Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About cudgel
cudgel
Path Finder
Member since:
05-20-2010
03-04-2025
Community Statistics
| Posts | 16 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 7 |
| Member Since | 05-20-2010 |
Activity Feed
- Karma SolarWinds add-on not working for ilhwan. 03-04-2025 05:49 AM
- Karma Re: Cisco ESA Combine logs for mikaelbje. 06-05-2020 12:49 AM
- Karma Splunk Enterprise Security App Integration with Ticketing / Incident Response System for fharding. 06-05-2020 12:47 AM
- Got Karma for Re: How to avoid duplicate events when using distributed search across cloned indexers. 06-05-2020 12:45 AM
- Got Karma for Isses with the Splunk for Cisco Security E-Mail Security module.. 06-05-2020 12:45 AM
- Got Karma for Populating a summary index with transactions while preserving fields.. 06-05-2020 12:45 AM
- Got Karma for Re: Populating a summary index with transactions while preserving fields.. 06-05-2020 12:45 AM
- Posted Re: Splunk Smartstore: Remote Storage Http Error Status Codes on Deployment Architecture. 09-19-2019 08:22 AM
- Posted Re: Splunk Smartstore: Remote Storage Http Error Status Codes on Deployment Architecture. 09-19-2019 08:01 AM
- Posted Re: REST API Modular Input: How to implement a custom response handler to deal with pagination limits pulling from AirTable REST API? on All Apps and Add-ons. 04-04-2018 11:00 AM
- Posted Re: How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 10:40 AM
- Posted How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 07:40 AM
- Tagged How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 07:40 AM
- Tagged How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 07:40 AM
- Tagged How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 07:40 AM
- Tagged How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 07:40 AM
- Tagged How to log the actual request made by the REST API modular input? on All Apps and Add-ons. 04-02-2018 07:40 AM
- Posted Re: The Splunk Add-on for Nessus config job runs, but why does it never connect or attempt to log in to SecurityCenter? on All Apps and Add-ons. 08-09-2016 04:33 AM
- Posted Re: The Splunk Add-on for Nessus config job runs, but why does it never connect or attempt to log in to SecurityCenter? on All Apps and Add-ons. 08-08-2016 07:55 AM
- Posted The Splunk Add-on for Nessus config job runs, but why does it never connect or attempt to log in to SecurityCenter? on All Apps and Add-ons. 08-08-2016 06:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
09-19-2019
08:22 AM
version 7.2.5.1
... View more
09-19-2019
08:01 AM
We are seeing the same thing in our environment. 403's doing REST.GET.BUCKETVERSIONS and 404's on REST.HEAD.OBJECT for keys ending in "receipts.json" or "done". Searches don't seem to be having problems, but we have a very high error count.
... View more
04-04-2018
11:00 AM
I have tried implementing this code for another REST input (a Cloudflare endpoint) and it does not work after the first page of results. The error I receive is below:
RESPONSE_HANDLER_INSTANCE(response,output,type,req_args,endpoint)
for result in output["result"]:
handle_output(r,r.text,response_type,req_args,endpoint)
self.__target(*self.__args, **self.__kwargs)
self.run()
File "/opt/splunk/etc/apps/rest_ta/bin/responsehandlers.py", line 171, in __call__
File "/opt/splunk/etc/apps/rest_ta/bin/rest.py", line 521, in do_run
File "/opt/splunk/etc/apps/rest_ta/bin/rest.py", line 616, in handle_output
File "/opt/splunk/lib/python2.7/threading.py", line 754, in run
File "/opt/splunk/lib/python2.7/threading.py", line 801, in __bootstrap_inner
Exception in thread Thread-1:
Traceback (most recent call last):
TypeError: 'NoneType' object is not iterable
I am guessing the inner loop is not getting some of the settings from the original input, specifically the HTTP header properties Cloudflare uses for authentication.
... View more
04-02-2018
10:40 AM
I modified the rest.py code to log the url with tokens when there is an exception:
# diff -b ../rest_ta/bin/rest.py rest_ta/bin/rest.py
524a525
> error_url = r.url
530a532
> logging.error("Problem URL: %s" % str(error_url))
... View more
04-02-2018
07:40 AM
How can I enable debug logging to capture the actual request being made by Splunk (with token substitution)? I have a REST input with custom tokens/response handler that stopped working after functioning properly for several months. If I make the same request via CURL and verify the endpoint is working properly. There is nothing in the python log on the heavy forwarder and the only errors in splunkd.log are from ExecProcessor and JsonLineBreaker:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 400 Client Error: Bad Request
ERROR JsonLineBreaker - JSON StreamId:11717245446002646617 had parsing error:Unexpected character while looking for value: 'h' - data_source=...
... View more
08-09-2016
04:33 AM
That is unfortunate since the appliance does not really give you a granular upgrade option.
I hope the version support will be expanded to the latest versions of SecurityCenter - Tenable is fairly aggressive about pushing their customers to keep up-to-date.
... View more
08-08-2016
07:55 AM
I have verified that the connection from the Splunk host to SecurityCenter is open - I previously used a custom python script to collect vulnerability data from the same host so I can verify the account Splunk uses to connect to the API has the right role.
... View more
08-08-2016
06:14 AM
I am using SecurityCenter 5.4 (upgraded from 4.x specifically to get compatibility with this Splunk Add-on for Nessus). All of the configurations from the documentation have been applied correctly, but the TA never connects to SecurityCenter - no login attempts in the SecurityCenter logs. The following messages repeat at whatever the interval is set at:
2016-08-08 13:09:46,969 +0000 log_level=INFO, pid=18721, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=187 | End Tenable task
2016-08-08 13:09:46,968 +0000 log_level=INFO, pid=18721, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=78 | Totally generated 1 task configs
2016-08-08 13:09:44,302 +0000 log_level=INFO, pid=18721, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=180 | Start Tenable task
... View more
12-15-2015
11:24 AM
I have the same problem. Search head and index cluster, both have the appropriate bits installed (App, SA, and/or TA - SA and TA from the app/install directory) as specified by the instructions but I get this error from every index cluster member on every search. It seems like I didn't start seeing this error until upgrading from 6.3.0 to 6.3.1 on clustered hosts.
... View more
11-04-2010
02:22 PM
How well does the search "| metadata type=hosts | eval now = now() | where latestTime > now" work in a scheduled search? I seem to get a huge load of results for hosts off by as much as 2-3 minutes because of what - now() evaluates to when the search is scheduled to run? If I run the search manually, e.g. over the past hour, it seems to return accurate results.
... View more
10-01-2010
01:54 PM
1 Karma
This worked for what I need. Cut the searches from 2 hours to 2 minutes when run against the summary index.
... View more
09-23-2010
03:36 PM
Can you point to where I should start looking for how to do this? I am not really interested in the _raw events in the transaction per se, but the fields this transaction would normally generate which I could then use reporting operations on. Given those fields, I can customize the drilldown to use live data as needed.
mid="106908193"
icid="166122699"
mailfrom="jae-language+punEKLvrDf_UaCRaq1vSTfHzVbjrd@rswrte1xthvxlc.org"
mailto="towanda.ollie@cindy.edu"
mailto="carri.west@cindy.edu"
mailto="mark.susann@cindy.edu"
mailto="felisa@cindy.edu"
mailto="tabetha.bowman@cindy.edu"
dcid="51145731"
... View more
09-23-2010
01:45 PM
1 Karma
I have the following search which I would like to use to populate a summary index for reporting (run every 30 minutes or so to keep the summary index relatively up to date). Right now I am executing this transaction in saved searches to report on fields the cisco_esa_addon extracts (e.g. a search for a sender domain piped to "chart count(mailto) over mailfrom") but the searches take a long time to execute (up to 2 hours for a 24 hour period) as it operates on a very large set of data (~20 million events per day from our ironport cluster). The fillnull command is due to a csv lookup that is applied to the sourcetype cisco_esa that marks known large volume senders as "status=safe".
eventtype="cisco_esa" | transaction mid maxspan=180s | fillnull value=NULL status
A sample transaction is below:
<22>Sep 23 09:25:21 mail_logs: Info: Start MID 106908193 ICID 166122699
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ICID 166122699 From: <jae-language+punEKLvrDf_UaCRaq1vSTfHzVbjrd@rswrte1xthvxlc.org>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ICID 166122699 RID 0 To: <towanda.ollie@cindy.edu>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ICID 166122699 RID 1 To: <carri.west@cindy.edu>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ICID 166122699 RID 2 To: <mark.susann@cindy.edu>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ICID 166122699 RID 3 To: <felisa@cindy.edu>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ICID 166122699 RID 4 To: <tabetha.bowman@cindy.edu>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 Message-ID '<465C0721A14CC844B81CB20CA2E66025A269C1D97D@mchex2k7>'
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 Subject 'Question'
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 ready 4617 bytes from <jae-language+punEKLvrDf_UaCRaq1vSTfHzVbjrd@rswrte1xthvxlc.org>
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 matched all recipients for per-recipient policy Silas 2 in the inbound table
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 interim verdict using engine: CASE spam negative
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 using engine: CASE spam negative
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 interim AV verdict using Sophos CLEAN
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 antivirus negative
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 queued for delivery
<22>Sep 23 09:25:21 mail_logs: Info: Delivery start DCID 51145731 MID 106908193 to RID [0, 1, 2, 3, 4]
<22>Sep 23 09:25:21 mail_logs: Info: Message done DCID 51145731 MID 106908193 to RID [0, 1, 2, 3, 4]
<22>Sep 23 09:25:21 mail_logs: Info: MID 106908193 RID [0, 1, 2, 3, 4] Response 'Ok'
<22>Sep 23 09:25:21 mail_logs: Info: Message finished MID 106908193 done
I have tried following several of the suggestions posted in forum questions about populating a summary index from a transaction, but they either don't populate the summary index or they don't capture the original fields in such a fashion that I can report upon the data. Is there a way to preserve this as a multiline event with fields in a summary index?
... View more
09-15-2010
06:38 PM
1 Karma
I am having issues with the dashboard for E-Mail Security. When navigating to the dashboard it kicks off a new search "Cisco IronPort E-mail - DataCube" with the logged in user as the owner and "SplunkforCiscoSecurity" as the application. The scheduled searches that have completed show "splunk-system-user" as the owner and "cisco_esa_addon" as the application. Splunk never uses the cached results from the previous saved searches to populate the dashboard. As I am dealing with very large sets of data (>20 million events per day from our Ironport cluster), waiting for the search to complete after navigating to the page is not possible (the scheduled searches take over two hours to execute).
... View more
- Tags:
- app-cisco-will
05-20-2010
03:26 PM
1 Karma
I would like to see this feature as well, seems simple enough to implement - just the reverse of auto-lb from forwarders to the indexers.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-04-2025
12:20 PM
|
