user
FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords as action
FIELDALIAS-winlogbeat_as_security_id = winlogbeat_user_data_SubjectUserSid as Security_ID
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_user_data_SubjectDomainName as account_domain
Thanks!
... View more
- Tags:
- splunk-enterprise
06-22-2018
08:33 AM
I got the slack add-on from Function 1 and I put it on my forwarder. I had to use a legcy token, but when I start I get this error:
An error occurred updating credentials. Please ensure your user account has admin_all_objects and/or list_storage_passwords capabilities. Details: 'NoneType' object has no attribute 'storage_passwords'
all I configured was the token and max_days.
... View more
- Tags:
- splunk-enterprise
06-20-2018
07:47 AM
OK, I changed the port to 9996. I see it listening on that port. I no longer get the error messages but I am not seeing any data flow to indexer.
am I missing anything? This is running on a Linux UF.
This is my inputs.conf
[tcp://9996]
index=wineventlog
I see these messages in the metrics.log but don't know what they mean.
06-20-2018 10:35:13.269 -0400 INFO Metrics - group=tcpin_connections, 10.xx.xx.4:51718:9996, connectionType=raw, sourcePort=51718, sourceHost=server.doamin.net, sourceIp=10.xx.xx.4, destPort=9996, kb=0.00, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.01, _tcp_Kprocessed=2.14, _tcp_eps=0.00, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00
... View more
06-19-2018
03:10 PM
Hi SSIEVENT,
I was just thinking that and in the process to tell the Graylog folks to send under another port. I am using a UF, so I have no UI, but i should be able to setup a inputs.conf with a tcp listener.
Thank You!
... View more
06-19-2018
04:20 AM
Sorry, I wasn't seeing this yesterday but I am today.
06-19-2018 07:16:00.830 -0400 ERROR TcpInputProc - Message rejected. Received unexpected message of size=842019128 bytes from src=10.00.0.7:52640 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
I am going to go back to our Graylog folks and see if they can decrease the payload, is this correct?
Thanks!
... View more
06-19-2018
04:16 AM
I have Graylog forwarding to a UF over port 9997 and I see events streaming in but not being picked up by SPLUNK. I have a inputs.conf set to [splunktcp:9997] . I tried to setup a syslog.conf to tream to a file but realized that is port 514 and 9997. Can any one provide some debugging hints?
How can I see if the events are getting picked up by the UF and just not forwarding?
I looked in the Metrics.log but see nothing, is that the correct place to look?
Thanks!
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
