Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About asucrews
asucrews
Path Finder
Member since:
04-03-2015
06-05-2020
Community Statistics
| Posts | 15 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-03-2015 |
Activity Feed
- Karma Re: saved search and collect for niketn. 06-05-2020 12:48 AM
- Posted Re: Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-21-2019 10:26 AM
- Posted Re: Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-21-2019 09:14 AM
- Posted Re: Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-20-2019 03:33 PM
- Posted Re: Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-20-2019 03:32 PM
- Posted Re: Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-20-2019 03:23 PM
- Posted Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-20-2019 01:55 PM
- Tagged Splunk App for Infrastructure, CentOS 7, JSON exception caught while processing collectd event: Unexpected character: 'm' on Splunk ITSI. 03-20-2019 01:55 PM
- Posted Re: saved search and collect on Reporting. 06-10-2017 03:04 PM
- Posted Re: saved search and collect on Reporting. 06-09-2017 07:17 PM
- Posted Re: saved search and collect on Reporting. 06-09-2017 07:14 PM
- Posted Re: saved search and collect on Reporting. 06-09-2017 07:13 PM
- Posted saved search and collect on Reporting. 06-08-2017 04:30 PM
- Tagged saved search and collect on Reporting. 06-08-2017 04:30 PM
- Tagged saved search and collect on Reporting. 06-08-2017 04:30 PM
- Tagged saved search and collect on Reporting. 06-08-2017 04:30 PM
- Posted Re: ARIN Rest API external lookup on Getting Data In. 06-08-2017 04:02 PM
- Posted Re: ARIN Rest API external lookup on Getting Data In. 06-05-2017 10:26 PM
- Posted Re: ARIN Rest API external lookup on Getting Data In. 06-05-2017 04:14 PM
- Posted ARIN Rest API external lookup on Getting Data In. 06-05-2017 01:40 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-21-2019
10:26 AM
I have narrowed it down the issue to write_splunk plugin, when i switch to write_http plugin i start getting data. Not sure if this effect the dashboards but it is now working.
... View more
03-21-2019
09:14 AM
disabled ssl, and change sourcetype to em_metrics. still getting "03-21-2019 09:13:51.651 -0700 ERROR MetricsProcessor - JSON exception caught while processing collectd event: Unexpected character: 'm'"
"03-21-2019 09:13:51.651 -0700 ERROR MetricsProcessor - Failed to parse metrics input, most likely due to incorrect protocol JSON exception caught while processing collectd event: Unexpected character: 'm'"
... View more
03-20-2019
03:33 PM
collectd 5.8.1, http://collectd.org/
by Florian octo Forster
for contributions see `AUTHORS'
... View more
03-20-2019
03:32 PM
Deleted are readded HED per https://docs.splunk.com/Documentation/InfraApp/1.2.3/Install/Install still same error
... View more
03-20-2019
03:23 PM
deleted and recreated HEC . still same error.
Review
Input Type Token
Name SPI_HEC
Source name override N/A
Description N/A
Enable indexer acknowledgements No
Output Group N/A
Allowed indexes em_metrics
Default index em_metrics
Source Type Automatic
App Context splunk_app_infrastructure
... View more
03-20-2019
01:55 PM
Both servers is CentOS 7
One with Splunk Enterprise 7.2.5
Splunk App for Infrastructure 1.2.3
Splunk Add-on for Infrastructure 1.2.3
one with Splunk Universal Forwarder 7.2.5
Error message: 03-20-2019 13:52:05.257 -0700 ERROR MetricsProcessor - JSON exception caught while processing collectd event: Unexpected character: 'm'
03-20-2019 13:52:05.257 -0700 ERROR MetricsProcessor - Failed to parse metrics input, most likely due to incorrect protocol JSON exception caught while processing collectd event: Unexpected character: 'm'
"
Hello, I am trying out Splunk App for Infrastructure and at this time all i am getting is the above error message. And i not sure if something changed in collectd or app. I have read thought the docs online but can't seem to find any thing like this. Has anyone ran in to this issue before.
... View more
06-10-2017
03:04 PM
niketnilay commad got me where i needed to go!
avatar image niketnilay twinspop · yesterday 1
For collect command index="" should be sufficient. However, there are some other considerations as well. You have mentioned that scheduled search is running but have you validated data? If your stats field does not have _time field you will have to create one. Following is just an example your use case might differ (essentially, you just need to come up with 15 min buckets to create just one summary row every 15 min)
| addinfo
| eval _time = info_min_time
| bin span=15m
Also, you should run query for time span which has already completed to avoid duplicate and ensure that all required data is already indexed. Which implies your cron schedule should not be same as earliest and latest.
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = -15m
In order to test your collect command you can run the same in test mode directly in search (also change the index to some dummy test index).
| collect testmode=true index="summary_threat_intel_test"
Ideally, you should have picked summaries, but seems like you are trying to move data from one index to another with custom fields. Validate that all fields have values as expected. Check the count of events being migrated every 15m. Also after execution of your search see whether there is an error logged in Splunk's _internal index.
Refer to documentation for collect command (parameters and use cases): http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect
... View more
06-09-2017
07:17 PM
I would love to use auto summaries however the fields need to add that a missing from 6.6.1 and i don't know the need changes to the conf.
... View more
06-08-2017
04:30 PM
Did i mess something or just compeletly don't understand what collect does. Below is may saved search and conf file, it returns results, it saved as report, it is scheduled seach, and it runs. however it is not sending the the index. I am woudnering if i simple do not understand what collect is meat for or did i miss something. Thank you for your time and help!
index="18009" sourcetype="cisco:asa" host="10.0.0.1" src_ip!="10.0.0.*" Built
| lookup dshield cidr as src_ip OUTPUTNEW cidr as src_cidr
| where src_cidr!="NONE"
| iplocation src_ip
| lookup dnslookup clientip as src_ip OUTPUTNEW clienthost as src_host
| lookup cidrv4toasn network as src_ip OUTPUTNEW autonomous_system_number AS ASN
| eval src_host=if(src_host!="",src_host,"No PTR")
| eval _raw="tifid=000001 host="+host+" source="+source+" sourcetype="+sourcetype+" city="+City+" region="+Region+" country="+Country+" src_host="+src_host+" src_asn="+ASN+" msg="+_raw
| addinfo
| collect index="threat_intel"
[dshield hits]
action.email.useNSSubject = 1
action.summary_index._name = threat-intel
action.summary_index.report = "DShield Hits"
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
display.visualizations.charting.chart = bar
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
schedule_window = auto
search = index="18009" sourcetype="cisco:asa" host="10.0.0.1" src_ip!="10.0.0.*" Built\
| lookup dshield cidr as src_ip OUTPUTNEW cidr as src_cidr \
| where src_cidr!="NONE"\
| iplocation src_ip \
| lookup dnslookup clientip as src_ip OUTPUTNEW clienthost as src_host \
| lookup cidrv4toasn network as src_ip OUTPUTNEW autonomous_system_number AS ASN\
| eval src_host=if(src_host!="",src_host,"No PTR")\
| eval _raw="tifid=000001 host="+host+" source="+source+" sourcetype="+sourcetype+" city="+City+" region="+Region+" country="+Country+" src_host="+src_host+" src_asn="+ASN+" msg="+_raw\
| addinfo\
| collect index="threat_intel"
... View more
06-08-2017
04:02 PM
fix it, well sort of , changed it to one input field to get one output field. not sure if there way to to one input to many outpu fields.
... View more
06-05-2017
10:26 PM
After playing with script i think my issue is with for result in r loop, but i not really sure.
... View more
06-05-2017
04:14 PM
I am making procgess but no running in this error "Script for lookup table 'arinrestapi' returned error code 1. Results may be incorrect." I still missing something but I don't understand python enoght or I don't understand what Splunk is doing.
[arinrestapi]
allow_caching = 0
case_sensitive_match = 0
external_cmd = arinrestapi.py src_ip
fields_list = src_ip,abuseemail,company
import csv
import json
import sys
import requests
def abuseEMail(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['emails']['email']['$']
except:
return ''
def company(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['companyName']['$']
except:
return ''
def main():
if len(sys.argv) != 2:
print "Usage: python arinRestAPI.py [ip field]"
sys.exit(1)
ipfield = sys.argv[1]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[ipfield]:
result[src_ip] = result[ipfield]
result[abuseemail] = abuseEMail(ipfield)
result[company] = company(ipfield)
w.writerow(result)
main()
... View more
06-05-2017
01:40 PM
Hello,
This is my first time creating a external lookup, and I think am missing something. The error I am getting is "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table." Can someone please review and let me know what i am missing.
/opt/splunk/etc/apps/soc/local/transforms.conf
[arinrestapi]
external_cmd = arinRestAPI.py src_ip
fields_list = abuseemail,company
/opt/splunk/etc/apps/soc/bin/arinRestAPI.py
import csv
import json
import sys
import requests
def abuseEMail(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['emails']['email']['$']
except:
return ''
def company(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['company']['$']
except:
return ''
def main():
if len(sys.argv) != 2:
print "Usage: python arinRestAPI.py [ip field]"
sys.exit(1)
ipfield = sys.argv[1]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[ipfield]:
# only ip was provided, add host
result[abuseEMail] = abuseEMail(result[ipfield])
result[company] = copmany(result[ipfield])
main()
... View more
