Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ilhwan
ilhwan
Path Finder
Member since:
12-23-2019
02-05-2025
Community Statistics
| Posts | 34 |
| Solutions | 2 |
| Karma Given | 3 |
| Karma Received | 2 |
| Member Since | 12-23-2019 |
Activity Feed
- Got Karma for SolarWinds add-on not working. 03-04-2025 05:49 AM
- Posted update to Splunk Add-on for Infoblox? on Getting Data In. 02-04-2025 10:45 AM
- Posted Re: dealing with UF user change (linux) on Getting Data In. 10-28-2024 02:19 PM
- Posted dealing with UF user change (linux) on Getting Data In. 10-28-2024 11:08 AM
- Posted Re: does monitoring console log to an index? on Splunk Enterprise. 10-07-2024 08:46 AM
- Posted Re: does monitoring console log to an index? on Splunk Enterprise. 10-03-2024 02:03 PM
- Posted Re: does monitoring console log to an index? on Splunk Enterprise. 10-03-2024 09:32 AM
- Posted does monitoring console log to an index? on Splunk Enterprise. 10-02-2024 03:21 PM
- Posted Re: Splunk Add-on for SolarWinds - Alerts input not working on Splunk Enterprise. 03-15-2024 01:16 PM
- Posted SolarWinds add-on not working on Getting Data In. 03-15-2024 07:04 AM
- Posted Re: how can I tell if a data model is being used? on Splunk Search. 02-14-2024 08:35 AM
- Karma Re: how can I tell if a data model is being used? for richgalloway. 02-14-2024 08:35 AM
- Posted how can I tell if a data model is being used? on Splunk Search. 02-13-2024 10:09 AM
- Posted Re: Can I add UBA servers as deployment server clients? on Deployment Architecture. 10-25-2023 03:57 PM
- Posted Can I add UBA servers as deployment server clients? on Deployment Architecture. 10-25-2023 06:41 AM
- Posted Can I add a local CA to the certificate store? on Splunk Enterprise. 05-02-2023 01:36 PM
- Posted Re: Is there a row limit to lookup tables? on Splunk Search. 02-01-2023 10:39 AM
- Karma Re: Is there a row limit to lookup tables for gcusello. 02-01-2023 10:39 AM
- Karma Re: Is there a row limit to lookup tables? for scelikok. 02-01-2023 10:39 AM
- Posted Re: Is there a row limit to lookup tables on Splunk Search. 02-01-2023 10:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-04-2025
10:45 AM
I'm struggling to get data in from Infoblox using Splunk Add-on for Infoblox. I looked at the documentation and realized it doesn't support the current versions. I'm using Infoblox NIOS 9.0.3. The Splunk documentation says it supports Infoblox NIOS 8.4.4, 8.5.2, 8.6.2. Specifically, it's not parsing correctly, and everything goes into sourcetype=infoblox:port. Are there any more current ways to get data in from Infoblox? Can I get Splunk support to help me since it's a Splunk-supported Add-on?
... View more
Labels
- Labels:
-
data
10-28-2024
02:19 PM
I'd rather chown the old version and make it match the new one. I think I tried that on one of my update tests, and it complained a lot before failing. That's kinda why I'm thinking of uninstalling the old one and installing it fresh.
... View more
10-28-2024
11:08 AM
I haven't upgraded UF in a while, and I'm having some trouble figuring out how I should proceed with bringing it up to date. I see that the current version has changed the user from splunk to splunkfwd. I also see that updating an existing UF keeps the user as splunk (this seems to work but not always). This will means that new installations will use a different username than updated UF. This is a problem for me because I use scripts to make the permission changes to give splunk access to the appropriate log files. I'm not finding a lot of guidance on how to keep this sane. How have other organizations dealt with this? I'm tempted to uninstall UF and do a fresh install on every system. That will force me to manage splunk servers differently than other linux servers, but that has to be less complicated than trying to keep track of which systems use splunk and which use splunkfwd.
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
10-07-2024
08:46 AM
Thanks for the suggestion, but I don't see a magnifying glass on any of the panels on the overview screen like on normal dashboard panels. I'm logged in as admin.
... View more
10-03-2024
02:03 PM
Is it possible to see the SPL queries that MC uses for those dashboards?
... View more
10-02-2024
03:21 PM
I've been asked to generate an uptime report for Splunk. I don't see anything obvious in the monitoring console, so I thought I'd try to see if I could build a simple dashboard. Does the monitoring console log things like
... View more
Labels
- Labels:
-
administration
03-15-2024
01:16 PM
Are you saying that the add-on is not worth using?
... View more
03-15-2024
07:04 AM
1 Karma
I'm on Splunk Enterprise 9.1.3, and I've configured the add-on (no proxy) with the SolarWinds server name, port, and credentials. I've configured the inputs, and I see nothing. Running tcpdump shows no traffic to the SolarWinds server or the configured port. This is what I see in the log: 2024-03-14 19:55:48,630 +0000 log_level=ERROR, pid=3098123, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=113 | [stanza_name="ics_query"] Failed to index data
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 109, in index_data
self._do_safe_index()
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 129, in _do_safe_index
self._client = self._create_data_client()
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 99, in _create_data_client
self._data_loader.get_event_writer())
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/ta_cloud_connect_client.py", line 20, in __init__
from ..core.pipemgr import PipeManager
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/__init__.py", line 1, in <module>
from .engine import CloudConnectEngine
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/engine.py", line 6, in <module>
from .http import HttpClient
File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/http.py", line 26, in <module>
'http_no_tunnel': socks.PROXY_TYPE_HTTP_NO_TUNNEL,
AttributeError: module 'socks' has no attribute 'PROXY_TYPE_HTTP_NO_TUNNEL' I'd appreciate any help in getting this working.
... View more
Labels
- Labels:
-
heavy forwarder
02-14-2024
08:35 AM
Thank you for that suggestion. Now I'm even more confused. The events are coming in as sourcetype=cef, and there are a lot more differences than I would have expected, including what's in system/default... I've got some digging to do.
... View more
02-13-2024
10:09 AM
I have a distributed environment with 2 independent search heads. I run the same search on both, and one shows a field that the other does not. I can't figure out why. I can't find any data models that mention the index or sourcetype I'm searching. Is there a way to show me if a data model is being used in my search? The logs are coming from an IBM i-series system using syslog through sc4s.
... View more
Labels
- Labels:
-
field extraction
10-25-2023
03:57 PM
I see. I was thinking it wasn't UF because every other instance of UF I've seen used /opt/splunkforwarder.
... View more
10-25-2023
06:41 AM
Splunk PS installed UBA a while back, and I just noticed that we are not getting OS logs from those servers into Splunk Enterprise. Since we have a 10 node cluster, I was trying to find a quicker way to manage them. Is there a reason I shouldn't connect the Splunk Enterprise running on all of those nodes to the deployment server?
... View more
Labels
- Labels:
-
deployment server
05-02-2023
01:36 PM
Does Splunk have a certificate store I can add a local CA certificate to? I have a TA on a HF that's trying to pull events over https, and it's complaining about the certificate because it's signed by our local CA.
... View more
Labels
- Labels:
-
administration
-
configuration
02-01-2023
10:39 AM
Thanks for your reply. This is the search I'm running: index=cisco sourcetype=cisco:asa eventtype=cisco_vpn_start host!=shr-vpn-cell-fw01 | lookup vpnlist.csv NetworkAddress AS src_ip OUTPUTNEW isvpn | stats count by src_ip, isvpn, Username I'm definitely not using inputlookup, but I seem to be running into a limit on the number of rows. Now I've converted the lookup to a KV lookup as @gcusello suggested, but I'm having trouble getting that working.
... View more
02-01-2023
10:26 AM
Thank you for the links. I converted my lookup to a KV lookup, and it keeps telling me that my lookup table is invalid. I thought I could just keep the same .csv file, I'll have to figure out how to fix that.
... View more
02-01-2023
08:30 AM
My boss asked me to generate a report of people connecting to our network from public VPN providers. I'm using this file from github as a lookup table. I added a column to make it a valid .csv. The first couple of rows look like this:
NetworkAddress,isvpn 1.12.32.0/23,1 1.14.0.0/15,1
I added my own IP address to confirm that the lookup was working. It works if I add as the first row but not as the last row.
Is there a row limit? The file is only 425K, so I don't think I'm running into a file size limit, but it has 22682 rows.
... View more
Labels
- Labels:
-
lookup
11-07-2022
10:25 AM
1 Karma
I just figured it out. I had to set the token to a blank string since I use it in the search later. <input type="dropdown" token="my_action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">any</choice>
<choice value="allowed">allowed</choice>
<choice value="blocked">blocked</choice>
<prefix>action=</prefix>
<change>
<condition label="blocked">
<unset token="is_not_blocked"></unset>
<set token="my_dest_ip">""</set>
</condition>
<condition label="allowed">
<set token="is_not_blocked">true</set>
</condition>
<condition label="*">
<set token="is_not_blocked">true</set>
</condition>
</change>
<default>*</default>
</input>
... View more
11-07-2022
10:20 AM
I tried that without success. This is what the input panel looks like: <input type="dropdown" token="my_action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">any</choice>
<choice value="allowed">allowed</choice>
<choice value="blocked">blocked</choice>
<prefix>action=</prefix>
<change>
<condition label="blocked">
<unset token="is_not_blocked"></unset>
<unset token="my_dest_ip"></unset>
</condition>
<condition label="allowed">
<set token="is_not_blocked">true</set>
</condition>
<condition label="*">
<set token="is_not_blocked">true</set>
</condition>
</change>
<default>*</default>
</input>
... View more
11-07-2022
08:57 AM
I am trying to only include dest_ip in my search if action is not "blocked. These are the input panels:
<input type="dropdown" token="my_action" searchWhenChanged="true">
<label>Action</label>
<choice value="*">any</choice>
<choice value="allowed">allowed</choice>
<choice value="blocked">blocked</choice>
<prefix>action=</prefix>
<change>
<condition label="blocked">
<unset token="is_not_blocked"></unset>
</condition>
<condition label="allowed">
<set token="is_not_blocked">true</set>
</condition>
<condition label="*">
<set token="is_not_blocked">true</set>
</condition>
</change>
<default>*</default>
</input>
<input type="text" token="my_dest_ip" searchWhenChanged="true" depends="$is_not_blocked$">
<label>Destination IP address (CIDR okay)</label>
<default>*</default>
<prefix>dest_ip=</prefix>
<initialValue>*</initialValue>
</input>
This is the search:
<panel>
<title>Network Connections by Source</title>
<table>
<title>Count of network connections by source - click on a line for list of sessions from that source</title>
<search>
<query>index=proxy $my_host$ $my_src_ip$ $my_dest_ip$ $my_url$ $my_action$
| lookup dnslookup clientip as src_ip OUTPUT clienthost as Host
| stats count by src_ip Host action
| table src_ip, Host action count
| sort -count
| rename src_ip as "Source_IP" action as Action count as "Count"</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="drill_client_ip">$row.Source_IP$</set>
<set token="drill_url">*</set>
<set token="drill_dest_ip">*</set>
<set token="drill_action">$row.Action$</set>
</drilldown>
</table>
</panel>
The input panel for my_dest_ip disappears when I select "blocked" in the action panel, but the search still includes dest_ip=*. What am I not understanding?
... View more
11-04-2022
04:15 PM
Thank you. I was confused by the wording. I thought my search had to output a report or a dashboard.
... View more
11-04-2022
02:47 PM
That is part of the search I run manually to update the lookup table. I'm trying to figure out how to schedule it to run monthly.
... View more
11-04-2022
01:18 PM
I have a search that writes to a lookup table. I would like to run this search once a month and update (overwrite) the lookup table. I see that I can schedule reports, dashboards, and alerts. Is it possible to do it with a search that writes to a lookup table file?
... View more
Labels
- Labels:
-
lookup
10-11-2022
06:28 AM
It works now. I had to go back into the lookup definition and remove the WILDCARD match type. I don't understand how to use that match type, but I have my solution now. Thanks for your help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-05-2025
02:40 PM
|
