Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dieguiariel
dieguiariel
Path Finder
Member since:
08-04-2020
10-18-2024
Community Statistics
| Posts | 26 |
| Solutions | 1 |
| Karma Given | 10 |
| Karma Received | 0 |
| Member Since | 08-04-2020 |
Activity Feed
- Posted Re: Migrate Indexer Cluster to stand alone indexer on Deployment Architecture. 09-19-2024 06:41 AM
- Karma Re: Migrate Indexer Cluster to stand alone indexer for richgalloway. 09-19-2024 06:38 AM
- Karma Re: Migrate Indexer Cluster to stand alone indexer for PickleRick. 09-19-2024 06:38 AM
- Posted Migrate Indexer Cluster to stand alone indexer on Deployment Architecture. 09-18-2024 01:07 PM
- Tagged Migrate Indexer Cluster to stand alone indexer on Deployment Architecture. 09-18-2024 01:07 PM
- Tagged Migrate Indexer Cluster to stand alone indexer on Deployment Architecture. 09-18-2024 01:07 PM
- Posted Lost one indexer on cluster on Other Admin. 11-13-2023 06:53 AM
- Posted Re: Is there a way to use whitelist or blacklist within linux log files? on Getting Data In. 06-05-2023 05:47 AM
- Karma Re: Is there a way to use whitelist or blacklist within linux log files? for gcusello. 06-05-2023 05:45 AM
- Posted Re: Is there a way to use whitelist or blacklist within linux log files? on Getting Data In. 06-02-2023 06:20 AM
- Tagged Re: Is there a way to use whitelist or blacklist within linux log files? on Getting Data In. 06-02-2023 06:20 AM
- Posted Is there a way to use whitelist or blacklist within linux log files? on Getting Data In. 06-01-2023 01:07 PM
- Posted Re: Showing more data after dc count with the right order on Splunk Search. 03-15-2023 06:02 AM
- Karma Re: Showing more data after dc count with the right order for richgalloway. 03-15-2023 06:01 AM
- Karma Re: Showing more data after dc count with the right order for ITWhisperer. 03-15-2023 06:01 AM
- Posted Why is it showing more data after dc count with the right order? on Splunk Search. 03-15-2023 05:21 AM
- Posted Re: Report Grouping by user sorting by time for each user on Alerting. 03-07-2023 10:13 AM
- Posted Re: Report Grouping by user sorting by time for each user on Alerting. 03-07-2023 08:52 AM
- Posted How to report grouping by user sorting by time for each user? on Alerting. 03-07-2023 07:27 AM
- Posted Re: How to use stats dc and get last time of occurrence? on Splunk Search. 02-01-2023 03:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-19-2024
06:41 AM
Thank you both for your replies, i was afraid of making a mess keeping a "cluster" with just one node. I have SF and Rf=2, im a aware that probably the searches will trigger a warning about a missing node in the cluster but the searches will be performed only for historical reasons. Thank you again! This is a really good community, and Splunk is really an excellent product, im really sad that i had to let this go.
... View more
09-18-2024
01:07 PM
Hi, we are decomisioning our splunk infra, our company was purchased and the new management want to free resources :(. We have 3 search heads (stand alone) + 2 indexers (clustered). They ask me to break the indexer cluster to free storage, cpu and mem, i've found docs about removing nodes but keeping the cluster. We want to keep just one search head (the one with license master) and one indexer. Is there documentation to "break" the cluster and keep just one indexer in stand alone mode? (we need to keep info for "auditing reasons"). I know i can just put one in maintenance mode and power off but this procedure is intended to reboot/replace in some time the "faulty" indexer, not to keep it down for ever and ever. Regards.
... View more
- Tags:
- cluster
- stand alone
Labels
- Labels:
-
indexer clustering
11-13-2023
06:53 AM
Hi, on the weekend we had an electric problem on our secondary datacenter and currently dont have energy. One indexer was on that datacenter, it was on cluster with another indexer. There are any tasks that i must do in the meantime? the estimated recovery time for the datacenter is 3 to 4 days, maybe put the indexers on maintenance mode? i've read this https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Whathappenswhenapeergoesdown but only talks about what happens with bucket fixing Regards.
... View more
06-05-2023
05:47 AM
tried the solution and works perfectly. Also is saving license. The files were created on: $SplunkHOME/etc/system/local/ Thanks!
... View more
06-02-2023
06:20 AM
Hi Giuseppe, thanks one more cuestion, reading the doc it says: You can eliminate unwanted data by routing it to the nullQueue, the Splunk equivalent of the Unix /dev/null device. When you filter out data in this way, the data is not forwarded and doesn't count toward your indexing volume. so, when applied this on the indexer, has impact on the daily license?, lets say that the events filtered out are around 2gb daily, i'll save 2 gb? Regards.
... View more
- Tags:
- nullqueue
06-01-2023
01:07 PM
Hi! from the documentation
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Whitelistorblacklistspecificincomingdata
the whitelist and blacklist option only works with the filenames of logs.
Is there an option for data within the log file?
eg:
from this extract fo /var/log/messages:
May 28 18:00:01 xxxxxxxxxx kernel: type=1110 audit(1685311201.838:180500): pid=19649 uid=0 auid=0 ses=24140 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' May 28 18:00:01 xxxxxxxxxx CROND[19681]: (root) CMD (/usr/lib64/sa/sa1 1 1) May 28 18:00:01 xxxxxxxxxx kernel: type=1104 audit(1685311201.905:180501): pid=19649 uid=0 auid=0 ses=24140 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' May 28 18:00:01 xxxxxxxxxx kernel: type=1106 audit(1685311201.941:180502): pid=19649 uid=0 auid=0 ses=24140 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' May 28 18:00:01 svr-spl-mat-01 systemd: Removed slice User Slice of root. May 28 18:00:02 svr-spl-mat-01 snmpd[1359]: Connection from UDP: [ xxxxxxxxxx]:50765->[ xxxxxxxxxx]:161 May 28 18:00:02 svr-spl-mat-01 snmpd[1359]: Connection from UDP: [ xxxxxxxxxx]:50765->[ xxxxxxxxxx]:161 May 28 18:00:02 svr-spl-mat-01 snmpd[1359]: Connection from UDP: [10.138.211.15]:50765->[ xxxxxxxxxx]:161
i will like to blacklist all the snmpd events.
the file used is just an example, the real file is from an application but with sensitive data that i dont want to get into splunk.
Regards.
... View more
Labels
- Labels:
-
Linux
-
monitor
-
universal forwarder
03-15-2023
06:02 AM
Hi! thank yoy both for the answer, it worked with list!
... View more
03-15-2023
05:21 AM
Hi! im working on an alert for access from different countries for certain users in a short time period. The alert and the search works fine but i will like to show more info when the alert triggers (source ip and time).
Here a sample of the event:
09:09:55,377 INFO [XX.XXX.XXXXXXX.cbapi.dao.login.LoginDAOImpl] (default task-34878) Enviamos parámetros: [authTipoPassword=E, authDato=4249929, authTipoDato=D, nroDocEmpresa=80097256-2, tipoDocEmpresa=D, authCodCanal=999, authIP=45.170.128.191, esDealer=N, dispositivoID=40ee57e1-e5eb-4b14-b7ef-9f0f8ccdf6c
2, dispositivoOS=null ]
Here the search:
index="XXXX" host="XXX.XXX.-*" sourcetype=XXXXXXCBAPI* authDato authIP dao.login.LoginDAOImpl authIP=* authCodCanal=999 | iplocation authIP | eval Country = if(isnull(Country) OR Country="", "Unknown", Country) | stats dc(Country) AS count values(Country) AS country values(authIP) as authIP latest(_time) AS latest BY authDato | where count > 1 | eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | sort - latest
With this i get a result like this:
authdato | count | Country | authIP | latest
2363494 | 2 | Argentina | 170.51.250.39 | 2023-03-15 09:09:09
Paraguay | 170.51.55.186 the thing is.. the ip address aren't aligned with the country for that ip, neither the time is aligned with the last Country or ip address.
Ive tried several things but still can't figure out how to correctly present the results (in the right order i mean)
... View more
03-07-2023
10:13 AM
thanks! this worked perfectly!
... View more
03-07-2023
08:52 AM
Thanks! tried with | sort 0 authdato -_time but still is sorted first by authdato. The goal is to get first, the last login event (lets say is for user X) and then all the other login events for X user. After the next recent login for other user (lets say Y user) all of his logins. After the next recent login for other user (lets say A user) and all of his logins. Kind of the lastlog command from linux but for each user show the other logins too. Example user | time X 12:23:00 X 11:45:34 X 10:34:36 then show the next most recent user login Y 12:08:45 Y 11:40:06 Y 11:05:56 after the next login for A user A 12:01:33 A 11:50:32 A 09:34:00 and so on.
... View more
03-07-2023
07:27 AM
Hi! i have a report for users login in from different countries in the last 24 hours:
index="accesslogs" sourcetype=apilogs authIP=* | iplocation authIP | stats count(authIP) AS ipCount by authDato, authIP, _time, Country, City, | where ipCount>=1 | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") | table authDato, Country, City, authIP, _time | dedup authIP | eventstats dc(Country) as COUNT by authDato | where COUNT > 1
The results has this format:
authdato | Country | City | authIP | _time
246423 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:10:06
246423| Brazil | Sao Paulo | xxx.xxx.xxx.xxx | 2023-03-07 10:10:34
246423 | Argentina | Caseros | xxx.xxx.xxx.xxx | 2023-03-06 10:10:34
1004629 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 10:05:34
1004629 | Argentina | Tucuman | xxx.xxx.xxx.xxx | 2023-03-06 16:34:06
1422262 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:42:32
1422262 | Brazil | Uberlandia | xxx.xxx.xxx.xxx | 2023-03-07 09:46:32
the goal is to detect compromised accounts (user A cant connect on the same day from different countries).
This report is sorted by authDato (its our username).
I need to sort it by _time (newest event first), but i need the report still grouped by authdato:
Like:
1422262 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:42:32
1422262 | Brazil | Uberlandia | xxx.xxx.xxx.xxx | 2023-03-07 09:46:32
246423 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:10:06
246423| Brazil | Sao Paulo | xxx.xxx.xxx.xxx | 2023-03-07 10:10:34
246423 | Argentina | Caseros | xxx.xxx.xxx.xxx | 2023-03-06 10:10:34
1004629 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 10:05:34
1004629 | Argentina | Tucuman | xxx.xxx.xxx.xxx | 2023-03-06 16:34:06
... View more
Labels
- Labels:
-
alert condition
02-01-2023
03:58 AM
hi sorry i didnt explain myself correctly, it shows the lasttime of lastocurrence of the grouped events, but i will like to show the last time of ocurrence of every item on the grouped list like this: include the lastest time of ocurrence for 3546316, the latest time of 6320818 and so on. dispositivoID dispositivoOS authIP count AuthDato latest 062FC4DB-034D-4CA3-B6BD-72C5A471F0AA iOS XXX.XXX.XXX.XXX 3 3546319 6320818 7154705 2023-01-31 18:59:37 2023-01-31 17:45:36 2023-01-31 16:32:24
... View more
01-31-2023
09:50 AM
Thanks! how can i get the value of "latest" on the results? The table shows only dispositivoID dispositivoOS authIP Country City count AuthDato is it possible to get the latest time next to AuthDato?
... View more
01-31-2023
06:20 AM
Hi! im trying to detect multiple user access from the same source (same mobile device). Im feeding splunk with logs from a mobile app like this:
09:50:14,524 INFO [XXXXXXXXXXXX] (default task-XXXXXX) [ authTipoPassword=X, authDato=XXXXX, authTipoDato=X, nroDocEmpresa=X, tipoDocEmpresa=X, authCodCanal=XXX, authIP=XXX.XXX.XXX.XXX, esDealer=X, dispositivoID=XXXXXXXXXX, dispositivoOS=XXXXX ]
im using the following search
search XXXX | stats dc(authDato) as count,values(authDato) as AuthDato by dispositivoID dispositivoOS authIP | where count > 1 | sort - count
and get almost all the info i wanted (like two different users - authDato - from same deviceID (dispositivoID), but i would like to enrich the data with the last time of ocurrence for the event.
Is there a way to include this information?
Thanks in advance.
... View more
04-12-2022
08:51 AM
Just to thank for this, for several weeks i've been trying to pinpoint a trouble with one esa (we have two, the logs from one were indexed correctly but we couldn't find the logs from the other). This thread made me realize that that the ip from the trouble one was XXX.XXX.X20.19 so splunk was indexing the events on 2019. Side effect was the number of small buckets, first we thougth there were separate problems but it was the same reason. With this solution the events are indexed correctly and the alert for the number of small buckets desapeared. From other thread (about small buckets: "The main cause of this issue is most likely going to be because the timestamps on the data you are feeding in are all over the place. Splunk wants to be mostly chronological, so the buckets contain data from a certain window of time." ) Thanks!
... View more
- Tags:
- to
02-11-2021
07:30 AM
Hi! im trying to blacklist events with code 4672 and with SubjectUserSid DOMAIN\SRV-XXX-AAA-99$ ive tried this line: blacklist2 = $XmlRegex="<EventID>4672<\/EventID>.*<Data Name='SubjectUserSid'>DOMAIN\\SRV\-XXX\-AAA\-99\$" but it isnt working. Example: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-11T15:18:48.860247900Z'/><EventRecordID>350156866</EventRecordID><Correlation ActivityID='{af83069e-fb2f-000b-110a-83af2ffbd601}'/><Execution ProcessID='188' ThreadID='41464'/><Channel>Security</Channel><Computer>srv-xxx-aaa--99.DOMAIN.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>DOMAIN\SRV-XXX-AAA-99$</Data><Data Name='SubjectUserName'>SRV-XXX-AAA-99$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x88feea93</Data><Data Name='PrivilegeList'>SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event> i've test this on regex101, has a match but in splunk isn't working. any suggestion will be appreciated.
... View more
11-30-2020
11:56 AM
Thank you!!! it works perfectly!
... View more
11-30-2020
10:37 AM
Hi! im traying to extract a field named hostname from checkpoint logs, but i couldn't with the wizards: sample: time=1606760596|hostname=CHKHOST|product=Mobile Access|action=Log In|ifdir=inbound|loguid={0x5fc53894,0x0,0x250a000a,0x2e9b}|origin=10.0.X.X|originsicname=CN\=FW01,O\=CHKHOST.localdomain|sequencenum=293|time=1606760596|version=5|auth_encryption_methods=AES-256 + SHA1 + Group 2|auth_method=RADIUS|client_build=986100611|client_name=Endpoint Security VPN|client_version=E81.10|cvpn_category=Session|device_identification={85FAD095-E5AB-43BA-AA8C-B205F783226E}|domain_name=localdomain|event_type=Login|failed_login_factor_num=0|host_ip=192.168.X.X|host_type=PC|hostname=NB-0237|lastupdatetime=1606760596|login_option=Standard|login_timestamp=1606760596|mac_address=40:5b:d8:64:5b:29|methods:=3DES + SHA1|office_mode_ip=10.193.0.89|os_bits=64bit|os_build=18363|os_edition=Enterprise|os_name=Windows|os_version=10|proto=6|proxy_src_ip=0.0.0.0|s_port=0|service=443|session_timeout=43200|session_uid={5FC53894-0000-0000-0A00-0A259B2E0000}|src=181.121.X.X|status=Success|suppressed_logs=0|tunnel_protocol=IPSec|user=agimenez|user_dn=agimenez|user_group=VPN_Group| if you see there are two hostname fields, one with the checkpoint hostname and the other with the device connecting to the vpn. I need the second value. In smart mode or verbose mode, splunk only detects the first hostname field. How can i parse the second field? Ive tried field extraction wizard with regular expression only selecting the second hostname and i get this error: The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings. When i try using delimieters, selecting pipe, i get this error: has exceeded the configured depth_limit, consider raising the value in limits.conf. any help would be appreciated.
... View more
Labels
- Labels:
-
field extraction
08-17-2020
05:44 AM
Hi!, it didn't work. Finally i fixed like this: blacklist1 = $XmlRegex="<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe" because i've needed filter this process from both event codes. Don't know why didn't work the first way. Thanks anyway.
... View more
08-12-2020
01:08 PM
Hi, ive successfully blacklisted the windows event 4658 with this line_ blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe" ive tried to do the same for event 4656 blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe" but isn't working. Any ideas? inputs.conf: [WinEventLog://Security] disabled = 0 index = winevents whitelist1 = 1102,4616,4647,4656-4658,4660,4663,4670,4672 whitelist2 = 4673,4674,4698-4702,4704,4705,4715,4719,4720 whitelist3 = 4722,4725,4726,4732,4733,4735,4738-4740,4767 whitelist3 = 4779,5140,5145 blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe" blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe" Raw event example <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-08-12T19:47:25.544399300Z'/><EventRecordID>1397935969</EventRecordID><Correlation/><Execution ProcessID='716' ThreadID='728'/><Channel>Security</Channel><Computer>svr-apl-cit-01.BANCOREGIONAL.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SVR-APL-CIT-01$</Data><Data Name='SubjectDomainName'>BANCOREGIONAL</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Key</Data><Data Name='ObjectName'>\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SamSs</Data><Data Name='HandleId'>0x584</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='AccessList'>%%1537 %%1538 %%1539 %%1540 %%4432 %%4433 %%4434 %%4435 %%4436 %%4437 </Data><Data Name='AccessReason'>-</Data><Data Name='AccessMask'>0xf003f</Data><Data Name='PrivilegeList'>-</Data><Data Name='RestrictedSidCount'>0</Data><Data Name='ProcessId'>0x1ec0</Data><Data Name='ProcessName'>C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event> Thanks in advance.
... View more
Labels
- Labels:
-
regex
08-10-2020
08:32 AM
Yes, i've successfully blacklisted and whitelisted events with eventcoodes just with inputs.conf, but i couldn't "filter" the text inside the event, i need one eventcode but i don't need the text inside the event that begins with "this event is generated..." Only pushing the complete TA from windows i been able to do that. I get the event but not the part with "This event is generated..."
... View more
08-07-2020
10:47 AM
i've manually edit the universal forwarder files on the windows machine but seems that this regex need the Windows addon, without it doesnt make any difference.
... View more
08-07-2020
10:45 AM
Thanks, ive installed the addon, create a serverclass with some windows and deploy the app to the servers and its working. It seems that this has changed also the format of logs to xml. thanks!
... View more
08-05-2020
08:49 AM
So this regex must be on the universal forwarder app folder? I will try this too. Thanks for your reply
... View more
08-05-2020
08:48 AM
Hi, thanks for your response, I have a master server and an indexer server separately. I've installed the deployment server on the master. The Splunk Add-on for Windows must be installed in this case on both? (based on https://docs.splunk.com/Documentation/WindowsAddOn/8.0.0/User/Install ) And later push the addon to the universal forwarders with the deployment server. I will try this.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-18-2024
12:20 PM
|
Karma given to
