About ghostdog920

ghostdog920 · ‎02-16-2023

I am working on a dashboard for my help desk and would like to embed a website, https://status.twilio.com/ so that staff can easily view from the vendor if they are experiencing outages all from a single pane of glass. I can see in the old versions of splunk with html dashboards how to do this but not with the new version of dashboards and am not having much luck trying to figure this out. I attempted the below via a drill down but clearly not getting what I want, which is the content to hopefully display as an embeded page within the dashboard. Granted my drill down doesnt work either. Below is my code for the panel itself where i am trying to get this working. Not being a coder and not familiar with XML i realize i am asking for quite a bit of help. Any insight anyone can offer is greatly appreciated. { "type": "splunk.table", "options": { "count": 100, "dataOverlayMode": "none", "drilldown": "none", "percentagesRow": false, "rowNumbers": false, "totalsRow": false, "wrap": true }, "dataSources": {}, "title": "Twilio Status", "description": "", "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "https://status.twilio.com/" } } ], "context": {}, "showProgressBar": false, "showLastUpdated": false }

ghostdog920 · ‎07-01-2021

Finally got this all straightened out. Needed to use cef utils for splunk along with a separate syslog destination from my panorama with custom cef events setup for the config section to get what i wanted.

ghostdog920 · ‎06-15-2021

Having a strange issue and not sure what my culprit/problem is. Have a panorama to syslogng to Heavy Forwarder to Indexer with a single search head. I see the parsing (I think) where fields are found and values= but they are truncating. Specifically, my raw event has this in it: before_change_detail="Emergency by IP { static [ ""Jim CentOS"" ]; } " after_change_detail=Emergency by IP { } but when i look at the field values, this is what i get: Any ideas on why my field values are getting cut short?

ghostdog920 · ‎08-07-2020

It is! Thank you so much!

ghostdog920 · ‎08-07-2020

So the mvindex basically says for that field, choose in this case, the 2nd value for the field as the only value for that field?

ghostdog920 · ‎08-07-2020

I am having a problem with what i believe is writing a regex to clean up some events before i report on them in dashboard. I am pulling specific security events from windows and each event should return a username and a domain. I am getting those results, but with each, it is also returning a second data item "-". That is throwing things off/making it look ugly and i havent had much luck ripping it out. Hoping someone can assist and possibly explain what the solution is doing? I tried to do an eval replace for the field where "-" is replaced with "" but then none of my events showed up so clearly that was wrong. A sample event looks like this to help clarify what i am getting: I basically need to drop the first line from both the "Account" and also "Account_Domain" so that i would only get service. and PF as values. As always, help is greatly appreciated.

ghostdog920 · ‎05-07-2019

Got this working (or at least not erroring) after I appended the index|rename as needed. I get a raw event dump and the regex fields still aren't listed in the "interesting fields" section as I would expect, but perhaps they wouldn't be?

ghostdog920 · ‎05-06-2019

Thanks everyone for the responses. I was out of the office Friday and also today so will get back to playing with this tomorrow and let you know the status.

ghostdog920 · ‎05-02-2019

So sorry, thought i responded back. I tried this: index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$" And i got this output: Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?- The search job has failed due to an error. You may be able view the job in the Job Inspector. Thoughts on where i messed up?

ghostdog920 · ‎05-02-2019

Tried this: index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$" And got this: Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?- The search job has failed due to an error. You may be able view the job in the Job Inspector.

ghostdog920 · ‎05-02-2019

Still no go. Thanks for all your help with this though as i wouldn't have gotten this far without you.

ghostdog920 · ‎05-02-2019

Is this legible enough?

ghostdog920 · ‎05-02-2019

ghostdog920 · ‎05-02-2019

Ok, unfortunately I do not see those "fields" if you will on the left side nav bar, nor does the table output anything other than the headers with no data.

ghostdog920 · ‎05-02-2019

WIth this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is if i do that and don't see fields created for the attributes, how do i reference those rex values for a table (as an example)?

ghostdog920 · ‎05-02-2019

Can definitely elaborate. Basically we are using Nessus to scan the environment for SSL certificates with the idea of creating a report to identify certs that will be expiring. So the output from nessus is say 10 columns (what i am calling fields) comma delimited that Splunk picks up on. Unfortunately one of those columns houses the elements that individually house about 10 attributes i really want to pull out as fields. I.E. Subject Name:, Common Name:, Country:, State/province:, Issue Date:, etc.

ghostdog920 · ‎05-02-2019

I have looked at a ton of posts about breaking a multivalued field but having zero luck effecting a solution. I have a csv file that i have imported into splunk. In one of the fields, it contains data like this: Subject Name: Country: US State/Province: Virginia Locality: Glen Allen I thought i could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what i want. Can someone lend me their expertise in resolving? Ideally once i break this field up into its individual pieces i want to create a dashboard that check one of them and ties it to all its records. Worry for another day if i can't break up the field.

ghostdog920 · ‎02-22-2019

I am trying to setup the splunk addon for tenable to pull scan reports from our nessus pro box. I have setup the addon on a heavy forwarder with the information needed but i never see anything come over. My fear in researching is that this functionality doesn't work as smoothly based on issues i have seen others have. I wondered if anyone has successfully gotten this working and how? My settings are: (please note that my heavy forwarder performs no indexing functionality, so the "nessus" index is only created on my actual indexer. Hoping this isn't the problem.) Metrics Nessus Host Scans Nessus Server URL https://nessuspro:8834 Start Date 1999/01/01 Batch Size 100000 Interval 43200 Index nessus Status Enabled

ghostdog920 · ‎01-18-2019

Figured it out. On the regular expression build wizard of creating a new field i just need to include additional different samples so the expression could build.

ghostdog920 · ‎01-18-2019

New to field extractions but hoping this is an easy one that i just can't figure out for myself. I have a syslog server sending raw logs and want to extract a new field that consists of all the data (string) between and so that i can use it in a search. So for example, if i had a raw log that said: Jan 18 10:58:38 10.0.254.51 <134>Jan 18 10:58:38 from="something@something.com" to="someone@someone.com" RE: [EXTERNAL] Files for Review#012 #012 I want to extract a field called "subject" that would consist of only "RE: [EXTERNAL] Files for Review". Of course as messages flow through, the subject will change among them, but that's the just of it. It is already identifying a From and To field so my end result I am trying to create will be a table that will consist of: "From" "To" "Subject" I tried rex field=_raw "\" : "<(?.*)>" but it did not like that. Any help is greatly appreciated!

ghostdog920 · ‎12-18-2018

No I did not. but wanted to post the info in case someone else was looking for it. thanks monkeyK

ghostdog920 · ‎12-04-2018

Sorry, thanks for catching that.

ghostdog920 · ‎12-04-2018

Figured it out with some google searching help. Posting the results in case anyone else needs this. Palo Alto Custom Log Format, Confi, All Fields actionflags="$actionflags", admin="$admin", after-change-detail="$after-change-detail", before-change-detail="$before-change-detail", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", client="$client", cmd="$cmd", host="$host", path="$path", receive_time="$receive_time", result="$result", seqno="$seqno", serial="$serial", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys" Palo Alto Custom Log Format, HIP Match, All Fields actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", machinename="$machinename", matchname="$matchname", matchtype="$matchtype", receive_time="$receive_time", repeatcnt="$repeatcnt", seqno="$seqno", serial="$serial", src="$src", srcuser="$srcuser", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys" Palo Alto Custom Log Format, Traffic, All Fields action="$action", actionflags="$actionflags", app="$app", bytes="$bytes", bytes_received="$bytes_received", bytes_sent="$bytes_sent", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", elapsed="$elapsed", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", outbound_if="$outbound_if", packets="$packets", padding="$padding", pkts_received="$pkts_received", pkts_sent="$pkts_sent", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", start="$start", subtype="$subtype", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys" Palo Alto Custom Log Format, Threat, All Fields action="$action", actionflags="$actionflags", app="$app", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", contenttype="$contenttype", direction="$direction", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", misc="$misc", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", number-of-severity="$number-of-severity", outbound_if="$outbound_if", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", severity="$severity", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", subtype="$subtype", threatid="$threatid", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys" Palo Alto Custom Log Format, System, All Fields actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", eventid="$eventid", module="$module", number-of-severity="$number-of-severity", object="$object", opaque="$opaque", receive_time="$receive_time", seqno="$seqno", serial="$serial", severity="$severity", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

ghostdog920 · ‎11-30-2018

I am trying to setup a custom log format so that the before change and after change detail for a config change are included in the splunk log rather than a 0 value. I tried a CEF format, but it isn't working and it is also causing all pan:config events to be identified as pan:traps. I tried a few things unsuccessfully but wondered if anyone has any experience or examples of how to create a valid custom log that splunk can get. On a side note, can splunk interpret CEF log events, or do i have to install one of the CEF addons? Going to need this later for my traps endpoint security manager. Thanks in advance.

ghostdog920 · ‎11-19-2018

I am setting up a new splunk environment and running into a few questions i am hoping i can get answers for. My environment consists of three on prem enterprise instances. A single search head, single indexer, and single heavy forwarder. I am setting up the heavy forwarder as some of the splunk apps we want to use require it for "pre parsing". With that in mind, i have the three instances configured and am ready to add my first data input. I want to send my palo alto panorama logs to the heavy forwarder instance. I tried just setting up the syslog entry to port 514 and then create a syslog data input on the heavy forwarder to listen on that port. But nothing is coming across. In researching i think this is wrong, and what i need to do is: High level steps Install and configure a syslog-ng server Configure logging format for data to be received from the Palo Alto Networks appliance Configure Palo Alto Networks appliance logging, and output to the syslog-ng server Configure receiving of data on the Splunk platform indexer cluster Install a Splunk universal forwarder on the same host as the syslog-ng server Install the Splunk Add-on for Palo Alto Networks on the Splunk universal forwarder Install the Splunk Add-on for Palo Alto Networks across the Splunk platform deployment Configure the universal forwarder to monitor syslog-ng logs, and forward data to the Splunk platform Validate your data Can someone confirm this is the correct process? If so i just need to go through and build a fourth linux box to act as the syslog-ng.

Posts	36
Solutions	3
Karma Given	2
Karma Received	0
Member Since	‎04-05-2017

Online Status	Offline
Date Last Visited	‎02-16-2023 04:52 PM

How to get Splunk Enterprise v9 embed website into...

Palo/Splunk Parsing Issue - Field values are Trunc...

Help With Event Cleanup - Remove "-"

Multi Valued Field Help

Splunk Addon for Tenable/ Nessus Pro 8

Field Extraction Between Keywords Help

Palo Alto Custom Log Format

First Time Setup with Heavy Forwarder Help - Speci...

WIll you help me with the following error in the S...

Drill Down Help for Dashboard with \ in variable

How to get Splunk Enterprise v9 embed website into...

Palo/Splunk Parsing Issue - Field values are Trunc...

Palo/Splunk Parsing Issue - Field values are Trunc...

Re: Help With Event Cleanup - Remove "-"

Re: Help With Event Cleanup - Remove "-"

Help With Event Cleanup - Remove "-"

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Multi Valued Field Help

Splunk Addon for Tenable/ Nessus Pro 8

Re: Field Extraction Between Keywords Help

Field Extraction Between Keywords Help

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Palo Alto Custom Log Format

First Time Setup with Heavy Forwarder Help - Speci...