Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About pmalcakdoj
pmalcakdoj
Path Finder
Member since:
04-10-2017
06-05-2020
Community Statistics
| Posts | 16 |
| Solutions | 3 |
| Karma Given | 14 |
| Karma Received | 19 |
| Member Since | 04-10-2017 |
Activity Feed
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How do you filter out dates from being segmented in segmenters.conf?. 06-05-2020 12:50 AM
- Got Karma for Re: How do you filter out dates from being segmented in segmenters.conf?. 06-05-2020 12:50 AM
- Got Karma for Re: How can we enforce auto for Schedule Window?. 06-05-2020 12:50 AM
- Got Karma for Re: How to restrict a user role to have access only to limited set of views in search app?. 06-05-2020 12:50 AM
- Got Karma for Re: How to restrict a user role to have access only to limited set of views in search app?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for How come I'm unable to logout in Splunk SAML SSO?. 06-05-2020 12:50 AM
- Got Karma for Re: tstats web datamodel unable to use status in eval. 06-05-2020 12:50 AM
- Karma Re: How to restart Universal Forwarder from a Deploy Server? for klemaned. 06-05-2020 12:49 AM
- Got Karma for Re: With Splunk DB Connect v3, How do I reindex data when I have a rising column input?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 4 |
04-11-2019
12:06 PM
1 Karma
it seems that you cannot perform eval logic inside tstats (not sure why)
eval logic works fine when inside stats, but not tstats
... View more
03-18-2019
07:51 AM
1 Karma
I haven't done any work in that particular area, so I'm not sure either.
I do echo the same sentiment as above: splunk's capabilities logic is a magic blackbox.
One potential solution to the original question could be to use CSS/JS to hide/remove the Schedule Window option from UI.
It's a bandaid fix at best, I know.
... View more
02-28-2019
02:06 PM
8 Karma
The problem lies with the way splunk stores the nameID attribute. This is a case sensitivity issue.
When you first login, ADFS sends a login saml response that contains nameID like contoso\PMalcak
Splunk then stores it as "/opt/splunk/etc/users/_reserved/contoso_pmalcak.some_guid_here"
When you go to logout, splunk has already lost any knowledge of case sensitivity
Upon logout, splunk sends ADFS a saml logout request that contains nameID like contoso\pmalcak
ADFS uses nameID in case sensitive manner and as such is unable to process the logout request.
Until Splunk fixes this bug, this has to be corrected on ADFS side.
I am told the following from my ADFS guy who has figured out how to correct this:
- can't fix it in ADFS v2 or v3 since in ADFS 2.0 and 3.0 it did not support $_.Tolower()
==============================
Potential Fix #1 (did not work for us):
1) Compile a Custom Attribute store .dll per the MS article.
https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)
2) Add the custom attribute store to ADFS
Rule 1
use custom Rules for the relying party agreement.
Rule 1 take the widnows account name from the pipeline and call the custome attribute store
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "StringProcessing", types = ("http://schema.local/windowsaccountname/lower"), query = "toLower", param = c.Value);
Rule 2 Issue lower case windows account name as nameID
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
==============================
Potential Fix #2 (did work for us):
not proud of and shameful method with out the custom String Processing Attribute Store.
Rule 1- 26 Feeding into each other
@RuleName = "Convert Upper A to lower"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(Type = "http://schema.local/windowsaccountname/lower/A", Value = RegExReplace(c.Value, "A", "a"));
@RuleName = "Convert Upper B to lower"
c:[Type == "http://schema.local/windowsaccountname/lower/A"]
=> add(Type = "http://schema.local/windowsaccountname/lower/B", Value = RegExReplace(c.Value, "B", "B"));
.........Repeat for each letter
.......................
Rule 27
@RuleTemplate = "MapClaims"
@RuleName = "Name_id "
c:[Type == "http://schema.local/windowsaccountname/lower/Z" ]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
I have no way of validating if any of the above is correct, but... he says that's what he did on his end... and logout now magically started to work, so I wasn't gonna question it.
Hopefully this helps some other lost soul banging their head against the wall
... View more
02-28-2019
01:45 PM
4 Karma
Splunk is configured to use SAML auth with ADFS v4.
Login works fine, but logout throws an error: "Failed to validate SAML logout response received from IDP"
_internal shows:
"No extra status code found in SamlResponse, Not a valid status. Could not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusMessage or no matching nodes foundNo value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusMessageCould not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause or no matching nodes foundNo value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause"
... View more
02-20-2019
08:22 AM
you would need to capture all segments with capture groups and then reorder them in the FORMAT field with "$2 $0 $1 ..." backreferences
... View more
02-13-2019
02:37 PM
haha, glad I could help
... View more
02-13-2019
01:02 PM
2 Karma
I ran into same limitation myself.
The "single capture group" setting is set in stone.
You've got 2 options (that I know of):
- if possible, use syslog-ng to rewrite your data before it is ingested by splunk (rearrange your event so that all the "junk" data you don't want segmented is at the beginning of your event)
- use index-time TRANSFORMS-foo to rewrite your _raw so that your "junk" data is discarded or placed at the beginning of your event
I haven't tried the second option, but according to (https://wiki.splunk.com/Community:HowIndexingWorks), index-time segmentation should be happening in annotator processor, which comes after regexreplacement processor , so it should work.
... View more
02-11-2019
06:24 AM
That's correct - no "fast way".
And I agree, doing it one-by-one is rather tedious.
Normally, in custom apps, this isn't a big problem as you know what you put in those custom apps.
The problem is the search app. It is heavily integrated within splunk and you can't simply deny users access to it, or many other things would break as well.
... View more
02-08-2019
10:20 AM
2 Karma
You were half-way there.
The reason why your first approach fails is because [views] stanza functions counter-intuitively to splunk's usual config inheritance. What I mean by that is: [views/my_custom_view] does NOT inherit whatever setting you configured in [views] .
Instead... in order for user to be able to access/see a view, he/she needs read access in both [views/my_custom_view] and [views]
This behavior is documented at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Defaultmetaconf
It states:
To access/use an object, users must have read access to:
- the app containing the object
- the generic category within the app (eg [views])
- the object itself
If any layer does not permit read access, the object will not be accessible.
... View more
05-17-2018
07:46 AM
When splunk releases newer version, I backup/archive the entire $SPLUNK_HOME path before I perform the upgrade. The size of that archive gets out of hand rather quickly if you don't change your $SPLUNK_DB path. With default settings, you will be zipping up all of your indexes every time you do this since indexes are located inside the $SPLUNK_HOME by default.
I pointed my $SPLUNK_DB to be outside of splunk installation. This has several benefits:
- my $SPLUNK_HOME zip files are 700MB (as opposed to several TB due to size of my indexes)
- you can store your indexes on separate mount point (HDD for OS, SSD for splunk indexes)
- you can have indexes at the root of the partition instead of buried many folders deep (on Windows, path length is limited)
Your path will not work for people that have changed the $SPLUNK_DB location.
Mine is more accurate
... View more
05-04-2018
06:52 AM
1 Karma
Small correction on the path of rising column file... it is at: $SPLUNK_DB/modinputs/server/splunk_app_db_connect folder/YourInputName
by default, $SPLUNK_DB points to $SPLUNK_HOME/var/lib/splunk
by default, $SPLUNK_HOME points to /opt/splunk
.....but not always.
By the way, you can change the path of $SPLUNK_DB variable in your splunk-launch.conf file
... View more
04-25-2018
04:19 PM
If you name the files exactly like Splunk does, it will work.
If your source files are in C:\temp for example, use:
msiexec.exe /i splunkforwarder... CERTFILE=C:\temp\server.pem ROOTCACERTFILE=C:\temp\cacert.pem ... /quiet
If they are called server.pem and cacert.pem respectively, they will overwrite the default splunk-generated ones.
Passwords is where this gets interesting. You have couple options:
provide installer with CERTPASSWORD=super_secret_pw
server.pem needs to have its priv key encrypted with super_secret_pw
do not provide installer with CERTPASSWORD flag at all
server.pem will need to have its priv key encrypted with "password" (because reasons)
don't provide installer with CERTPASSWORD and swap the encrypted sslPassword in local\server.conf for your cleartext password (it will be encrypted on next restart)
My preferred method is to give installer CERTFILE=C:\temp\server.pem with encrypted priv key and omitting CERTPASSWORD entirely. You'll want to stop splunk from launching with LAUNCHSPLUNK=0 so that system\local\server.conf isn't generated yet. This gives you opportunity to replace splunk.secret with your own (known) version and copy/paste your encrypted sslPassword. This way, neither your priv key nor cleartext password is ever revealed to whoever runs the installer script.
To answer your second question:
If splunk finds server.conf in one of the apps BEFORE fist launch (hence the importance of LAUNCHSPLUNK=0), it will NOT create system\local\server.conf. I took advantage of this and created few apps that get copy/pasted alongside the install. You'll have to be careful with naming them because of settings precedence, but crafted correctly, you can create your own defaults that live in apps and have system/local completely empty.
Name your defaults app zzzSystemLocalReplacement. Leave this app unmanaged by DS. Because it starts with "zzz" it will be matched as a last resort. Then, you can use deployment server to push down different app with new SSL certs when the time comes. New SSL cert app will then take higher precedence and become your effective configuration.
This procedure has few key advantages:
system\local is totally empty
you have a way to provide your forwarders a "default" config
DS has ability to push new apps and trump these defaults WITHOUT overwriting them (so you can always fall back on your defaults config if you forget a setting or typo something)
... View more
04-04-2018
12:47 PM
That's what I decided to do as well. At least on linux, I can script this.
Here are the important bits for anyone who stumbles onto this post in future (work in progress):
# Repack Splunk UF installer to include needed files
# (passwd, splunk.secret, splunk-launch.conf...)
cd /tmp
FINALFOLDER="splunk_UF_install"
SOURCEFILES="splunk_UF_source_files"
SPLUNKUF=$(ls splunkforwarder-*.tgz)
# unpack Splunk UF
if [ -f $SPLUNKUF ]; then
# Prep staging folder
if [ -d $FINALFOLDER ]; then
rm -rf $FINALFOLDER
fi
mkdir $FINALFOLDER
cp $SPLUNKUF $FINALFOLDER/
tar -xf /tmp/$FINALFOLDER/$SPLUNKUF -C /tmp/$FINALFOLDER/
rm /tmp/$FINALFOLDER/$SPLUNKUF
echo "[OK] extraction of Splunk UF from $SPLUNKUF successful"
else
echo "[ERROR] extraction of Splunk UF failed ($SPLUNKUF does not exist)"
exit 1
fi
# copy over needed files
cp /tmp/$SOURCEFILES/passwd /tmp/$FINALFOLDER/splunkforwarder/etc/
cp /tmp/$SOURCEFILES/splunk.secret /tmp/$FINALFOLDER/splunkforwarder/etc/auth/
cp /tmp/$SOURCEFILES/splunk-launch.conf /tmp/$FINALFOLDER/splunkforwarder/etc/
cp -r /tmp/$SOURCEFILES/my_targetDeploymentServer_app /tmp/$FINALFOLDER/splunkforwarder/etc/apps/
cp -r /tmp/$SOURCEFILES/my_ssl_config_app /tmp/$FINALFOLDER/splunkforwarder/etc/apps/
touch /tmp/$FINALFOLDER/splunkforwarder/etc/splunk.version
echo "[OK] modifications DONE"
# tar the splunkforwarder dir
cd /tmp/$FINALFOLDER && tar -czf splunkforwarder.tgz splunkforwarder && cd /tmp
rm -rf /tmp/$FINALFOLDER/splunkforwarder
echo "[OK] splunkforwarder compressed successfully"
# Add instructions and final tar
cp /tmp/$SOURCEFILES/install_instructions.txt /tmp/$FINALFOLDER/
tar -czf $FINALFOLDER.tgz $FINALFOLDER/splunk_UF_install_instructions.txt $FINALFOLDER/splunkforwarder.tgz
echo "[OK] overall package created successfully"
# Cleaning up
rm -rf /tmp/$FINALFOLDER
rm -rf /tmp/$SOURCEFILES
echo "[OK] Cleanup done. Exiting..."
exit 0
... View more
11-09-2017
01:48 PM
Splunk reports the available space as: Total Size - (Used + Reserved)
By default, ext3/4 filesystem dedicates 5% of total space to be reserved.
So if your partition total size is 1TB and the partition is completely empty, Splunk (DMC) will report it as 50GB out of 1000GB used.
... View more
10-12-2017
11:39 AM
When maxHotBuckets=1, maxHotSpanSecs is ignored.
NOTE: If you set maxHotBuckets to 1, Splunk attempts to send all events to the single hot bucket and maxHotSpanSeconds will not be enforced.
Because of this, hot bucket will now only be rolled due to size (ie. 400000MB in your case)
... View more
07-07-2017
11:15 AM
I didn't use powershell but this is how I solved the password issue:
silent install msi with flags AGREETOLICENSE=Yes LAUNCHSPLUNK=0 SERVICESTARTTYPE=auto
remove ca.pem, cacert.pem
remove *.conf from system/local/
remove everything from var/
create a blank file called ftr in $SPLUNK_HOME
copy over your splunk.secret to auth folder (use same splunk.secret file)
copy over your passwd file to etc folder (use same passwd file)
copy over an app with deploymentclient.conf in it pointing to your DS
splunk start --accept-license --answer-yes --no-prompt
The idea being that if all forwarders use the same splunk.secret seed file, the hashed passwords will be identical across. Then, you can push out apps that already have the hashed passwords in conf files without sending cleartext over the wire.
Similarly, overwriting default passwd file with my own, not only do I get rid of the default changeme password as a security precaution, I also automatically create all the accounts I need in one go.
No more cleartext passwords. No more wondering if you typoed a password and having no way to check.
Single master admin password that works on all of my splunk machines and easy visual verification that the password hashes are correct.
Cheers
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
Karma given to
