Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About PavelP
PavelP
Motivator
Member since:
12-03-2013
17 hours ago
Community Statistics
| Posts | 394 |
| Solutions | 61 |
| Karma Given | 77 |
| Karma Received | 53 |
| Member Since | 12-03-2013 |
Activity Feed
- Posted Re: App for McAfee/SkyHigh Web Gateway (MWG/SWG/SSE) Issues on All Apps and Add-ons. Sunday
- Posted Re: How to create a search to find the matching host in a index from the list of hosts ? on Splunk Search. 10-21-2022 09:04 AM
- Got Karma for Re: Error while executing scripted input deployed from universal forwarder.. 08-11-2022 02:24 AM
- Posted Re: Why is it that on my Splunk Cloud: settings get merged into SA-IdentityManagement? on Knowledge Management. 06-02-2022 08:59 AM
- Posted Re: Splunk Cloud: settings get merged into SA-IdentityManagement on Knowledge Management. 06-02-2022 08:34 AM
- Posted Why is it that on my Splunk Cloud: settings get merged into SA-IdentityManagement? on Knowledge Management. 06-02-2022 07:58 AM
- Got Karma for Re: Having trouble establishing connection with Splunk server for McAfee ePO integration.. 12-20-2021 05:15 AM
- Got Karma for Re: Having trouble establishing connection with Splunk server for McAfee ePO integration.. 12-20-2021 05:15 AM
- Got Karma for Re: .bash_history. 08-05-2021 04:37 AM
- Got Karma for Re: Sendemail command does not work. 12-16-2020 06:18 AM
- Got Karma for Re: How to check the expiration date of a certificate?. 09-01-2020 06:58 AM
- Got Karma for Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?. 08-24-2020 02:02 PM
- Got Karma for Re: Indexer Splunkd services are not able to run. 07-09-2020 10:18 AM
- Karma Re: AWS TA - S3 Generic input. Insane Memory Usage! for nickhills. 06-15-2020 04:41 PM
- Got Karma for Re: AWS TA - S3 Generic input. Insane Memory Usage!. 06-12-2020 08:52 AM
- Karma Re: List of users who searched data of an index for to4kawa. 06-05-2020 12:51 AM
- Karma Re: Universal forwarder Sourcetype name changes itself for richgalloway. 06-05-2020 12:51 AM
- Karma Re: Splunk says bundle directory contains a large lookup file in .delta file but the .delta file does not contain a large lookup for harsmarvania57. 06-05-2020 12:51 AM
- Karma Re: Splunk web fails to start after upgrade to 8.0.1 - UnicodeDecodeError: 'ascii' codec can't decode for srauhala_splunk. 06-05-2020 12:51 AM
- Karma Re: Raspberry Pi Universal Forwarder Bug Report for splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz: for darrenfuller. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 |
Sunday
Hello @fmcgheeSplunk truncated logs can by caused by the UDP transport but most common on indexer. Have you installed an add-on also on indexer to apply magic 6 settings for the ingestion? Duplicate proxy log is a common issue for high rate log inputs, when the same url requested by the same user multiple times per second, to confirm it you can add millisecond resolution to the timestamp. Is it cloud or on premise proxy? How you transfer logs from proxy to splunk, using syslog or UF? Have you run through this onboarding checklist: http://proxy-test.com/README.html#onboarding_checklist
... View more
10-21-2022
09:04 AM
if you can define hosts using a wildcard (as in your example hostA to hostZ): | metasearch index=IndexA host=host* | stats values(host) AS host if host* is to broad then you can restrict it with | where host IN or similar
... View more
06-02-2022
08:59 AM
it is a cloud environment, classic experience, so no luck with btool :-(. All what we have is an option to query /servicesNS/-/-/configs/conf-props REST endpoint I have no doubts to solve this problem on CLI if it were on premise setup...
... View more
06-02-2022
08:34 AM
SA-IdentityManagement is a hidden app, there are no way to just "create" KO in it using UI. This app comes with ES (actually a part of ES setup) and should not be modified by user. I can positive confirm there is no other user that could do this intentionally. Any other ideas?
... View more
06-02-2022
07:58 AM
Environment: Splunk ES SH running in cloud (Classic experience). There are two apps for a particular sourcetype (let's call it "sourcetype-x"):
TA-customer-props (the old one)
zzz-customer_props (the new one)
Settings > Sourcetype > sourcetype-x > edit > Advanced > adding some new extractions and evals
When I'm trying to dump all props using REST API call, I see that my settings are merged in a SA-IdentityManagement , how come?
As far I know, the SA-IdentityManagement should contain lookups only.
Is the any way to "de-configure" sourcetype-x from TA-customer-props and SA-IdentityManagement and leave it's configuration in zzz-customer_props only?
... View more
Labels
- Labels:
-
other
06-04-2020
04:29 AM
Hello @suzyd,
sar files are binary and cannot be read by Splunk as such. You need to use sar or sadf command to convert them into text.
You can convert sar raw files on the source system or push them on the universal or heavy forwarder via rsync/scp/etc. and process there.
I've tried various methods but ended with real time push using scripting input: https://splunkbase.splunk.com/app/1803/#/details
You can modify this app for your need as required.
... View more
06-02-2020
10:40 PM
Hello @joshnetwolf
what are the last lines in the output of ./splunk start?
what does the env variable $INSTANCE_ID contains?
After any environment variables are expanded, the server name
(if not an IPv6 address) can only contain letters, numbers, underscores,
dots, and dashes. The server name must start with a letter, number, or an
underscore.
... View more
05-31-2020
10:09 AM
@vrajshekar the second link is not available: The message you are trying to access is not available.
... View more
05-29-2020
09:08 AM
difficult to say without seeing your data, but seems to be not a splunk issue.
Have you tried ask on McAfee community forum:
ePO: https://community.mcafee.com/t5/ePolicy-Orchestrator/bd-p/epolicy-orchestrator
SIEM: https://community.mcafee.com/t5/Security-Information-and-Event/bd-p/siem
If you post there, please leave a link here, so everybody can benefit.
... View more
05-29-2020
06:41 AM
Hello @vrajshekar
is it possible you have 1512 different events in the DB? They cannot be duplicate because they have different AutoID values.
... View more
05-28-2020
06:24 PM
Hello @mvor
can you create a network capture with tcpdump/snoop on the Solaris itself? Don't filter by port, just filter out ssh
... View more
05-28-2020
02:54 PM
@socrates4rufio
is splunk running on windows or linux?
what happens if you click ignore/continue cert warning in Chrome? The same 500 Internal error?
can you post a full browser warning you get?
check also splunkd_access.log and splunkd_ui_access.log for 500 error and post the matching lines here
try to find any lines in splunkd.log matching the time when you navigating to Settings > Data Input
if not logged as admin - try to relogin as admin and test again. Do you get the same 500 error?
... View more
05-28-2020
10:42 AM
Hello @socrates4rufio
do you see any errors in $SPLUNK_HOME/var/log/splunk/splunkd.log ?
... View more
05-28-2020
02:00 AM
@jadengoho
tags are not exclusive for data models and used generally to assign names to specific field and value combinations, so if you search for tag=windows or tag::windows you get windows-related (coming from) events.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Abouttagsandaliases
... View more
05-27-2020
08:20 AM
@bijenderkhosya I think this will work if the cert verification is disabled. I think you cannot enable cert verification selectively.
The setup described in the pdf doesn't use mutual authenticated TLS, only DS' certificate is verified, the UF's certificate is not verified.
... View more
Hello @bijenderkhosya
as @gcusello mentioned, SSL is already enabled, but default certificates are used, which means the connection is not "secure" and can be MitM-ed.
Please follow these steps: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPractices.pdf
... View more
05-27-2020
06:52 AM
Hello @conwaw,
it's a pity that there are no such section "security considerations" in a planing manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,
... View more
05-27-2020
06:01 AM
Hello @jlongworth
you can find this information in the operating system's logs:
Windows - eventvwr.msc - installation
Linux - find the installation date and time in /var/log/yum*log or /var/log/dpgk*log and correlate it with output of last command
you can find it using splunk UI if these logs are indexed by splunk
... View more
05-27-2020
04:16 AM
I've just tested - splunk cron doesn't accept any special cron characters, except listed on the doc page (*,-/)
... View more
05-27-2020
01:19 AM
Hello @gpradeepkumarreddy,
not a response that you asking, but a suggestion anyway:
is switching to KVstore instead of
static lookup an option?
Please consider KV-Store vs CSV lookup:
https://dev.splunk.com/enterprise/docs/developapps/kvstore/#The-KV-Store-vs-CSV-files
https://dev.splunk.com/enterprise/docs/developapps/kvstore/migrateyourappfromusingcsv/
another options is to use gziped CSV files.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
17 hours ago
|
Karma given to
