About irom77

irom77 · ‎09-18-2023

I updated JSON and can see documentation updated as well summary.data.*.result string that key "result" is available per action test {"identifier": "list_zones", "result_data": [{"data": [{"result":... But still in VPE I can see only 'status' and 'message' I haven't found anything special in existing apps

irom77 · ‎09-18-2023

I set I set "action_result.data" in the app's json file (short one like below), but it didn't help and was gone when I tried to edit it again. { "data_path": "action_result.data", "data_type": "string" }, Is it something I have to update manually all the time after making any changes?

irom77 · ‎09-16-2023

I've created app action 'my_action_name' which results I can collect in playbook just fine. phantom.collect2(container=container, datapath=["my_action_name:action_result.data"], action results=results) but I don't see action_result.data datapath neither in app documentation nor I can pick it up in VPE . I have only 'status' and 'message' available

irom77 · ‎10-05-2022

I am working on custom command with couple of external modules which I installed in my 'lib' directory pip3 install -r requirements.txt --target=lib After installing my custom command into Splunk (install from file) I keep getting ModuleNotFoundError even all modules live in app 'lib' directory i.e. ModuleNotFoundError: No module named 'importlib_metadata' What I am doing wrong ? Had no issue before but I was only using 'requests' module so far, now trying a lot more, here is my requirements.txt requests>=2.0.0resilient resilient-lib

irom77 · ‎09-24-2022

I have created custom command *| cloudcidrlookup cloud=azure* but how to change it to be just *| cloudcidrlookup azure* ? @Configuration() class CloudCidrLookup(GeneratingCommand): cloud = Option(require=False) ... def generate(self): if self.cloud=='azure': ... dispatch(CloudCidrLookup, sys.argv, sys.stdin, sys.stdout, __name__)

irom77 · ‎09-21-2022

I am trying helloworld app from BlogProjects/splunk-custom-search-command-python/hello_world at master · CptOfEvilMinions/BlogProjects · GitHub. Compressed and Installed it from file (hello_world.spl). Then restarted Splunk... But when trying "index="zeek" sourcetype="bro:conn:json" | helloworld" getting Unknown search command 'helloworld'. # ls -l /opt/splunk/etc/apps/hello_world/ total 4 drwxr-xr-x 2 splunk splunk 28 Sep 21 06:44 bin drwxr-xr-x 2 splunk splunk 43 Sep 21 06:44 default drwxr-xr-x 7 splunk splunk 140 Sep 21 06:44 lib drwxr-xr-x 2 splunk splunk 6 Sep 21 06:44 local drwx------ 2 splunk splunk 24 Sep 21 06:44 metadata -rw-r--r-- 1 splunk splunk 46 Sep 21 06:44 README.md # ls -l /opt/splunk/etc/apps/hello_world/bin total 4 -rwxr-xr-x 1 splunk splunk 491 Sep 21 06:44 hello_world.py # cat /opt/splunk/etc/apps/hello_world/default/commands.conf [helloworld] python.version = python3 chunked = true

irom77 · ‎09-15-2022

Restarting UF did the thing...

irom77 · ‎09-14-2022

Looks like I have correct rights (and running 8.2.6): [ec2-user@f1 ~]$ getfacl /var/log/ getfacl: Removing leading '/' from absolute path names # file: var/log/ # owner: root # group: root user::rwx user:splunk:r-- group::r-x mask::r-x other::r-x [ec2-user@f1 ~]$ getfacl /var/log/random.log getfacl: Removing leading '/' from absolute path names # file: var/log/random.log # owner: root # group: root user::rw- user:splunk:r-- group::r-- mask::r-- other::r--

irom77 · ‎09-14-2022

/var/log/ has default permissions.. So how I can monitor it without changing permissions on the dir ?

irom77 · ‎09-14-2022

I have cluster of indexers i1, i2 and i3 and not seeing any data coming from universal forwarder f1 to custom index network. I can see index=_internal host="f1" on search head sh but nothing in network index. I am filling up file random.log on f1 [ec2-user@f1 log]$ sudo /opt/splunkforwarder/bin/splunk btool inputs list monitor:///var/log/*.log [monitor:///var/log/*.log] _rcvbuf = 1572864 disabled = 0 host = $decideOnStartup index = network [ec2-user@f1 log]$ cat /var/log/random.log Success 655 Error 78 Forwarder seems connected to Indexers [ec2-user@f1 log]$ sudo tail -f /opt/splunkforwarder/var/log/splunk/splunkd.log 09-14-2022 12:59:15.389 +0000 INFO AutoLoadBalancedConnectionStrategy [2938 TcpOutEloop] - Connected to idx=10.0.7.4:9997, pset=0, reuse=0. using ACK. 09-14-2022 12:59:45.300 +0000 INFO AutoLoadBalancedConnectionStrategy [2938 TcpOutEloop] - Connected to idx=10.0.7.2:9997, pset=0, reuse=0. using ACK. ^C [ec2-user@f1 log]$ sudo /opt/splunkforwarder/bin/splunk list forward-server Active forwards: 10.0.7.2:9997 10.0.7.4:9997 Configured but inactive forwards: 10.0.7.3:9997 This is how it looks on one of indexers [ec2-user@i1 ~]$ sudo /opt/splunk/bin/splunk list index | grep network network /opt/splunk/etc/network/db /opt/splunk/etc/network/colddb /opt/splunk/etc/network/thaweddb [ec2-user@i1 ~]$ sudo ls -l /opt/splunk/etc/network/db total 4 -rw------- 1 splunk splunk 10 Sep 14 11:45 CreationTime drwx--x--- 2 splunk splunk 6 Sep 14 11:45 GlobalMetaData

Posts	10
Solutions	1
Karma Given	7
Karma Received	1
Member Since	‎09-13-2022

Online Status	Offline
Date Last Visited	‎09-18-2023 10:45 AM

Application action datapath 'action_result.data' m...

Splunk custom command ModuleNotFoundError ?!

Custom command with argument as string not stanza-...

Unknown search command 'helloworld' from helloworl...

Why are cluster of indexers not getting data into ...

Re: Application action datapath 'action_result.dat...