About splunkcol

splunkcol · ‎01-20-2024

Hi, forgive my English, I'm using a translator. About the problem it is better that you send a ticket to Splunk directly, it seems to be a bug in the end I gave up because whenever they ask about the version of splunk they always make the excuse that they do not support old versions of Splunk, in this case although it is true that I was using an old version of Splunk clearly the problem was the add-on.

splunkcol · ‎01-04-2024

I currently find myself collecting logs using the windows universal forwarder, my client has requested a copy of the logs that have been collected from the windows sources for the last 2 months. Is there any way to access this information or the only way is to run a query like index=main |fields _raw

splunkcol · ‎12-13-2023

Thank you very much for your valuable help, you are right the field below should be optional but for some reason it is a mandatory field. I will send a ticket

splunkcol · ‎12-13-2023

I have configured the APP for microsoft 365 which was working properly but it stopped working and after checking it was found that one of the keys or certificates had expired. I contacted the administrator asking him for the "Client Secret" and he gave me the information but he also asks for the "Cloud App Security Token" field and I really have no idea what information I should ask the administrator for. I would be grateful if you could explain me if it is possible. Thanks

splunkcol · ‎11-25-2023

@tscroggins Thank you very much for your valuable help

splunkcol · ‎11-25-2023

Hello I have installed the add-on "Alien Vault Check OTX". I would like to know if out of this command where I can query an IP, HASH or domain for indicators of compromise, could someone give me an idea if it is possible to associate it for example to the src_ip or dest_ip field of my firewall logs? https://apps.splunk.com/app/5422/#/details

splunkcol · ‎10-18-2023

Hello, I was given the administration of a Splunk Enterprise Security and I am not familiarized, I have always used manual queries from "Search & reporting" I have the knowledge level of Fundamentals 1 and 2. Splunk ES currently works and I can see noticeable events from paloalto firewalls but recently configured fortinet logs and these are already coming in under an index called fortinet, when doing a normal query with index=fortinet I can see events but I see nothing from Splunk ES. Exactly what do I need to do to get the fortinet events to be taken into account by Splunk ES and start logging notable events?

splunkcol · ‎09-05-2023

The problem turned out to be that since I have the Add-on on a Heavy Forwarder and in this Splunk I only place the Forwarding license, it turns out that the DB Connect already needs something called KVStore or something like that works that is only available with a paid license. After asking for support I was provided with a free license and the problem was solved.

splunkcol · ‎07-20-2023

Hello again, I am back to ask for your help, I feel that DB Connect is a headache, I am very confused about its configuration in the part where the errors appear in red at the top where I understand that a step must be done at the driver level. I just need these errors that appear at the top to disappear to be able to configure the identities, connections and inputs where I have no doubt, my problem is basically in these errors that appear at the top. The documentation is only clear for those who have already done the process but for those who are just starting with these first configurations it is very confusing, they are texts full of hyperlinks to other documents and you end up with 5 or 10 other related documents. To start removing these errors, what should I do next? Note: As far as possible please do not share with me links to documentation, I have read them and I have not helped at all, if there is someone who could explain to me as simple as possible I would appreciate it.

splunkcol · ‎07-07-2023

Hi I need to run this query, I don't know what I'm missing but when I run it the src_ip field doesn't show me anything, I don't know what I'm missing. Can you help me? index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7 | table _time, host, user, New_Process_Name, Process_Command_Line | rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando" Someone tried to help me and suggested this query but I don't know if it is correct but it doesn't show me the value of the src_ip field. index=main source="WinEventLog:*" (EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7) | table _time, host, user, New_Process_Name, Process_Command_Line | rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando" | join type=inner src_ip [ search index=main source="WinEventLog:*" EventCode=4624 | table EventCode, src_ip ]

splunkcol · ‎05-18-2023

I currently have a Heavy Forwarder that forwards logs to Splunk Cloud but the heavy forwarder version is at version 8.0.6 and I have started to have problems with this add-on (DB Connect) as I can connect to the database, splunk detects the table but does not read the tables contents to ingest them. After asking for support I was told that I had an outdated version of DB Connect in version 3.4.0 and I should update it to version 3.12.2. I just updated it and I still have problems with the add-in, I guess now I should focus on updating the version of Splunk that I use as Fowarder to the latest version. I would be grateful if you could let me know if I need to upgrade Splunk from version 8.0.6 splunk 9.x to Splunk 9.x: 1. login via ssh 2. Stop the splunk service from /opt/splunk/bin 3. Back up the splunk folder using the command tar -czvf splunk.tar.gz splunk and delete the uncompressed folder. 4. Download version 8.1.x or 8.2.x first before upgrading to version 9.x (as recommended in the documentation). 5. Proceed with the installation of the 8.1.x or 8.2.x version. 6. I download version 9.x and install it. Please let me know if I have omitted anything or if there are any errors in the list I have described.

splunkcol · ‎05-18-2023

After investigating, the elasticsplunk plug-in has indeed disappeared. After version 8.1 splunk moved from Python 2 to python 3 since then all apps should be on that version of python. What I did was to install a version prior to Splunk 8.1 and copied and pasted the elasticsplunk folder that I got from a github repository and it worked correctly. In this case I have clear that I can not ask for support because I am working with a very old version of splunk and for which there is no support anymore.

splunkcol · ‎04-26-2023

Hello, I have noticed that the Elasticsplunk app no longer exists https://splunkbase.splunk.com/app/3493 I do not know if you know what the reason is or if it was updated by another APP I would appreciate if you could inform me. At this moment I need to use that APP or the one that allows me to use the query with the "ess" command. If possible it would help me a lot which are the configuration files that I have to modify both on splunk and Elasticsearch side.

splunkcol · ‎04-26-2023

@jinnypt Hello, I have noticed that the Elasticsplunk app no longer exists https://splunkbase.splunk.com/app/3493 I do not know if you know what the reason is or if it was updated by another APP I would appreciate if you could inform me. At this moment I need to use that APP or the one that allows me to use the query with the "ess" command. If possible it would help me a lot which are the configuration files that I have to modify both on splunk and Elasticsearch side.

splunkcol · ‎04-19-2023

Hi, I have installed the virustotal add-on for Splunk. When I enter the dashboards that are already pre-built I find that the data is related to .csv files. When I enter one of the panels to see how the query is constructed I see that it is indeed a list of IP address values and a reputation level given by virustotal. | inputlookup vt_ip_cache | search vt_detections > 0 | where "1" = "1" OR _first_seen_in_events >= relative_time(now(), "1") | stats count I am currently on a license of X amount of GB which I am using to ingest logs from many windows machines and some Azure services so I am getting the firewall logs in Elasticsearch and I use the command | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP" Each query independently brings me results, but what I need is to correlate the virustotal source logs on the IP addresses where the field is called vt_id and show only the ones that match the logs from the paloalto under the SourceIP field I am not very skilled with this type of queries and for this reason I ask for your help, I managed to build this query, which does not bring me results either because there are no matches or because it is incorrect, what do you think? | inputlookup vt_ip_cache | search vt_detections > 0 |table vt_id vt_collections_names |append [| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP" |table SourceIP] |where vt_id==SourceIP |table SourceIP vt_id vt_collections_names Would you help me to adjust or improve it? thanks

splunkcol · ‎04-18-2023

thank you very much

splunkcol · ‎04-18-2023

Hi, I currently have an outdated version of DBConnect and need to go through the upgrade process. I have several questions. 1. To perform the upgrade process I must necessarily make a backup of the entire splunk installation? 2- If I enter https://splunkbase.splunk.com/app/2686 it allows me to download a tgz file, with this file I can enter through the graphical interface of splunk and load it? 3. If there is an old version already installed, will this affect the existing inputs, connections and identities? 4. How would you perform or recommend me to perform this upgrade process? thanks

splunkcol · ‎04-05-2023

Hi, thanks for your help, I no longer get connection error. Now I have another problem, when I enter the SQL query and press the "Execute SQL" button it should show a preview of the records but it is not showing anything. The strange thing is that if it detects the fields "catalog", "schema" and "Table" with this I understand that there are no connection or authentication problems but I do not understand why it fails to display the table data. Any suggestions on what I should check? Translated with www.DeepL.com/Translator (free version)

splunkcol · ‎04-03-2023

I have a Splunk cloud implementation where the client side there is a Heavy Forwarder type server that collects that forwards logs to Splunk Cloud. In that Heavy Forwarder there is also the DBConnect plugin to get the data from a database. My question is if for some reason the hostname of the database changes and I put the hostname of the new database and the respective port as it is a new database for Splunk it would download it completely? the configuration was made in "Rising" mode so that it only discards the new logs, but as for the add-on it would be a new database, then it would download the complete database? If it is a database with logs more than 5 years old, is there any method to bring them into splunk since it will obviously exceed the daily license?

splunkcol · ‎03-27-2023

Hello, thank you very much for replying Do you know what "Search peer SSL config check" and "MongoDB TLS and DNS validation check" refers to?

splunkcol · ‎03-27-2023

Hello everyone, I am again asking for your valuable help. I received this notification by mail, which I do not understand at all. I refer to the link you share for documentation and I am still lost. I don't know if I don't know anything or if Splunk assumes that everyone knows the tool from top to bottom. Hello Splunk Admin, The Upgrade Readiness App detected 2 apps with deprecated jQuery on the https://xxxxxx.splunkcloud.com:443 instance. The Upgrade Readiness App detects apps with outdated Python or jQuery to help Splunk admins and app developers prepare for new releases of Splunk in which lower versions of Python and jQuery are removed. For more details about your outdated apps, see the Upgrade Readiness App on your Splunk instance listed above. To address the issues detected by the Upgrade Readiness App, work with app developers to update their apps to use only Python 3 or higher and jQuery 3.5 or higher. For more information about addressing issues with outdated apps, removing lower versions of Python or jQuery, and how to manage these emails, see https://docs.splunk.com/Documentation/URA.

splunkcol · ‎03-16-2023

Hi, I am currently receiving an alert where the license consumption is exceeding 80%. I need to know which index is consuming more license in the last 30 days or last 7 days. This query shows the total license consumption but I need to know which index or sourcetype is generating the most license consumption. `sim_licensing_summary_base` | `sim_licensing_summary_no_split("")` | append [| search (index=summary source="splunk-entitlements") | bin _time span=1d | stats max(ingest_license) as license by _time] | stats values(*) as * by _time | rename license as "license limit" | fields - volume

splunkcol · ‎03-02-2023

Hello I am currently managing a hybrid between Splunk and ELK (Elastisearch Logstash Kibana). Logs supporting syslog protocol are sent to ELK and logs from other sources directly to windows via agent. A plugin called Elasticsplunk has been installed and is stored in the path /splunk/splunk/etc/apps/elasticsplunk/. Currently I am getting the following error message and I would like you to please help me if you know in which configuration file I increase the timeout External search command 'ess' returned error code 1. Script output = "error_message=ConnectionTimeout at "/var2/splunk/splunk/etc/apps/elasticsplunk/bin/elasticsearch/connection/http_urllib3.py", line 155 : ConnectionTimeout caused by - ReadTimeoutError(HTTPConnectionPool(host=u'localhost', port=9200): Read timed out. (read timeout=60)) ".”

splunkcol · ‎03-01-2023

Hello to all I would like to know the default time set for hot, warm, cold and frozen buckets. I also want to know what the retention policy is. When I go to "Settings" -> "Monitoring Console" -> "Indexing" -> "Indexes and Volumes" -> "Index Detail: Instance" I find the following retention policy When I enter the path $SPLUNK_HOME/etc/system/local/default/web.conf I can see some information about the buckets thanks if someone can solve my question

splunkcol · ‎02-20-2023

Hi, I hope that asking this question will not cause controversy. I currently manage a hybrid between Splunk and ELK, some of the sources come directly to Splunk where we pay for the licensing but as there are sources that send very large volumes of information (As we know Splunk is very good but very expensive), we send them to ELK and what we do is that from Splunk we use this type of queries to display data from ELK | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="src_ip:198.7.62.204" fields="*" now, making clear that these logs are not arriving directly to Splunk, and what Splunk is doing is an external query to ELK I would like to know if it is possible to correlate two sources, in this case I need to correlate the palalto logs type THREAT with the type TRAFFIC This is what I have tried but it does not work | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="Type:TRAFFIC AND Threat_ContentType:end AND Action:allow AND NOT SourceLocation:172.16.0.0-172.31.255.255 AND NOT SourceLocation:192.168.0.0-192.168.255.255 AND NOT SourceLocation:Colombia" fields="GeneratedTime,Threat_ContentType,Action,SourceIP,DestinationIP,DestinationPort,NATDestinationIP,SourceLocation,DestinationLocation,SourceZone,DestinationZone" |table GeneratedTime Threat_ContentType Action SourceIP DestinationIP DestinationPort NATDestinationIP SourceLocation DestinationLocation SourceZone DestinationZone * | append [ ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="type:THREAT" fields="threat" |table threat ] |table threat Action *

Posts	196
Solutions	13
Karma Given	92
Karma Received	14
Member Since	‎07-15-2020

Online Status	Offline
Date Last Visited	‎07-09-2024 06:42 PM

Copy windows logs in raw mode

Expired key microsoft 365 app

Alien Vault Check OTX

Splunk ES fortinet new source

How do I Download and Setup DB Connect?

How to show 2 eventcode fields?

Upgrading Splunk 8.0.x to 9.0.x

Does the Elasticsplunk app no longer exist?

VT4Splunk APP correlation with paloalto

Upgrade DBConnect version

Re: Expired key microsoft 365 app

Copy windows logs in raw mode

Re: Expired key microsoft 365 app

Expired key microsoft 365 app

Re: Alien Vault Check OTX

Alien Vault Check OTX

Splunk ES fortinet new source

Re: How do I Download and Setup DB Connect?

How do I Download and Setup DB Connect?

How to show 2 eventcode fields?

Upgrading Splunk 8.0.x to 9.0.x

Re: Does the Elasticsplunk app no longer exist?

Does the Elasticsplunk app no longer exist?

Re: elasticsplunk convert to python3

VT4Splunk APP correlation with paloalto

Re: Upgrade DBConnect version

Upgrade DBConnect version

Re: If DBConnect host changes, will it download th...

If DBConnect host changes, will it download the co...

Re: jQuery Upgrade Readiness Scan Notification

What is this jQuery Upgrade Readiness Scan Notific...

How to check index that consumes more license?

Will increasing Elasticsplunk application timeout ...

What is the Default bucketing time and retention p...

Hybrid Splunk and ELK correlation?