Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ilhwan
ilhwan
Path Finder
Member since:
12-23-2019
3 weeks ago
Community Statistics
| Posts | 20 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 12-23-2019 |
Activity Feed
- Posted Re: Is there a row limit to lookup tables? on Splunk Search. 02-01-2023 10:39 AM
- Karma Re: Is there a row limit to lookup tables for gcusello. 02-01-2023 10:39 AM
- Karma Re: Is there a row limit to lookup tables? for scelikok. 02-01-2023 10:39 AM
- Posted Re: Is there a row limit to lookup tables on Splunk Search. 02-01-2023 10:26 AM
- Posted Re: Is there a row limit to lookup tables on Splunk Search. 02-01-2023 08:46 AM
- Posted Is there a row limit to lookup tables? on Splunk Search. 02-01-2023 08:30 AM
- Got Karma for Re: help with depends. 11-07-2022 10:28 AM
- Posted Re: help with depends on Dashboards & Visualizations. 11-07-2022 10:25 AM
- Posted Re: help with depends on Dashboards & Visualizations. 11-07-2022 10:20 AM
- Posted Help with depends- How to only include dest_ip in my search if action is not "blocked"? on Dashboards & Visualizations. 11-07-2022 08:57 AM
- Posted Re: Can I schedule a search that writes to a lookup table? on Splunk Search. 11-04-2022 04:15 PM
- Posted Re: Can I schedule a search that writes to a lookup table? on Splunk Search. 11-04-2022 02:47 PM
- Posted Can I schedule a search that writes to a lookup table? on Splunk Search. 11-04-2022 01:18 PM
- Posted Re: Help using lookup tables to select search results on Splunk Search. 10-11-2022 06:28 AM
- Posted Re: Help using lookup tables to select search results on Splunk Search. 10-11-2022 06:08 AM
- Posted Re: Help using lookup tables to select search results on Splunk Search. 10-10-2022 01:45 PM
- Posted Help using lookup tables to select search results on Splunk Search. 10-10-2022 11:53 AM
- Posted Re: How to change host with props.conf and transforms.conf on Getting Data In. 03-11-2022 10:36 AM
- Posted Re: How to change host with props.conf and transforms.conf on Getting Data In. 03-11-2022 10:09 AM
- Posted Re: How to change host with props.conf and transforms.conf on Getting Data In. 03-10-2022 11:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-01-2023
10:39 AM
Thanks for your reply. This is the search I'm running: index=cisco sourcetype=cisco:asa eventtype=cisco_vpn_start host!=shr-vpn-cell-fw01 | lookup vpnlist.csv NetworkAddress AS src_ip OUTPUTNEW isvpn | stats count by src_ip, isvpn, Username I'm definitely not using inputlookup, but I seem to be running into a limit on the number of rows. Now I've converted the lookup to a KV lookup as @gcusello suggested, but I'm having trouble getting that working.
... View more
02-01-2023
10:26 AM
Thank you for the links. I converted my lookup to a KV lookup, and it keeps telling me that my lookup table is invalid. I thought I could just keep the same .csv file, I'll have to figure out how to fix that.
... View more
02-01-2023
08:30 AM
My boss asked me to generate a report of people connecting to our network from public VPN providers. I'm using this file from github as a lookup table. I added a column to make it a valid .csv. The first couple of rows look like this:
NetworkAddress,isvpn 1.12.32.0/23,1 1.14.0.0/15,1
I added my own IP address to confirm that the lookup was working. It works if I add as the first row but not as the last row.
Is there a row limit? The file is only 425K, so I don't think I'm running into a file size limit, but it has 22682 rows.
... View more
Labels
- Labels:
-
lookup
11-07-2022
10:25 AM
1 Karma
I just figured it out. I had to set the token to a blank string since I use it in the search later. <input type="dropdown" token="my_action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">any</choice>
<choice value="allowed">allowed</choice>
<choice value="blocked">blocked</choice>
<prefix>action=</prefix>
<change>
<condition label="blocked">
<unset token="is_not_blocked"></unset>
<set token="my_dest_ip">""</set>
</condition>
<condition label="allowed">
<set token="is_not_blocked">true</set>
</condition>
<condition label="*">
<set token="is_not_blocked">true</set>
</condition>
</change>
<default>*</default>
</input>
... View more
11-07-2022
10:20 AM
I tried that without success. This is what the input panel looks like: <input type="dropdown" token="my_action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">any</choice>
<choice value="allowed">allowed</choice>
<choice value="blocked">blocked</choice>
<prefix>action=</prefix>
<change>
<condition label="blocked">
<unset token="is_not_blocked"></unset>
<unset token="my_dest_ip"></unset>
</condition>
<condition label="allowed">
<set token="is_not_blocked">true</set>
</condition>
<condition label="*">
<set token="is_not_blocked">true</set>
</condition>
</change>
<default>*</default>
</input>
... View more
11-07-2022
08:57 AM
I am trying to only include dest_ip in my search if action is not "blocked. These are the input panels:
<input type="dropdown" token="my_action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">any</choice>
<choice value="allowed">allowed</choice>
<choice value="blocked">blocked</choice>
<prefix>action=</prefix>
<change>
<condition label="blocked">
<unset token="is_not_blocked"></unset>
</condition>
<condition label="allowed">
<set token="is_not_blocked">true</set>
</condition>
<condition label="*">
<set token="is_not_blocked">true</set>
</condition>
</change>
<default>*</default>
</input>
<input type="text" token="my_dest_ip" searchWhenChanged="true" depends="$is_not_blocked$">
<label>Destination IP address (CIDR okay)</label>
<default>*</default>
<prefix>dest_ip=</prefix>
<initialValue>*</initialValue>
</input>
This is the search:
<panel>
<title>Network Connections by Source</title>
<table>
<title>Count of network connections by source - click on a line for list of sessions from that source</title>
<search>
<query>index=proxy $my_host$ $my_src_ip$ $my_dest_ip$ $my_url$ $my_action$
| lookup dnslookup clientip as src_ip OUTPUT clienthost as Host
| stats count by src_ip Host action
| table src_ip, Host action count
| sort -count
| rename src_ip as "Source_IP" action as Action count as "Count"</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="drill_client_ip">$row.Source_IP$</set>
<set token="drill_url">*</set>
<set token="drill_dest_ip">*</set>
<set token="drill_action">$row.Action$</set>
</drilldown>
</table>
</panel>
The input panel for my_dest_ip disappears when I select "blocked" in the action panel, but the search still includes dest_ip=*. What am I not understanding?
... View more
11-04-2022
04:15 PM
Thank you. I was confused by the wording. I thought my search had to output a report or a dashboard.
... View more
11-04-2022
02:47 PM
That is part of the search I run manually to update the lookup table. I'm trying to figure out how to schedule it to run monthly.
... View more
11-04-2022
01:18 PM
I have a search that writes to a lookup table. I would like to run this search once a month and update (overwrite) the lookup table. I see that I can schedule reports, dashboards, and alerts. Is it possible to do it with a search that writes to a lookup table file?
... View more
Labels
- Labels:
-
lookup
10-11-2022
06:28 AM
It works now. I had to go back into the lookup definition and remove the WILDCARD match type. I don't understand how to use that match type, but I have my solution now. Thanks for your help.
... View more
10-11-2022
06:08 AM
Yes, that makes sense. It did just occur to me to trim the query down (except that I was thinking about split() instead of rex). However, your second query still gives me the same error: basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0) There must be a problem with my lookup table. I did remove the wildcard lines, and it looks like this now: domain_name,type microsoft.com,microsoft google.com,google nwngms.com,ot gasco.com,it
... View more
10-10-2022
01:45 PM
Is there a way I can enter wildcard domains to compare against?
... View more
10-10-2022
11:53 AM
I have a lookup table named ics_special_domains that contains this:
domain_name,type microsoft.com,microsoft *.microsoft.com,microsoft google.com,google *.google.com,google nwngms.com,ot *.nwngms.com,ot gasco.com,it *.gasco.com,it
I'm trying to use this in a search to filter on specific types, but I'm trying a basic search first. This is the most basic search I'm trying:
index=ics_dns ( query_type="A" OR query_type="AAAA" ) | lookup ics_special_domains domain_name as query{} outputnew type as domain_type | where domain_type="microsoft"
It returns this error:
basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)
I'd appreciate any help figuring this out.
... View more
Labels
- Labels:
-
lookup
03-11-2022
10:36 AM
I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype. This is what is working for me. props.conf: [rubrik:archivebandwidth] TRANSFORMS-hostoverride = hostoverride [rubrik:archiveusage] TRANSFORMS-hostoverride = hostoverride [rubrik:clusteriostats] TRANSFORMS-hostoverride = hostoverride [rubrik:eventfeed] TRANSFORMS-hostoverride = hostoverride [rubrik:mvsummary] TRANSFORMS-hostoverride = hostoverride [rubrik:nodeiostats] TRANSFORMS-hostoverride = hostoverride [rubrik:nodestats] TRANSFORMS-hostoverride = hostoverride [rubrik:orgcapacityreport] TRANSFORMS-hostoverride = hostoverride [rubrik:runwayremaining] TRANSFORMS-hostoverride = hostoverride [rubrik:storagesummary] TRANSFORMS-hostoverride = hostoverride transforms.conf: [hostoverride] DEST_KEY = MetaData:Host REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\" FORMAT = host::$1
... View more
03-11-2022
10:09 AM
That captures the entire rest of the line instead of just the field I'm interested in. This is what I'm trying now: [hostoverride] DEST_KEY = MetaData:Host REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\" FORMAT = host::$1
... View more
03-10-2022
11:44 AM
Yes, it's on the HF that has the add-on. It's in the local directory.
... View more
03-09-2022
10:42 AM
I have an add-on running on a heavy forwarder that is using the name of the HF as the host. I'm trying to change the host to something more useful. All of the events are of the sourcetype rubrik:*.
Here is a sample event:
{"_time": "2022-03-07T23:31:00.000Z", "clusterName": "my-host", "locationId": "XXXmaskedXXX", "locationName": "XXXmaskedXXX", "type": "Outgoing", "value": 0}
I would like to use "my-host" as the host. This is what I'm trying with no success.
props.conf:
[rubrik:*] TRANSFORMS-myhost = hostoverride
transforms.conf:
[hostoverride] DEST_KEY = MetaData:Host REGEX = \"clusterName\"\:\s\"(.+)\".+ FORMAT = host::$1
... View more
Labels
- Labels:
-
heavy forwarder
-
host
-
props.conf
-
transforms.conf
05-21-2021
01:06 PM
We had a system integrator install and configure SC4S, and I'm trying to understand the configuration afterwards. I've been going through this document, and I'm confused by something pretty early on. The document says I should see the following in env_file: SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://splunk.smg.aws:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no Instead, this is what I see: SPLUNK_HEC_URL=<***my urls***>
SPLUNK_HEC_TOKEN=<***my token***>
#Uncomment the following line if using untrusted SSL certificates
SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no This clearly works, but I'd like to understand why. Is "SPLUNK_HEC_URL" functionally equivalent to "SC4S_DEST_SPLUNK_HEC_DEFAULT_URL" and likewise "SPLUNK_HEC_TOKEN"? Is the documentation old, or is my sc4s old?
... View more
Labels
- Labels:
-
configuration
02-15-2021
12:17 PM
I'm using the Splunk Add-on for Symantec Blue Coat ProxySG add-on. I'm receiving the logs (from ASG version 6.7.3.14) and seeing most of the data as expected. The problem is that everything before "-splunk_format" is getting dropped. If I look at the raw log using "show source" in splunk search, it looks like this: - splunk_format - c-ip=172.16.186.28 cs-bytes=20058 cs-categories="News" cs-host=data.api.cnn.io cs-ip=172.30.50.202 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" cs-username=iho dnslookup-time=0 duration=285 rs-status=0 s-action=TCP_TUNNELED s-ip=172.30.50.202 service.name="Explicit HTTP" service.group="Standard" s-supplier-ip=172.30.50.202 s-supplier-name=172.30.50.202 sc-bytes=680861 sc-filter-result=OBSERVED sc-status=200 time-taken=285209 c-url="tcp://data.api.cnn.io:443/" cs-headerlength=213 cs-threat-risk=unavailable r-ip=151.101.53.67 s-connect-type=Direct s-icap-status=ICAP_NOT_SCANNED s-sitename=http.proxy s-source-port=32401 s-supplier-country=Unavailable sr-Accept-Encoding=identity x-cookie-date=Sat,%2013-Feb-21%2016:41:27%20GMT x-cs-connection-negotiated-cipher=none x-exception-category-review-message="<br><br>Your request was categorized by Blue Coat Web Filter as 'News'. <br>If you wish to question or dispute this result, please click <a href=%22http://sitereview.bluecoat.com/sitereview.jsp?referrer=136&url=tcp://data.api.cnn.io:443/%22>here</a>." x-exception-sourceline=0 x-rs-connection-negotiated-cipher=none cs-uri-path=/ c-uri-pathquery=/ If I use tcpdump on the server running sc4s, I see this: <111>1 2021-02-13T16:47:43 ShrSecGatPd01 bluecoat - splunk_format - c-ip=172.16.186.28 rs-Content-Type="-" cs-auth-groups=- cs-bytes=1418 cs-categories="Technology/Internet;Web Ads/Analytics" cs-host=mcdp-sadc1.outbrain.com cs-ip=172.30.50.202 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" cs-username=iho dnslookup-time=0 duration=7 rs-status=0 rs-version=- s-action=TCP_TUNNELED s-ip=172.30.50.202 service.name="Explicit HTTP" service.group="Standard" s-supplier-ip=172.30.50.202 s-supplier-name=172.30.50.202 sc-bytes=1850 sc-filter-result=OBSERVED sc-status=200 time-taken=7161 x-exception-id=- x-virus-id=- c-url="tcp://mcdp-sadc1.outbrain.com:443/" cs-Referer="-" c-cpu=- connect-time=- cs-auth-groups=- cs-headerlength=229 cs-threat-risk=unavailable r-ip=66.225.223.159 r-supplier-ip=- rs-time-taken=- rs-server=- s-connect-type=Direct s-icap-status=ICAP_NOT_SCANNED s-sitename=http.proxy s-source-port=55231 s-supplier-country=Unavailable sc-Content-Encoding=- sr-Accept-Encoding=identity x-auth-credential-type=- x-cookie-date=Sat,%2013-Feb-21%2016:47:43%20GMT x-cs-certificate-subject=- x-cs-connection-negotiated-cipher=none x-cs-connection-negotiated-cipher-size=- x-cs-connection-negotiated-ssl-version=- x-cs-ocsp-error=- x-cs-Referer-uri=- x-cs-Referer-uri-address=- x-cs-Referer-uri-extension=- x-cs-Referer-uri-host=- x-cs-Referer-uri-hostname=- x-cs-Referer-uri-path=- x-cs-Referer-uri-pathquery=- x-cs-Referer-uri-port=- x-cs-Referer-uri-query=- x-cs-Referer-uri-scheme=- x-cs-Referer-uri-stem=- x-exception-category=- x-exception-category-review-message="<br><br>Your request was categorized by Blue Coat Web Filter as 'Technology/Internet;Web Ads/Analytics'. <br>If you wish to question or dispute this result, please click <a href=%22http://sitereview.bluecoat.com/sitereview.jsp?referrer=136&url=tcp://mcdp-sadc1.outbrain.com:443/%22>here</a>." x-exception-company-name=- x-exception-contact=- x-exception-details=- x-exception-header=- x-exception-help=- x-exception-last-error=- x-exception-reason="-" x-exception-sourcefile=- x-exception-sourceline=0 x-exception-summary=- x-icap-error-code=- x-rs-certificate-hostname=- x-rs-certificate-hostname-category=- x-rs-certificate-observed-errors=- x-rs-certificate-subject=- x-rs-certificate-validate-status=- x-rs-connection-negotiated-cipher=none x-rs-connection-negotiated-cipher-size=- x-rs-connection-negotiated-ssl-version=- x-rs-ocsp-error=- cs-uri-extension=- cs-uri-path=/ cs-uri-query="-" c-uri-pathquery=/ What do I need to edit to get it to parse out the timestamp and hostname?
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
