cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
zward
Path Finder
Member since: ‎06-01-2017
‎09-24-2021
Community Statistics
Posts 17
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎06-01-2017
Activity Feed
Topics I've Started
View All

Splunk Dashboard Studio PDF Export Background on C...

by in Dashboards & Visualizations
‎09-22-2021 03:46 PM
‎09-22-2021 03:46 PM
Hello, I am having an issue where dashboard studio has ceased to export background images (loaded on to the canvas) with PDF and PNG download.  When I download reports (via the download link in the upper right corner) in PDF/PNG format the canvas background image is gone and only the background color of the dashboard that is set exports out.  I am currently using a canvas background image and it is gone on the export of every dashboard -- this is quite problematic.  Does anyone have a solution on how to fix this? Thank you. Edit:  I figured this may be a KVStore linking issue, so I uploaded the image to the server and linked to it rather than uploading it.  The PDF export still does not contain the canvas background image. I also thought this may be a size limitation, however the file is around 1MB in size total.  This appears to not be the case also. ... View more
Labels

Re: Windows Process Name inputs.conf Blacklisting ...

by in All Apps and Add-ons
‎05-18-2020 05:56 PM
‎05-18-2020 05:56 PM
I was able to find the solution for this, it is: EventCode="(4660|4663|4688|4689)" Message="Process Name:\s+Tei.Content.ContentPublisher.exe|BBL.exe|BESRootServer.exe|BESClient.exe|elasticsearch-service-x64.exe|bactalk.exe|mcshield.exe|splunk-optimize.exe|splunk-winevtlog.exe|bactalk.exe|w3wp.exe|Microsoft.Exchange.Diagnostics.Service.exe|MSExchangeHMWorker.exe|SearchProtocolHost.exe|SearchIndexer.exe|PSMONITORSRV.exe|nslookupexe|traceroute.exe|postgres.exe|wmiapsrv.exe|wmiprvse.exe"> the character "*" is not used in regex in this case! For anyone struggling this is by far the best place to test out regex: https://www.regex101.com ... View more

Windows Process Name inputs.conf Blacklisting Rege...

by in All Apps and Add-ons
‎05-18-2020 03:12 PM
‎05-18-2020 03:12 PM
I am in desperate need of some help on regex/blacklisting process names in Windows Event logs. Our regex to exclude / filter out specific Process Name executables is not working and I would guess it likely is due to improper regex. I could definitely use any advice or help on the below regex as I am by no means an expert, but have done my best to try and get it working, but I just can't seem to get it. Right now the 4663 processes are completely overwhelming our licensing due to the amount of events being generated. Here is our regex code that is not functioning (blacklist8). Below that is our full blacklist. This is being done via Windows_TA inputs.conf file within the local directory being deployed to all universal forwarders. I am trying to exclude any message received by Windows that shows Process Name as one of the executables. Thank you so much for your help! Line that is not working: blacklist8 = EventCode="(4660|4663|4688|4689)" Message="Process Name:\s+*Tei.Content.ContentPublisher.exe|*BBL.exe|*BESRootServer.exe|*BESClient.exe|*elasticsearch-service-x64.exe|*bactalk.exe|*mcshield.exe|*splunk-optimize.exe|*splunk-winevtlog.exe|*bactalk.exe|*w3wp.exe|*Microsoft.Exchange.Diagnostics.Service.exe|*MSExchangeHMWorker.exe|*SearchProtocolHost.exe|*SearchIndexer.exe|*PSMONITORSRV.exe|*nslookup.exe|*traceroute.exe|*postgres.exe|*wmiapsrv.exe|*wmiprvse.exe" Full blacklist: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)" blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%" blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy." blacklist6 = EventCode="(4660|4663|4688|4689)" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|mongod|splunkd|python|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|optimize|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)" blacklist7 = EventCode="4663" Message="(?:Object Name:)(?s).*(\\REGISTRY\\)" blacklist8 = EventCode="(4660|4663|4688|4689)" Message="Process Name:\s+*Tei.Content.ContentPublisher.exe|*BBL.exe|*BESRootServer.exe|*BESClient.exe|*elasticsearch-service-x64.exe|*bactalk.exe|*mcshield.exe|*splunk-optimize.exe|*splunk-winevtlog.exe|*bactalk.exe|*w3wp.exe|*Microsoft.Exchange.Diagnostics.Service.exe|*MSExchangeHMWorker.exe|*SearchProtocolHost.exe|*SearchIndexer.exe|*PSMONITORSRV.exe|*nslookup.exe|*traceroute.exe|*postgres.exe|*wmiapsrv.exe|*wmiprvse.exe" index = security_wineventlog renderXml = false Here is what I see when I search (obviously not working) image? ... View more

Inputlookup / Lookup - Add additional column for u...

by in Splunk Search
‎12-02-2018 01:12 PM
‎12-02-2018 01:12 PM
Hello, I am having some troubles with the lookup/inputlookup commands and was hoping someone could lend assistance. I have a search that I am using to get login/logoff details and duration of each session for virtual sessions. This search works great. Once this information is returned via search, I am attempting to use lookup (I also have tried inputlookup and append but that didn't work) to load additional detail from an Active Directory user list and attach a few columns of data from the AD list that will give additional user details (their email address, cn, description, and userPrincipalName) for our admin team. I am pulling in the lookup details by looking at a field with the Users information (UserDisplayName) and comparing it to the field "name" (in the lookup table). From my understanding doing this then allows me to pull any field from that particular row in the table. However when I go to output the data in a table, it's not working. I feel like I have the right coding, but there is either a conflict with the code not being laid out in the proper order that is resulting in the search not working or commands not interacting as I expect them too. I would appreciate if you could take a look and let me know what you think. Thank you. index=* host=vdi sourcetype=syslog (EventType="AGENT_DISCONNECTED" OR EventType="AGENT_CONNECTED") | transaction UserDisplayName maxevents=2 startswith=EventType="AGENT_CONNECTED" endswith=EventType="AGENT_DISCONNECTED" maxspan=-1 | eval Logontime=if(EventType="AGENT_CONNECTED",_time,null()) | eval Logofftime=Logontime+duration | eval duration2=duration | eval h=floor(duration2/3600) | eval m=floor((duration2-(h*3600))/60) | eval s=floor(duration2-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s" | eval total=TotalLoginLength/60 | eval total=round(total,2) | eval UserDisplayName=mvindex(split(UserDisplayName,"\\"),-1) | convert ctime(Logontime) as Logontime | convert ctime(Logofftime) as Logofftime | eval duration = duration/60 | eval duration=round(duration,2) | lookup AD_User_LDAP_list name AS UserDisplayName OUTPUTNEW cn AS cn description AS description userPrincipalName AS userPrincipalName | table UserDisplayName, MachineName, DesktopDisplayName, DesktopId, Logontime, Logofftime, SessionDuration, duration, total, description, cn, userPrincipalName | sort UserDisplayName, MachineName, -duration | rename duration AS "Splunk Session Duration (Mins)", Logontime AS "Logon", Logofftime AS "Logoff", SessionDuration AS "Total Session Duration", total AS "VDI Logged Session Duration (Mins)" What I see in my output is attached below, all of the data populating into the table is from the session duration search, the lookup info never seems to get added to the table as expected (the particular columns are empty (description, cn, userPrincipalName). Please note some machine data was blanked out on the left hand columns. How can I add the additional information to my search? ... View more

Workday Addon - Request Failed with Error Code 401

by in All Apps and Add-ons
‎08-14-2018 06:17 PM
‎08-14-2018 06:17 PM
Hello, I am in the process of working with our Workday team to setup Splunk to ingest Workday activity logs. As we work through the process we have our Workday area configured within Workday, including our tenant details, as well as all information generated from the Workday page entered into the Splunk setup page. We are not seeing any data come in from the Workday app into our index. When I check the Workday log, I see the below errors. It appears to be the client connecting to the API for Workday but receiving an error 401. Is there a way we can troubleshoot or fix this problem or does anyone have any thoughts on how to fix this issue? Your help is appreciated. 2018-08-14 19:44:28,848 INFO pid=1032 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2018-08-14 19:44:33,898 INFO pid=1032 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2018-08-14 19:44:42,471 INFO pid=1032 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2018-08-14 19:44:51,048 INFO pid=1032 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling 2018-08-14 19:44:51,049 INFO pid=1032 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2018-08-14 19:44:51,063 INFO pid=1032 tid=MainThread file=base_modinput.py:log_info:293 | Starting input "user_activity" for window (2018-08-15T00:09:51Z, 2018-08-15T00:39:51Z) 2018-08-14 19:44:51,403 ERROR pid=1032 tid=MainThread file=base_modinput.py:log_error:307 | Request failed with error code (401), retries exhausted ... View more

Pulling in LDAP information (Integration with MS A...

by in All Apps and Add-ons
‎05-24-2018 04:52 PM
‎05-24-2018 04:52 PM
Hello, The support request feature within the add-on goes to a 404 page, so I figured I would ask my question here. Our organization currently uses the MS AD Objects Splunk application to pull our LDAP information, so we do not use the Splunk LDAP app (SA-ldapsearch), which seems it may be a requirement for this app. My question is, is there a way to modify the code so that it looks for the lookup files in other locations or so that we can use the functionality of MS AD Objects with Search Activity, it seems like the option may be there with the existing LDAP Lookup option in setup. Is this a possibility, or is there a way to specify a file that contains the AD/LDAP lookup information without going through SA-ldapsearch? The application looks great, hoping this is a possibility. Thank you ... View more

Re: Building AD Lookups in MS Windows AD Objects

by in All Apps and Add-ons
‎05-22-2018 01:26 PM
‎05-22-2018 01:26 PM
Hi Shogan, Posting back again as I am running into the same issue, when I run "| inputlookup AD_User_LDAP_list | stats count" per step 3 of your directions, I received back the same count of 65410 over and over. The first search I ran per your directions above, with the search command of | ms_ad_obj_sched_sync_objects_base("User","user") produced another 50k users on top of the initial 15410, giving us 65410 users total. After this no new users are being added. Repeated searches from steps 1-3 above (you mention running it 5 times to gather all users), after the first time running and producing 50k users, does not pull any additional results now. I have tried running 30 days, 60 days, 90 days, and all time over the course of the past two weeks and after completion, the user count never goes up when running | inputlookup AD_User_LDAP_list | stats count. Is there a step I am missing, or should I try adjusting the head command to 100000 or 150000? It's almost like the list is not being checked for users and is repeatedly finding the same 50k users every time, is there a way I can look into this in more detail or any ideas on how to correct this issue? ... View more

Re: Building AD Lookups in MS Windows AD Objects

by in All Apps and Add-ons
‎05-09-2018 04:34 PM
‎05-09-2018 04:34 PM
Hi Shogan, Thank you for getting back to me and offering your help. I do appreciate it. *EDIT: As of 7:30pm CST your solution is working as you described, however it just takes a very long time for the search to complete, after running | inputlookup AD_User_LDAP_list | stats count I I am now sitting at 65k users, so it is indeed calculating and adding new users as designed. While slow, it is definitely a way to efficiently ensure all my users are being brought into Splunk. .. THANK YOU !!!! * To answer your questions: 1. We have one indexer, no clustering. 2. Verify baseline data comes back in 44 - 60 seconds and accurately reflects our environment, see below screenshot. I temporarily disabled the scheduled searches as you mentioned, I then ran eventtype=ms_ad_obj_msad_data (admonEventType=Sync) (objectClass="top|person|organizationalPerson|user") NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format]) | head 50000 which completed in around 44 seconds. After this I run the search in the ms windows ad objects app: | ms_ad_obj_sched_sync_objects_base("User","user")`` This proceeds, starting with "parsing", followed by "Finalizing Job". The search window then sits on finalizing job and nothing happens, when I check out the job menu, I see the following text: [subsearch]: No matching fields exist [subsearch]: No results. Created empty file 'AD_Objects_Queue_Main' I closed out and deleted this job, then started a new one with "Last 30 Days" search, this also sits on finalizing for quite awhile and nothing happens - it simply sits on finalizing with no indication of any output. When I run the command | inputlookup AD_User_LDAP_list | stats count I get the same count every time, (15410), this has been the value since the initial run of the add-on and has not changed to my knowledge. Maybe the search is purposely supposed to take this long? Do you have any thoughts? Here is the job log: This search is still running and is approximately 0% complete. (SID: 1525904118.152) search.log Execution costs Duration (seconds) Component Invocations Input count Output count 0.00 dispatch.check_disk_usage 1 - - 0.00 dispatch.createdSearchResultInfrastructure 1 - - 451.23 dispatch.evaluate 1 - - 450.61 dispatch.evaluate.append 2 - - 0.55 dispatch.evaluate.join 2 - - 0.05 dispatch.evaluate.inputlookup 1 - - 0.00 dispatch.evaluate.eval 14 - - 0.00 dispatch.evaluate.search 1 - - 0.00 dispatch.evaluate.fields 3 - - 0.00 dispatch.evaluate.fillnull 2 - - 0.00 dispatch.evaluate.makemv 1 - - 0.00 dispatch.evaluate.noop 1 - - 0.00 dispatch.evaluate.outputlookup 2 - - 0.00 dispatch.evaluate.rename 1 - - 0.00 dispatch.evaluate.sort 1 - - 0.00 dispatch.evaluate.stats 2 - - 0.07 dispatch.writeStatus 5 - - 0.21 startup.configuration 1 - - 0.50 startup.handoff 1 - - Search job properties canSummarize None createTime 2018-05-09T17:15:19.000-05:00 cursorTime 2038-01-18T21:14:07.000-06:00 custom { [-] dispatch.earliest_time: -30d@d dispatch.latest_time: now dispatch.sample_ratio: 1 display.general.type: statistics display.page.search.mode: verbose display.page.search.tab: statistics search: |`ms_ad_obj_sched_sync_objects_base("User","user")` } defaultSaveTTL 604800 defaultTTL 600 delegate None diskUsage 3842048 dispatchState FINALIZING doneProgress None dropCount None eai:acl { [-] app: ms_windows_ad_objects can_write: true modifiable: true owner: zward perms: { [+] } sharing: global ttl: 600 } earliestTime 2018-04-09T00:00:00.000-05:00 eventAvailableCount None eventCount None eventFieldCount None eventIsStreaming true eventIsTruncated true eventSearch None eventSorting desc isBatchModeSearch None isDone None isEventsPreviewEnabled None isFailed None isFinalized None isPaused None isPreviewEnabled true isRealTimeSearch None isRemoteTimeline None isSaved None isSavedSearch None isTimeCursored None isZombie None keywords sync_dn_chg::1 label None latestTime 2018-05-09T17:15:18.000-05:00 modifiedTime 2018-05-09T18:31:23.630-05:00 normalizedSearch None numPreviews None optimizedSearch None pid 332 priority 5 provenance UI:Search remoteSearch None reportSearch inputlookup AD_User_LDAP_list append=true | rename dn_hist AS dn_hist_hold | eval dn_hist_hold=case(dn_hist_hold="",distinguishedName,NOT dn_hist_hold="",dn_hist_hold."####".distinguishedName) | makemv delim="####" dn_hist_hold | append [search eventtype=ms_ad_obj_msad_data (admonEventType=Sync) (objectClass="top|person|organizationalPerson|user") NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format]) | head 50000 | fields DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,managedBy,memberOf,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated | fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly | fillnull value="" | stats earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID | eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0) | lookup AD_UAC_Details userAccountControl OUTPUT uac_bin_map, uac_details | join type=left DomainDNSName [|inputlookup AD_Domain_Selector | stats count by DomainDNSName,DomainNetBIOSName | rename DomainNetBIOSName as domain_lkp | table DomainDNSName,domain_lkp] | eval domain=if(isnull(domain_lkp),domain,mvdedup(domain_lkp)) | eval src_nt_domain=domain, q_link_id=domain."##".objectGUID | join primaryGroupID [|inputlookup AD_Groups_LDAP_list | fields distinguishedName, primaryGroupToken | rename primaryGroupToken AS primaryGroupID, distinguishedName AS prm_grp | eval prm_grp_id=PrimaryGroupID." - ".prm_grp] | eval memberOf=if(memberOf="",prm_grp,if(match(memberOf,prm_grp),memberOf,prm_grp."####".memberOf)) | table DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist_hold,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,managedBy,memberOf,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,q_link_id,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,src_nt_domain,st,streetAddress,title,uSNChanged,uSNCreated,uac_bin_map,uac_details,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated] | stats first(distinguishedName) AS current_dn,first(dn_path) AS current_dn_path,values(dn_hist_hold) AS dn_hist,last(*) AS * by objectGUID | eval current_dn=if(isnull(current_dn),orig_evt_dn,current_dn) | join type=left current_dn_path [|inputlookup AD_Objects_Queue_Main WHERE sync_complete=0 append=true | eval sync_ou_user=if(sync_ou==1,2,0) | eval sync_complete=if(sync_ou==1 AND sync_ou_user==2 AND sync_ou_group==2 AND sync_ou_computer==2,2,sync_complete) | table q_link_id,dn,dn_cnt,dn_hist,dn_path,domain,member,memberOf,objectGUID,objectClass,uSNChanged,whenChanged,sync_complete,sync_member,sync_ou,sync_ou_user,sync_ou_group,sync_ou_computer,sync_memberOf,sync_memberOf_user,sync_memberOf_computer,sync_memberOf_group | outputlookup AD_Objects_Queue_Main | search sync_ou=1 sync_ou_user=2 | table dn, dn_hist | makemv delim="####" dn_hist | mvexpand dn_hist | eval current_dn_path=dn_hist | rename dn AS new_ou_dn, dn_hist AS old_ou_dn | table current_dn_path, new_ou_dn, old_ou_dn] | eval sync_dn_chg=case((objectClass="top|person|organizationalPerson|user" OR objectClass="top|person|organizationalPerson|user|computer" OR objectClass="top|group") AND memberOf="",0,objectClass="top|group" AND member="",0,isnotnull(old_ou_dn) OR current_dn!=dn,1,isnull(old_ou_dn) AND current_dn=dn,0) | eval dn=if(isnull(old_ou_dn),dn,replace(dn,old_ou_dn,new_ou_dn)) | eval distinguishedName=if(isnull(old_ou_dn),dn,replace(dn,old_ou_dn,new_ou_dn)) | eval dn_path=if(isnull(old_ou_dn),dn_path,replace(dn_path,old_ou_dn,new_ou_dn)) | eval dn_hist=replace(replace(mvjoin(dn_hist,"####"),distinguishedName,""),"^####|####$","") | join type=left dn [ |inputlookup AD_Objects_Queue_Main WHERE sync_complete=0 | eval sync_memberOf_user=if(sync_memberOf==1,2,0) | eval sync_complete=if(sync_memberOf_user==2 AND sync_memberOf_group==2 AND sync_memberOf_computer==2,2,sync_complete) | table q_link_id,dn,dn_cnt,dn_hist,dn_path,domain,member,memberOf,objectGUID,objectClass,uSNChanged,whenChanged,sync_complete,sync_member,sync_ou,sync_ou_user,sync_ou_group,sync_ou_computer,sync_memberOf,sync_memberOf_user,sync_memberOf_computer,sync_memberOf_group | outputlookup AD_Objects_Queue_Main | search sync_memberOf=1 sync_memberOf_user=2 | table dn, dn_hist, member | makemv delim="####" member | mvexpand member | rename dn AS new_group_dn | rename member AS dn, dn_hist AS old_group_dn | stats values(old_group_dn) as old_group_dn, values(new_group_dn) as new_group_dn by dn | eval old_group_dn=mvjoin(old_group_dn,"|") | eval new_group_dn=mvjoin(new_group_dn,"####") | table dn, new_group_dn, old_group_dn] | eval memberOf=if(isnull(old_group_dn),memberOf, replace(memberOf,old_group_dn,"")) | eval memberOf=if(isnull(new_group_dn),memberOf, if(memberOf=="",new_group_dn,memberOf."####".new_group_dn)) | fields - old_ou_dn, - new_ou_dn, - current_dn, - dn_hist_hold, - orig_evt_dn, - current_dn_path, - new_member_dn, - old_group_dn, - new_group_dn, - old_member_dn, - new_memberOf_dn, - old_memberOf_dn | outputlookup AD_User_LDAP_list | fields q_link_id,dn,dn_cnt,dn_hist,dn_path,domain,member,memberOf,objectGUID,objectClass,uSNChanged,whenChanged,sync_dn_chg | search sync_dn_chg=1 | fillnull value="" member,memberOf | eval sync_member=case(objectClass="top|person|organizationalPerson|user",1,objectClass="top|person|organizationalPerson|user|computer",1,objectClass="top|group",1,objectClass="top|organizationalUnit" OR objectClass="top|container",0) | eval sync_memberOf=case(objectClass="top|person|organizationalPerson|user",0,objectClass="top|person|organizationalPerson|user|computer",0,objectClass="top|group",1,objectClass="top|organizationalUnit" OR objectClass="top|container",0) | eval sync_memberOf_user=if(sync_memberOf==1,1,0),sync_memberOf_group=if(sync_memberOf==1,1,0),sync_memberOf_computer=if(sync_memberOf==1,1,0) | eval sync_ou=case(objectClass="top|person|organizationalPerson|user",0,objectClass="top|person|organizationalPerson|user|computer",0,objectClass="top|group",0,objectClass="top|organizationalUnit" OR objectClass="top|container",1) | eval sync_complete=0,sync_ou_user=if(sync_ou==1,1,0),sync_ou_group=if(sync_ou==1,1,0),sync_ou_computer=if(sync_ou==1,1,0) | fillnull value=0 sync_complete,sync_member,sync_memberOf,sync_memberOf_user,sync_memberOf_computer,sync_memberOf_group,sync_ou,sync_ou_user,sync_ou_group,sync_ou_computer | append [|inputlookup AD_Objects_Queue_Main WHERE sync_complete=0 append=true | table q_link_id,dn,dn_cnt,dn_hist,dn_path,domain,member,memberOf,objectGUID,objectClass,uSNChanged,whenChanged,sync_complete,sync_member,sync_ou,sync_ou_user,sync_ou_group,sync_ou_computer,sync_memberOf,sync_memberOf_user,sync_memberOf_computer,sync_memberOf_group] | fields q_link_id,filter,dn,dn_cnt,dn_hist,dn_path,domain,member,memberOf,objectGUID,objectClass,uSNChanged,whenChanged,sync_complete,sync_member,sync_ou,sync_ou_user,sync_ou_group,sync_ou_computer,sync_memberOf,sync_memberOf_user,sync_memberOf_computer,sync_memberOf_group | sort 0 -uSNChanged | stats last(*) AS * by q_link_id | outputlookup AD_Objects_Queue_Main create_empty=true request { [-] adhoc_search_level: verbose auto_cancel: 30 check_risky_command: false custom.dispatch.earliest_time: -30d@d custom.dispatch.latest_time: now custom.dispatch.sample_ratio: 1 custom.display.general.type: statistics custom.display.page.search.mode: verbose custom.display.page.search.tab: statistics custom.search: |`ms_ad_obj_sched_sync_objects_base("User","user")` earliest_time: -30d@d indexedRealtime: latest_time: now preview: 1 provenance: UI:Search rf: * sample_ratio: 1 search: |`ms_ad_obj_sched_sync_objects_base("User","user")` status_buckets: 300 ui_dispatch_app: ms_windows_ad_objects } resultCount None resultIsStreaming None resultPreviewCount None runDuration 451.281 runtime { [-] auto_cancel: 30 auto_pause: 0 } sampleRatio 1 sampleSeed 0 scanCount None search |`ms_ad_obj_sched_sync_objects_base("User","user")` searchCanBeEventType None searchEarliestTime 1523250000 searchLatestTime 1525904118 searchProviders [ ] searchTotalBucketsCount None searchTotalEliminatedBucketsCount None sid 1525904118.152 statusBuckets None ttl 600 Additional info search.log ... View more

Building AD Lookups in MS Windows AD Objects

by in All Apps and Add-ons
‎05-01-2018 03:50 PM
‎05-01-2018 03:50 PM
Hello, I have successfully installed the MS Windows AD Objects app. When I go to build the kv stores/lookups users/groups, etc, The search will sit and never completes the job. After looking into the log files and job manager, I have found that the jobs run, but they quickly balloon to massive sizes in the job log (1 to 15+ GB size depending on the search) , to the point that the jobs never finish (often sitting on a % or on finalizing) and I am getting out of search memory issues in the job manager. Now we have 24gb of ram on this server -- and we continue to see the warning (search auto-finalized after disk usage limit (12500 MB) reached). When I run the verify all baseline data, it comes back with no problems, however when I select the build ad lookup lists it takes hours to locate admon baseline data, even though when I search for it normally, it finds the event within 2 seconds. The ad object counts never populate at the top of the dashboard and I cannot move on to the next step. So after this failed many times, I went to build or rebuild all lookups, which never resolves after allowing it to sit and run all day. After trying this I would then do the individual build lookups which resolved for ad groups and objects, but crashed mongod when I tried to build the user database (see below code snippet). I increased the paging file on the system from 10GB to 100GB and still the tables do not build. I have tried reinstalling the application from scratch and that has not done anything to alleviate the issue. I have also tried individually building the lookups one by one but continue to see finalizing that never completes -- the search sits for hours finalizing and never completes, frozen at a particular run time that never updates. I have increased the size from 10000 MB to to 12500 MB for our disk usage limit in authorize.conf, however I am not sure that is going to do the trick. I take it our server is out of memory, however why are these search sizes so massive? We have around 220k AD users. There has got to be a way to break this down to a smaller search so I can complete the build lookup and continue this process. Or how much RAM do we need to configure this app? The program is really splendid from what I have seen, however being unable to build the key data lookup files is affecting our ability to use the app entirely. What can I do to get these lookups to build? Please help! Mongod error: 2018-04-24T21:35:41.448Z I NETWORK [conn9973] end connection 127.0.0.1:54457 (10 connections now open) 2018-04-24T21:36:19.780Z I COMMAND [conn9810] command s_splunkiTR2RCAYp7Go4kZlq1TnMAm9_tSessiV6ysHGNENqOVEZL92qEHLjZQ.$cmd command: insert { insert: "sched@XbEOwXGEIGOSYrnChJNIFYp", writeConcern: { w: "majority", j: true, wtimeout: 1800000 }, ordered: true, documents: 1000 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:80 locks:{ Global: { acquireCount: { r: 1025, w: 1025 } }, MMAPV1Journal: { acquireCount: { w: 1026 }, acquireWaitCount: { w: 7 }, timeAcquiringMicros: { w: 913396 } }, Database: { acquireCount: { w: 1025 } }, Collection: { acquireCount: { W: 25 }, acquireWaitCount: { W: 1 }, timeAcquiringMicros: { W: 26 } }, oplog: { acquireCount: { w: 1000 } } } 1452ms 2018-04-24T21:36:42.151Z I COMMAND [conn9810] command s_splunkiTR2RCAYp7Go4kZlq1TnMAm9_tSessiV6ysHGNENqOVEZL92qEHLjZQ.$cmd command: insert { insert: "sched@XbEOwXGEIGOSYrnChJNIFYp", writeConcern: { w: "majority", j: true, wtimeout: 1800000 }, ordered: true, documents: 1000 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:80 locks:{ Global: { acquireCount: { r: 1025, w: 1025 } }, MMAPV1Journal: { acquireCount: { w: 1025 }, acquireWaitCount: { w: 6 }, timeAcquiringMicros: { w: 60953 } }, Database: { acquireCount: { w: 1025 } }, Collection: { acquireCount: { W: 25 } }, oplog: { acquireCount: { w: 1000 } } } 1048ms 2018-04-24T21:36:53.119Z I COMMAND [conn9810] command s_splunkiTR2RCAYp7Go4kZlq1TnMAm9_tSessiV6ysHGNENqOVEZL92qEHLjZQ.$cmd command: insert { insert: "sched@XbEOwXGEIGOSYrnChJNIFYp", writeConcern: { w: "majority", j: true, wtimeout: 1800000 }, ordered: true, documents: 1000 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:80 locks:{ Global: { acquireCount: { r: 1029, w: 1029 } }, MMAPV1Journal: { acquireCount: { w: 1030 }, acquireWaitCount: { w: 10 }, timeAcquiringMicros: { w: 59927 } }, Database: { acquireCount: { w: 1029 } }, Collection: { acquireCount: { W: 29 }, acquireWaitCount: { W: 1 }, timeAcquiringMicros: { W: 27 } }, oplog: { acquireCount: { w: 1000 } } } 1601ms 2018-04-24T21:36:59.934Z F STORAGE [conn9810] MongoDB has exhausted the system memory capacity. 2018-04-24T21:36:59.934Z F STORAGE [conn9810] Current Memory Status: { page_faults: -1503484610, usagePageFileMB: 674, totalPageFileMB: 84695, availPageFileMB: 68, ramMB: 24575 } 2018-04-24T21:37:00.034Z F STORAGE [conn9810] VirtualProtect for E:/Splunk/datastore/kvstore/mongo/local.1 chunk 4104 failed with errno:1455 The paging file is too small for this operation to complete. (chunk size is 67108864, address is 4020000000) in mongo::makeChunkWritable, terminating 2018-04-24T21:37:00.036Z I - [conn9810] Fatal Assertion 16362 2018-04-24T21:37:00.493Z I CONTROL [conn9810] mongod.exe index_collator_extension+0x146b13 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0xfe14f 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0xf0847 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe ??? 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0x450e38 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0x10a6f3 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0x1670f1 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0x47fa0b 2018-04-24T21:37:00.497Z I CONTROL [conn9810] mongod.exe index_collator_extension+0x47fbb2 2018-04-24T21:37:00.497Z I CONTROL [conn9810] KERNEL32.DLL BaseThreadInitThunk+0x22 2018-04-24T21:37:00.497Z I CONTROL [conn9810] 2018-04-24T21:37:00.497Z I - [conn9810] ... View more

Stats Count in InputLookup?

by in Splunk Search
‎02-20-2018 04:19 PM
‎02-20-2018 04:19 PM
Hello, I am working on a dashboard panel and I am at my wits end on how I can create a table entry for the eventcount or stats of the number of events. I am able to display my entire dashboard minus the eventcount (I need a full count of the number of events for the specific host), however when I attempt to use eventcount, it fails as it is not the first entry into the search, and stats dc(index) is not populating the search either and it ends up blank. Any thoughts on how I can get an event count for the particular host to display in my inputlookup dashboard? I am hoping it is an easy fix, but something just isn't adding up. Thank you. : <panel> <title>Results</title> <input type="dropdown" token="fields" searchWhenChanged="true"> <label>Field Selection:</label> <choice value="table host, sourcetype, index, firstTime, lastTime, recentTime, lastUpdated | sort - host">All</choice> <choice value="dedup index, sourcetype | table index, sourcetype">Indexes, Sourcetypes Only</choice> <choice value="table host, sourcetype, index">Indexes, Sourcetypes, Hosts Only</choice> <default>table host, sourcetype, index, firstTime, lastTime, recentTime, lastUpdated | sort - host</default> </input> <table> <search> <query>| inputlookup MCInventory where index=$index$ sourcetype=$sourcetype$ host=$host$ | $filter$ | convert ctime(recentTime) ctime(firstTime) ctime(lastTime) ctime(lastUpdated) | $fields$</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">heatmap</option> <option name="drilldown">row</option> <option name="count">50</option> </table> </panel> ... View more

Re: Why are blacklisted 4663 and 4660 events still...

by in Getting Data In
‎12-13-2017 10:20 AM
‎12-13-2017 10:20 AM
Here is a sample event 4663: 12/13/2017 12:15:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=SPLUNKPRD01 TaskCategory=Removable Storage OpCode=Info RecordNumber=2992047793 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: S-1-5-18 Account Name: SPLUNKPRD01$ Account Domain: TESTENV Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: E:\Splunk\datastore\optiv\db\hot_v1_126\Hosts.data Handle ID: 0x4b0 Resource Attributes: Process Information: Process ID: 0x8e8 Process Name: C:\Program Files\Splunk\bin\splunkd.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 4660 12/13/2017 12:17:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4660 EventType=0 Type=Information ComputerName=SPLUNKPRD01 TaskCategory=Removable Storage OpCode=Info RecordNumber=2992128965 Keywords=Audit Success Message=An object was deleted. Subject: Security ID: S-1-5-18 Account Name: SPLUNKPRD01$ Account Domain: TESTENV Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0xfe8 Process Information: Process ID: 0x688 Process Name: C:\Program Files\Splunk\bin\splunkd.exe Transaction ID: {00000000-0000-0000-0000-000000000000} ... View more

Why are blacklisted 4663 and 4660 events still sho...

by in Getting Data In
‎12-12-2017 05:29 PM
‎12-12-2017 05:29 PM
I am hoping someone can help me out with a filtering blacklist issue I am having. I am currently filtering out event codes 4663 and 4660 so that splunk.exe (splunkd.exe, mcshield.exe, and a few other) processes are blacklisted and not sent, as Splunk is recording itself (splunkd.exe) accessing the Splunk directory every single time a file is touched or written (thousands of events per minute). Every time Splunk receives a file or log, it records and updates the index, which creates more log files with event codes 4663 and 4660. As you can imagine this is a massive amount of data being logged. Event codes 4660 and 4663 are for objects that are accessed. I have applied the blacklists below, however I am still seeing results when I search for the event codes. Below are my blacklists, any idea why these events are still showing up, maybe there is an issue with my blacklist? blacklist3 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)" blacklist4 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Common Files\\McAfee\\SystemCore\\(?:mcshield).exe)" blacklist5 = EventCode="4660" Message="Process_Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)" I did multiple searches and was unable to find an effective blacklist for event codes 4663 and 4660 that are granular enough to exclude splunkd.exe. Also please note full hostname information has been excluded from the screenshot for security reasons. Thank you for your help. ... View more

Re: How do I alert when a host stops sending data?

by in Splunk Search
‎12-07-2017 07:53 AM
‎12-07-2017 07:53 AM
I downvoted this post because not relevant to the question, and it is another question -- not an answer or solution to the original question. ... View more

Re: Windows Event Log 4625 - Eval Account_Name Sea...

by in Splunk Search
‎11-14-2017 03:27 PM
‎11-14-2017 03:27 PM
That worked wonderfully and is exactly what I needed, thank you Maciep! ... View more

Windows Event Log 4625 - Eval Account_Name Search ...

by in Splunk Search
‎11-14-2017 01:49 PM
‎11-14-2017 01:49 PM
Hello, I have the following search: index=security_wineventlog EventCode=4625 | table _time, Workstation_Name, Source_Network_Address, host, Account_Name | eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="ADFS",(mvindex(Account_Name,1)), Account_Name) | eval Time=strftime(_time,"%Y/%m/%d %T") Now using the eval command, I am finding any results with "-", "ADFS", or "randomcomputername$" and instead choosing the next result for account_name. However when running the search, I am still seeing account_names with $ at the end of the account name. Here are the results I get when I do a search: How can I move past account names with $ in them per my search above to populate the next result for account_name? I searched google and Splunk answers and was not able to find an answer. Thank you. ... View more

Re: Splunk addon for McAfee: Older version that su...

by in All Apps and Add-ons
‎11-07-2017 01:45 PM
1 Karma
‎11-07-2017 01:45 PM
1 Karma
I too would also like to know if this is available. We used the current Mcafee addon with EPO v4 and we do get results, but it would be nice to have a v4 addon that is supported. ... View more

Splunk Windows Update Monitoring

by in Getting Data In
‎06-01-2017 04:10 PM
‎06-01-2017 04:10 PM
Hi, I am new to Splunk and working on some basic queries and in need of some help. I am working on a dashboard for Windows updates. As part of this dashboard I am looking to show the patches that have been installed and patches not installed. I did this by grabbing the eventcode for the windows updates that were installed (EventCode 19). What I am then doing is grabbing a list from Microsoft of Bulletin KB #'s that have been issued (patches released) and using an inputlookup to import the KB numbers, then I want to search the Windows event logs for those KB numbers. If they do not exist I want a list of the computers that are missing the KB's. I am having a difficult time getting this to work. Here is what I have so far, I am hoping someone can lead me in the correct direction on what I am doing wrong. Grabbing the windowsupdate.log is not an option on each machine due to the way we are forwarding data. sourcetype=WinEventLog:System EventCode=19 NOT [| inputlookup BulletinSearch.csv | fields + "Bulletin KB" | rename "Bulletin KB" as KB] | eval Date=strftime(_time, "%Y/%m/%d")| rex "\WKB(?.\d+)\W" | table Date, host, KB, Message | sort by -Date ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-24-2021 02:20 AM
Karma from
View All
Karma given to
View All