Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About MHibbin
MHibbin
Influencer
Member since:
11-03-2011
01-31-2025
Community Statistics
| Posts | 562 |
| Solutions | 87 |
| Karma Given | 241 |
| Karma Received | 362 |
| Member Since | 11-03-2011 |
Activity Feed
- Got Karma for Re: How to Manipulate Multiple Lookup Results. 08-28-2024 10:37 AM
- Got Karma for Re: How to Manipulate Multiple Lookup Results. 08-28-2024 10:36 AM
- Got Karma for Re: Table Column Headings. 10-25-2023 12:03 PM
- Got Karma for Re: REST API: Why am I hitting a limit of 100 exported results?. 05-11-2023 01:01 PM
- Got Karma for Re: Changing table column header names. 06-15-2022 08:25 AM
- Got Karma for Re: Scripted input stream mode. 11-23-2021 02:34 PM
- Got Karma for Re: How to export logs to Excel or text file. 07-14-2021 08:58 AM
- Got Karma for Re: Getting rid of "other" in pie chart. 08-07-2020 09:34 AM
- Got Karma for How do you migrate historic data from on-prem Splunk Enterprise to Splunk Cloud?. 06-05-2020 12:50 AM
- Karma Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"? for ekost. 06-05-2020 12:47 AM
- Got Karma for Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?. 06-05-2020 12:47 AM
- Karma Updated Splunk Visio Stencil or Deployment Icons for Drainy. 06-05-2020 12:46 AM
- Karma Re: Updated Splunk Visio Stencil or Deployment Icons for ChrisG. 06-05-2020 12:46 AM
- Karma Re: Does Splunk support Redhat chkconfig? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Reasonable Search performance? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Gaps in graphs for dwaddle. 06-05-2020 12:46 AM
- Karma Re: mastering splunk for MarioM. 06-05-2020 12:46 AM
- Karma Re: mastering splunk for araitz. 06-05-2020 12:46 AM
- Karma Re: SplunkWeb Certificates Issue for araitz. 06-05-2020 12:46 AM
- Karma Re: Logging for Splunk - Best Practices or Tips? for ziegfried. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
10-10-2018
07:29 AM
Thanks @kmorris & @adonio, our on-premise solution is running on very very old hardware, some of which is unsupported, so management keen to get that closed down rather than running for another year.
Environment is not clustered.
... View more
10-10-2018
02:02 AM
1 Karma
Hey there,
Has anyone taken the challenge of migrating historic indexed data from on-premise Splunk Enterprise to Splunk Cloud?
Happy with doing heavy lifting, etc., just trying to plan out the process of getting moved over.
Thanks,
Matt
... View more
08-22-2015
07:26 AM
It turns out the correlation searches didn't like the eventtype, I have temporary work around and will have to revisit this at a later date.
... View more
08-22-2015
07:24 AM
Thanks @ekost & @jbrodsky, I have just configured a test instance with version 3.3.1 and this solution appears to be working correctly.
In our current version the log_review.conf file does not have the same contents (namely missing table_attributes and event_attributes )
Looks like I will have to schedule in some upgrade work!
Thanks for your help.
Best,
Matt
... View more
08-20-2015
08:47 AM
@ekost,
My correlation search is generating all the fields required (i.e. I could add them to the title/description as variables), however I would like them to appear under "Additional Fields", where there is currently items such as:
Destination
Destination Expected
Destination Requires AntiVirus
Process
User
Obviously these are fields that are referenced in the CIM; I would like to add ones, e.g:
IOC Source
IOC Description
IOC Classification
IOC Date
Etc,
The intention is that I we can add these fields to the notables/events in Incident Review, so that the review is more streamlined and also so that we can create workflow actions on the IOC themselves (e.g. Open Source checks, checks on other systems internally, etc.) for each instance.
We do have other use cases, not just IOC information.
Hope this is a bit clearer.
Thanks,
Matt
... View more
08-19-2015
09:08 AM
Thanks @esix,
My log_review.conf file only has the following:
[notable_editing]
allow_urgency_override=true
[comment]
minimum_length=20
is_required=false
I also used btool to identify any other instances, however, that was the only one.
So don't really have much to go on.
... View more
08-19-2015
08:47 AM
1 Karma
Hi,
We have a requirement to add some additional fields to events under "Incident Review" for IOCs (I have looked at some of the mappings in notables2.html ), however, they don't give us quite enough flexibility.
How do I add these additional fields under the heading "Additional Fields" (e.g. dest displays as "Destination")?
I have had a look at the following however changing the HTML or log_review.conf did not appear to make any difference:
http://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
Thanks,
MHibbin
... View more
08-19-2015
08:28 AM
@jbrodsky
what is the expected format of this? - I haven't found any documentation on this yet.
I have added some field names as their own stanzas, however, it is not generating in Incident Review.
How do you map the field names to the meaningful names (i.e. like the defaults; e.g. dest maps to Destination)?
... View more
06-10-2015
02:26 AM
There may be an easier way (I like to take obscure routes) but I would:
Create a custom command that maintains an eventtype(s)
Link that custom command to the form
Have the script to a comma-seperated list and update the eventtype(s).
HTH,
MHibbin
... View more
06-08-2015
02:12 PM
Scheduled searches,
16 cores,
Custom DM,
Not accelerated 🙂
... View more
06-08-2015
02:00 PM
Hi,
I've hit a bit of a road block trying to set up some custom correlation searches, which are very similar to others that work successfully.
The data model is configured and generates events; and I have a pivot search that generates events. When setting up others, this worked fine, however, on the last two I've tried setting, it appears to not be generating events. The time frame is the last 60 minutes, and the notable has some variables.
The inspector shows that it is not able to find events (considering the search runs fine in flashtimeline). I know it is a bit ambiguous, but is there anything obvious I could be missing?
hmmm....
Thanks. 🙂
... View more
01-14-2015
07:39 AM
1 Karma
Just come across this blog article:
http://blogs.splunk.com/2011/08/02/splunk-rest-api-is-easy-to-use/
At the moment I have appended my URI with ?output_mode=json&count=0 , which seems to work.
Still, I am curious to know what was wrong in the first place, unless this is the correct method, and I have misread the documentation.
... View more
01-14-2015
07:25 AM
Hi,
I am trying to get some results out of Splunk using the REST API, I have the following in my script:
uri = "/services/search/jobs/" + str(sid) + "/results"
data = urllib.urlencode({"count":"0", "output_mode":"csv"})
response, content = h.request(base_url + uri, "get", data)
However, it is only downloading 100 results (101 rows including header).
I'm probably overlooking something as I've only started really using the interface. Any thoughts, on why I'm still getting the default number of results.
Thanks,
MHibbin
... View more
10-28-2013
04:05 AM
Hi,
I've configured Splunk to forward data to a third party system we use.
I can see on the packet captures that the traffic is being sent to the host, however, I am seeing more data than I would like going to this host. I would only like our ASA traffic to go to this host, however, I am seeing all sorts of data being sent. I was not expecting this based on the following configuration files:
outputs.conf -
[syslog]
defaultGroup = syslog_out
[syslog:syslog_out]
server=1.2.3.4:514
type=udp
priority = NO_PRI
props.conf -
[cisco_asa]
TRANSFORMS-routing=syslog_routing
transforms.conf
[syslog_routing]
REGEX="^[^\%]+\%ASA"
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_out
N.B: the regex is there as I thought it might be an issue with just using " . " for the "cisco_asa" sourcetype (not that it should matter).
I've clearly missed something here, so any help would be grateful.
Thanks,
mhibbin
... View more
10-18-2013
03:53 AM
... Who wouldn't want Splunk all over there undies.... so wrong. -.-
... View more
10-15-2013
03:08 AM
have you looked in the splunk logs for anything?
have you restarted splunk? - does it complain about dirty indexes
is this a historical problem? or recent one? - any changes around the time of occurrence?
... View more
10-14-2013
07:32 AM
3 Karma
@adityapavan18, again I'm not sure, as I only one indexer to play around with at the moment, but perhaps the following, seems odd to me that it has the server field if it is localized to one server...
| eventcount summarize=false index=* report_size=true | eval MB=(size_bytes/1024)/1024 | stats sum(MB) by index, server
... View more
10-14-2013
03:59 AM
2 Karma
The eventcount command may be what you need:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Eventcount
Haven't tried it against multiple indexers however.
This command requires a " | " before the command to run.
Hope this helps.
... View more
10-11-2013
05:18 AM
I would configure this setting to true and following the backoff setting in the outputs.conf.spec file:
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Outputsconf
... View more
10-11-2013
05:04 AM
2 Karma
I would set up a forwarder on some utility server somewhere near the firewalls, and configure the outputs.conf file to send to your two indexer.
You will need to make sure you turn off the autoLB feature in the outputs.conf file to stop the forwarder switching between the two.
Outputs.conf.spec:
"http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Outputsconf"
Example configuration on UF:
inputs.conf:
[udp://514]
disabled = false
sourcetype = syslog
connection_host = none
outputs.conf:
[tcpout]
defaultGroup=indexers
[tcpout:indexers]
server=<indexer1>:9997, <indexer2>:9997
autoLB=false
Restart of Splunkd on the forwarder.
Hope this helps,
MHibbin
... View more
10-02-2013
10:20 AM
1 Karma
The following link for the tutorialdata.zip file:
http://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/GetthetutorialdataintoSplunk#Download_the_sample_data_file
The following link for the prices.csv.zip file:
http://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/AddlookupfilestoSplunk#Download_the_lookup_file
Hope this helps,
Matt
... View more
10-02-2013
09:54 AM
Glad that worked for you. I would say that may be one for support.
... View more
10-01-2013
12:10 PM
1 Karma
Try running the installation file from an elavated Command Prompt, using the msiexec /i command - try that with acceptlicense parameter /quiet flag, etc.
... View more
09-30-2013
06:14 AM
Upgrading from 4.3.4 to 5.0.4, couldn't see anything in the logs other than the inputs starting up.
I'll try the logging.
... View more
09-27-2013
02:38 AM
Hi guys,
I have started upgrading our Windows forwarders, and have seen issues with the regmon process (splunk-regmon.exe)maxing out the CPU usage on the hosting server. The only workaround I have at the moment is to disable the input script at the system level. This is not ideal as we monitor the changes in the registry.
This has had the same effect on Windows 2003, 2008 R2, and 2012.
Is this a known issues (I have checked the release notes, but couldn't see anything)? Is there a work-around that can enable us to use this feature without maxing out the CPU?
If it is a bug, where do I find the submission form? - it's been a long time since I've looked at the form.
Thanks,
MHibbin
... View more
