Thanks. Did not want to clear everything, so tried in-private mode which also seemed to let me complete ES install. ... View more

How many bytes does a character take ... View more

props.conf: [ csv ] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 INDEXED_EXTRACTIONS=csv KV_MODE=none category=Structured description=Comma-separated value format. Set header and other settings in "Delimited Settings" disabled=false pulldown_type=true TZ=UTC TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ TRANSFORMS-csv=response_body_csv, response_footer_csv trensforms.conf: [response_body_csv] REGEX=\"(?<Date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\",\"(?<Action>\w+)\",\"(?<Module>\w+)\",\"(?<Details>\w+: \w+)\",\"(?<User_Name>\w+)\",\"(?<User_Role>\w+)\",\"(?<User_IP>[\w.:]+)\" [response_footer_csv] REGEX=\"(?<CODE>\d{4})\",\"(?<TEXT>.+)\",\"(?<URL>.+)\" If it is a field extraction at the time of search, it looks like this. ... View more

kamlesh_vaghela, I need to know one thing. to use the modular input I have to integrate the Splunklib sdk in my TA directory. How can I remove it and on runtime Splunk will resolve the from splunklib.modularinput import * ... View more

check this splunk answer, same problem is resolved ... View more

I got an answer for this problem using the import splunklib.client as client in the <app>_splunk_setup_handler.py script. I'm saving the password in my app/local/password.conf and retrieving it using the splunk session and service.storage_passwords . Created these 2 type of methods: '''Get clear password''' def get_password(session_key, username, realm): args = {'token': session_key, 'app': "my_app"} service = client.connect(**args) try: # Retrieve the password from the storage/passwords endpoint for storage_password in service.storage_passwords: if storage_password.username == username and storage_password.realm == realm: return storage_password.content.clear_password except Exception, e: raise Exception, "An error occurred while decrypting credentials. Details: %s" % str(e) '''Encripting the password''' def encrypt_password(service, ca_pass, username, realm): try: # If the credential already exists, delete it. for storage_password in service.storage_passwords: if storage_password.username == username and storage_password.realm == realm: service.storage_passwords.delete(username, realm) # Create the credential. password = service.storage_passwords.create(ca_pass, username, realm) return password.encrypted_password except Exception, e: raise Exception, "An error occurred while encrypting credentials. Details: %s" % str(e) ... View more

The interval is specified in the qualys stanza of the inputs.conf file. Create a local directory in the root of the app and create an inputs.conf file in the new directory. Then recreate the [qualys] stanza. The inputs.conf file's interval value can be a cron expression. This way you can specify specific times of the day and allow a period of time in which you can reboot without affecting your inputs. To run your inputs daily at 4:30 am every day you can use: [qualys] index = main disabled = true interval = 30 4 * * * Alternatively, you may specify an interval in seconds in which you can specify a decimal. For example, 'interval = 8640' would run every day (assuming no restarts). ... View more

@p_gurav I need one more help from you. In both of the JSON, there are 2 epoch time fields. sourcetype = [lastFound] {"vulnerability": null, "lastFound": "1511257640614", "os": null, "authType": ["UNIX_AUTH"], "supportedBy": ["VM", "CA-Linux Agent", "CA-Mac Agent"], "discoveryType": ["AUTHENTICATED"], "port": null, "firstFound": "1511257640614"} JSON DATA for sourcetype = [lastScanned] {"size": 520227288, "created": "1432662156000", "vulnerabilities": {"severity2Count": 2, "severity5Count": 11, "severity3Count": 38, "severity1Count": 0, "severity4Count": 30}, "lastScanned": "1516151267981"} I need to provide an OR case for the TIMESTAMP_FIELDS. I tried this but it didn't work. TIMESTAMP_FIELDS=lastScanned|created Could you suggest something? ... View more

Thanks @martin_mueller. It worked. ... View more

Hello, @dfoster. May I know does this feature is available in 6.6 version of Splunk? ... View more