Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About OiskyPoisky
OiskyPoisky
Explorer
Member since:
11-26-2020
02-12-2025
Community Statistics
| Posts | 15 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 11-26-2020 |
Activity Feed
- Posted Creating % Log Drop Alert? on Alerting. 02-13-2023 07:32 AM
- Posted Error Messages on CISA Taxii Input on Splunk Enterprise. 05-04-2021 12:47 PM
- Tagged Error Messages on CISA Taxii Input on Splunk Enterprise. 05-04-2021 12:47 PM
- Tagged Error Messages on CISA Taxii Input on Splunk Enterprise. 05-04-2021 12:47 PM
- Tagged Error Messages on CISA Taxii Input on Splunk Enterprise. 05-04-2021 12:47 PM
- Tagged Error Messages on CISA Taxii Input on Splunk Enterprise. 05-04-2021 12:47 PM
- Tagged Error Messages on CISA Taxii Input on Splunk Enterprise. 05-04-2021 12:47 PM
- Posted Re: How to collect data from lookup into index without overwriting on Splunk Search. 04-14-2021 07:31 AM
- Posted Re: How to collect data from lookup into index without overwriting on Splunk Search. 04-09-2021 07:31 AM
- Posted Re: How to collect data from lookup into index without overwriting on Splunk Search. 04-08-2021 06:54 AM
- Posted Re: How to collect data from lookup into index without overwriting on Splunk Search. 04-08-2021 01:49 AM
- Posted How to collect data from lookup into index without overwriting on Splunk Search. 04-07-2021 09:42 AM
- Posted Invalid Threatlist Stanza on Splunk Search. 12-31-2020 02:45 AM
- Posted Re: Inputlookup - Pulling Mutiple columns on Splunk Search. 12-31-2020 02:36 AM
- Posted Inputlookup - Pulling Mutiple columns on Splunk Search. 12-30-2020 04:17 AM
- Posted Re: Splunk Time Conversion on Splunk Enterprise. 12-29-2020 04:47 AM
- Posted Splunk Time Conversion on Splunk Enterprise. 12-29-2020 03:51 AM
- Posted Re: Alert on stale access keys that have not been rotated on Splunk Enterprise. 12-04-2020 06:29 AM
- Karma Re: Alert on stale access keys that have not been rotated for richgalloway. 12-04-2020 06:29 AM
- Posted Re: Alert on stale access keys that have not been rotated on Splunk Enterprise. 11-26-2020 09:07 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-13-2023
07:32 AM
Hey There Folks,
Im looking at a way to measure a decrease in logging levels by host and eventcode. Ive setup the below query which is fine from a static perspective but very much looking to try and identify that scenario where lets say we see a 50% log drop off in a specific eventcode in the past 24 hour period.
index=wineventlog sourcetype=WinEventLog EventCode=4625
| fields EventCode, host
| stats dc(host) as num_unique_hosts
| where num_unique_hosts < 500
Is there an easy way to convert this over?
Thanks Kindly,
Tom
... View more
Labels
- Labels:
-
alert action
-
alert condition
05-04-2021
12:47 PM
Evening All, Have been working on setting up a Taxii feed pulling observables in from CISA/DHS however seem to be encountering the following error message which looks like an SSL error: ssl.SSLError: [SSL] PEM lib (_ssl.c:3954) I've been digging around but cant seem to find much on this exact error code. Cert and Key files are defined correctly as we use those same cert/key files in a separate technology "MineMeld" which is working as expected. Those files are uploaded into the credential manager and documentation followed under the https://docs.splunk.com/Documentation/ES/6.5.0/Admin/Downloadthreatfeed link. 2021-05-04 19:38:06,931+0000 ERROR pid=16982 tid=MainThread file=threatlist.py:download_taxii:473 | [SSL] PEM lib (_ssl.c:3954) Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 436, in download_taxii taxii_message = handler.run(args, handler_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 171, in run return self._poll_taxii_11(parsed_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11 http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout']) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2 response = urllib.request.urlopen(req, timeout=timeout) File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open response = self._open(req, data) File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open '_open', req) File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain result = func(*args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open return self.do_open(self.get_connection, req) File "/opt/splunk/lib/python3.7/urllib/request.py", line 1318, in do_open h = http_class(host, timeout=req.timeout, **http_conn_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 382, in get_connection key_password=self.key_password) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 437, in __init__ cert_file, key_file, password=key_password) ssl.SSLError: [SSL] PEM lib (_ssl.c:3954) Any thoughts on what this could be at all? Cheers, Tom
... View more
Labels
04-14-2021
07:31 AM
@lekanneer Appreciate the link to that finding - an interesting read sir @bowesmana Apologies, the issues we were having were due to the formatting of the findings and the duplicates however your search does absolutely everything I was looking for here! Thanks Kindly 🙂 Great Success!
... View more
04-09-2021
07:31 AM
Just an additional piece of information the ip_intel file is actually a KV store so im wondering if thats causing some issues.
... View more
04-08-2021
06:54 AM
Thats an interesting suggestion! and one that we probably would have gone for however just going to provide some further context and the driver for this query. The ip_intel lookup file was actually overwritten with blank data a while back caused by installation of an app. So whilst we have put extra checks in place to ensure that doesn't happen again, there is always a possibility. So if the same thing happened here, would just mean ingesting a blank lookup file into the index. Agree this is a trickier way of doing it, although hoping there is some Splunk magic that could be used with the query we have been testing. Any thoughts there at all? | inputlookup ip_intel | dedup ip | stats count by ip threat_key description | fields - count | search NOT [ index=backup_ti source=daily_ip_intel | stats count by ip threat_key description | fields - count] | collect index=backup_ti source=daily_ip_intel
... View more
04-08-2021
01:49 AM
Thanks for the response. So the purpose is just to have a place where the observables are backed up in this index ready to be used if needed. Would also like to build dashboarding based on that index which is a little tricky based on the lookup file itself for capturing metrics, ingestion rate of IoC's etc. The ip_intel file is growing on a daily basis, being fed by various Threat Intel Sources. So When I say "new" this would be new observables/new data ingesting into that file. Ive got a little further with this but getting some errors. | inputlookup ip_intel | dedup ip | stats count by ip threat_key description | fields - count | search NOT [ index=backup_ti source=daily_ip_intel | stats count by ip threat_key description | fields - count] | collect index=backup_ti source=daily_ip_intel So trying to compare the lookup file with whats already in the index. Identify data that is not present in the backup_ti index but is actually there in the lookup file, then pulls that data down into the index.
... View more
04-07-2021
09:42 AM
Afternoon All, Have been playing with a search that will eventually become a saved search within Splunk ES. Idea is for the search to run and pull in observables that are populated in the ip_intel lookup file and then populate an index. So far I have this which works fine: | inputlookup ip_intel append=true | dedup ip | collect index=backup_ti source=daily_ip_intel The problem is, the inputlookup automatically displays all rows within the file. Im looking to have this search run once a day only updating the index with new observables rather than duplicating or overwriting the existing data. Is there a way to do this? The timestamp against the indicators within that file are messy so its not possible to exclude them via a relative time sub search for example.
... View more
12-31-2020
02:45 AM
Morning All, I've setup several internal lookup files and made them part of an Intelligence download. I've added in lookup definitions for each file so Splunk can programatically read them as well. However, Im getting an Invalid Threatlist Stanza error - any thoughts on how to investigate these at all? My only thought is the Threatlist stanza only looks for certain column names within the scope of the lookup file? The columns available in these internal lookups contain the following: category type Event.info comment value Country timestamp count Intelligence Downloads _time stanza disabled type url weight exit_status download_status manager_status run_duration 2020-12-31 10:10:04 222 0 threatlist lookup://222.csv 1 0 Invalid threatlist stanza. 0.0
... View more
Labels
- Labels:
-
lookup
12-30-2020
04:17 AM
Morning Community, Looking at a way to pull multiple columns into an alert Im attempting to build. In the below syntax this gives me hits on the a src IP that appears in the lookupfile which is great however I also want to pull in extra columns associated with the hit on that IP. The lookup file contains columns labelled "tag" "info" and "comment" which would further enhance the usefulness of this alert. index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN | search [| inputlookup my.csv | rename value as src | fields src ] I've tried this and returns no results. index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN | search [| inputlookup my.csv | rename value as src | fields src ] | lookup my.csv info as src.info output info as src.info Any thoughts at all? This article was a little similar to what Im trying to do, except I need the extra columns data from the src IP hits from the 1st part of the alert. https://community.splunk.com/t5/Splunk-Search/Pulling-multiple-Columns-from-an-inputlookup/m-p/424742
... View more
Labels
- Labels:
-
lookup
12-29-2020
04:47 AM
Thanks Kindly! Fiddled around a little but got to this eventually: | eval timestamp=strftime(timestamp, "%Y-%m-%d") Thanks for pushing me in the right direction 🙂
... View more
12-29-2020
03:51 AM
Morning Team, Currently looking at trying to convert what i think is 10 digit Unix/Epoc time into a human readable format but struggling to find the right syntax. "timestamp" field values: 1561012289 1561012304 1561012315 1609193962 Any assistance would be appreciated, happy to provide more info if needed!
... View more
Labels
- Labels:
-
using Splunk Enterprise
12-04-2020
06:29 AM
Hey Rich, Sorry for the delay in responding. Confirming that really helped with being more specific before the first pipe. Much Appreciated 🙂
... View more
11-26-2020
09:07 AM
Hey Rich, I can run this query at max for the past 7 days or so before the search times (using the standard time picker in search) out as its quite intensive on the search head. In my particular query here I know its looking at past 30 days but as the search can only target 7 days worth of information before timing out, Im missing the whole picture? Just wondering if there is a way to make it more efficient by using a tstats based search? although feel like that would need a separate datamodel to pick up on the search fields? Thanks! Tom
... View more
11-26-2020
05:19 AM
Afternoon Team, Was hoping to get some assistance with building an alert in Splunk Enterprise Security that can pick up on old aws keys that were created in the past at a certain point - potentially 6 months for example. The below is a preliminary alert that im building but could use some guidance. We are ingesting events from AWS cloudtrail. index="aws-cloud-trail" responseElements.accessKey.accessKeyId=AKIA* | spath eventName | search eventName=CreateAccessKey userIdentity.type!=AssumedRole | rename responseElements.accessKey.createDate as creationdate | eval creationdate=strptime(creationdate, "%H:%M.%S %p, %a %m/%d/%Y") | where creationdate < (now() - (86400 * 30)) | table sourceIPAddress userName src_user userIdentity.type userAgent action status creationdate responseElements.accessKey.status responseElements.accessKey.accessKeyId Has anyone else come across something similar? Be great to hear from you! Happy to lend more context if needed.
... View more
Labels
- Labels:
-
using Splunk Enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-12-2025
06:07 AM
|
