cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kjstogn
Explorer
Member since: ‎02-08-2020
‎11-03-2021
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎02-08-2020
Activity Feed
View All

Re: How to configure the cluster peers inputs.conf...

by in Splunk Enterprise
‎11-02-2021 10:55 AM
‎11-02-2021 10:55 AM
I think this may help: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Managesinglepeerconfigurations I get what your saying as if you theoretically have 3 Indexer Peers therefore 3 different inputs.conf allowing Splunk SSL receiving. If it is a small deployment I would manage it on a peer by peer basis and locally configure it in its own app context/repository. Or use the same cert and password throughout (probably not what you want) and use the deployment server to deploy it as an app ... View more

Re: Does Splunk Add-on for Zeek aka Bro work with ...

by in All Apps and Add-ons
‎02-16-2021 03:10 PM
‎02-16-2021 03:10 PM
Currently using it with Zeek version 3.0.8 on Security Onion 16.04.7.1 No issues with with JSON format. The add-on itself is rather lacking in the sourcetypes and covers just the main ones like conn, dns, ssl... definitely add the ones you would like to parse a little more. I personally like the JSON format more than TSV but it does support that fine as well with its sourcetype autotyping/dynamic extraction.  I would beware of the TIME_FORMAT in props.conf as Zeek by default uses epoch but Security Onion has been configured to use ISO8601 If using ISO8601 substitute TIME_FORMAT = %s.%6N for TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6%z ... View more

Passive DNS

by in Splunk Search
‎06-20-2020 09:02 AM
‎06-20-2020 09:02 AM
I am trying to create a passive dns collection based on splunk stream data. My current SPL is this: index=botsv2 sourcetype=stream:dns query=*frothly.local | stats earliest(_time) as firstSeen, latest(_time) as lastSeen by query | eval firstSeen=strftime(firstSeen, "%m/%d/%Y %H:%M:%S") | eval lastSeen=strftime(lastSeen, "%m/%d/%Y %H:%M:%S") What I am trying to accomplish is show how many days as "activeDays" a query was made. Just because its first and last may be seen 30 days apart it may have only been queried a couple times.  Also the stream queries and answers are separate events and how would i join them to create a by query and answers   ... View more
Labels

Can't see newly created indexes on search head in ...

by in Deployment Architecture
‎02-08-2020 05:45 PM
‎02-08-2020 05:45 PM
I have a single indexer and single search head with the indexer attached as a search peer and I created one index called "winevent" on the indexer. I don't understand why the search head cannot see this index or auto complete it when I type it in search. Is there another file I need to modify to make my search head aware of the indexes in an indexer? I haven't seen a real clear answer on this and I am trying to expand my Splunk instance from all in one to distributed architecture ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-03-2021 11:20 AM