Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gazoscreek
gazoscreek
Explorer
Member since:
09-08-2020
07-31-2023
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 09-08-2020 |
Activity Feed
- Posted Splunk Ingest Actions - Using Eval Expression Syntax on Getting Data In. 03-10-2023 08:59 AM
- Posted Re: Auditing changes in _configracker index via json path data.changes{}.properties{} ? on Splunk Search. 03-06-2023 02:32 PM
- Karma Re: Auditing changes in _configracker index via json path data.changes{}.properties{} for yuanliu. 03-06-2023 02:28 PM
- Karma Re: Auditing changes in _configracker index via json path data.changes{}.properties{} for ITWhisperer. 03-06-2023 02:28 PM
- Posted Auditing changes in _configracker index via json path data.changes{}.properties{} ? on Splunk Search. 03-03-2023 08:31 AM
- Tagged Auditing changes in _configracker index via json path data.changes{}.properties{} ? on Splunk Search. 03-03-2023 08:31 AM
- Posted Any ideas on Auditing Content Library? on Splunk Search. 02-14-2023 08:58 AM
- Tagged Any ideas on Auditing Content Library? on Splunk Search. 02-14-2023 08:58 AM
- Tagged Any ideas on Auditing Content Library? on Splunk Search. 02-14-2023 08:58 AM
- Posted Re: SA-ldapsearch stopped working after upgrade to Splunk 9 on All Apps and Add-ons. 10-20-2022 03:20 PM
- Tagged Why did SA-ldapsearch stop working after upgrade to Splunk 9? on All Apps and Add-ons. 10-20-2022 10:21 AM
- Posted Why did SA-ldapsearch stop working after upgrade to Splunk 9? on All Apps and Add-ons. 10-20-2022 08:12 AM
- Got Karma for How to return the daily event count of every index?. 04-07-2022 09:32 AM
- Posted Re: How to return the daily event count of every index? on Dashboards & Visualizations. 04-07-2022 09:31 AM
- Posted How to return the daily event count of every index? on Dashboards & Visualizations. 04-07-2022 08:51 AM
- Got Karma for Enterprise Security - Mitre Metrics. 01-19-2022 11:38 PM
- Posted Enterprise Security - Mitre Metrics on Splunk Enterprise Security. 12-09-2021 08:46 AM
- Posted Re: Splunk Add-on for Microsoft cloud services on Getting Data In. 06-24-2021 02:45 PM
- Posted Splunk AddOn Microsoft Cloudservices Memory Leak? on All Apps and Add-ons. 05-25-2021 12:37 PM
- Posted Splunk AddOn for Microsoft Cloudservices Python 3 Compatibility on Splunk Enterprise. 09-08-2020 03:05 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 |
03-10-2023
08:59 AM
In configuring Rules for Splunk Ingest Actions I have a sourcetype configured for numerous "Filter with Regular expression" stanzas that is properly dropping events ... However, I'd like to have the same sourcetype drop messages where host=foo-* ... I might be able to use the eval expression to do that, but I'm not sure how to construct it in a format acceptable to the UI, and functionally appropriate. eval true = if(match(host,"^foo-"),true,null()) I'm sure that's wrong, but there really are no examples that I've been able to find other than "true()"
... View more
Labels
- Labels:
-
heavy forwarder
03-06-2023
02:32 PM
Thank you @yuanliu & @ITWhisperer ... this was quite helpful ... the isnotnull doesn't seem to work where the values appear to be empty, but this did: index=_configtracker component=ConfigChange earliest=-6h host=mysearchheads* data.path="/opt/splunk/etc/apps/*" | spath path=data.changes{}.properties{} | mvexpand data.changes{}.properties{} | spath input=data.changes{}.properties{} | table data.changes{}.stanza, name, old_value, new_value | regex old_value="[A-Za-z0-9]" | regex new_value="[A-Za-z0-9]" Thank you very much.
... View more
03-03-2023
08:31 AM
The configtracker index contains a json path of: data.changes{}.properties{} In that path, there are numerous objects ... data changes properties
+ ( contains name, old_value, new_value )
+ ( contains name, old_value, new_value ) + ( contains name, old_value, new_value ) I've tried numerous ways of parsing data.changes{}.properties{} ... but am still finding myself unable to display the name, old_value, and new_value of each object beneath data->changes->properties ... Ultimately, I'd like to be able to render a table of "name" where an old_value exists so that we can alert on changed correlation searches in ES. ie: where "name" = search (and both old_value and new_value are not empty) { [-] name: search new_value: `sysmon` foo old_value: `sysmon` bar } or: where "name" = cron_schedule (and both old_value and new_value are not empty) { [-] name: cron_schedule new_value: 6-56/10 * * * * old_value: */10 * * * * } or: where a search schedule was enabled { [-] name: enableSched new_value: 1 old_value: 0 }
... View more
- Tags:
- json
Labels
- Labels:
-
fields
02-14-2023
08:58 AM
I need to provide audit details on our ES Content Library. Using rest, I can identify searches that have been updated and when they were updated, but the rest call only reports on the owner of the search, not the person who made the change.
| rest splunk_server=local /servicesNS/-/-/saved/searches | fields title search eai:acl.owner eai:acl.app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id | convert timeformat="%Y-%m-%dT%H:%M:%S+00:00" mktime(updated) | where updated >= relative_time(now(), "-4h")
Looking at conf.log I can see when a search was written:
index="_internal" source="/opt/splunk/var/log/splunk/conf.log" earliest=-30h WRITE_STANZA | stats values(data.optype_desc) values(data.payload.children.action.correlationsearch.label.value) values(data.payload.children.search.value)
Neither of these searches tell me who was the individual writing the search.
Any other ideas as to how I can accomplish this? Thank you.
... View more
Labels
- Labels:
-
other
10-20-2022
03:20 PM
We were able to resolve this by deploying an ssl.conf in the app with the following flag disabled: sslVerifyServerCert = false
... View more
10-20-2022
08:12 AM
We recently upgraded to Splunk 9.0.0 on our platform and the Splunk Add-On for Active Directory stopped working. We connect to our Active Directory instance using SSL ... and we're getting errors like this one now
2022-10-20 08:05:03,580, Level=ERROR, Pid=5668, File=search_command.py, Line=390, Abnormal exit: (LDAPSocketOpenError('socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)'),)
What needs to be changed in order to make this work with Splunk 9? ... (We still have an instance running 8.2.6 and the AddOn still works perfectly fine there with the exact same configuration)
( we're using the most recent version {3.0.5} of SA-ldapsearch )
Thank you
... View more
- Tags:
- sa-ldapsearch
Labels
- Labels:
-
troubleshooting
04-07-2022
09:31 AM
Perfect solution. Thank you so much!
... View more
04-07-2022
08:51 AM
1 Karma
Does anyone have a solution for a query that will return the daily event count of every index, index by index, even the ones that have ingested zero events?
| tstats count WHERE index=* OR index=_* by index ... only returns indexes that have > 0 events.
... View more
Labels
- Labels:
-
other
12-09-2021
08:46 AM
1 Karma
When I configure a correlation search with an Annotation of MiTRE ATT&CK and create a notable, I don't see any evidence of the Annotation in the notable. Anyone have any ideas how I can search my platform to report on triggered notables by Mitre Attack?
... View more
Labels
06-24-2021
02:45 PM
Hello ... Did you ever get this resolved? I'm running into the same issue. It seems to have something to do with the event_hub_namespace parameter in the config file, but I've not been successful at figuring out what the problem is. Thank you.
... View more
05-25-2021
12:37 PM
We're seeing severe memory issues with the Splunk AddOn for Microsoft Cloudservices where a single python process can consume well over 200Gb of memory, ultimately being reaped by the OOM Killer. These are Azure Firewall collections. Rather critical to our logging infrastructure and we have no information as to why this is happening. It doesn't happen to all collections, but does happen to many ... You can see below, one child process consuming > 60Gb ... and Splunkd having grown to 275Gb of virtual memory. splunk 17311 125 67318812 62146568 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/mscs_storage_blob.py splunk 15910 227 274447324 82630100 splunkd -p 8089 restart Splunk version 8.0.4.1 Splunk_TA_microsoft-cloudservices version 4.1.2
... View more
Labels
- Labels:
-
administration
-
troubleshooting
09-08-2020
03:05 PM
Anyone know when this AddOn will be made to work on 8.0.4 and above? Just had to back out of a Splunk upgrade because the add-on was spewing out pretty much nothing but python errors.
... View more
Labels
- Labels:
-
configuration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-31-2023
04:16 PM
|
