did you downgrade to version 3.x?
or are you still using version 4.x?
Part of the functionality we want was enabled after 4.0, but if they told you to go back to three it is not an option for us.
yes, you can enable the index and forward option but this will work to forward to another Splunk indexer because the data has been already cooked. The alternative is to use props and transforms to change the routing to use syslog to avoid additional Splunk headers.
Alternative would be to use regular expression:
index="test" | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?<url>.+)\?"
| stats count by url | sort -count
This is a tricky one: authorize.conf is where the roles are defined, so what we do is create an application called
auth_dev
and we include in the default folder two files:
authorize.conf
authentication.conf
in authorize.conf we define the role:
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
srchMaxTime = 0
in authentication.conf we define the map for ldap group:
[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP
Then we push this app from the deployer.
The thing you need to consider is that the local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we can't update this file from the deployer, but once we set it up the first time, we don't need to modify it anymore:
so in your etc/system/local/authentication.conf for all your search heads you will have something like:
[authentication]
authSettings = MYCOMPANY-LDAP-DEV
authType = LDAP
[MYCOMPANY-LDAP-DEV]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com
bindDNpassword = ****$1$H#shedPasword=****
charset = utf8
groupBaseDN = ou=groups,dc=mycompanydomain,dc=com
groupBaseFilter = (cn=SOME_AD*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.mycompany.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = ou=people,dc=mycompany,dc=com
userNameAttribute = cn
emailAttribute = mail
bindDNpassword will be different on each SH.
Next time you need to add another role, just modify the auth_dev app and that is it.
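A small consistency check for the pushed auth_dev app, added here as an example and not part of the original answer. It assumes the two files are read from the app's default/ folder and that srchIndexesAllowed uses plain index names (a bare `*` wildcard is honoured); the sample stanzas are constructed, with one extra, undefined role mapped so the check reports something.

```python
import configparser
from typing import List

# Constructed sample of the two files shipped in the auth_dev app's default/
# folder, mirroring the post. A second, undefined role is mapped on purpose
# so the check has something to report.
AUTHORIZE_CONF = """
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
srchMaxTime = 0
"""
AUTHENTICATION_CONF = """
[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP
somethingelse = OTHER_AD_GROUP
"""

def load_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style stanzas; keep key case intact."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_auth_app(authorize_text: str, authentication_text: str) -> List[str]:
    """Return problems found; an empty list means the app is consistent."""
    authorize = load_conf(authorize_text)
    authentication = load_conf(authentication_text)
    problems: List[str] = []
    for stanza in authentication.sections():
        # Only roleMap_* belongs in the pushed app: the LDAP strategy with its
        # hashed bindDNpassword stays in each SH's etc/system/local copy.
        if not stanza.startswith("roleMap_"):
            problems.append(f"authentication.conf: unexpected stanza [{stanza}]")
            continue
        for role, group in authentication[stanza].items():
            if not authorize.has_section(f"role_{role}"):
                problems.append(f"{stanza}: '{role}' ({group}) has no [role_{role}] stanza")
    for stanza in authorize.sections():
        if not stanza.startswith("role_"):
            continue
        def indexes(key: str) -> set:
            return {i.strip() for i in authorize[stanza].get(key, "").split(",") if i.strip()}
        allowed, default = indexes("srchIndexesAllowed"), indexes("srchIndexesDefault")
        if "*" not in allowed:  # a wildcard grants every index, so skip the subset check
            for idx in sorted(default - allowed):
                problems.append(f"{stanza}: default index '{idx}' not in srchIndexesAllowed")
    return problems

if __name__ == "__main__":
    print("\n".join(check_auth_app(AUTHORIZE_CONF, AUTHENTICATION_CONF)) or "OK")
```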
The easiest way would be to change the external script to include the header, but if this is not an option we need to fix the lookup to force "host" header, this is what I would do:
| inputlookup puppet_results.csv | transpose | transpose | eval host='row 1' | fields - "row 1", column | outputlookup puppet_resultswithheader.csv
That would fix the column name as host and use the first value you had before as a value, not as a header.
Then you can run your query:
index=_internal | dedup host | inputlookup append=t puppet_resultswithheader.csv | stats count by host | where count < 2
index=blah HOST1 OR HOST2 pam_unix session opened
| rex field=_raw "\d+\sPM\s(?<host>\w+)"
| rex field=_raw "for\suser\s(?<user>\w+)"
| transaction startswith=HOST1 endswith=HOST2 maxevents=2 keepevicted=true
| where closed_txn==0
This will give you any user that opened a session in host2 but not in host1.
if for example you have:
First Kind of event,Some More field,Authentication,7,More,More
Second Kind of event,Data,Data,Data,Data,Data,Data,LogOFF,7,More,More
and you want to get the 7:
(Authentication\,\d+|LogOFF\,\d)
Probably when you installed the UF on that server all options were checked during the installation, so that UF is trying to collect information from Active Directory, Performance Monitor, Network, etc.
If you just want to enable Windows event logs (System, Security and Application), you need to make sure the rest of the inputs are disabled.
Go to apps/Splunk_TA_Windows/local/inputs.conf and make sure the additional ones are disabled = true.