Activity Feed
- Got Karma for Data not showing up on Search Head - Distributed environment. 06-05-2020 12:49 AM
- Posted Do we need to install this add-on on indexers? on All Apps and Add-ons. 11-20-2018 10:29 AM
- Tagged Do we need to install this add-on on indexers? on All Apps and Add-ons. 11-20-2018 10:29 AM
- Posted Re: Blue Coat Field extractor name=custom_client_events is unusually slow on All Apps and Add-ons. 11-20-2018 09:43 AM
- Posted Re: Splunk for Blue Coat ProxySG: ProxySG logs indexing in the wrong format on All Apps and Add-ons. 11-20-2018 09:23 AM
- Posted Re: index named "default" shows up in DMC on Installation. 07-30-2018 10:29 PM
- Posted index named "default" shows up in DMC on Installation. 07-30-2018 11:38 AM
- Tagged index named "default" shows up in DMC on Installation. 07-30-2018 11:38 AM
- Posted Re: How to integrate the Blue Coat WSS app with Splunk? on All Apps and Add-ons. 08-16-2017 06:36 AM
- Posted Re: Can I use the same indexers for a Splunk Enterprise search head and another search head? on Splunk Enterprise Security. 08-16-2017 06:35 AM
- Posted Can I use the same indexers for a Splunk Enterprise search head and another search head? on Splunk Enterprise Security. 08-15-2017 09:51 AM
- Tagged Can I use the same indexers for a Splunk Enterprise search head and another search head? on Splunk Enterprise Security. 08-15-2017 09:51 AM
- Posted Splunk Enterprise Security: How to deploy the included add-ons to forwarders? on Splunk Enterprise Security. 08-15-2017 09:21 AM
- Tagged Splunk Enterprise Security: How to deploy the included add-ons to forwarders? on Splunk Enterprise Security. 08-15-2017 09:21 AM
11-20-2018
10:29 AM
Please let me know whether we need to install this add-on on our indexers. I have already installed the same on the heavy forwarders and the search head.
11-20-2018
09:43 AM
The custom format defined in this TA does not work.
$(gmttime) $(x-bluecoat-appliance-name) bluecoat[0]: SPLV5 c-ip=$(c-ip) Content-Type=$(quot)$(rs(Content-Type) )$(quot) cs-auth-group=$(cs-auth-group) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-port=$(cs-uri-port) cs-uri-query=$(cs-uri-query) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent) )$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) s-sitename=$(s-sitename) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-bluecoat-appliance-name=$(x-bluecoat-appliance-name) x-bluecoat-appliance-primary-address=$(x-bluecoat-appliance-primary-address) x-bluecoat-application-name=$(x-bluecoat-application-name) x-bluecoat-application-operation=$(x-bluecoat-application-operation) x-bluecoat-proxy-primary-address=$(x-bluecoat-proxy-primary-address) x-bluecoat-transaction-uuid=$(x-bluecoat-transaction-uuid) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer) )$(quot)
11-20-2018
09:23 AM
On ProxySG, you need to change the log format to text instead of gzip. This should resolve the issue.
07-30-2018
10:29 PM
index=main does not return any value for the last week, and I am running this on my DMC, which is searching all Splunk instances in our environment.
07-30-2018
11:38 AM
Hi All,
See the screenshot below. This screenshot is from the Indexing --> License Usage section in the DMC. It shows that an index named "default" has taken up almost 50 GB of our license. However, I could not find this index on our indexers. Also, the command below does not return an index with this name.
| eventcount summarize=false index=* | dedup index | fields index
Can anyone suggest what this could be?
Regards, Shubham
Labels: license
08-16-2017
06:36 AM
Can anyone help on this?
08-16-2017
06:35 AM
Is this the only concern? Is there anything else that we need to take care of?
08-15-2017
09:51 AM
I am in the process of a Splunk Enterprise Security deployment. Regarding the deployment of add-ons to my indexers, the documentation says:
"Splunk Enterprise Security is running on a complex deployment, such as one Enterprise Security search head and one search head for other searches both using the same set of indexers"
"Contact Splunk Professional Services for assistance with deploying add-ons to your indexers."
What are the issues with using the same set of indexers for the ES search head and another search head? Does anyone have documentation on how to deploy this successfully?
Regards,
Shubham
08-15-2017
09:21 AM
I have recently deployed Splunk Enterprise Security (ES) on one of our Search Heads. While installing, it could not proceed, since I had two add-ons already installed (Splunk Add-on for Microsoft Windows and Splunk Add-on for Tenable) using my deployment server. I removed those add-ons from the deployment server and I was able to install ES. Now, one section in ES documentation says, "Deploy add-ons included with Splunk Enterprise Security": http://docs.splunk.com/Documentation/ES/4.7.2/Install/InstallTechnologyAdd-ons
Now my question is, how should I deploy these add-ons to my forwarders? Shall I use the deployment server to deploy them, or does that conflict with ES? I am confused.
Regards,
Shubham
08-09-2017
02:32 AM
Hi,
We are planning to use TCP syslog to send logs from network devices to heavy forwarders and from there to indexers. The heavy forwarders will be load balanced using an external load balancer, and each heavy forwarder will be configured to send logs to two indexers using the internal Splunk forwarder load balancing in outputs.conf.
Considering this, logs from the same network device will be divided between the heavy forwarders and hence between the indexers as well. Are there any challenges in this setup that I am not aware of? We will be using the ES app for event correlation and security alerting.
Will the search head be able to correlate events coming from the same source but stored on different indexers? Is there something I need to take care of?
Regards,
Shubham
08-03-2017
03:02 PM
Thanks for your swift response. I was able to see logs after I searched using Index=wineventlog. How can I ensure that the Search app has default access to this index and is able to show the data summary on the default page?
08-03-2017
11:33 AM
1 Karma
We have a distributed Splunk environment. I am using Splunk_TA_windows on universal forwarders to send security event logs to a heavy forwarder and then to the indexer. I can see that data is being sent to the indexer, since I can see the size of the index growing; however, on my search head I cannot see this data. The indexer has been added as a search peer on my search head.
What could be the possible issue?
Thanks in advance,
Shubham
08-03-2017
10:39 AM
We have a distributed Splunk environment. We are using a universal forwarder to get logs from a Windows server. Deployment server is being used to deploy apps to different components. To which components should I deploy the Splunk Add-on for Microsoft Windows?
07-19-2017
03:03 AM
Thanks. It works.
07-19-2017
01:31 AM
I have made the changes as suggested, and it is not working as intended. After making the changes, I stopped receiving logs on the indexer.
The following is the output from btool.
/opt/splunk/etc/apps/search/local/inputs.conf [udp://9514]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/apps/search/local/inputs.conf connection_host = ip
/opt/splunk/etc/system/local/inputs.conf host = "Hostname of HF"
/opt/splunk/etc/apps/search/local/inputs.conf index = meraki_logs
/opt/splunk/etc/apps/search/local/inputs.conf sourcetype = meraki
Can you please direct me on how to troubleshoot this?
07-18-2017
02:22 AM
Thanks. But I am using the GUI to create UDP receivers on the HF. Shall I create inputs.conf under the local folder on the HF and use that instead?
07-13-2017
07:32 AM
Hi All,
We are collecting different logs from the same source on different UDP ports on a heavy forwarder. The heavy forwarder forwards all of these logs to the indexer on a single port. We would like the logs collected on the different UDP ports on the heavy forwarder to be stored in different indexes on our indexer, in order to apply different storage and retention policies.
Can someone guide me on how to achieve this?
Regards, Shubham
Labels: heavy forwarder
06-15-2017
12:38 PM
We are using the Blue Coat (now Symantec) Web Security Service in our environment. We have received the Blue Coat WSS app for Splunk, but there is no documentation available for it. Has anyone succeeded in integrating Splunk with Blue Coat WSS?
Thanks in advance.
Shubham