Activity Feed
- Got Karma for Encrypted information from deployer to search head. 07-18-2024 07:25 AM
- Got Karma for How to use deployer to push app to the search head cluster?. 06-05-2020 12:49 AM
- Got Karma for Re: Splunk Enterprise Security: Adaptive Response Action Adhoc invocation failed. 06-05-2020 12:49 AM
- Got Karma for Re: Custom search command always shows Statistics tab. 06-05-2020 12:48 AM
- Got Karma for Splunk Enterprise Security: Do I need to create a new correlation search to use threat intelligence?. 06-05-2020 12:48 AM
- Posted How to get information in ModularAction on All Apps and Add-ons. 04-18-2019 07:55 AM
- Tagged How to get information in ModularAction on All Apps and Add-ons. 04-18-2019 07:55 AM
- Posted Re: Encrypted information from deployer to search head on Deployment Architecture. 12-05-2017 01:06 PM
- Posted Re: Encrypted information from deployer to search head on Deployment Architecture. 12-05-2017 06:53 AM
- Posted Re: Encrypted information from deployer to search head on Deployment Architecture. 12-05-2017 05:50 AM
- Posted Encrypted information from deployer to search head on Deployment Architecture. 12-04-2017 01:55 PM
- Tagged Encrypted information from deployer to search head on Deployment Architecture. 12-04-2017 01:55 PM
- Posted Re: How to use deployer to push app to the search head cluster? on Deployment Architecture. 12-04-2017 10:26 AM
- Posted How to use deployer to push app to the search head cluster? on Deployment Architecture. 12-04-2017 10:09 AM
04-18-2019 07:55 AM
We are developing a ModularAction using the CIM framework, and we want to know how to get the following information:
trigger_date
trigger_timeHMS
trigger_time
These are the possible tokens a user can enter into the config according to this doc:
https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog#Pass_search_result_values_to_alert_action_tokens
Thank you very much in advance!
12-05-2017 01:06 PM
Thanks!
I will look for the REST endpoint.
12-05-2017 06:53 AM
Hmmmm....
There is one disadvantage of this approach. It relies on the setup of the search heads. We develop an add-on for customers, and there is no guarantee that all the customers will set up their search heads like this. As a matter of fact, this is not mentioned in the guideline about setting up a search cluster.
I imagine some, if not most, customers did not set up their search cluster this way. Then this approach won't work.
Is it possible to get the (decrypted) pass4SymmKey via the Splunk SDK? Then we can use it to generate a key. Since this is for sure the same for the deployer and all search heads, we wouldn't need to rely on the splunk.secret?
Thanks.
12-05-2017 05:50 AM
Thanks for your information!
I want to make sure I understand this right.
Start a new deployer. It will generate a splunk.secret file automatically (in $SPLUNK_HOME/etc/auth);
copy this splunk.secret file to a new search head before starting it for the first time. Then the search head will use this splunk.secret as the seed to create keys? Those keys will then be the same as the keys used by the deployer?
Then an encrypted password in password.conf can be pushed from the deployer to the search head, because both the deployer and the search head are now using the same key to encrypt/decrypt?
Thanks!
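As an added check for the procedure described in the post above (example code, not from the original thread or from Splunk): a small POSIX shell script that fingerprints splunk.secret on two instances so the hashes can be compared across deployer and search heads, and scans an app's passwords.conf for credentials that are not stored in Splunk's encrypted `$1$`/`$7$` form. The file paths and sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed paths:
# $SPLUNK_HOME/etc/auth/splunk.secret on each instance, and
# $SPLUNK_HOME/etc/apps/<app>/local/passwords.conf for stored credentials.

# Prints the SHA-256 fingerprint of a splunk.secret file. Run this on the
# deployer and on every search head member, then compare the output.
secret_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when both splunk.secret files hash identically, 1 otherwise.
# A mismatch means a $7$ value encrypted on the deployer cannot be
# decrypted on that search head.
same_splunk_secret() {
    a=$(secret_fingerprint "$1")
    b=$(secret_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Prints how many 'password =' values in a passwords.conf are NOT in
# Splunk's encrypted form (encrypted values start with $1$ or $7$).
# Anything counted here is a clear-text credential on disk.
count_cleartext_passwords() {
    grep -E '^[[:space:]]*password[[:space:]]*=' "$1" \
        | sed -E 's/^[^=]*=[[:space:]]*//' \
        | grep -Evc '^\$[17]\$' || true
}

# Demo on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-deployer-secret\n' > "$tmp/deployer.secret"
    cp "$tmp/deployer.secret" "$tmp/sh1.secret"
    printf 'constructed-other-secret\n' > "$tmp/sh2.secret"
    cat > "$tmp/passwords.conf" <<'EOF'
[credential::api_user:]
password = $7$CONSTRUCTED_CIPHERTEXT
[credential::legacy_user:]
password = hunter2
EOF
    same_splunk_secret "$tmp/deployer.secret" "$tmp/sh1.secret" \
        && echo "sh1: same splunk.secret as deployer"
    same_splunk_secret "$tmp/deployer.secret" "$tmp/sh2.secret" \
        || echo "sh2: different splunk.secret, pushed ciphertext will not decrypt"
    echo "clear-text passwords found: $(count_cleartext_passwords "$tmp/passwords.conf")"
    rm -rf "$tmp"
}
```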
12-04-2017 01:55 PM
1 Karma
We want to use the Splunk deployer to push our add-on to the search heads, but have questions about the encrypted information.
First of all, if I understand it right, the add-on has to be set up from the deployer, right? The setup link won't even show up in a search head for an add-on.
During the setup of our add-on there are some passwords we take from the user, and we need to store them for later use. We post them to the storage/passwords endpoint. So the passwords will be encrypted in the password.conf.
Now if the deployer pushes this add-on to the search heads, how can they decrypt these please?
Thanks.
12-04-2017 10:26 AM
So for each app I install, if I want the deployer to push, I have to manually copy it over? That is the official way to do it?
Thanks.
12-04-2017 10:09 AM
1 Karma
After I installed "Splunk Machine Learning Toolkit" on the deployer (as a test), I want to push it to the search head cluster.
But the "splunk apply shcluster-config ....." command shows an error ".../splunk/etc/shcluster is likely empty".
I checked the folders. Apparently the above app has been installed to the ....../splunk/etc/apps folder, not the shcluster folder.
What did I do wrong please?
Do I need to copy it manually to the shcluster folder?
Or does it mean I setup the deployer incorrectly?
Thanks!
11-08-2017 12:50 PM
4 Karma
I am going to answer my question. 🙂
With help from Splunk ES support, it turns out each field (parameter) in the alert UI must be specified in the alert_actions.conf (and defined in the alert_actions.conf.spec). This is not required for invocation from a correlation search.
11-08-2017 06:45 AM
Hello,
We have an AR Action, and it works fine with a correlation search. But when we try to invoke it as an adhoc action, it fails with the following error message:
ActiveResponseException: Invalid parameter for adhoc modular action.
We use the sendalert command in our alert_actions.conf, so according to the Splunk documentation, it should support adhoc invocation. The command we use in our alert_actions.conf follows the Splunk example for adaptive response:
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count
None of the log files in $SPLUNK_HOME/var/log/splunk folder provides useful information. How can we debug this please?
Thanks!
09-22-2017 11:33 AM
Seems to be related to the role setting of the power user. If I grant the admin_all_objects capability to the power user, then it works. Not sure if our customer likes it though. So still looking for alternatives.
09-22-2017 10:59 AM
If I move the alert_actions.conf from $SPLUNK_HOME/etc/apps/OUR_ADDON/default to $SPLUNK_HOME/etc/system/local, then the power user can see it. Even though he still has trouble editing it.
09-22-2017 10:39 AM
From Settings->All configurations, the power user can't find the Alert Actions.
The admin can find it from Settings->Alert Actions and Settings->All configurations, and the permission is set to Read/Write for everyone.
09-22-2017 09:57 AM
Settings -> Alert Actions only appears for admin user, right? No such thing for power user somehow.
09-22-2017 06:57 AM
Our customer installed our Addon using an admin account. Now the admin wants to give a power user permission to modify/use this addon. How can this be done please? The admin already granted Read/Write permission on this Addon to everyone. But for a power user, this Addon still does not show up in the available Trigger Actions selections of an Alert.
Everything works fine with the admin account. But customer wants to use the power user account to control it.
Thanks!
09-14-2017 07:31 AM
Ok, answering my own question. One way to contribute. 🙂
You need to set the following env var:
SPLUNKD_URI
to the FQDN of your machine. Then it will work.
09-13-2017 02:21 PM
Hello,
We want to enable Splunkd SSL, so we put
enableSplunkdSSL = true
to server.conf.
We generated a certificate using the FQDN as the CN of the certificate.
Then in our AddOn, we use splunk.getLocalServerInfo() to get the URL:port. The problem is that splunk.getLocalServerInfo() always returns https://127.0.0.1:8089, even if we change MgmtHostPort in web.conf. As a result, we always get an error:
SSLError: hostname '127.0.0.1' doesn't match xxxxxx, where xxxxxx is the CN we set for the certificate.
So how shall this work? Shall we use 127.0.0.1 as the CN to create a cert? Or shall we not call getLocalServerInfo()?
Thanks!
09-11-2017 01:36 PM
1 Karma
Actually it does not need v2. V1 works as well. Just need to set this in your command.conf for the command:
retainsevents=true
09-11-2017 12:57 PM
How can you do that please?
09-08-2017 12:51 PM
Replace the first "shape" with "script shape".
07-11-2017 10:30 AM
The result of this pre-built correlation search is shown in the "Threat Activity Detected" dashboard? Somehow it does not work.
1. We added a simple CSV file with an IP address 10.122.25.51.
2. We verified that this IP address appears in the ip_intel. This means Splunk ES parsed the CSV file and extracted the IOC properly, right?
3. We verified that there are simulated active events with dest="10.122.25.51". But there is no notable event created. The Threat Activity Detected dashboard does not show a notable event caused by this IP address being detected.
Anything missing here? How can we debug this please?
Thanks!
07-11-2017 08:51 AM
1 Karma
Hello,
We are researching integration with Splunk Enterprise Security (ES), and I have a question about threat intelligence.
I added a CSV file for threat intelligence download, and I can see that the IP address stored in the CSV file has been extracted successfully and added to the threat intelligence artifacts. My question is how to use this newly added IOC? Do I need to create a new correlation search to use it? Or will it be used automatically by the Splunk ES built-in correlation search?
Thanks!
07-06-2017 11:47 AM
This does not work for Splunk Cloud, right? There is no "install apps from file" button for Splunk Cloud. Only available for Splunk on-prem?
07-06-2017 11:45 AM
I see. Thanks!
06-30-2017 06:59 PM
For example this one:
https://splunkbase.splunk.com/app/3163/
06-30-2017 08:12 AM
Some of the certified custom Apps do not appear in the Browse More Apps pages. Why is that?
Also, how can I install those Apps to my Splunk Cloud free trial instance please?
Thanks,