Activity Feed
- Posted Re: Expired key microsoft 365 app on Getting Data In. 01-20-2024 08:11 PM
- Karma Re: Copy windows logs in raw mode for dtburrows3. 01-04-2024 12:57 PM
- Posted Copy windows logs in raw mode on Splunk Search. 01-04-2024 10:09 AM
- Posted Re: Expired key microsoft 365 app on Getting Data In. 12-13-2023 10:16 AM
- Karma Re: Expired key microsoft 365 app for isoutamo. 12-13-2023 10:16 AM
- Posted Expired key microsoft 365 app on Getting Data In. 12-13-2023 08:32 AM
- Got Karma for Re: Alien Vault Check OTX. 11-25-2023 08:17 PM
- Posted Re: Alien Vault Check OTX on Splunk Search. 11-25-2023 08:15 PM
- Karma Re: Alien Vault Check OTX for tscroggins. 11-25-2023 08:11 PM
- Posted Alien Vault Check OTX on Splunk Search. 11-25-2023 04:03 PM
- Posted Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Tagged Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Posted Re: How do I Download and Setup DB Connect? on Getting Data In. 09-05-2023 01:46 PM
- Got Karma for Re: The maximum number of concurrent historical searches on this instance has been reached.. 08-02-2023 07:04 AM
- Posted How do I Download and Setup DB Connect? on Getting Data In. 07-20-2023 12:45 PM
- Posted How to show 2 eventcode fields? on Splunk Search. 07-07-2023 04:10 PM
- Karma Re: Upgrading Splunk 8.0.x to 9.0.x for gcusello. 05-19-2023 06:11 AM
- Posted Upgrading Splunk 8.0.x to 9.0.x on Splunk Search. 05-18-2023 08:33 PM
01-20-2024 08:11 PM
Hi, forgive my English, I'm using a translator. About the problem, it is better that you send a ticket to Splunk directly; it seems to be a bug. In the end I gave up, because whenever they ask about the version of Splunk they always make the excuse that they do not support old versions of Splunk. In this case, although it is true that I was using an old version of Splunk, clearly the problem was the add-on.
01-04-2024 10:09 AM
I currently find myself collecting logs using the Windows universal forwarder; my client has requested a copy of the logs that have been collected from the Windows sources for the last 2 months. Is there any way to access this information, or is the only way to run a query like index=main | fields _raw?
Labels: stats
12-13-2023 10:16 AM
Thank you very much for your valuable help. You are right, the field below should be optional, but for some reason it is a mandatory field. I will send a ticket.
12-13-2023 08:32 AM
I have configured the app for Microsoft 365, which was working properly, but it stopped working, and after checking it was found that one of the keys or certificates had expired. I contacted the administrator asking him for the "Client Secret" and he gave me the information, but he also asks for the "Cloud App Security Token" field, and I really have no idea what information I should ask the administrator for. I would be grateful if you could explain to me if it is possible. Thanks.
11-25-2023 04:03 PM
Hello, I have installed the add-on "Alien Vault Check OTX". I would like to know, out of this command where I can query an IP, hash or domain for indicators of compromise, if someone could give me an idea whether it is possible to associate it, for example, with the src_ip or dest_ip field of my firewall logs? https://apps.splunk.com/app/5422/#/details
10-18-2023 07:45 AM
Hello, I was given the administration of a Splunk Enterprise Security and I am not familiar with it; I have always used manual queries from "Search & Reporting", and I have the knowledge level of Fundamentals 1 and 2. Splunk ES currently works and I can see notable events from Palo Alto firewalls, but I recently configured Fortinet logs and these are already coming in under an index called fortinet. When doing a normal query with index=fortinet I can see events, but I see nothing from Splunk ES. Exactly what do I need to do to get the Fortinet events to be taken into account by Splunk ES and start logging notable events?
09-05-2023 01:46 PM
The problem turned out to be that, since I have the add-on on a Heavy Forwarder and on this Splunk I only place the forwarding license, DB Connect already needs something called KVStore or something like that, which is only available with a paid license. After asking for support I was provided with a free license and the problem was solved.
07-20-2023 12:45 PM
Hello again, I am back to ask for your help. I feel that DB Connect is a headache; I am very confused about its configuration in the part where the errors appear in red at the top, where I understand that a step must be done at the driver level.
I just need these errors that appear at the top to disappear to be able to configure the identities, connections and inputs, where I have no doubt; my problem is basically in these errors that appear at the top.
The documentation is only clear for those who have already done the process, but for those who are just starting with these first configurations it is very confusing: they are texts full of hyperlinks to other documents and you end up with 5 or 10 other related documents.
To start removing these errors, what should I do next?
Note: As far as possible, please do not share with me links to documentation. I have read them and they have not helped at all; if there is someone who could explain it to me as simply as possible, I would appreciate it.
Labels: heavy forwarder
07-07-2023 04:10 PM
Hi, I need to run this query. I don't know what I'm missing, but when I run it the src_ip field doesn't show me anything.
Can you help me?
index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7
| table _time, host, user, New_Process_Name, Process_Command_Line
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
Someone tried to help me and suggested this query. I don't know if it is correct, but it doesn't show me the value of the src_ip field.
index=main source="WinEventLog:*" (EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7)
| table _time, host, user, New_Process_Name, Process_Command_Line
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
| join type=inner src_ip [ search index=main source="WinEventLog:*" EventCode=4624 | table EventCode, src_ip ]
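A corrected form of the suggested correlation, added here as an example and not the poster's or any responder's query: the join key `Logon_ID` has to survive on both sides (the `table` placed before `join` dropped it from the 4688 events, and the subsearch never returned it), and only after the join are columns renamed. It assumes the Splunk Add-on for Microsoft Windows field names (`Logon_ID`, `Logon_Type`, `Source_Network_Address`, `src_ip`), that 4624 events carry both the Subject and New Logon IDs in `Logon_ID` (hence `mvexpand`), and that remote WMI activity arrives as network logons (`Logon_Type=3`), whose source address is the one worth reporting.

```spl
index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" NOT Logon_ID=0x3E7
| join type=left Logon_ID
    [ search index=main source="WinEventLog:*" EventCode=4624 Logon_Type=3
      | eval src_ip=coalesce(src_ip, Source_Network_Address)
      | mvexpand Logon_ID
      | where Logon_ID!="0x3E7" AND isnotnull(src_ip) AND src_ip!="-"
      | dedup Logon_ID
      | table Logon_ID src_ip ]
| table _time host user Logon_ID New_Process_Name Process_Command_Line src_ip
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando", src_ip AS "IP origen"
```

`type=left` keeps 4688 rows that found no logon, so an empty "IP origen" column shows which processes lack a matching 4624 rather than silently disappearing. The subsearch is bound by the default join limits (50,000 rows and 60 seconds), so over long time ranges a `stats ... by Logon_ID` correlation on a single search is the safer choice.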
05-18-2023 08:33 PM
I currently have a Heavy Forwarder that forwards logs to Splunk Cloud, but the Heavy Forwarder is at version 8.0.6 and I have started to have problems with this add-on (DB Connect): I can connect to the database and Splunk detects the table, but it does not read the table's contents to ingest them. After asking for support I was told that I had an outdated version of DB Connect, version 3.4.0, and that I should update it to version 3.12.2. I just updated it and I still have problems with the add-on, so I guess now I should focus on updating the version of Splunk that I use as Forwarder to the latest version. I would be grateful if you could let me know if I need to upgrade Splunk from version 8.0.6 to Splunk 9.x:
1. Log in via SSH.
2. Stop the Splunk service from /opt/splunk/bin.
3. Back up the splunk folder using the command tar -czvf splunk.tar.gz splunk and delete the uncompressed folder.
4. Download version 8.1.x or 8.2.x first before upgrading to version 9.x (as recommended in the documentation).
5. Proceed with the installation of the 8.1.x or 8.2.x version.
6. Download version 9.x and install it.
Please let me know if I have omitted anything or if there are any errors in the list I have described.
05-18-2023 08:22 PM
After investigating, the elasticsplunk plug-in has indeed disappeared. After version 8.1, Splunk moved from Python 2 to Python 3, and since then all apps should be on that version of Python. What I did was to install a version prior to Splunk 8.1 and copy and paste the elasticsplunk folder that I got from a GitHub repository, and it worked correctly. In this case I am clear that I cannot ask for support, because I am working with a very old version of Splunk for which there is no support anymore.
04-26-2023 09:22 PM
Hello,
I have noticed that the Elasticsplunk app no longer exists (https://splunkbase.splunk.com/app/3493). I do not know if you know what the reason is, or if it was replaced by another app; I would appreciate it if you could inform me.
At this moment I need to use that app, or the one that allows me to use the query with the "ess" command.
If possible, it would help me a lot to know which configuration files I have to modify, both on the Splunk and the Elasticsearch side.
04-26-2023 09:18 PM
@jinnypt Hello, I have noticed that the Elasticsplunk app no longer exists (https://splunkbase.splunk.com/app/3493). I do not know if you know what the reason is, or if it was replaced by another app; I would appreciate it if you could inform me. At this moment I need to use that app, or the one that allows me to use the query with the "ess" command. If possible, it would help me a lot to know which configuration files I have to modify, both on the Splunk and the Elasticsearch side.
04-19-2023 11:24 AM
Hi, I have installed the VirusTotal add-on for Splunk. When I enter the dashboards that are already pre-built, I find that the data is related to .csv files. When I enter one of the panels to see how the query is constructed, I see that it is indeed a list of IP address values and a reputation level given by VirusTotal.
| inputlookup vt_ip_cache | search vt_detections > 0 | where "1" = "1" OR _first_seen_in_events >= relative_time(now(), "1") | stats count
I am currently on a license of X amount of GB, which I am using to ingest logs from many Windows machines and some Azure services, so I am getting the firewall logs in Elasticsearch and I use the command
| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP"
Each query independently brings me results, but what I need is to correlate the VirusTotal source logs on the IP addresses, where the field is called vt_id, and show only the ones that match the logs from the Palo Alto under the SourceIP field. I am not very skilled with this type of query and for this reason I ask for your help. I managed to build this query, which does not bring me results either, because there are no matches or because it is incorrect. What do you think?
| inputlookup vt_ip_cache | search vt_detections > 0 | table vt_id vt_collections_names
| append
[| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP" | table SourceIP]
| where vt_id==SourceIP
| table SourceIP vt_id vt_collections_names
Would you help me to adjust or improve it? Thanks.
Labels: count, field extraction, subsearch
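An alternative to `append` followed by `where`, added here as an example and not the poster's or any responder's query: `append` only stacks the two result sets, so `vt_id` and `SourceIP` never occur on the same row and the `where` can match nothing. Enriching each firewall source IP from the VirusTotal cache with `lookup` puts both fields on one row. It assumes `vt_ip_cache` is usable as a lookup name (the `inputlookup` in the post suggests a lookup definition exists with the fields `vt_id`, `vt_detections` and `vt_collections_names`) and that `ess` returns `SourceIP` as shown in the post.

```spl
| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP"
| stats count AS firewall_hits BY SourceIP
| rename SourceIP AS vt_id
| lookup vt_ip_cache vt_id OUTPUT vt_detections vt_collections_names
| where isnotnull(vt_detections) AND vt_detections > 0
| rename vt_id AS SourceIP
| table SourceIP firewall_hits vt_detections vt_collections_names
| sort - vt_detections
```

Aggregating with `stats` before the lookup means each address is looked up once, so the lookup runs over unique IPs rather than over every firewall event returned by `ess`.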
04-18-2023 08:53 AM
Hi, I currently have an outdated version of DB Connect and need to go through the upgrade process. I have several questions:
1. To perform the upgrade process, must I necessarily make a backup of the entire Splunk installation?
2. If I go to https://splunkbase.splunk.com/app/2686 it allows me to download a tgz file; can I load this file through the graphical interface of Splunk?
3. If there is an old version already installed, will this affect the existing inputs, connections and identities?
4. How would you perform, or recommend me to perform, this upgrade process?
Thanks.
Labels: heavy forwarder, Linux
04-05-2023 09:39 AM
Hi, thanks for your help, I no longer get the connection error. Now I have another problem: when I enter the SQL query and press the "Execute SQL" button it should show a preview of the records, but it is not showing anything. The strange thing is that it does detect the fields "catalog", "schema" and "Table", so I understand that there are no connection or authentication problems, but I do not understand why it fails to display the table data. Any suggestions on what I should check? Translated with www.DeepL.com/Translator (free version).
04-03-2023 02:02 PM
I have a Splunk Cloud implementation where, on the client side, there is a Heavy Forwarder type server that collects and forwards logs to Splunk Cloud.
In that Heavy Forwarder there is also the DB Connect plugin to get the data from a database.
My question is: if for some reason the hostname of the database changes and I put in the hostname of the new database and the respective port, as it is a new database for Splunk, would it download it completely? The configuration was made in "Rising" mode so that it only discards the new logs, but as for the add-on it would be a new database, so would it download the complete database?
If it is a database with logs more than 5 years old, is there any method to bring them into Splunk, since it will obviously exceed the daily license?
Labels: configuration, using Splunk Cloud
03-27-2023 01:04 PM
Hello, thank you very much for replying. Do you know what "Search peer SSL config check" and "MongoDB TLS and DNS validation check" refer to?
03-27-2023 09:20 AM
Hello everyone,
I am again asking for your valuable help.
I received this notification by mail, which I do not understand at all.
I referred to the link you share for documentation and I am still lost.
I don't know if I don't know anything, or if Splunk assumes that everyone knows the tool from top to bottom.
Hello Splunk Admin,
The Upgrade Readiness App detected 2 apps with deprecated jQuery on the https://xxxxxx.splunkcloud.com:443 instance. The Upgrade Readiness App detects apps with outdated Python or jQuery to help Splunk admins and app developers prepare for new releases of Splunk in which lower versions of Python and jQuery are removed. For more details about your outdated apps, see the Upgrade Readiness App on your Splunk instance listed above.
To address the issues detected by the Upgrade Readiness App, work with app developers to update their apps to use only Python 3 or higher and jQuery 3.5 or higher.
For more information about addressing issues with outdated apps, removing lower versions of Python or jQuery, and how to manage these emails, see
https://docs.splunk.com/Documentation/URA.
Labels: administration, configuration
03-16-2023 11:41 AM
Hi, I am currently receiving an alert where the license consumption is exceeding 80%.
I need to know which index is consuming the most license in the last 30 days or last 7 days.
This query shows the total license consumption, but I need to know which index or sourcetype is generating the most license consumption.
`sim_licensing_summary_base`
| `sim_licensing_summary_no_split("")`
| append
[| search (index=summary source="splunk-entitlements")
| bin _time span=1d
| stats max(ingest_license) as license by _time]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volume
Labels: using Splunk Cloud
03-02-2023 12:40 PM
Hello, I am currently managing a hybrid between Splunk and ELK (Elasticsearch, Logstash, Kibana).
Logs supporting the syslog protocol are sent to ELK, and logs from other sources directly to Windows via agent.
A plugin called Elasticsplunk has been installed and is stored in the path /splunk/splunk/etc/apps/elasticsplunk/.
Currently I am getting the following error message, and I would like you to please help me if you know in which configuration file I can increase the timeout:
External search command 'ess' returned error code 1. Script output = "error_message=ConnectionTimeout at "/var2/splunk/splunk/etc/apps/elasticsplunk/bin/elasticsearch/connection/http_urllib3.py", line 155 : ConnectionTimeout caused by - ReadTimeoutError(HTTPConnectionPool(host=u'localhost', port=9200): Read timed out. (read timeout=60)) "
03-01-2023 01:24 PM
Hello to all,
I would like to know the default time set for hot, warm, cold and frozen buckets. I also want to know what the retention policy is.
When I go to "Settings" -> "Monitoring Console" -> "Indexing" -> "Indexes and Volumes" -> "Index Detail: Instance"
I find the following retention policy
When I enter the path $SPLUNK_HOME/etc/system/local/default/web.conf I can see some information about the buckets.
Thanks if someone can solve my question.
02-20-2023 07:25 PM
Hi, I hope that asking this question will not cause controversy.
I currently manage a hybrid between Splunk and ELK. Some of the sources come directly to Splunk, where we pay for the licensing, but as there are sources that send very large volumes of information (as we know, Splunk is very good but very expensive), we send them to ELK, and what we do is that from Splunk we use this type of query to display data from ELK:
| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="src_ip:198.7.62.204" fields="*"
Now, making clear that these logs are not arriving directly to Splunk, and that what Splunk is doing is an external query to ELK, I would like to know if it is possible to correlate two sources. In this case I need to correlate the Palo Alto logs of type THREAT with the type TRAFFIC.
This is what I have tried, but it does not work:
| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="Type:TRAFFIC AND Threat_ContentType:end AND Action:allow AND NOT SourceLocation:172.16.0.0-172.31.255.255 AND NOT SourceLocation:192.168.0.0-192.168.255.255 AND NOT SourceLocation:Colombia" fields="GeneratedTime,Threat_ContentType,Action,SourceIP,DestinationIP,DestinationPort,NATDestinationIP,SourceLocation,DestinationLocation,SourceZone,DestinationZone"
|table GeneratedTime Threat_ContentType Action SourceIP DestinationIP DestinationPort NATDestinationIP SourceLocation DestinationLocation SourceZone DestinationZone *
| append [ ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="type:THREAT" fields="threat" |table threat ]
|table threat Action *
Labels: join