Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mcmaster
mcmaster
Communicator
Member since:
04-19-2011
08-05-2022
Community Statistics
| Posts | 41 |
| Solutions | 7 |
| Karma Given | 4 |
| Karma Received | 17 |
| Member Since | 04-19-2011 |
Activity Feed
- Got Karma for Re: LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded -Audit.log. 01-30-2024 06:52 AM
- Got Karma for Re: Splunk REST API | Validate SPL. 03-13-2023 06:41 AM
- Posted Re: Add-on: Can't upload new version of my add-on to Splunk cloud on Deployment Architecture. 08-05-2022 07:21 AM
- Posted Re: slim validate complains about undefined setting python.version even though it is valid on Splunk Dev. 04-27-2022 11:43 AM
- Posted Re: Does anyone have guidance on getting existing Add-on ready for the updated Splunk Add-On Builder 4.x? on Splunk Dev. 04-19-2022 02:10 PM
- Posted Re: Updating managed lookup via api in cloud on Splunk Dev. 04-18-2022 01:33 PM
- Posted Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap on Splunk Dev. 04-18-2022 01:02 PM
- Posted Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap on Splunk Dev. 04-18-2022 12:22 PM
- Posted Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap on Splunk Dev. 04-18-2022 11:04 AM
- Posted Re: Updating managed lookup via api in cloud on Splunk Dev. 04-18-2022 11:00 AM
- Posted Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap on Splunk Dev. 04-18-2022 10:35 AM
- Posted Re: TA-MS-AAD Azure Add On on Splunk Dev. 04-18-2022 08:58 AM
- Posted Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap on Splunk Dev. 04-18-2022 08:47 AM
- Got Karma for Re: How to collect debug logs for apps on Splunk Cloud. 04-11-2022 06:34 PM
- Posted Re: Splunk REST API | Validate SPL on Splunk Dev. 04-11-2022 01:57 PM
- Posted Re: How to collect debug logs for apps on Splunk Cloud on Splunk Dev. 04-11-2022 01:45 PM
- Posted Re: How the retrieve HEC host and port using Javascript? on Splunk Dev. 04-11-2022 01:41 PM
- Posted Re: Is there a way to migrate current running config from local account to some other account (AD)? on Splunk Dev. 04-11-2022 08:52 AM
- Posted Re: How to Export Data via Webhooks? on Splunk Dev. 04-11-2022 08:48 AM
- Posted Re: How to access lookup with Splunk JS SDK on Splunk Dev. 04-11-2022 08:42 AM
Topics I've Started
No posts to display.
08-05-2022
07:21 AM
The "Export" link in add-on builder is for exporting the development environment so that it can be reimported into another development system. If you click "Validate & Package", this will take you to the interface for validating your package (which will upload it to AppInspect) where you can then download a package that has been properly formatted for publishing on Splunkbase.
... View more
04-27-2022
11:43 AM
Hey there! There's no official solution right now, probably the best course of action for now is to follow the recommendation of updating the spec files within the slim installation path. This is a currently known issue but there's no ETA on a fix. Hope this helps.
... View more
04-19-2022
02:10 PM
Hey @jabezds - This answer has steps on how to migrate to a new version of add-on builder. To summarize here: Export the app from any Add-on Builder Import the app into Add-on Builder v4.1.0 or newer Download the app packaged from Add-on Builder v4.1.0 or newer Give that a shot and see if it works for you.
... View more
04-18-2022
01:33 PM
You may need to put in a support request to have your IP address added to the allowlist for API access to your cloud instance, but otherwise yes it should work with a cloud instance. https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/RESTTUT/RESTandCloud
... View more
04-18-2022
01:02 PM
That's normal, as Splunk will try any configured LDAP servers first before trying local users. Are there any other logs for that user?
... View more
04-18-2022
12:22 PM
You can look for AuthenticationManagerSplunk in $SPLUNK_HOME/var/log/splunk/splunkd.log or you can search "index=_internal sourcetype=splunkd component=AuthenticationManagerSplunk". This is what those logs look like for me with an incorrect password: 04-18-2022 15:19:57.814 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login failed. Incorrect login for user: user 04-18-2022 15:19:57.816 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login: user user attempted login with incorrect password. Login attempt=1
... View more
04-18-2022
11:04 AM
There's no restriction there but that was my next question - are you able to verify the permissions on the local user to ensure they have all the same permissions as the AD user? Also since you're passing the password in the curl command, make sure there aren't any special characters in the password that the shell might be interpreting. As a test, any user should be able to query this REST endpoint, so that would help you eliminate password issues: curl -k -u user:temp1234 https://localhost:8089/services/authentication/current-context If that command fails, there's an issue with the credentials you're providing.
... View more
04-18-2022
11:00 AM
Hey @FuzzySteve , Unfortunately there's no built-in way to do what you're trying to do. You could script the conversion of a .csv file into SPL to generate a lookup, or if you have the Lookup Editor app installed (https://splunkbase.splunk.com/app/1724/) it provides a REST API endpoint that you might be able to use to update the lookup. Here's an example: curl -k -u admin:password -X POST -d namespace=search -d lookup_file=users.csv -d contents='[["username", "email"], ["admin", "admin@example.com"]]' https://localhost:8089/servicesNS/nobody/lookup_editor/data/lookup_edit/lookup_contents The contents value is just a JSON array of arrays - the outer array makes up the "rows" of the CSV file and the inner arrays make up the "columns".
... View more
04-18-2022
10:35 AM
I'm able to use that same command with a Splunk local user on my test instance, so I don't know if that's the issue. I assume you're able to login as the local user and run the search interactively, right?
... View more
04-18-2022
08:58 AM
Hi @bubbleup, If testacct doesn't exist yet, you'll need to do something like this curl -k -u 'admin:password' -XPOST -d name=testacct -d username=myazidhere -d password=lslslslslsslsl https://localhost:8089/servicesNS/nobody/TA-MS-AAD/admin/TA_MS_AAD_account Try that and see if it works for you.
... View more
04-18-2022
08:47 AM
Hi @jemina, To use the endpoints with /servicesNS/ you need to specify an app AND a user. For login, you can just use /services/auth/login but you could also try /servicesNS/$username/$app/auth/login or even /servicesNS/-/$app/auth/login. Try those out and see if they work.
... View more
04-11-2022
01:57 PM
1 Karma
You can use /services/search/parser to validate SPL: smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar" https://localhost:8089/services/search/parser | jq .
{
"remoteSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
"normalizedSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
"remoteTimeOrdered": true,
"eventsSearch": "search index=foo sourcetype=bar",
"eventsTimeOrdered": true,
"eventsStreaming": true,
"reportsSearch": "",
"isStreamingSearch": true,
"canSummarize": false,
"commands": [
{
"command": "search",
"rawargs": "index=foo sourcetype=bar",
"pipeline": "streaming",
"args": {
"search": [
"(index=foo sourcetype=bar)"
]
},
"isGenerating": true,
"streamType": "SP_STREAM"
}
]
}
smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar | bizzbuzz" https://localhost:8089/services/search/parser | jq .
{
"messages": [
{
"type": "FATAL",
"text": "Unknown search command 'bizzbuzz'."
}
]
}
smcmaster@splunk ~ % Successful parsing (such as the first example) results in 200, failure (such as the second example) results in a 400.
... View more
04-11-2022
01:45 PM
1 Karma
Those log files are indexed in Splunk Cloud just as they are in Splunk Enterprise, so if you're following that documentation you should be in the clear. Logs can be access by the Splunk admin in the same way as if it were running on-prem.
... View more
04-11-2022
01:41 PM
HEC details are meant to be configurable by the application sending data to HEC. Splunk may or may not be aware of the appropriate name/address/port (e.g. the HEC receiver may actually be a heavy forward, or a load balancer in front of an index cluster).
... View more
04-11-2022
08:52 AM
Answer below assumes you mean ownership of configuration objects within Splunk. If you mean something else (e.g. OS-level file ownership of configuration files) then this may not apply. If you have command line access to system and read/write access to the configuration files, the easiest option is to modify all of the local.meta files and replace references to the local account with the AD account. Doing so will require you to restart Splunk for the changes to take effect. Alternatively, it is possible to do via the REST API, but you'll need to enumerate all of the configuration objects owned by that user and then update each one individually to the new user.
... View more
04-11-2022
08:48 AM
Using a webhook like this is the option with the least coding required. If you're in need of something more realtime, you could also write an application to poll for results via the REST API at a more frequent interval. Or, you can use real-time searches (either as a saved search with a webhook attached or using an external application for polling), but these can have a significant impact on Splunk's performance if you're not careful, so I'd caution against that option. If the search you're using with the webhook action is performant enough (restricted to a narrow dataset, no subsearches, etc) you may be able to increase the frequency at which it runs - even down to as low as every minute. This can still have some negative impact on the scheduler depending on how many other searches you're running though. Unfortunately there's no one-size-fits-all answer here. Is it possible to have the application you're integrating with query Splunk when needed, instead of pushing notifications from Splunk into the application?
... View more
04-11-2022
08:42 AM
You have two options in general for this You can use an inputlookup search, as you suggested You can create a custom rest endpoint to return the lookup contents to you Running an inputlookup search is probably simpler, so if that option works for you, I'd suggest that.
... View more
04-07-2022
07:20 AM
1 Karma
If this is a custom app and one you're not intending to publish to Splunkbase, one option is that you could bundle the anaconda environment in its own tgz within the app, and create a custom setup process that will extract that environment. It's clunky but that's an option.
... View more
08-06-2019
06:59 AM
Hey there -
We're not officially supporting the Unified2 TA, as we've moved on from it and use Suricata now. That said, it should still work in the latest UF, as it relies on the system Python rather than Splunk's built-in Python. It was indeed intended to replace barnyard2.
If you try it with the newest UF and it doesn't work, we can provide some best effort help if you need it.
... View more
01-21-2019
08:21 AM
You're absolutely right. I'll open an internal dev request and get that fixed ASAP.
Thanks for the report.
... View more
01-19-2018
12:15 PM
1 Karma
Disclaimer: This is VERY VERY VERY unsupported.
I know this is old but it popped up and, in case other people want to know, I thought I'd share. The mongodb instance used by Splunk for kvstore requires client SSL to authenticate. If you have the mongodb client installed on the syste, you can authenticate as such:
mongo --sslAllowInvalidCertificates --ssl localhost:8191/local --username __system --password $(cat $SPLUNK_HOME/var/lib/splunk/kvstore/mongo/splunk.key)
... View more
09-24-2016
12:36 PM
I wish I had thought to search for this before I tracked this bug down and patched it myself 🙂
... View more
We just encountered this issue, not with an admin role, but with a role configured for some internal monitoring uses (but still on Splunk Cloud). Edit your role, and you should see that in the "Restrict search terms" box, it's filled in with "index!=*_archive". For whatever reason (and I really think this is a bug), when you run this search (even as an admin), you get zero results:
index=_internal index!=*_archive
You'll notice the admin role has "*" in the search terms. When we removed the search terms restriction on the custom, limited role, we were able to search the _internal index.
Hope this helps you too. Maybe jbailey can confirm if this is a bug.
... View more
04-13-2016
05:34 AM
Hey guys sorry for the delay in getting back to you. We'll be releasing a new version of the app to correct this issue. Thanks for the patience and persistence in getting this figured out.
... View more
03-30-2016
09:49 AM
Thank you so much for the detailed error report! Can you confirm what version of Nessus you're running?
... View more
