Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About pablobarquin
pablobarquin
Explorer
Member since:
03-12-2020
10-24-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 03-12-2020 |
Activity Feed
- Posted Re: Undocumented error message in _internal on Monitoring Splunk. 10-24-2022 08:53 AM
- Karma What does this undocumented error message in _internal mean? for gesa_behrens. 10-24-2022 08:52 AM
- Posted Re: Why is Splunk Add-on for Google Workspace inputs getting 401 response? on Getting Data In. 08-11-2022 03:53 AM
- Tagged Re: Why is Splunk Add-on for Google Workspace inputs getting 401 response? on Getting Data In. 08-11-2022 03:53 AM
- Posted Re: Why is Splunk Add-on for Google Workspace inputs getting 401 response? on Getting Data In. 08-08-2022 06:34 AM
- Got Karma for Re: Need help with a search/subsearch not providing the expected results. 02-04-2021 12:38 PM
- Posted Re: Need help with a search/subsearch not providing the expected results on Splunk Search. 02-03-2021 11:37 PM
- Posted Re: Need help with a search/subsearch not providing the expected results on Splunk Search. 02-03-2021 02:29 PM
- Posted Need help with a search/subsearch not providing the expected results on Splunk Search. 02-02-2021 02:26 PM
- Posted Re: G Suite For Splunk on All Apps and Add-ons. 03-12-2020 07:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
10-24-2022
08:53 AM
We have the same situation with version 8.2.8 Any idea about the root cause? Thanks!
... View more
08-11-2022
03:53 AM
We now have the input working for the admin SDK via GCP for Splunk- Addon, the root cause of the authorization issue was a GCP service account needing to do user impersonation of a GWS account with proper admin rights (not what Splunk support advised). https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba762db09092
... View more
08-08-2022
06:34 AM
Hello, Did you have any luck fixing the issue? we are getting exactly the same error and we are getting crazy trying to make it work but with no luck so far. Any help will be very welcome. Thanks!
... View more
02-03-2021
11:37 PM
1 Karma
@bowesmana Many thanks for your help here! Finally, I'm getting the expected results with the following query: (index=tenable repository=DISCOVERY sourcetype="tenable:sc:vuln" pluginID=11936) OR (index=snow_ci sourcetype=cmdb_ci_server SYS_CLASS_NAME="Windows Server" OPERATIONAL_STATUS!=Retired NOT IP_ADDRESS IN ("0.0.0.0", "255.255.255.255", "127.0.0.1", "169.254.*") earliest=-24h)
| rex "(?i)Remote operating system : (?P<os>[\D\d]+(?=Confidence level))"
| rex "(?i)Confidence level : (?P<os_confidencial_level>[\d]+)"
| makemv delim="\n" os
| search (index=tenable AND os=*windows*server*) OR index=snow_ci
| eval IP_ADDRESS=if(index="tenable", "__N/A__", IP_ADDRESS)
| regex IP_ADDRESS="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|__N/A__"
| eval ip=if(index="tenable", ip, IP_ADDRESS)
| stats dc(index) as indexCount values(index) as indexes values(dnsName) as dnsName values(os) as os values(os_confidencial_level) as os_confidencial_level by ip
| where indexCount=1 and indexes="tenable"
| fields - indexCount indexes
| sort 0 - os_confidencial_level I have accepted your first answer as the solution to the problem 🙂
... View more
02-03-2021
02:29 PM
@bowesmana, many thanks for your prompt reply 🙂 I have tried with your suggestion and it only works (it delivers the expected 11137 results) if I just leave the ip field in the stats command: (index=tenable repository=DISCOVERY sourcetype="tenable:sc:vuln" pluginID=11936) OR (index=snow_ci sourcetype=cmdb_ci_server SYS_CLASS_NAME="Windows Server" OPERATIONAL_STATUS!=Retired NOT IP_ADDRESS IN ("0.0.0.0", "255.255.255.255", "127.0.0.1", "169.254.*") earliest=-24h)
| rex "(?i)Remote operating system : (?P<os>[\D\d]+(?=Confidence level))"
| rex "(?i)Confidence level : (?P<os_confidencial_level>[\d]+)"
| makemv delim="\n" os
| search (index=tenable AND os=*windows*server*) OR index=snow_ci
| eval IP_ADDRESS=if(index="tenable", "__N/A__", IP_ADDRESS)
| regex IP_ADDRESS="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|__N/A__"
| eval ip=if(index="tenable", ip, IP_ADDRESS)
| stats dc(index) as indexCount values(index) as indexes by ip
| where indexCount=1 and indexes="tenable" In the moment I add the remaining fields (or even one more like the dnsName), it delivers many results (29498). Those fields exist in the tenable index but not in the snow_ci. Any idea why this is happening? Thanks again for your help!
... View more
02-02-2021
02:26 PM
Hello there! I need help with a search that is not providing the expected results. Let me share the details and background information: This search provides the list of the Windows server's IPs found by a network discovery scan: index=tenable sourcetype="tenable:sc:vuln" repository=DISCOVERY pluginID=11936
| rex "(?i)Remote operating system : (?P<os>[\D\d]+(?=Confidence level))"
| rex "(?i)Confidence level : (?P<os_confidencial_level>[\d]+)"
| makemv delim="\n" os
| search os=*windows*server*
| table ip dnsName os os_confidencial_level
| dedup ip dnsName os It delivers a total of 28806 IPs. This another search provides the list of the Windows server's IPs located in the CMDB: index=snow_ci sourcetype=cmdb_ci_server SYS_CLASS_NAME="Windows Server" OPERATIONAL_STATUS!=Retired NOT IP_ADDRESS IN ("0.0.0.0", "255.255.255.255", "127.0.0.1", "169.254.*") earliest=-24h
| regex IP_ADDRESS="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
| dedup IP_ADDRESS
| rename IP_ADDRESS as ip
| table ip I get a total of 22845 IPs. This means that ideally the number of Windows servers in the shadow should be 28806 - 22845 = 5961 So I'm trying to get a similar value with this final search: index=tenable repository=DISCOVERY sourcetype="tenable:sc:vuln" pluginID=11936
| rex "(?i)Remote operating system : (?P<os>[\D\d]+(?=Confidence level))"
| rex "(?i)Confidence level : (?P<os_confidencial_level>[\d]+)"
| makemv delim="\n" os
| search os=*windows*server*
| search NOT
[ search index=snow_ci sourcetype=cmdb_ci_server SYS_CLASS_NAME="Windows Server" OPERATIONAL_STATUS!=Retired NOT IP_ADDRESS IN ("0.0.0.0", "255.255.255.255", "127.0.0.1", "169.254.*") earliest=-24h
| regex IP_ADDRESS="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
| dedup IP_ADDRESS
| rename IP_ADDRESS as ip
| fields ip ]
| table ip dnsName os os_confidencial_level
| dedup ip dnsName os But unfortunately I'm not getting the expected results. I should get the IPs included in the first search but NOT in the second one, not sure why but I'm getting many results (21025) with IPs from the subsearch too. While troubleshooting I have tried this: if at the end of the whole search we look for the IPs that are removed with the subsearch, if the subsearch is working fine, we should get 0 results, which is exactly what I get! index=tenable repository=DISCOVERY sourcetype="tenable:sc:vuln" pluginID=11936
| rex "(?i)Remote operating system : (?P<os>[\D\d]+(?=Confidence level))"
| rex "(?i)Confidence level : (?P<os_confidencial_level>[\d]+)"
| makemv delim="\n" os
| search os=*windows*server*
| search NOT
[ search index=snow_ci sourcetype=cmdb_ci_server SYS_CLASS_NAME="Windows Server" OPERATIONAL_STATUS!=Retired NOT IP_ADDRESS IN ("0.0.0.0", "255.255.255.255", "127.0.0.1", "169.254.*") earliest=-24h
| regex IP_ADDRESS="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
| dedup IP_ADDRESS
| rename IP_ADDRESS as ip
| fields ip ]
| table ip dnsName os os_confidencial_level
| dedup ip dnsName os
| search
[ search index=snow_ci sourcetype=cmdb_ci_server SYS_CLASS_NAME="Windows Server" OPERATIONAL_STATUS!=Retired NOT IP_ADDRESS IN ("0.0.0.0", "255.255.255.255", "127.0.0.1", "169.254.*") earliest=-24h
| regex IP_ADDRESS="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
| dedup IP_ADDRESS
| rename IP_ADDRESS as ip
| fields ip ] So what is the issue here? This is driving me crazy so any help will be really appreciated. Thanks!
... View more
Labels
- Labels:
-
subsearch
03-12-2020
07:55 AM
Hello,
I have exactly the same issue. Weird thing is that Gsuite app is installed since looong time ago with no issues and suddenly this message is appearing in all user's searches/reports/dashboards.
The index we are using is googleapps so I have no idea why this is raising suddenly.
Any ideas?
Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-24-2022
12:14 PM
|
