Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About tjago11
tjago11
Communicator
Member since:
06-01-2017
07-21-2021
Community Statistics
| Posts | 54 |
| Solutions | 6 |
| Karma Given | 0 |
| Karma Received | 11 |
| Member Since | 06-01-2017 |
Activity Feed
- Got Karma for Re: How to get the top 10 max values for each field value?. 03-02-2022 03:00 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Re: Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Re: Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Posted Re: Splunk Stream Case Insensitive Extraction on Splunk Search. 01-23-2020 06:31 AM
- Posted Re: Finding the Duration between two timestamps on Splunk Search. 10-10-2019 09:28 AM
- Posted Re: Constant re-authentication after SSO migration on Security. 10-10-2019 09:18 AM
- Posted Re: Keep track of max count. on Splunk Search. 10-01-2019 07:59 AM
- Posted Re: Constant re-authentication after SSO migration on Security. 09-27-2019 06:16 AM
- Posted Re: Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 10:10 AM
- Posted Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 07:33 AM
- Tagged Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 07:33 AM
- Posted Re: How to view raw events in Stream?? on Getting Data In. 09-12-2019 07:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-10-2019
09:28 AM
Easiest way is to use strptime to format your time into epoch and then do the math to convert to minutes/hours/days whatever. Here is a run anywhere example using your date format:
| makeresults
| eval beginTime="2019-07-28T04:01:22.041Z"
| eval endTime="2019-07-28T05:01:22.041Z"
| eval beginTimeEpoch=strptime(beginTime, "%Y-%m-%dT%H:%M:%S")
| eval endTimeEpoch=strptime(endTime, "%Y-%m-%dT%H:%M:%S")
| eval durationInMinutes=(endTimeEpoch-beginTimeEpoch)/60
If you have multiple events then you'll need to do a stats with min/max on the epochs before you calculate the duration, something like:
| stats min(beginTimeEpoch) as beginTimeEpoch, max(endTimeEpoch) as endTimeEpoch by yourField
Enjoy!!
... View more
10-10-2019
09:18 AM
Updated date from Splunk is 2020-Q2:
https://jira.splunk.com/issues/?jql=project+%3D+CAUTO+AND+fixVersion+%3D+FY20-Q2
... View more
Success!! Well, at least an answer if not a solution...yet.
Got this note from Splunk regarding case number 1394793 :
Hey Tyler,
Update for you here dev is working on a fix that will:
"set the X-Splunk-Form-Key header directly reading from the splunkweb_csrf_token_ cookie every time instead of storing it in the variable."
They are building and testing this out currently and I will let you know which upcoming version this will be released in once i get a hard commitment.
While it was fun to tell the support folks, "I told you so", it is far better to see that the issue was reproducible and is being fixed. When I get word on the version of Splunk that contains the fix I'll post back. Progress!!
... View more
09-12-2019
10:10 AM
Ick, I feel dirty but this works.
[xX][-_][fF][oO][rR][wW][aA][rR][dD][eE][dD][-_][fF][oO][rR][:\s]+([\d\.:\s,]+)
I'll not accept this answer yet because it feels gross.
... View more
09-12-2019
07:33 AM
Doing an extraction in Splunk Stream and get an error when trying to use (?i) in my regex:
(?i)x-forwarded-for([:\s]+[\d\.:\s,]+)
Gives this error:
Invalid regex Expression
This works fine in a rex command, not sure what the Splunk Stream syntax is for case insensitive. Thanks.
... View more
09-12-2019
07:23 AM
That's the problem, I don't have sample data. 😉
My data is getting fed from a Gigamon tap at the LTM level. I don't have visibility into the raw tap data and I don't want to log it because it has authentication tokens and other scary stuff.
Working with the OTB HTTP Stream Protocol:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/FileTransfer#HTTP
The field that I want to build an extraction for is src_headers:
src_headers All HTTP headers sent from client to server http.cs-headers
I was able to extract a known header element that is added by an application team using this:
x-parentspantoken[\s:=]+(.{36})
The one I'm struggling with is the x-forwarded-for that is added by our F5 devices. I have this regex:
x-forwarded-for([:\s]+[\d.:\s,]+)
Which is just a guess because I can't see the actual raw header to know if that is right. Possibly a casing issue?? Tried adding (?i) to the front and it gave me an error:
Invalid regex Expression
Poop.
... View more
09-11-2019
12:59 PM
So, if you are trying to find the sum of values for the given years you'll need to get pretty creative. The way I read your question means you want results for each of the years selected, so if they pick 2018 and 2019 then you'll have two results.
Here is something that runs against the main index, the top section you would have to fix for using your Multi-Select. Should work:
| makeresults
| eval firstDay= "09/09/2019"
| eval secondDay= "09/10/2019"
| eval thirdDay="09/11/2019"
| eval daysCombined = firstDay.",".secondDay.",".thirdDay
| makemv daysCombined delim=","
| fields daysCombined
| eval groupBy="foo"
| append
[| tstats count where index=main earliest=-3d@d by _time span=1d
| eval formattedTime = strftime(_time, "%m/%d/%Y")
| eval groupBy="foo"
| eval {formattedTime}Count = count
| stats first(*Count) as *Count by groupBy
]
| stats list(*) as * by groupBy
| mvexpand daysCombined
| foreach *Count [eval <<MATCHSTR>>Included = if(strptime("<<MATCHSTR>>", "%m/%d/%Y") >= strptime(daysCombined, "%m/%d/%Y"), '<<FIELD>>', 0)]
| stats sum(*Included) as *
Enjoy!!
... View more
09-09-2019
11:43 AM
Getting a Splunk Stream feed from a Gigamon tap for HTTP.
I can see all the default fields to pull from the HTTP stream, including the one I care about "src_headers". However, I can't log the full src_headers because it potentially contains authentication tokens and other stuff I don't want to log. I have been able to extract a couple fields successfully by guessing at the regex, but been thrashing on the rest.
Is there some way to view the data that is coming to Stream without being forced to log all of it?? Something like a preview??
Would be nice to see a sample event before logging everything. Thanks.
-Tyler
... View more
09-09-2019
11:33 AM
Quick update, working on the version update from 6.8 to 7.2. Got the dev cluster done a couple weeks ago, unfortunately no help with this issue. Still gets the funky continuous re-authentication when multiple tab/windows are left open and then expire.
Also, the case is still being worked by Splunk. They increased the debugging on our dev cluster and are working on analyzing the data.
... View more
09-09-2019
11:16 AM
Yes on the proxy, but watching the network trace on the browser that doesn't look like a culprit. The tab sends the wrong token...so it will never work.
... View more
09-09-2019
11:13 AM
You are correct about the cookie changing, you can see this behavior in the original post where there are a lot of messages like "sent 1234, had 0987, expected xyz". I very much believe there is a JS variable that holding the token and not going to the cookie every time. This means if the cookie changes under your tab, the JS variable will be out of synch with the cookie and cause another re-authentication.
... View more
07-26-2019
08:36 AM
Yep, that is janky. 😉
Our users are pretty resilient to the abuse and have found ways around it. By increasing timeouts, the issue has been limited to just those people that leave sessions open overnight.
What I can't stomach, is as a web developer I know that the issue is bad session management and should be relatively easy to fix.
... View more
07-26-2019
08:29 AM
No, this is still a problem. Things we've done so far:
Increase ADFS Timeout to 9hrs
Increase SAML Timeout to 9hrs
Increase Web Timeout to 9hrs
Provide SAML Logout URL
Recently I recorded a video of the issue happening and did a network capture with Fiddler. The Case Worker was pretty confused about what is happening and escalated to the Developers.
I still very much believe that there is something with the tab session caching the Token Value instead of dynamically retrieving it from the cookie every time.
Also, we have this issue across both our Search Head Cluster and single Search Head instances, so that is not a factor.
... View more
06-21-2019
06:28 AM
Just confirmed that if I limit the results by the user, the search data does not come back. Did a search with a guid and then went to the internal indexes to see all the places it showed up. When I add in the user restriction it finds nothing, which is good.
index=_* "ec840050-a53f-4b0e-af5a-5f0678bfbcb5" user!=123456
Pretty sure this will work, thanks for the help.
... View more
06-21-2019
06:21 AM
Ahhhh, crap. Totally forgot about the indexer logs that will contain the searches ran there as well, ugh. Okay sounds like I'll need to create some search term restrictions to get a semblance of security around that data.
Do you think it is sufficient to do something like this??
NOT (user=123456 OR user=abcdefg)
I'll know who the security people are so building that restriction will be pretty easy. Heck, if I want to get fancy I can likely resolve the security people by role and gen a lookup table to use as the restriction.
... View more
Happens regardless of the browser, so definitely a Splunk issue.
Opened a case and they said that in our SSO configuration we didn't supply a SAML logout URL. Working on adding that and will update with result. Thanks.
... View more
06-20-2019
05:34 AM
We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different location than the main Search Heads.
The ES SH is used for doing security investigations and we do not want the searches executed readable by the masses.
However, we don't want to lock down everything in _audit.
I'd think the simplest thing to do is have the _audit logs for that one SH sent to a different index??
Is that even possible??
Thanks.
... View more
05-17-2019
01:07 PM
3 Karma
After our SSO migration, users have reported instances where a single tab will re-authenticate which causes a cascading re-authentication across all tabs.
This wouldn't be so bad if it happened once, but for some reason the re-authentication cycles between the tabs and happens continually. Here is a sample of the events that show up in the audit log:
5/15/19 9:52:05.198 AM 127.0.0.1 - 111111 [15/May/2019:15:52:05.198 +0000] "GET /en-US/splunkd/__raw/services/authentication/users/111111?output_mode=json&_=111222333 HTTP/1.0" 200 1904 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.111.111.111 Safari/537.36" - 111aaa222bbb333ccc 0ms
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd_ui_access.log sourcetype = splunkd_ui_access
5/15/19 9:52:05.160 AM 127.0.0.1 - 111111 [15/May/2019:15:52:05.160 +0000] "GET /en-US/splunkd/__raw/services/authorization/roles?output_mode=json&count=0&_=111222333 HTTP/1.0" 200 6593 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.111.111.111 Safari/537.36" - 111aaa222bbb333ccc 0ms
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd_ui_access.log sourcetype = splunkd_ui_access
5/15/19 9:52:05.039 AM Audit:[timestamp=05-15-2019 15:52:05.039, user=111111, action=change_authentication, info=denied ][n/a]
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = audittrail sourcetype = audittrail
5/15/19 9:51:57.179 AM 05-15-2019 15:51:57.179 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/servicesNS/111111/aaabbbcccddd/search/jobs" failed CSRF validation -- expected "111aaa222bbb333ccc444ddd", but instead cookie had "111aaa222bbb333ccc444ddd" and header had "555eee666fff777ggg888hhh"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:51:57.123 AM 05-15-2019 15:51:57.123 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/servicesNS/111111/aaabbbcccddd/search/jobs" failed CSRF validation -- expected "111aaa222bbb333ccc444ddd", but instead cookie had "111aaa222bbb333ccc444ddd" and header had "555eee666fff777ggg888hhh"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:51:57.071 AM 05-15-2019 15:51:57.071 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/servicesNS/111111/aaabbbcccddd/search/jobs" failed CSRF validation -- expected "111aaa222bbb333ccc444ddd", but instead cookie had "111aaa222bbb333ccc444ddd" and header had "555eee666fff777ggg888hhh"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:49:49.400 AM Audit:[timestamp=05-15-2019 15:49:49.400, user=111111, action=change_authentication, info=denied ][n/a]
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = audittrail sourcetype = audittrail
5/15/19 9:49:42.259 AM 05-15-2019 15:49:42.259 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/services/search/jobs/111111__111111__aaabbbcccddd__search3_111111111.145588_0000-000-000-000/control" failed CSRF validation -- expected "999iii000jjj111kkk222lll", but instead cookie had "999iii000jjj111kkk222lll" and header had "333mmm444nnn555ooo666ppp"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:49:42.252 AM 05-15-2019 15:49:42.252 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/services/search/jobs/111111__111111__aaabbbcccddd__search9_222222222.145594_0000-000-000-000/control" failed CSRF validation -- expected "999iii000jjj111kkk222lll", but instead cookie had "999iii000jjj111kkk222lll" and header had "333mmm444nnn555ooo666ppp"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
This cycle of Change Auth -> Fail -> CSRF Validation -> Change Auth will just repeat continually until the user closes all tabs and starts over. Somehow one of the tabs gets a new token and stores it in the cookie without telling his friends. Then, instead of reusing the updated token, the other tabs all try to get their own token and store it in the cookie.
Certainly sounds like a defect, but looking for guidance. Thanks.
-Tyler
... View more
