Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Pmeiring
Pmeiring
Explorer
Member since:
09-29-2020
02-25-2021
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 3 |
| Member Since | 09-29-2020 |
Activity Feed
- Posted Re: Splunk Webhook t to Google hangout not working on All Apps and Add-ons. 02-24-2021 09:53 PM
- Tagged Re: Splunk Webhook t to Google hangout not working on All Apps and Add-ons. 02-24-2021 09:53 PM
- Posted Splunk Webhook t to Google hangout not working on All Apps and Add-ons. 11-27-2020 03:14 AM
- Tagged Splunk Webhook t to Google hangout not working on All Apps and Add-ons. 11-27-2020 03:14 AM
- Tagged Splunk Webhook t to Google hangout not working on All Apps and Add-ons. 11-27-2020 03:14 AM
- Posted Splunk Alert Create alert based on count over past time frame on Splunk Search. 10-29-2020 07:19 AM
- Tagged Splunk Alert Create alert based on count over past time frame on Splunk Search. 10-29-2020 07:19 AM
- Posted Re: Splunk more than one mvcount or if statement in mvcount on Splunk Search. 10-28-2020 04:13 AM
- Got Karma for Splunk more than one mvcount or if statement in mvcount. 10-28-2020 04:00 AM
- Posted Splunk more than one mvcount or if statement in mvcount on Splunk Search. 10-28-2020 03:40 AM
- Got Karma for Re: Extract second instance of IP address. 10-20-2020 01:14 AM
- Posted Re: Extract second instance of IP address on Splunk Search. 10-19-2020 11:46 PM
- Got Karma for Extract second instance of IP address. 10-19-2020 08:42 AM
- Posted Extract second instance of IP address on Splunk Search. 10-19-2020 07:57 AM
- Posted Re: Splunk Count 2 fields in single query on Splunk Enterprise. 10-09-2020 07:06 AM
- Posted Re: Splunk Count 2 fields in single query on Splunk Enterprise. 10-09-2020 06:17 AM
- Posted Splunk Count 2 fields in single query on Splunk Enterprise. 10-09-2020 04:55 AM
- Karma Re: Creating Event / Alert trigger based upon regex count for isoutamo. 10-09-2020 04:18 AM
- Posted Re: Creating Event / Alert trigger based upon regex count on Splunk Enterprise. 09-29-2020 11:05 PM
- Tagged Creating Event / Alert trigger based upon regex count on Splunk Enterprise. 09-29-2020 04:14 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 |
02-24-2021
09:53 PM
Hi All, After some investigations I've found the solution seemed to be associated with python version running on the Splunk server. By using a previous version of python I was able to get the webhook working. <splunk dir>/etc/apps/TA-hangsout-chat-webhook/default/alert_actions.conf [hangsout_chat_alert] python.version = python2 Regards
... View more
- Tags:
- python
11-27-2020
03:14 AM
Hi Community We are currently running into Alert issue with the Hangouts Webhook on Splunk. Unsure how to start troubleshooting the webhook configuration. Any guidance will be greatly appreciated LOG's INFO sendmodalert - Invoking modular alert action=hangsout_chat_alert for search="************" sid="rt_scheduler__****** +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - Traceback (most recent call last): +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/TA-hangsout-chat-webhook/bin/hangsout_chat_alert.py", line 48, in <module> +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - exitcode = AlertActionWorkerhangsout_chat_alert("TA-hangsout-chat-webhook", "hangsout_chat_alert").run(sys.argv) +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/TA-hangsout-chat-webhook/bin/hangsout_chat_alert.py", line 15, in __init__ +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - super(AlertActionWorkerhangsout_chat_alert, self).__init__(ta_name, alert_name) +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/TA-hangsout-chat-webhook/bin/ta_hangsout_chat_webhook/alert_actions_base.py", line 29, in __init__ +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - sys.stdin.read(), self._logger, alert_name) +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/Splunk_SA_CIM/lib/cim_actions.py", line 157, in __init__ +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - if isinstance(self.sid, basestring) and 'scheduler' in self.sid: +0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - NameError: name 'basestring' is not defined +0200 INFO sendmodalert - action=hangsout_chat_alert - Alert action script completed in duration=266 ms with exit code=1 +0200 WARN sendmodalert - action=hangsout_chat_alert - Alert action script returned error code=1
... View more
Labels
- Labels:
-
administration
-
installation
10-29-2020
07:19 AM
Hi Splunk Community I need some assistance with a Splunk alert, the search result provides exactly what I require but the alert can be improved. The search query: source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now | iplocation Calling_Station_ID | where NOT Country="South Africa" | stats count by Country, User_Name | eventstats sum(count) as Country_Count by Country | eventstats sum(count) as Username_Count by User_Name | where NOT (Username_Count >= 10 AND Country_Count >= 10) The search returns users and country, only if the username count is less 10 and the country count is less than 10 in past 30 days, which is exactly what I want. The problem comes in wit h the alert, if I schedule the alert (lets say 10min) the query gets run, it creates alerts for each return value. I only want new events to be returned and not values which =was alerted on 10min ago. Is there any way one can achieve this ? Thank you so much
... View more
- Tags:
- alerts
10-28-2020
04:13 AM
Thanks @ITWhisperer works perfectly
... View more
10-28-2020
03:40 AM
1 Karma
Hi Community, I'm trying to optimize an existing query to only return values only if a condition is met. The existing query: source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded" | stats values(Calling_Station_ID) as Public_IP by UserName | where mvcount(Public_IP) > 1 The output looks something like this: Username Public IP test6849@domain.com 127.229.3.176 127.89.234.34 Example678 127.122.158.253 127.122.181.170 example5645@domain.com 127.96.171.82 127.13.146.208 Example123 127.114.242.14 127.114.243.135 127.114.252.31 test123@domain.com 127.157.205.179 127.157.211.18 Example586 127.94.41.110 127.114.213.249 What I'm trying to achieve is only to have this return IF the Public IP address subnets differ. As an example values I want returned: test6849@domain.com xx.229.3.176 xy.89.234.34 AND not these values - Notice the first 2 subnets are the same (underlined) Username Public IP Example678 xyz.122.158.253 xyz.122.181.170 Example123 127.114.242.14 127.114.243.135 127.114.252.31 I managed to identify the first 2 subnets with regex - but I'm unable to get my query to return values. source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded" | stats values(Calling_Station_ID) as Public_IP by UserName | stats values(Public_IP_octet) as Subnet_count by UserName | where (mvcount(Public_IP) > 1 AND mvcount(Subnet_count) < 2) Any help would be appreciated
... View more
10-19-2020
11:46 PM
1 Karma
Worked like a charm, irrespective of the log format Thanks @inventsekar
... View more
10-19-2020
07:57 AM
1 Karma
Hi All, I'm currently in trying to extract the second IP address in each log as an field, but I'm simply not able to achive the desired results. The log differ quite variably and I'm unable to get a reliable pattern to "use" only the second match on IP address REGEX query to grab match IP address (?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+) Log Example 2020-10-19 14:13:54 12.23.34.45 POST /owa/service.svc action=FindItem&UA=0&ID=-18&AD=1&CorrelationID=e275e3c1-7ccb-4ac9-95a3-58550573648f_160312683455318;&ClientId=***************; 443 testing@domain.com 34.56.78.89 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_3_1+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.0.5+Mobile/15E148+Safari/604.1 https://mail.domain.com/owa/ 200 0 0 124 Any assistance will be greatly appreciated
... View more
Labels
- Labels:
-
field extraction
-
regex
10-09-2020
06:17 AM
Hi Richgalloway, I've tried the "stats count(Country)" but not data is displayed under statistics.
... View more
10-09-2020
04:55 AM
Hi All, I need assistance with counting two fields in a single query. I'm trying modify an existing alert, to exclude white noise. I'm trying to achieve the following, if a country count is more than 10, or an Username field is more than 5, they should be excluded. The query compiles but no data is presented, I suspect the stats count usage is inaccurate. Example of Query - what I'm trying to achieve source="**********.log" "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now | iplocation src_ip | stats count as Country_Count by Country , count as Username_Count by User_Name | where (Username_Count < 5 OR Country_Count < 10) Output of Data - Country Country Country_count United States 8 Eswatini 9 Russia 1 Mozambique 1 Netherlands 1 Zambia 6 Output of Data - Username User_Name Username_Count abc@domain.com 1 abc2@domain.com 1 abc3@domain.com 1 abc4@domain.com 4 abc5@domain.com 1 abc6@domain.com 2
... View more
Labels
- Labels:
-
Analytics Workspace
-
metrics
09-29-2020
11:05 PM
Hi Richgalloway, Thanks for the quick response and being willing to assist. Just to provide a bit more background, The goal is to create an alert/event if a public IP address is repeated more than 30 times. Step 1 - Working Create a new field using extract regex and name the field - Public_IP_Test The goal is to identify and capture the IP address after the string "from " (?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh Step 2 - Working The new field created in step 1 is available. So my query works as follows host="192.168.68.1" Public_IP_Test="*" failure my gateway: host="192.168.68.1" the new field: Public_IP_Test="*" Must include text called failure: failure At this point everything seems to be in order, when the search query is ran, I see all the logs with my gateway, containing failures and the Public_IP_Test field is capturing the IP's. If I click on the SELECTED FIELD - Public_IP_Test I am presented with a TOP 10 hosts with their IP's, as well as their count. Step 3 - Having Problems The last thing I want to add is, I want my query to display the logs only if a Public IP address has been repeated more than 30 times. In other words I will need to count the newly created field Public_IP_Test host="192.168.68.1" Public_IP_Test="*" failure | stats count as MyTestCount by Public_IP_Test | where MyTestCount > 30 This displays each Public IP and their hit count, but I am unable to save it as a query as I receive this message: You cannot base an event type on a search that includes a pipe operator or a subsearch. Additional example of the logs 9/30/20 7:02:50.000 AM system,error,critical user: login failure for user 666666 from 77.234.44.184 via ssh Public_IP_Test = 77.234.44.184host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20 7:02:50.000 AM system,error,critical login failure for user 666666 from 77.234.44.184 via ssh Public_IP_Test = 77.234.44.184host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20 6:13:40.000 AM system,error,critical user: login failure for user dircreate from 49.145.0.58 via ssh Public_IP_Test = 49.145.0.58host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20 6:13:40.000 AM system,error,critical login failure for user dircreate from 49.145.0.58 via ssh Public_IP_Test = 49.145.0.58host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20 5:39:45.000 AM system,error,critical user: login failure for user 888888 from 157.47.108.9 via ssh Public_IP_Test = 157.47.108.9host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20 5:39:45.000 AM system,error,critical login failure for user 888888 from 157.47.108.9 via ssh Public_IP_Test = 157.47.108.9host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20 5:25:54.000 AM system,error,critical user: login failure for user admin from 47.27.232.96 via ssh Public_IP_Test = 47.27.232.96host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none 9/30/20
... View more
09-29-2020
04:10 PM
Hi All, I'm trying to create a alert/event when a regex field count is above 30. I however cannot save as event "that includes pipe operator". The output show exactly the values I want, but I'm not able to create a alert/event. Is there any alternatives or better ways to create events/alerts for these ? Regex - Public_IP_Test (?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh Search Query host="192.168.68.1" Public_IP_Test="*" failure | stats count as MyTestCount by Public_IP_Test | where MyTestCount > 30 Output 141.98.10.209 32 141.98.10.210 32 141.98.10.211 32 141.98.10.212 32 141.98.10.213 32 Example of the logs: system,error,critical user: login failure for user pi from 141.98.10.210 via ssh Public_IP_Test = 141.98.10.210 host = 192.168.68.1index = mainlinecount = 1source = udp:514sourcetype = syslogtimestamp = none Any help would be greatly appreciated P
... View more
- Tags:
- field count
- regex
Labels
- Labels:
-
using Splunk Enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-25-2021
11:30 AM
|
