Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About norbertt911
norbertt911
Path Finder
Member since:
07-16-2020
03-06-2024
Community Statistics
| Posts | 40 |
| Solutions | 1 |
| Karma Given | 9 |
| Karma Received | 7 |
| Member Since | 07-16-2020 |
Activity Feed
- Got Karma for How to disable TLS1.0 and TLS1.1 for webhook port?. 2 weeks ago
- Posted Re: Running splunk on Rocky Linux distro on Installation. 03-06-2024 07:21 AM
- Posted Re: Moment.js not available in splunk 9.1.x+ on Splunk Enterprise. 02-23-2024 08:52 AM
- Posted Re: Microsoft Teams Add-on for Splunk: handling of 404 error on All Apps and Add-ons. 01-12-2024 03:09 AM
- Posted Re: Moment.js not available in splunk 9.1.x+ on Splunk Enterprise. 12-14-2023 06:20 AM
- Posted Re: Why is moment.js not available in splunk 9.1.x+? on Splunk Enterprise. 11-06-2023 09:46 AM
- Posted Re: Why is moment.js not available in splunk 9.1.x+? on Splunk Enterprise. 11-06-2023 08:22 AM
- Posted Re: Sparklines Going Off the Page on Dashboards & Visualizations. 09-21-2023 07:42 AM
- Posted Re: Help with json field with backslash separated values? on Getting Data In. 05-11-2023 12:49 AM
- Karma Re: json field with backslash separated values for enzomialich. 05-11-2023 12:49 AM
- Posted Re: json field with backslash separated values on Getting Data In. 05-11-2023 12:41 AM
- Posted How to split json field with backslash separated values? on Getting Data In. 05-10-2023 05:00 AM
- Posted Re: Why is server Certificate Hostname Validation is disabled? on Splunk Enterprise. 04-17-2023 12:55 AM
- Karma Re: Alert for high amount of events for ITWhisperer. 03-21-2023 03:20 AM
- Posted Re: Alert for high amount of events on Splunk Search. 03-21-2023 01:44 AM
- Karma Re: Alert for high amount of events for somesoni2. 03-21-2023 01:36 AM
- Posted Re: Alert for high amount of events on Splunk Search. 03-20-2023 02:22 PM
- Posted Re: Alert for high amount of events on Splunk Search. 03-20-2023 08:45 AM
- Posted How to set an alert for high amount of events? on Splunk Search. 03-20-2023 06:21 AM
- Posted Re: Python upgrade readiness app: Why Integrity check failing after update? on Installation. 03-14-2023 03:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 |
03-06-2024
07:21 AM
Hello, Do you have experience with Splunk - Rocky Linux since that? We should migrate our Centos7 soon and one of the candidates is Rocky 9. But the system requirements page https://docs.splunk.com/Documentation/Splunk/9.2.0/Installation/Systemrequirements does not list its kernel version (5.14) anymore. (same for RHEL) I believe it will work, but since I need to migrate a physical production server, I want to reduce the risk as much as I can...
... View more
02-23-2024
08:52 AM
Hello, 1.0.40 working fine for me. - clear your browser cache or use a different browser/incognito mode Note: the configuration changed. You need to set a new API key even for the Overview dashboards....
... View more
01-12-2024
03:09 AM
Hi, I still have no 100% working workaround. I tried to create an Alert on my search head> when the subscription failed, triggering a curl script to disable - re-enable the inputs. I learned two important things there: Order you should disable the webhook, then the subscription input then the call record input. Enable the webhook, and enable the subscription. This will update the subscription, but sometimes doesn't work correctly - in this case, you should clear the KV store first - and the webhook is Exit! So you should disable the webhook again, enable it then enable the call record input. This method above, if you do manually solving the issue all the time. But the second thing: Scripted disable/enable works 50-50%. Seems the call record is not correctly reset by the script. so currently, I have an alert to myself: "Go monkey and reset it manually" 🙂
... View more
12-14-2023
06:20 AM
Hi All, I opened a ticket at Cisco support and they promised that the app will be updated soon. KR
... View more
11-06-2023
09:46 AM
... I tested it if you copy back the moment.js from /opt/splunk/quarantined_files/share/splunk/search_mrsparkle/exposed/js/contrib/ to /opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/ The Cisco app works. But this is a hack and Splunk will complain about the file integrity. I think Cisco needs to update its app.
... View more
11-06-2023
08:22 AM
Hello, First of all, I'm far far away from Java scripting. But maybe those who know this could help: Seems to me Splunk removed the moment.js after the update. For me, it's still can be found in /opt/splunk/quarantined_files/share/splunk/search_mrsparkle/exposed/js/contrib/ folder. The new(?) version is supposed to be here: /opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/moment/lang/ , but it seems now "localised" Or I'm totally wrong 🙂 Please share your thoughts, I faced the same issue with Cisco Cloud Security App Regards, Norbert
... View more
09-21-2023
07:42 AM
Try: Your search | chart sparkline(count,1min) count by field (more than 1min will generate a shorter sparkline) BR. Norbert
... View more
05-11-2023
12:49 AM
... and finally I found it. I can't explain why, but if I replace the \n with any random character, the do the split it's works. ...| rename "extensionAttribute.value" AS value | search value="*" AND NOT value="No Base*" | eval value=replace(value,"\\n",";") | makemv delim=";" value | mvexpand value | table value
... View more
05-11-2023
12:41 AM
Thanks, first of all I just realised that the separator is not just a backslash, but "\n" - new line. anyway my results are same like with split. makemv do the job too with any delimiter except the \n (\\n,\\\\n or any variation).
... View more
05-10-2023
05:00 AM
Hi,
I have a json field where multiple values listed separated by backslash in raw (space in list view) like this:
"value": "audit_retention_configure\nos_airdrop_disable......\nsystem_settings_wifi_menu_enable\n"
In list view the extraction looks ok, but the whole list shown as a single value. I would like to split it.
I did this:
Mysearch
| rename "extensionAttribute.value" AS value
| search value="*" AND NOT value="No Base*"
| eval values=split(value,"X")
| mvexpand values
| table values
If i set X="\" (unbalanced quotes), or "\\", or " " (space), there is no change in the result, if I set forexample "_", it will split the field by _ like a charm...
Please advise what should I do for
audit_retention_configure nos_airdrop_disable . . . nsystem_settings_wifi_menu_enable
result.
... View more
Labels
- Labels:
-
field extraction
-
JSON
04-17-2023
12:55 AM
Hi, As far as I understand the root problem of this issue that Splunk cannot determinate that your SSL certificate issuer is trustable or not. I play ed a lot with this - I using CA trusted wildcard certificate. And end up this configuration in server.conf: sslVerifyServerCert = true cliVerifyServerName = true serverCert = $SPLUNK_HOME/etc/auth/mycert/cert-with-key.pem (-> servercert+middle-chain cert+root cert+ private key) sslRootCAPath = /etc/ssl/certs/ca-bundle.crt sslRootCAPath is the path of your OS trusted CA bundle. You may need to add Your issuer to this list manually. (the root cert only). Depending by OS, but same process: https://ubuntu.com/server/docs/security-trust-store Now I have no such warning, and seems everything working fine. (May could work if you pointing the your root cert only with sslRootCAPath, but that not tested ) KR.
... View more
03-21-2023
01:44 AM
I tuning a bit, but BIG thanks for the concept! index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series | untable _time series count | sort _time 0 series | streamstats current=t time_window=5m count(eval(count>X)) as rollingHighCount by series | where rollingHighCount=5
... View more
03-20-2023
02:22 PM
I mean with the "strange", that your search returns totally different results than my search 🙂 My goal is: to monitor the number of events per series per minute - the flow itself. On top of that if there is a peak, like 3-4x more events per minute than usual for a longer period (5-10 minutes), raise an alert. This suddenly increased traffic on network devices/firewalls could be a good indicator of an attack or some issue.
... View more
03-20-2023
08:45 AM
Hi, This returns with a strange result. (If I do not remove the | timechart... line from the original search, there is no result.) But, then the result somehow not including my firewalls, where the event per minute is over 100000... Running this every 5 minutes will show the "top list" of the series in that five minutes, but I really looking for the peaks. Running my original search every 3 hours will show the peaks pretty well: But I want to have an email alert in case the events per minute go over a limit. For example, if the "normal" is 100000/min, but then it goes up 250000/min and then back to 100000/min that's OK I do not want to have an alert. But if it stays on the 250000/min level (that is set as X) for more than 5 minutes continuously, I would like to have the alert. ( and I check the behavior later)
... View more
03-20-2023
06:21 AM
Hello Splunkers,
I would like to have to set an alert if a sudden high amount of events are received.
I have this base search:
index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series
So I have the number of events by a source per minute. I like to trigger an alert if there are more than X events in 5 consecutive minutes from one source.
Thanks for your hints in advance
... View more
03-14-2023
03:21 AM
Yes, seems that solves this issue. One note: should remove the .orig manifest file before restarting, or it will be applied. Thanks!
... View more
03-08-2023
01:02 PM
index="windows_events" Eventtype=4697 OR Eventtype=4698 |stats count by Hostname
... View more
02-13-2023
03:19 AM
Hello,
The Splunk add-on builder won't load, it has the header, but the rest is blank. (9.0.3 enterprise + 4.1.1 app)
- Reinstall not helps
-Nothing in splunkd.log, add-on builder logs
- I found this event in web_service.log, but I don't know what should I do with it:
File "/opt/splunk/etc/apps/splunk_app_addon-builder/bin/splunk_app_add_on_builder/solnlib/utils.py", line 169, in extract_http_scheme_host_port raise ValueError(http_url + " is not in http(s)://hostname:port format") ValueError: splunk."mydomain"."ext" is not in http(s)://hostname:port format
note: I changed the real hostname.
Everything else is ok, all other apps are works fine. I reach the server on https://splunk."mydomain"."ext":8000 . splunk."mydomain"."ext" format set in server. conf as serverName and in web. conf for mgmtHostPort (with :"port")
Any ideas?
Thanks in advance,
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
12-13-2022
10:29 AM
1 Karma
Hello,
I'm using the MS Teams add-on to collect call records. (https://splunkbase.splunk.com/app/4994)
The webhook port that opened for the collect offers TLS 1.0 and TLS 1.1. How can I disable it?
The server.conf and web.conf already contain the
sslVersions=tls1.2
stanza, and all other ports are not offered the deprecated protocols...
... View more
- Tags:
- tls
Labels
- Labels:
-
SSL
12-06-2022
02:05 AM
1 Karma
Figured out! Thanks for the tip! index=logons action=failure | stats dc(action) as failures by username | where failures > 20 | map maxsearches=50 search=" search index=users user=\"$username$\" | appendpipe [ stats count | eval user=\"$username$\" | where count=0 | fields - count ] | spath memberOf{}.displayName output=groupName | eval username=\"$username$\", failures=\"$failures$\" | lookup support.csv group as groupName output support" | eval support = if(isnull(support) OR support="", "central@example.com", support) | table username, failures, support
... View more
12-06-2022
12:58 AM
Maybe I was misunderstood. The groupName part is fine (there are many values). There is a problem if Username does not exist. If the index=users search returns with no result... In this case, how I can tell Splunk: "Okay, forget the map part, take the base search result and add central@example.com as value to support field"
... View more
12-05-2022
07:12 AM
Hi Splunkers,
I use many alerts where the result contains the username. Then a map search looks for this user, in the user list index, checks the group memberships, and will send the alert to the corresponding IT department. (there are many countries and there is a lookup that tells the support email by the user's country group). If the user is not a member of any country-group support email eval to the central one.
That is working fine... until the user is in the user's index. If the user cannot be found there, the whole search is not working.
Example:
index=logons action=failure | stats dc(action) as failures by username | where failures > 20 | map maxsearches=50 search=" search index=users user=\"$username$\" | spath memberOf{}.displayName output=groupName | eval username=\"$usernam$\", failures=\"$failures$\" | lookup support.csv group as groupName output support" | eval support = if(isnull(support) OR support="", "central@example.com", support) | table username, failures, support
So if a user failed to log in more than 20 times the alert triggers and sends an email to support - assigned by the group membership, if there is no membership, it will send to central IT.
If the user cannot be found in index=users for some reason, the alert will not trigger at all. I would like it if the alert triggers and send to central@example.com (since a not existing user, has no group ...) with the username from the base search included.
... View more
11-12-2022
06:13 AM
Hi, Your process is correct, but the topic is not about this. You just describe how to use a custom/third-party SSL certificate for the web GUI, but cliVerifyServerName is different from that.
... View more
09-30-2022
02:34 AM
Hello, I have JSON source where one of the fields has an escape character in the field name. Well actually I cannot see that in highlighted mode or in the extracted field list, it appears as "Report Refresh Date", just in raw view: "\ufeffReport Refresh Date". Naturally, the searches are not working with what appears as the "Report Refresh Date". If I select the field it appears as " 'red dot' Report Refresh Date", the search work, but can not be saved - it's "forget" the red dot, as any copy/ paste attempt does out of the search bar. How can I rid of this? By adding FIELDALIAS-alias1 = "\ufeffReport Refresh Date" AS "Report_Refresh_Date" to props.conf would help?
... View more
Labels
- Labels:
-
JSON
-
props.conf
09-07-2022
02:15 AM
Hello, I have the same issue and the remediation you shared is correct. But... in my case the app runs like 2 days flawlessly, then the webhook fails > subscription fails > no callrecords anymore. Maybe somebody found a way to make this app stable. I played with the intervals, but no help. I will try to disable and enable the webhook and subscription input by a crone job from CLI, but that is so "homemade"... The app is installed on an HWF and it runs when it runs... I have no idea why go fail randomly... The bad part is that when it stops collecting the CR, it will be lost. No way to fetch the "historical" logs... Appreciate your advice...
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-06-2024
11:13 AM
|
Karma from
Karma given to
