Activity Feed
- Posted Re: Noob guide to configure on All Apps and Add-ons. 10-13-2020 05:42 PM
- Posted Re: Can a built-in forwarder without configuration options (useAck) connect to a Splunk indexer cluster that uses "u on Deployment Architecture. 10-13-2020 05:35 PM
- Posted Re: Is there any Mobile Iron device(MDM) integration documentation. on Dashboards & Visualizations. 10-13-2020 05:19 PM
- Posted Re: Is there any Mobile Iron device(MDM) integration documentation. on Dashboards & Visualizations. 10-13-2020 05:16 PM
- Posted Re: Can someone explain how splunk stream can be used to get email headers on All Apps and Add-ons. 08-04-2020 10:48 PM
- Posted Can someone explain how splunk stream can be used to get email headers on All Apps and Add-ons. 08-04-2020 08:50 PM
- Posted Re: How does Splunk Streams handle a SMTP stream containing multiple emails? on All Apps and Add-ons. 08-04-2020 08:42 PM
- Posted Re: Building AD Lookups in MS Windows AD Objects on All Apps and Add-ons. 07-21-2020 07:10 PM
- Posted Re: UniversalForwarder ParsingQueue filling up on Deployment Architecture. 05-20-2020 03:33 PM
- Posted After Upgrade ES to 6.1.0 Getting error as Health Check: Intelligence download of "icann_top_level_domain_list" has failed on host XXX in SA-ThreatIntelligence on Splunk Enterprise Security. 05-03-2020 08:22 PM
- Posted Health Check:msg="A script exited abnormally with exit status:1" on Splunk Enterprise Security. 04-29-2020 03:45 PM
10-13-2020 05:42 PM
Hi, I am looking to integrate Splunk and MobileIron Core. At the MobileIron Core end, it prompts me to enter indexer details. Our current architecture is UF->HF->IDX->SH; I am looking for ways to configure it to send either to the HFs or to the IDX cluster. Are there any docs or leads, please? Also, where can I download the app "MobileIron App for Splunk Enterprise"?
10-13-2020 05:35 PM
Hi, I am looking at how to integrate MobileIron Core data into Splunk HFs or a Splunk indexer cluster. Any leads, please?
10-13-2020 05:19 PM
Hi, our existing Splunk architecture is UF->HF->IDX->SH. My question here is: is that the only way to get data from MobileIron Core to Splunk? How do I send the data to the HF instead of the IDX? Thanks, Sangeetha
10-13-2020 05:16 PM
Hi, I have the same question. Our existing Splunk architecture is UF->HF->IDX->SH. My question here is: is that the only way to get data from MobileIron Core to Splunk, or is there a way to send the data to the HF instead of the IDX?
08-04-2020 10:48 PM
@thambisetty date_time doesn't look like the time when the message was sent by the user. Also, I am looking for the original IP field to be the actual sender IP. https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-2019
08-04-2020 08:50 PM
The goal is to find the delay between the time the sender sends the mail and the time the recipient receives it; if the delay is more than 10 minutes, then alert.
Options tried:
Message tracking logs (C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking) in Exchange Server 2010. But the logs didn't provide the actual time when the user sent the email, and the original IP of the sender is replaced with that of the LB/Exchange server/relay server/firewall.
So now I am looking for other options. One of them is using Splunk Stream.
Please provide your suggestions.
Labels: configuration, development
08-04-2020 08:42 PM
Can someone explain how splunk stream can be used to get email headers
07-21-2020 07:10 PM
Hi Shogan, I am getting the same error whenever I run the report ms_ad_obj_sched_sync_user: subsearch]: No matching fields exist. [subsearch]: No results. Created empty file 'AD_Objects_Queue_Main'. Also, the field sync_dn_chg is always 0. Please help. The issue is for all the searches that use the macro |`ms_ad_obj_sched_sync_objects_base("","")`
05-20-2020 03:33 PM
I know this is a very old post. I am seeing the same problem. Only name=execprocessorinternalq and parsingQueue are blocked, and that too only for one forwarder. The others are working fine. Deployment is UF->HFs->IDXs.
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=execprocessorinternalq, blocked=true, max_size_kb=500, current_size_kb=499, current_size=162, largest_size=162, smallest_size=162
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=fschangemanager_queue, max_size_kb=5120, current_size_kb=1, current_size=7, largest_size=7, smallest_size=7
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=httpinputq, max_size_kb=0, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=nullqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=10240, current_size_kb=10239, current_size=308, largest_size=308, smallest_size=308
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=splunktcpin, max_size_kb=0, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=structuredparsingqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
05-20-2020 19:16:10.812 +1000 INFO Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
05-03-2020 08:22 PM
Only for the stanza icann_top_level_domain_list, we are getting the error "threat list download failed after multiple retries".
Here is the sample log:
2020-04-16 23:30:15,664+0000 INFO pid=17793 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="2" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-16 23:31:45,919+0000 INFO pid=17793 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="1" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-16 23:33:16,208+0000 INFO pid=17793 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="0" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-16 23:34:16,256+0000 INFO pid=17793 tid=MainThread file=threatlist.py:download_csv:417 | stanza="icann_top_level_domain_list" retries_remaining="-1" status="threat list download failed after multiple retries" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-17 02:51:43,154+0000 INFO pid=17044 tid=MainThread file=threatlist.py:run:459 | status="continuing" msg="Processing stanza" name="threatlist://icann_top_level_domain_list"
2020-04-17 02:51:43,154+0000 INFO pid=17044 tid=MainThread file=threatlist.py:run:473 | status="retrieved_checkpoint_data" stanza="icann_top_level_domain_list" last_run="1587079694.838963"
2020-04-17 02:51:43,154+0000 INFO pid=17044 tid=MainThread file=threatlist.py:download_csv:364 | status="CSV download starting" stanza="icann_top_level_domain_list"
2020-04-17 02:52:13,381+0000 INFO pid=17044 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="3" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-17 02:53:43,697+0000 INFO pid=17044 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="2" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-17 02:55:13,916+0000 INFO pid=17044 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="1" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-17 02:56:44,174+0000 INFO pid=17044 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="0" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-04-17 02:57:44,234+0000 INFO pid=17044 tid=MainThread file=threatlist.py:download_csv:417 | stanza="icann_top_level_domain_list" retries_remaining="-1" status="threat list download failed after multiple retries" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-05-02 02:51:43,206+0000 INFO pid=23520 tid=MainThread file=threatlist.py:run:459 | status="continuing" msg="Processing stanza" name="threatlist://icann_top_level_domain_list"
2020-05-02 02:51:43,207+0000 INFO pid=23520 tid=MainThread file=threatlist.py:run:473 | status="retrieved_checkpoint_data" stanza="icann_top_level_domain_list" last_run="1587091903.1543882"
2020-05-02 02:51:43,207+0000 INFO pid=23520 tid=MainThread file=threatlist.py:download_csv:364 | status="CSV download starting" stanza="icann_top_level_domain_list"
2020-05-02 02:52:13,858+0000 INFO pid=23520 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="3" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-05-02 02:53:44,127+0000 INFO pid=23520 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="2" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-05-02 02:55:14,407+0000 INFO pid=23520 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="1" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-05-02 02:56:44,681+0000 INFO pid=23520 tid=MainThread file=threatlist.py:download_csv:390 | stanza="icann_top_level_domain_list" retries_remaining="0" status="retrying download" retry_interval="60" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
2020-05-02 02:57:44,703+0000 INFO pid=23520 tid=MainThread file=threatlist.py:download_csv:417 | stanza="icann_top_level_domain_list" retries_remaining="-1" status="threat list download failed after multiple retries" url="https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
04-29-2020 03:45 PM
Health Check:msg="A script exited abnormally with exit status:1" is popping up for the below inputs:
input=".opt/splunk/etc/apps/SA-Utils/bin/dm_accel_settings.py"
input="opt/splunk/etc/apps/SA-Utils/bin/configuration_check.py"
The internal log for all of the above shows "Client is not authenticated".
Internal log dm_accel_settings.log:
ERROR pid=23024 tid=MainThread file=dm_accel_settings.py:run:182 | status="REST exception encountered when updating acceleration settings" model=Splunk_Audit,exc=[HTTP 401] Client is not authenitcated
ERROR pid=23024 tid=MainThread file=dm_accel_settings.py:run:182 | status="REST exception encountered when updating acceleration settings" model=Risk,exc=[HTTP 401] Client is not authenitcated
ERROR pid=23024 tid=MainThread file=dm_accel_settings.py:run:182 | status="REST exception encountered when updating acceleration settings" model=Incident_Management,exc=[HTTP 401] Client is not authenitcated
ERROR pid=23024 tid=MainThread file=dm_accel_settings.py:run:182 | status="REST exception encountered when updating acceleration settings" model=Endpoint,exc=[HTTP 401] Client is not authenitcated
ERROR pid=23024 tid=MainThread file=dm_accel_settings.py:run:182 | status="REST exception encountered when updating acceleration settings" model=Domain_Analysis,exc=[HTTP 401] Client is not authenitcated
ERROR pid=23024 tid=MainThread file=dm_accel_settings.py:run:182 | status="REST exception encountered when updating acceleration settings" model=Change,exc=[HTTP 401] Client is not authenitcated
Internal log
04-28-2020 01:37 AM
Hi David, thanks for your response. Here is the python_modular_input.log:
2020-04-28 01:09:28,980+0000 ERROR pid=32226 tid=MainThread file=base_modinput.py:execute:773 | Execution failed: [HTTP 401] Client is not authenticated
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/modinput/base_modinput.py", line 764, in execute
always_run=always_run)
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/modinput/base_modinput.py", line 315, in do_run
self.run(stanzas)
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_content_importer.py", line 199, in run
exec_status, exec_status_msg = should_execute(session_key=self.input_config.session_key)
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/pooling.py", line 186, in should_execute
if is_cluster_member(session_key):
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/pooling.py", line 53, in is_cluster_member
r, c = splunk.rest.simpleRequest(uri, sessionKey=session_key, getargs=getargs)
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 553, in simpleRequest
raise splunk.AuthenticationFailed
splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated
2020-04-28 01:09:29,057+0000 INFO pid=32351 tid=MainThread file=base_modinput.py:execute:718 | Execute called
2020-04-28 01:09:29,218+0000 ERROR pid=32351 tid=MainThread file=base_modinput.py:execute:773 | Execution failed: [HTTP 401] Client is not authenticated
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 764, in execute
always_run=always_run)
File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 315, in do_run
self.run(stanzas)
File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 890, in run
self._stanza_name)
File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 690, in getStanzaNamespace
response, content = splunk.rest.simpleRequest(uri, getargs=getargs, sessionKey=session_key)
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 553, in simpleRequest
raise splunk.AuthenticationFailed
splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated
2020-04-28 01:10:28,836+0000 INFO pid=1547 tid=MainThread file=base_modinput.py:execute:718 | Execute called
2020-04-28 01:10:29,027+0000 INFO pid=1685 tid=MainThread file=base_modinput.py:execute:718 | Execute called
2020-04-28 01:10:29,082+0000 INFO pid=1695 tid=MainThread file=base_modinput.py:execute:718 | Execute called
2020-04-28 01:10:29,107+0000 INFO pid=1656 tid=MainThread file=base_modinput.py:execute:718 | Execute called
2020-04-28 01:10:29,126+0000 ERROR pid=1685 tid=MainThread file=base_modinput.py:execute:773 | Execution failed: [HTTP 401] Client is not authenticated
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/modinput/base_modinput.py", line 764, in execute
always_run=always_run)
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/modinput/base_modinput.py", line 315, in do_run
self.run(stanzas)
File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/app_permissions_manager.py", line 214, in run
Here is the configuration_check.log:
2020-04-25 12:42:30,124+0000 INFO pid=17198 tid=MainThread file=configuration_check.py:run:135 | status="retrieved task" task="confcheck_app_exports"
2020-04-25 12:42:30,241+0000 ERROR pid=17198 tid=MainThread file=configuration_check.py:run:277 | status="Authentication exception when executing configuration check" exc="[HTTP 401] Client is not authenticated"
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-Utils/bin/configuration_check.py", line 139, in run
entity_id, sessionKey=self.input_config.session_key)
File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 572, in get
return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 552, in get
entity = self._get_entity(id, host_path=host_path)
File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 468, in _get_entity
return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
File "/opt/splunk/lib/python3.7/site-packages/splunk/entity.py", line 276, in getEntity
serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 553, in simpleRequest
raise splunk.AuthenticationFailed
splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated
2020-04-25 12:42:30,243+0000 INFO pid=17198 tid=MainThread file=configuration_check.py:run:299 | status="exiting" exit_status="2"
2020-04-25 12:43:30,108+0000 INFO pid=18332 tid=MainThread file=configuration_check.py::304 | status="starting"
2020-04-25 12:43:30,110+0000 INFO pid=18332 tid=MainThread file=configuration_check.py:run:129 | status="executing"
2020-04-25 12:43:30,110+0000 INFO pid=18332 tid=MainThread file=configuration_check.py:run:135 | status="retrieved task" task="confcheck_app_exports"
2020-04-25 12:43:30,220+0000 ERROR pid=18332 tid=MainThread file=configuration_check.py:run:277 | status="Authentication exception when executing configuration check" exc="[HTTP 401] Client is not authenticated"
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-Utils/bin/configuration_check.py", line 139, in run
entity_id, sessionKey=self._input_config.session_key)
File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 572, in get
return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 552, in get
entity = self._get_entity(id, host_path=host_path)
File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 468, in _get_entity
return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
File "/opt/splunk/lib/python3.7/site-packages/splunk/entity.py", line 276, in getEntity
serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 553, in simpleRequest
raise splunk.AuthenticationFailed
splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated
2020-04-25 12:43:30,222+0000 INFO pid=18332 tid=MainThread file=configuration_check.py:run:299 | status="exiting" exit_status="2"
2020-04-25 12:44:30,066+0000 INFO pid=19331 tid=MainThread file=configuration_check.py::304 | status="starting"
2020-04-25 12:44:30,067+0000 INFO pid=19331 tid=MainThread file=configuration_check.py:run:129 | status="executing"
04-27-2020 08:24 PM
We recently upgraded Splunk Enterprise to 8.0.2.1 and all the apps in our environment to the latest version. One of them is the Splunk Enterprise Security app, upgraded to 6.1.0. We started receiving error messages such as "Health Check: msg="A script exited abnormally with exit status:1" input="opt/splunk/etc/apps/SA-Utils/bin/configuration_check.py stanza="configuration_check://confcheck_escorrelationmigration".
Similar errors are popping up for all the input stanzas in SplunkEnterpriseSecuritySuite configuration_check://