Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- About treinke
treinke
Builder
Member since:
05-05-2010
08-05-2024
Community Statistics
| Posts | 147 |
| Solutions | 16 |
| Karma Given | 117 |
| Karma Received | 68 |
| Member Since | 05-05-2010 |
Activity Feed
- Got Karma for Re: How to timechart the count of a field by day?. 08-21-2024 11:44 AM
- Got Karma for Re: Upgrade Splunk using RPM. 07-20-2023 09:42 AM
- Got Karma for BSides Splunk 2022 - The Call for Papers is now Open!. 08-22-2022 11:47 PM
- Karma Re: how to replace using SED command ? for horsefez. 05-24-2022 08:26 AM
- Karma Announcing Our New Splunk Community MVPs Program for jhupka_splunk. 02-09-2022 03:54 PM
- Got Karma for BSides Splunk 2022 - The Call for Papers is now Open!. 02-03-2022 07:10 PM
- Got Karma for BSides Splunk 2022 - The Call for Papers is now Open!. 12-15-2021 10:42 AM
- Got Karma for BSides Splunk 2022 - The Call for Papers is now Open!. 12-15-2021 09:24 AM
- Karma What's Happening With the Splunk Community @.conf21! for sensitive-thug. 10-15-2021 05:22 AM
- Karma Dungeons & Data Monsters: 3.0 — Updates and Our 2.0 One-Shot Adventure for bjennewein. 10-15-2021 05:21 AM
- Karma The 2021 Splunkie Award Nominations are now OPEN! for kaelas. 08-11-2021 06:39 AM
- Karma Re: Inserting whitespace in an app's nav menu? for John_Mark. 07-07-2021 07:23 AM
- Got Karma for Re: Splunk Security Cloud Makes Security Offerings Easier to Buy/Use In The Cloud. 06-22-2021 01:35 PM
- Karma Splunk Security Cloud Makes Security Offerings Easier to Buy/Use In The Cloud for bjennewein. 06-22-2021 01:23 PM
- Got Karma for Re: How can I find out which email server Splunk uses?. 06-19-2021 01:22 PM
- Posted Dashboard Studio - Remove the _tc column in table on Dashboards & Visualizations. 06-03-2021 10:18 AM
- Karma Re: BSides Splunk Conference 2021 (May 3rd & 4th) for sensitive-thug. 04-19-2021 10:25 AM
- Karma BSides Splunk Conference 2021 (Nerd Alert!) for sensitive-thug. 02-23-2021 10:48 AM
- Karma Re: termsOfServiceDirectory which web.conf should this stanza be placed in, in a distributed environment. Using btool for Yorokobi. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk integration with service now ticketing tool. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 4 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 4 | |||
| 0 | |||
| 1 | |||
| 2 |
06-03-2021
10:18 AM
Trying to get a nice list of the top 10 countries a firewall is blocking. If I run the search in the search app, it comes back with the columns of Country and count. I use Dashboard Studio and I use the same search as a data source and I get Country, count, and _tc. I am guessing I am missing a flag to not show the total count. Splunk Search: (index=netfw OR index=netproxy) (sourcetype="pan:threat" OR sourcetype="pan:traffic") action="dropped" (src_ip!=10.0.0.0/8 AND src_ip!=172.16.0.0/12 AND src_ip!=192.168.0.0/16) | iplocation src_ip | top limit=10 Country showperc=false | fields Country,count Studio Visualization: { "type": "splunk.table", "options": { "showRowNumbers": true }, "dataSources": { "primary": "ds_69PTFLxT" }, "title": "Top 10 Blocked Countries", "showProgressBar": true, "context": {}, "showLastUpdated": false }
... View more
Labels
- Labels:
-
table
05-06-2019
08:05 PM
Two things to check:
Is the KVStore working?
Then check the internal logs index="_internal" (sourcetype=cloudgateway_app_internal_log OR sourcetype="splunk_app_cloudgateway_message_processor.log")
... View more
05-05-2019
05:41 PM
check the internal logs for any errors within the cloudgateway application.
index="_internal" sourcetype="*cloudgateway*" error
... View more
03-14-2019
04:54 AM
1 Karma
There is the app to help you connect to MS Teams: https://splunkbase.splunk.com/app/3375/.
Right click on the channel you want the alert to go to and select Connectors. On the right, choose Configure on "Incoming Webhook". Give the incoming webhook a name. I tend to use the alert name as the webhook name. Upload a custom image if you want. Then click Create. That will generate the URL you need to enter in to the Splunk app.
When you setup up the alert in Splunk, make sure the "Microsoft Teams Webhook Alert Connector" app is installed, use the Microsoft Teams action and paste in the webhook URL.
*Note - You need to format the alert in to tables for best results.
... View more
10-10-2017
11:49 AM
2 Karma
If you have access to your internal index. You can try the following:
index=_internal source="*/python.log" "Sending email"
You should see a field called server.
server="localhost"
... View more
11-04-2016
07:36 AM
You are going to be looking at multiple Windows events to handle this. There is also an issue in Windows that if someone disconnects and doesn't logout. Below is a great resource on the Window Events around login/logout.
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/64
... View more
11-04-2016
07:32 AM
That is correct. You will need to look how to send the syslog to a collector for your make and model of switches. Also check on the log level of the switch. It might send more information than you want.
As hlange said, check to see if there is a prebuild app or TA for your brand of switch. Typically they help to do the parsing of the logs to help you in understanding what you are getting from the logs.
... View more
11-04-2016
06:27 AM
Windows or Linux?
... View more
11-04-2016
06:24 AM
1 Karma
Typically you can monitor the switch and look for the link state of the port. If the link state goes from down to up, someone connected something in to that port.
Typically you can send this information to a syslog server and then collect the syslog information in to Splunk.
... View more
08-11-2016
07:30 PM
also, we have a few of our meetings on YouTube.
https://www.youtube.com/c/splunk402
... View more
08-11-2016
07:29 PM
6 Karma
skoelpin,
Running a user group is amazing. You learn from the group. I have been running the Eastern Nebraska user group for over 3 years now. Don't worry about numbers of people attending. Getting a core group of 5 or 10 people attending is the goal. I try to introduce my group to different ways of using Splunk. I love to try to get some hands on activities during the meetings. This could be loading your first Splunk server, getting data in to Splunk, what are all of these .conf files, how to search, building reports, building dashboards, building an app, etc. I would suggest jumping on the Splunk Slack instance. You can sign up through my groups site at: www.splunk402.com/chat. Let us know any other questions you have.
-Tony Reinke
... View more
07-25-2016
05:55 AM
Below is a sample of the code I have used. I noticed you have an extra close tag (>) between you iframe tag and your close iframe tag.
<row>
<panel>
<title>Testing HTML</title>
<html>
<iframe src="http://www.splunk.com" height="200" width="1000" style="border:none;"></iframe>
</html>
</panel>
</row>
... View more
07-20-2016
06:31 AM
1 Karma
I am using 6.4.2 and use the following in XML of the dashboard. I simply call the HTML tag and then use the standard iframe commands inside a panel. Hope this helps.
<row>
<panel>
<title>Testing HTML</title>
<html>
<iframe src="http://www.splunk.com" height="200" width="1000" style="border:none;"></iframe>
</html>
</panel>
</row>
... View more
06-30-2016
06:18 AM
Does Splunk nativity support 2 factor?
No
Are their products that you can add to Splunk to make it support 2 factor?
Yes. I have used Duo in the past to handle multiple different 2 factor (https://duo.com/docs/splunk). It does look like they require being in legacy mode to handle the 2 factor passing of accounts.
... View more
03-31-2016
05:12 AM
Then to combine the fields that were extracted you can use the eval command to join different fields together.
... View more
03-31-2016
05:01 AM
Typically I add a statement in props.conf to let Splunk know it is XML.
[yoursourcetype]
KV_MODE = xml
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
... View more
02-01-2016
10:51 AM
are you seeing the packets with tcpdump/wireshark on the Splunk server?
... View more
10-21-2015
02:10 PM
3 Karma
I think what you are trying to do would be something like this:
(sourcetype=iis host=Server1) OR (source="WinEventLog:*" index="wineventlog" host=Server1)
This would give you the results from either search.
... View more
10-21-2015
01:23 PM
you are adding an ip address to limit the input selection. if you added [udp://514] to the inputs.conf file, you are saying any ip address on UDP port 514. This is really more like [udp://*:514] . When you add the ip address in to the stanza, you are narrowing down the parameters. So [udp://123.456.789:514] is saying from this ip on this port, do the following the in the stanza.
... View more
10-13-2015
06:10 AM
In your indexes.conf file, you can point where the path to the index is.
More information on the indexes.conf file at:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf
Example:
homePath = $SPLUNK_DB/MyIndex/db
coldPath = $SPLUNK_DB/MyIndex/colddb
thawedPath = $SPLUNK_DB/MyIndex/thaweddb
... View more
08-12-2015
07:34 AM
Are you going to define the indexes and host? Are you saying show me the sourcetypes for index=A OR index=B and host=AA Or host=BB? Or are you looking for in the last 60 minutes show me all of the indexes getting data by any host and then also show me the sourcetypes that were logged?
... View more
Take a look in Settings - Searches, reports, and alerts. Adjust the owner to yourself and then look in the table below. If you still don't see it, change the app context to All.
... View more
06-25-2015
06:10 AM
What error are you getting?
... View more
06-24-2015
06:57 AM
1 Karma
The documentation for the installation of the JDBC drivers is at: http://docs.splunk.com/Documentation/DBX/2.0.4/DeployDBX/Installdatabasedrivers
For Microsoft SQL, the Microsoft JDBC Drivers 4.1 and 4.0 for SQL Server is what you will want.
http://www.microsoft.com/download/details.aspx?id=11774
The steps to install them are here:
http://docs.splunk.com/Documentation/DBX/2.0.4/DeployDBX/Installdatabasedrivers#Microsoft_SQL_Server
... View more
06-16-2015
11:54 AM
What does your props.conf file look like? I was having this issue with some of my SendGrid logs. Example of some of the logs:
[{"response":"550 5.1.1 User Unknown ","sg_event_id":"1234567890","sg_message_id":"7410258963","event":"deferred","email":"user1@abc.local","attempt":"23","timestamp":1432305797,"smtp-id":"<random@server.local>"}]
[{"email":"user2@abc.local","timestamp":1432305792,"smtp-id":"<random@server.local>","sg_event_id":"2345678901","sg_message_id":"4108529637","event":"processed"}]
[{"email":"user3@abc.local","timestamp":1432305793,"smtp-id":"<random@server.local>","sg_event_id":"3456789012","sg_message_id":"1085296374","event":"processed"},
{"email":"user4@abc.local","timestamp":1432305793,"smtp-id":"<random@server.local>","sg_event_id":"4567890123","sg_message_id":"0852963741","event":"processed"},
{"email":"user5@abc.local","timestamp":1432305793,"smtp-id":"<random@server.local>","sg_event_id":"5678901234","sg_message_id":"852963710","event":"processed"},
{"email":"user6@abc.local","timestamp":1432305793,"smtp-id":"<random@server.local>","sg_event_id":"6789012345","sg_message_id":"5296374108","event":"processed"},
{"email":"user7@abc.local","timestamp":1432305795,"smtp-id":"<random@server.local>","response":"250 Message Queued (No RCPTS) ","sg_event_id":"7890123456","sg_message_id":"2963741085","event":"delivered"},
{"email":"user8@abc.local","smtp-id":"<random@server.local>","timestamp":1432305796,"response":"250 Backend Replied [7531598520.abcd.server.local]: 2.0.0 Ok: queued as A1B2C3D4 (Mode: n ","sg_event_id":"8901234567","sg_message_id":"9637410852","event":"delivered"},
{"email":"user9@abc.local","timestamp":1432305796,"smtp-id":"<random@server.local>","response":"250 Message Queued (No RCPTS) ","sg_event_id":"9012345678","sg_message_id":"637410852963","event":"delivered"},
{"email":"user0@abc.local","timestamp":1432305796,"smtp-id":"<random@server.local>","response":"250 Message Queued (No RCPTS) ","sg_event_id":"0123456789","sg_message_id":"3741085296","event":"delivered"}]
My props.conf for this sourcetype:
[sendgrid_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = timestamp
category = Structured
disabled = false
pulldown_type = true
Now it shows up in the nice JSON format.
... View more
