Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About datasearchninja
datasearchninja
Communicator
Member since:
05-07-2011
Community Statistics
| Posts | 73 |
| Solutions | 21 |
| Karma Given | 14 |
| Karma Received | 54 |
| Member Since | 2011-05-07 |
| colinhumphreys@nbnco.com.au |
Activity Feed
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 02-28-2024 07:15 AM
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 08-24-2023 06:07 AM
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 08-14-2022 11:19 PM
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 08-12-2022 08:34 AM
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 01-18-2022 06:44 AM
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 12-07-2021 12:02 PM
- Got Karma for Re: Why is the frozen data not deleted automatically?. 11-05-2021 11:36 AM
- Got Karma for Re: How to use a subsearch to search across two indexes with no common field?. 05-12-2021 02:27 AM
- Got Karma for Re: Splunk DB Connect: How can I recover MSSQL encrypted database passwords?. 07-31-2020 05:56 AM
- Karma Re: How to make a custom REST endpoint in Splunk? for LukeMurphey. 06-05-2020 12:50 AM
- Karma Re: What are your Splunk t-shirt ideas? for landen99. 06-05-2020 12:49 AM
- Karma Re: How come custom search commands (CSC) SCPv2 cannot handle large event sets? for kulick. 06-05-2020 12:49 AM
- Karma Re: Can you ignore indexing of a header field on a CSV file? for richgalloway. 06-05-2020 12:49 AM
- Karma Re: In the search head, why am I not able to see which heavy forwarder the logs are coming from? for FrankVl. 06-05-2020 12:49 AM
- Karma Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached for MuS. 06-05-2020 12:49 AM
- Got Karma for Re: Inputcsv using a regex for the filename?. 06-05-2020 12:49 AM
- Got Karma for Re: Poor ldapsearch performance - SA-ldapsearch app. 06-05-2020 12:49 AM
- Got Karma for Re: Poor ldapsearch performance - SA-ldapsearch app. 06-05-2020 12:49 AM
- Got Karma for Re: Poor ldapsearch performance - SA-ldapsearch app. 06-05-2020 12:49 AM
- Got Karma for Re: Poor ldapsearch performance - SA-ldapsearch app. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
07-31-2019
09:11 PM
Well done on this triage! I have not looked into this issue in the last year or so, but I do see there is now a pull request on the issue in github, which I have not yet had a look at. https://github.com/splunk/splunk-sdk-python/issues/150 https://github.com/splunk/splunk-sdk-python/pull/251
... View more
10-28-2018
10:29 PM
I downvoted this post because the other answer on this page is more correct
... View more
09-25-2018
03:27 PM
70000 is greater than the maximum of 10000 for a subsearch. You either need to transpose your results in the subsearch so that rows become columns, or move the large output to be the first query so it is no longer a subsearch.
... View more
09-23-2018
09:04 PM
1 Karma
By default, there is no field stored in the data that indicates which splunk instance that parsed/cooked the data.
You only have splunk_server which is the indexer where the data for that search is on disk, and the host field which will be the source of the data, unless you have overwritten the host field with a transform, or explicitly set it to something else in inputs.conf. (And this is likely the case where you are receiving firewall logs)
If this is really a requirement, you could create an additional indexed field (in the example below I call this splunk_parser) to store the data.
On the heavy forwarder, in inputs.conf:
[default]
_meta = splunk_parser::<ENTERYOURHEAVYFORWARDERNAMEHERE>
On your search head, configure fields.conf to let splunk know this is an indexed field:
[splunk_parser]
INDEXED = True
INDEXED_VALUE = False
... View more
09-23-2018
04:35 PM
Your query is using join when it shouldn't the correct use for this is as I suggested. Note this is lookup, not inputlookup:
index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip]
|stats values(field1) values(field2) by src_ip
|lookup mylookup.csv src_ip
... View more
09-23-2018
04:33 PM
yes, this would show that.
... View more
09-20-2018
08:44 PM
See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Concurrency
Assuming that the starttime is in field '_time', and the duration is in the field duration, to get the number of concurrent calls at that event, then bucket _time per second to find the maximum concurrency per second:
index=data ...
| concurrency start=_time duration=duration
| bin _time span=1s
| stats max(concurrency) as concurrency by _time
... View more
09-20-2018
08:36 PM
1 Karma
How about a shell process that autogenerates a lookup table with the csv file names in it.
The below (adjusted for actual full paths), to list the filepath of the newest csv:
#!/bin/sh
echo filename > SPLUNKPATH/etc/apps/my_app/lookups/vcenter_reports.csv
ls -t SPLUNKPATH/var/run/splunk/vcenter_reports/*.csv >> SPLUNKPATH/etc/apps/my_app/lookups/vcenter_reports.csv
This could be executed regularly via cron, yourown custom splunk command, or with something like the command modular input https://splunkbase.splunk.com/app/1553/#/details
Then use your exisitign approach with an iinputlookup:
inputcsv [| inputlookup vcenter_reports.csv | return $filename]
... View more
09-20-2018
02:37 AM
1 Karma
Because you want to search on the field value, not the kv pair, you need to use the special column name "search" in the field name in the subsearch.
So:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID | rename xyzID as search ] | table _time, _raw
This will evaluate to:
index=abc_test ((56789))
rather than
index=abc_test ( ( xyzID="56789" ) )
See http://docs.splunk.com/Documentation/Splunk/7.1.3/Search/Changetheformatofsubsearchresults for more details.
... View more
09-20-2018
12:34 AM
Subsearches like you are calling with 'join' and 'append' are limited to 10000 rows by default. See http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_considerations
... View more
09-19-2018
11:40 PM
The Splunk ML toollkit is sitting on top of a copy of Anaconda Python 2.7 sitting in Splunk_SA_Scientific_Python_linux_x86_64 (or other relevant OS/arch directory)
It is possible to just download a copy of Anaconda 2.7 and then copy over the relevant modules. From my notes it looks like https://repo.anaconda.com/archive/Anaconda2-4.0.0-Linux-x86_64.sh out of https://repo.anaconda.com/archive/ is a good place to start. Install it on its own, and then install the relevant module, then copy the directory, and deps over to the splunk app module directory Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7. When testing you need to make sure you execute via the splunk python to call the anaconda python as the install uses libraries from both.
If you want to install them in a different Splunk app than the ML app, you will need to copy over and perhaps modify the exec_anaconda.py as per the instructions in the SA README. I have successfully done this to add pandas and pyarrow to a custom application which uses the base numpy package out of Splunk_SA_Scientific_Python_linux_x86_64.
To use Splunk_SA_Scientific_Python, copy exec_anaconda.py into your app's bin directory. At the top of your custom search command, add the following preamble:
#!/usr/bin/python import
exec_anaconda
exec_anaconda.exec_anaconda() # Put
the rest of your imports below, e.g.:
import numpy as np
... View more
09-19-2018
06:48 PM
You need to add some hours into the calculation to shift the base hours into the next day when it is somewhere between 8pm -> midnight
So:
earliest=+4h@d-4h
When it is between midnight and 8pm, this will calculate to 8pm yesterday, after 8pm it will be 8pm today
latest=+4h@d+14h
When it is between midnight and 8pm, this will calculate to 2pm today, after 8pm it will be 2pm tommorrow
... View more
09-19-2018
06:14 PM
The most perfomant option will be to look them up from the lookup after the stats command
So:
index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip]
| stats values(field1) values(field2) by src_ip
| lookup mylookup.csv src_ip
... View more
09-18-2018
10:02 PM
1 Karma
I have just been looking at an issue to fetch data from an endpoint that requires this approach. What I found is that setting the r.cookies values does NOT work, but setting the cookie directly in the header does...
e..g: This doesn't work:
if cookies:
r.cookies = cookies
but this does:
if cookies and "myauthcookiename" in cookies:
r.headers['Cookie'] = "myauthcookiename=" + cookies["myauthcookiename"])
... View more
07-05-2018
01:53 PM
1 Karma
It requires glibc which will be in all rhel base installs.
... View more
07-04-2018
10:22 PM
Hi, if you set the CHECK_METHOD in a props.conf on the universal forwarder to modtime, then the splunkd.log will have a entry when the file is created.
E.g: If /opt/splunkforwarder/etc/system/local/inputs.conf had an entry:
[monitor:///data/test/*.trg]
And there was a /opt/splunkforwarder/etc/system/local/props.conf with an entry:
[source::/data/test/*.trg]
CHECK_METHOD = modtime
Then when a file is created the splunkd.log will have an entry liek the following:
# date
Thu Jul 5 15:19:53 AEST 2018
# touch /data/test/my_new_file.trg
# grep trg /opt/splunkforwarder/var/log/splunk/splunkd.log
07-05-2018 15:20:08.415 +1000 INFO WatchedFile - Will use tracking rule=modtime for file='/data/test/my_new_file.trg'.
If these splunkd logs are forwarded, you can search them in the index=_internal
... View more
07-03-2018
04:03 PM
As an update, I've seen the ctypes stuff is only used in the directory sync portion of the ldap3 library, so removing that bit means the ctypes library isn't needed, and the app can stay portable...
Just comment out these 2 lines:
--- ldap3/protocol/microsoft.py.orig 2018-07-04 09:02:54.502926488 +1000
+++ ldap3/protocol/microsoft.py 2018-07-03 20:58:38.366085375 +1000
@@ -23,7 +23,7 @@
# along with ldap3 in the COPYING and COPYING.LESSER files.
# If not, see <http://www.gnu.org/licenses/>.
-import ctypes
+#import ctypes
from pyasn1.type.namedtype import NamedTypes, NamedType
from pyasn1.type.tag import Tag, tagClassApplication, tagFormatConstructed
@@ -112,7 +112,7 @@
flags |= 0x80000000
# converts flags to signed 32 bit (AD expects a 4 bytes long unsigned integer, but ASN.1 Integer type is signed
# so the BER encoder gives back a 5 bytes long signed integer
- flags = ctypes.c_long(flags & 0xFFFFFFFF).value
+ #flags = ctypes.c_long(flags & 0xFFFFFFFF).value
control_value.setComponentByName('Flags', flags)
control_value.setComponentByName('MaxBytes', max_length)
... View more
07-01-2018
04:31 PM
Hi, can you send through the search from the search bar that made the graph in your original post? (If it is in a dashboard, when you mouseover it, you can select the magnifying lens icon to open the underlying search)
... View more
06-28-2018
07:59 PM
Yes you can do this with a case statement, so assuming your graph is currently produced like this, where the numbers are in afield call 'line':
| stats count by line
You could then do this, defaulting back to the number if you haven't set a value:
| eval text=case(line=="181","text_for_181",line=="211","text_for_211",line=="212","maxis",line==42","text_for_42",1==1,line)
| stats count by text
... View more
06-24-2018
09:54 PM
I have had good results by upgrading the version of ldap3 that ships with the package. See my answer in https://answers.splunk.com/answers/587284/poor-ldapsearch-performance-sa-ldapsearch-app.html?childToView=667314#answer-667314
... View more
06-24-2018
09:54 PM
I have had good results by upgrading the version of ldap3 that ships with the package. See my answer in https://answers.splunk.com/answers/587284/poor-ldapsearch-performance-sa-ldapsearch-app.html?childToView=667314#answer-667314
... View more
06-24-2018
09:50 PM
7 Karma
I have had really good results by upgrading the ldap3 library that ships with the package to the latest version. This is complicated by a change in name of some attributes, and a dependancy on ctypes which also makes it non portable. However I'm seeing a reduction in time of a full query of one directory from 4 hours to 3 minutes.
https://github.com/cannatag/ldap3/archive/v2.5.tar.gz
http://downloads.sourceforge.net/project/ctypes/ctypes/1.0.2/ctypes-1.0.2.tar.gz
On a system with python + python-devel 2.7 (RHEL 7):
$ cd ~
$ tar zxf ctypes-1.0.2.tar.gz
$ cd ctypes-1.0.2
$ python setup.py build
$ tar zxf ldap3-2.5.tar.gz
$ cd ldap3-2.5
$ python setup.py build
$ cd /opt/splunk/etc/apps/
$ tar zxvf ~/splunk-supporting-add-on-for-active-directory_217.tgz
$ rm -fR SA-ldapsearch/bin/packages/ldap3
$ mv ~/ctypes-1.0.2/build/lib.linux-x86_64-2.7/* SA-ldapsearch/bin/packages/
$ mv ~/ldap3-2.5/build/lib/ldap3 SA-ldapsearch/bin/packages/
$ cd SA-ldapsearch
$ patch -p1 < ~/SA-ldapsearch.patch
The patch
$ cat ~/SA-ldapsearch.patch
diff -Naur ./SA-ldapsearch.2.1.7/bin/ldapfetch.py SA-ldapsearch/bin/ldapfetch.py
--- ./SA-ldapsearch.2.1.7/bin/ldapfetch.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/ldapfetch.py 2018-06-25 14:27:13.465247255 +1000
@@ -64,7 +64,7 @@
"""
configuration = app.Configuration(self, is_expanded=True)
expanded_domain = app.ExpandedString(self.domain)
- search_scope = ldap3.SEARCH_SCOPE_BASE_OBJECT
+ search_scope = ldap3.BASE
search_filter = '(objectClass=*)'
try:
diff -Naur ./SA-ldapsearch.2.1.7/bin/ldapfilter.py SA-ldapsearch/bin/ldapfilter.py
--- ./SA-ldapsearch.2.1.7/bin/ldapfilter.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/ldapfilter.py 2018-06-25 14:27:13.465247255 +1000
@@ -50,9 +50,9 @@
**Default:** sub.
''',
default='sub', validate=validators.Map(
- base=ldap3.SEARCH_SCOPE_BASE_OBJECT,
- one=ldap3.SEARCH_SCOPE_SINGLE_LEVEL,
- sub=ldap3.SEARCH_SCOPE_WHOLE_SUBTREE
+ base=ldap3.BASE,
+ one=ldap3.LEVEL,
+ sub=ldap3.SUBTREE
))
decode = Option(
diff -Naur ./SA-ldapsearch.2.1.7/bin/ldapgroup.py SA-ldapsearch/bin/ldapgroup.py
--- ./SA-ldapsearch.2.1.7/bin/ldapgroup.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/ldapgroup.py 2018-06-25 14:27:13.465247255 +1000
@@ -68,7 +68,7 @@
"""
configuration = app.Configuration(self, is_expanded=True)
expanded_domain = app.ExpandedString(self.domain)
- search_scope = ldap3.SEARCH_SCOPE_BASE_OBJECT
+ search_scope = ldap3.BASE
search_filter = '(objectCategory=Group)'
attributes = ['objectSid']
diff -Naur ./SA-ldapsearch.2.1.7/bin/ldapsearch.py SA-ldapsearch/bin/ldapsearch.py
--- ./SA-ldapsearch.2.1.7/bin/ldapsearch.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/ldapsearch.py 2018-06-25 14:27:13.465247255 +1000
@@ -14,6 +14,7 @@
from time import time
import ldap3
import app
+import datetime
@Configuration(retainsevents=True)
@@ -53,9 +54,9 @@
**Default:** sub.
''',
default='sub', validate=validators.Map(
- base=ldap3.SEARCH_SCOPE_BASE_OBJECT,
- one=ldap3.SEARCH_SCOPE_SINGLE_LEVEL,
- sub=ldap3.SEARCH_SCOPE_WHOLE_SUBTREE
+ base=ldap3.BASE,
+ one=ldap3.LEVEL,
+ sub=ldap3.SUBTREE
))
debug = Option(
@@ -108,13 +109,14 @@
yield LdapSearchCommand._record(
serial_number, time_stamp, connection.server.host, dn, attributes, attribute_names, encoder)
serial_number += 1
+ GeneratingCommand.flush
if self.limit and serial_number == self.limit:
break
pass
pass
- except ldap3.LDAPException as error:
+ except ldap3.core.exceptions.LDAPException as error:
self.error_exit(error, app.get_ldap_error_message(error, configuration))
return
@@ -127,10 +129,14 @@
for name, value in attributes.iteritems():
if isinstance(value, str):
attributes[name] = b64encode(value)
+ elif isinstance(value, datetime.datetime):
+ attributes[name] = str(value)
elif isinstance(value, list):
for i in range(len(value)):
if isinstance(value[i], str):
value[i] = b64encode(value[i])
+ elif isinstance(value[i], datetime.datetime):
+ value[i] = str(value[i])
raw = encoder.encode(attributes)
diff -Naur ./SA-ldapsearch.2.1.7/bin/ldaptestconnection.py SA-ldapsearch/bin/ldaptestconnection.py
--- ./SA-ldapsearch.2.1.7/bin/ldaptestconnection.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/ldaptestconnection.py 2018-06-25 14:27:13.465247255 +1000
@@ -11,7 +11,7 @@
from collections import Iterable
from itertools import chain
from json import JSONEncoder
-from ldap3 import Connection, SEARCH_SCOPE_BASE_OBJECT
+from ldap3 import Connection, BASE
from ldap3.core.exceptions import LDAPException
from ldapsearch import LdapSearchCommand
from time import time
@@ -55,7 +55,7 @@
servers = configuration.server if isinstance(configuration.server, Iterable) else (configuration.server,)
search_base = configuration.basedn
search_filter = '(objectClass=*)'
- search_scope = SEARCH_SCOPE_BASE_OBJECT
+ search_scope = BASE
attribute_names = 'distinguishedName',
records = []
diff -Naur ./SA-ldapsearch.2.1.7/bin/packages/app/configuration.py SA-ldapsearch/bin/packages/app/configuration.py
--- ./SA-ldapsearch.2.1.7/bin/packages/app/configuration.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/packages/app/configuration.py 2018-06-25 14:25:40.464586343 +1000
@@ -9,7 +9,7 @@
import ssl
import sys
-from ldap3 import Server, Tls, LDAPSSLConfigurationError, GET_ALL_INFO
+from ldap3 import Server, Tls, core, ALL
from splunklib.searchcommands.validators import Boolean, Integer, List, Map
from splunklib.binding import HTTPError
from splunklib import data
@@ -318,10 +318,8 @@
tls = Tls(
ca_certs_file=ca_cert_file if ca_cert_file else None,
validate=ssl.CERT_REQUIRED if ssl_verify_server_cert else ssl.CERT_NONE,
- version=version,
- use_ssl_context=True if version==ssl.PROTOCOL_SSLv23 else False,
- ssl_no_v2=ssl_no_v2, ssl_no_v3=ssl_no_v3)
- except LDAPSSLConfigurationError as error:
+ version=version)
+ except core.exceptions.LDAPSSLConfigurationError as error:
message = 'SSL configuration issue: {0}'.format(error)
command.error_exit(error, message)
return
@@ -365,7 +363,7 @@
ca_certs_file=ca_cert_file if ca_cert_file else None,
validate=ssl.CERT_REQUIRED if ssl_verify_server_cert else ssl.CERT_NONE,
version=version)
- except LDAPSSLConfigurationError as error:
+ except core.exceptions.LDAPSSLConfigurationError as error:
message = 'SSL configuration issue: {0}'.format(error)
command.error_exit(error, message)
return
@@ -527,7 +525,7 @@
def create_server(hostname):
return Server(
- hostname, int(port), use_ssl, formatter=formatter, get_info=GET_ALL_INFO,
+ hostname, int(port), use_ssl, formatter=formatter, get_info=ALL,
allowed_referral_hosts=[('*', True)], tls=tls)
self.server = create_server(host[0]) if len(host) == 1 else [create_server(h) for h in host]
diff -Naur ./SA-ldapsearch.2.1.7/bin/packages/app/__init__.py SA-ldapsearch/bin/packages/app/__init__.py
--- ./SA-ldapsearch.2.1.7/bin/packages/app/__init__.py 2018-05-29 22:53:10.000000000 +1000
+++ SA-ldapsearch/bin/packages/app/__init__.py 2018-06-25 14:25:40.463586336 +1000
@@ -324,7 +324,7 @@
# Example: The message produced for LDAPInvalidCredentialsResult
error.message = error.message.replace('\0', '')
- if not isinstance(error, ldap3.LDAPInvalidCredentialsResult):
+ if not isinstance(error, ldap3.core.exceptions.LDAPInvalidCredentialsResult):
return error.message
try:
@@ -384,12 +384,12 @@
is_microsoft_active_directory = True
for feature in supported_features:
- if feature.oid == '1.3.6.1.4.1.4203.1.5.1': # This DSA supports "All Operational Attributes" as per RFC 3673
+ if feature[0] == '1.3.6.1.4.1.4203.1.5.1': # This DSA supports "All Operational Attributes" as per RFC 3673
supports_all_operational_attributes = True
break
- if feature.docs != 'MICROSOFT':
+ if feature[3] != 'MICROSOFT':
is_microsoft_active_directory = False
- if feature.oid in _required_features:
+ if feature[0] in _required_features:
required_features_countdown -= 1
if not (is_microsoft_active_directory and required_features_countdown == 0):
... View more
06-20-2018
07:49 PM
The workaround mentioned in https://answers.splunk.com/answers/189732/splunk-support-for-active-directory-why-are-non-ad.html still works.
You can place the plaintext password in the ldap.conf file against a password= paramater, and remove the encrypted version from passwords.conf, and the code will fallback to the plaintext one.
... View more
05-15-2018
08:58 PM
1 Karma
If you want to delete when freezing, do not set a coldToFrozenDir, and then data will not be moved to the frozen directory, but be deleted instead
See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf .
... View more
05-15-2018
12:30 AM
1 Karma
Note that last() and first() are dependant on the order the events arrive at the stats command, which is trypically reverse time order, so first and last probably have the opposite meaning to what you expect. Use earliest() and latest()
So:
index=main source = xyz earliest=-6mon
| stats latest(size) as "Latest", latest(_time) as "LatestTimestamp", earliest(size) as "Old", earliest(_time) as "EarliestTimestamp"
You might also want to consider the time formatting of the epoc string after this:
| eval LatestTimestampPretty=strftime(LatestTimestamp, "%Y-%m-%d %H:%M%S")
| eval EarliestTimestampPretty=strftime(EarliestTimestamp, "%Y-%m-%d %H:%M%S")
... View more
Contact Me
Karma from
