Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About joshuamcqueen
joshuamcqueen
Path Finder
Member since:
08-02-2012
06-05-2020
Community Statistics
| Posts | 27 |
| Solutions | 1 |
| Karma Given | 8 |
| Karma Received | 19 |
| Member Since | 08-02-2012 |
Activity Feed
- Got Karma for Re: exit_code=255 ERROR dispatchRunner. 06-05-2020 12:49 AM
- Karma Re: Is it possible to access properties from a custom config file (props.conf) in a Simple XML extension? for kbarker302. 06-05-2020 12:48 AM
- Karma Re: How to write regex to capture multiple groups and replace parentheses with periods from DNS Logs? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Enterprise Security: How to add swimlanes of custom sourcetypes to Identity Investigator dashboard? for jcoates_splunk. 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Enterprise Security: How to add swimlanes of custom sourcetypes to Identity Investigator dashboard?. 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd. 06-05-2020 12:47 AM
- Got Karma for TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd. 06-05-2020 12:47 AM
- Got Karma for TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd. 06-05-2020 12:47 AM
- Karma Re: Display images in dashboard - dynamically from search for sideview. 06-05-2020 12:46 AM
- Karma Re: Display images in dashboard - dynamically from search for Genti. 06-05-2020 12:46 AM
- Karma Re: ERROR DistBundleRestHandler - Problem untarring file for clocker_splunk. 06-05-2020 12:46 AM
- Karma Why is the dispatch.finalizeRemoteTimeline causing searches to take extremely long to finish? for mjones414. 06-05-2020 12:46 AM
- Karma Re: Splunk 6 Web Framework - Python SDK - How to get logged in username? for ineeman. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 7 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 |
05-30-2019
12:33 PM
Hi there!
I REALLY like your app -- thanks for taking the time to develop/share with the community.
One question I had was around REST endpoint:
/services/pdf export
I dug through the python code and saw it accepts two pieces of data:
data = [
('DashboardURL', dashboard_url),
('ScheduleParam', schedule_param),
]
But I couldn't figure out how to get it working. Can you please share a working example?
Thanks!
... View more
03-16-2018
08:47 AM
1 Karma
Solution: Rename the app and deploy to search heads.
... View more
03-16-2018
08:47 AM
Yup! Renaming must have fixed it on our end too. Haven't seen the "red triangle of doom" pop back up yet. Marking as solved.
... View more
03-15-2018
01:05 PM
I am having the exact same issue you describe. All nodes are Splunk 7.0.2.
Very simple app -- just a dashboard and some panels -- yet sometimes it works, sometimes it doesn't.
Setup: 1 SH --> 3 Indexers. No clustering.
Did you figure it anything out?
... View more
10-20-2014
08:20 PM
7 Karma
Hey Splunkers,
Question about notable events. I know how to modify a correlation drill-down searches (and pass tokens into it). But lately my security analysts have been asking, "can we pass those same tokens into a dashboard?"
So can you? Is there any customization you can do to ES to specify a correlation search to drilldown into a dashboard INSTEAD of a search? This could save our analysts a LOT of time. Thanks!!
... View more
08-26-2014
10:39 AM
Hey Splunkers,
Working on configuring Enterprise Security and need a hand with New Domain Analysis Dashboard. Here's whats up:
Under "Domain Type" when I select
"Newly Seen" -- I see plenty of
results and all but the bottom panel
populate correctly.
Under "Domain
Type" when I select "Newly
Registered" -- none of the panels
populate.
My hunch is that whatever mechanism that calls the "whois" doesn't work correctly. I went into "SA-NetworkProtection\bin" and chmoded all the python files to execute. Permissions look right.
The problem (I think) is that my ES search head has no internet access. Pretty sure I need to open up the mechanism that makes the whois work. Any advice on this? Documentation? Instructions?
As always, thanks in advance!
... View more
08-25-2014
08:05 AM
VERY Helpful. Would have never figured this out on my own.
Thank you for showing me this example. I'll work on implementing this soon -- provide more information, questions as they come up.
... View more
08-25-2014
06:50 AM
1 Karma
Hey Splunkers,
Our securty team really likes the Identity Investigator dashboard. Only things is -- it would be GREAT to add a few more swimlanes of custom sourcetypes (for example, our DNS, Proxy...etc).
I see you can edit, remove, rename the default sourcetypes, but is there anyway to add a new one?
Looked at the code underneath and everything seems pretty hard-coded. Is there a best-practices approach?
Thanks!
... View more
08-21-2014
12:04 PM
There is a blog article that talks about this approach: http://stratumsecurity.com/2012/07/03/splunk-security/
... View more
08-21-2014
11:26 AM
Stumped on a regex problem and need a hand. Basically, I have DNS logs that come in like this:
8/21/2014 9:32:20 AM 0E5C PACKET 000000298F0CA280 UDP Rcv 10.2.56.13 136b Q [0001 D NOERROR] PTR (2)25(2)21(1)5(2)10(7)in-addr(4)arpa(0)
8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 7d30 Q [0001 D NOERROR] A (14)usca-cdst-sw01(3)domain(3)com(0)
8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 ce83 Q [0001 D NOERROR] A (14)usca-edge-sw01(3)domain(3)com(0)
8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 db29 Q [0001 D NOERROR] A (14)usxo-core-vg02(3)domain(3)com(0)
8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 42b1 Q [0001 D NOERROR] A (14)brca-rvrb-wo01(3)bru(3)domain(3)com(0)
Towards the end of each event, you'll see something like, "(14)ussp-usrv-rt01(3)domain(3)com(0)"
Basically, I'm trying to write regex to convert this into "ussp-usrv-rt01.domain.com"
My strategy was to capture everything after NOERROR]\s+\w+\s+ to end of line, then replace the parenthesis with a period. Having trouble getting it just right.
Any suggestions? Thanks!
... View more
06-26-2014
07:25 AM
Thanks or the info. Is this warning harmless? Can it be affecting performance? Is there anyway to suppress?
... View more
06-25-2014
10:35 PM
3 Karma
Hey Splunkers,
I'm getting an error in _internal that I can't seem to figure out. Every enabled app that has a csv lookup is throwing this error in splunkd.log. These happen quite frequently -- adding up to 100,000 a day! 😞
Environmont Details: Splunk 6.1. Enterprise Security 3.1
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=identities_expanded.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=pci_domains.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=pci_domains_from_assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=identities.csv in lookups.conf, cannot enumerate fields list
Why would Splunk complain about every csv lookup in my environment??? I don't get any syantax errors when I start splunk. Any help would be greatly appreciated. Thanks!
... View more
12-16-2013
07:46 PM
Both of these work: Thanks for the help!
request.user.realname
request.user.name
... View more
12-13-2013
07:33 AM
1 Karma
I came up with a solution, though it's not very pythonic. Basically I take the XML of the REST response and grab the specific strings. It works but it's kinda ugly.
import re
response = service.get('/services/authentication/current-context')
result = re.search('<s:key name="username">(.*)</s:key>', response.body)
username = result.group(1)
result = re.search('<s:key name="realname">(.*)</s:key>', response.body)
realname = result.group(1)
print username
print realname
... View more
12-12-2013
06:41 PM
Hey Splunk Gurus,
I'm writing a custom Splunk 6 web framework application and I'm trying to get the username server-side.
I know this sounds very (very!) simple, but I can't seem to get it. The username keeps coming up blank.
Starting with a completely new app, I enter the following:
@render_to('my_app:home.html')
@login_required
def home(request):
service = request.service
logger.debug(service.username)
return {
"message": service.username,
}
I couldn't get that to work, so I said "screw it -- I'll just use REST". That got me close but no cigar:
josh_rest = service.get('/services/authentication/current-context')
logger.debug(josh_rest.body) #this displays the XML
I did end up getting the XML for the REST endpoint (which does indeed contain the logged in username!) but I can't figure out how to use splunklib.data.load() to parse it effectively.
I even saw this in the documentation (but it doesn't work for me)
Anyhow, if you have any insight into how to get the username, please let me know. Thanks!!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
