Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dionrivera
dionrivera
Path Finder
Member since:
05-01-2015
yesterday
Community Statistics
| Posts | 19 |
| Solutions | 2 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 05-01-2015 |
Activity Feed
- Karma Re: Ingesting XML and Classic WinEventLogs issue (renderXml=false) for Matias. Saturday
- Posted Why are we missing Windows "WinEventLog:Security" event logs? on Getting Data In. Saturday
- Karma Re: Security Windows Event Logs not collected by the UF on Windows 2008 and Windows 2012 - Splunk 6 for mgaraventa_splu. Saturday
- Posted Re: How to set up a heavy forwarder to forward data to Splunk Cloud? on Getting Data In. Wednesday
- Posted Re: How to set up a heavy forwarder to forward data to Splunk Cloud? on Getting Data In. a week ago
- Karma Re: How to set up a heavy forwarder to forward data to Splunk Cloud? for pgreer_splunk. a week ago
- Karma Re: Converting UTC to PST time on events for PickleRick. 4 weeks ago
- Posted Re: Converting UTC to PST time on events on Splunk Search. 4 weeks ago
- Karma Re: Converting UTC to PST time on events for richgalloway. 4 weeks ago
- Posted Converting UTC to PST time on events? on Splunk Search. 4 weeks ago
- Posted How to add metadata to UF config files? on Getting Data In. 12-01-2022 08:58 AM
- Posted How can I build a report using my query of IP addresses with the location information off of the lookup file? on Splunk Search. 11-08-2022 05:48 PM
- Karma Re: Monitoring log sources that go silent for gcusello. 11-07-2022 10:00 AM
- Posted Re: Monitoring log sources that go silent? on Monitoring Splunk. 11-06-2022 02:57 PM
- Posted Re: Monitoring log sources that go silent on Monitoring Splunk. 11-04-2022 01:00 PM
- Posted Monitoring log sources that go silent? on Monitoring Splunk. 11-04-2022 12:03 PM
- Karma Re: Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations? for mookiie2005. 08-26-2022 10:09 AM
- Karma Re: Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations? for hortonew. 08-26-2022 10:09 AM
- Posted Re: How to push my new certs to all my UFs? on Security. 08-25-2022 04:24 PM
- Posted How to push my new certs to all my UFs? on Security. 08-25-2022 02:46 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Saturday
I have 40 Windows 2012 domain controllers (forwarding through heavy forwarders to cloud), that intermittently stop sending "WinEventLog:Security" events to cloud indexers. In some cases, one of the servers will send Security events for a few hours and then stop sending altogether. I know the events exist on the server because I can see them through Event Viewer. On the other hand, I don't have the same issue with the Application or System events. They flow all the time. The issue only happens with "WinEventLog:Security" events. So far, I have tried to split the load among 4 heavy forwarders, thinking it was a forwarder congestion issue. I also configured the domain controllers to send directly cloud, bypassing the heavy forwarders. Alas, no success. Has anyone experienced or heard about this issue? Thank you.
... View more
Labels
- Labels:
-
heavy forwarder
-
universal forwarder
Wednesday
Correction: After building a second HF. You do need to configure receiving. Receiving will allow the HF to receive data from forwarding clients.
... View more
a week ago
Thanks for the short but awesome list of steps. This helped me more than any other documentation (that I've discovered) in Splunk docs. I would add that if all you're doing is forwarding and not indexing on a host. You can skip step 3(receiving data)
... View more
4 weeks ago
Some of my events are displaying UTC time while others display PST time, as they should since I have my preferences set to PST. The UTC times are skewing my results. Is there a way to convert my results so that all events show UTC time or at least have a variable e.g., PST_time which shows the UTC > PST conversion?
... View more
Labels
- Labels:
-
other
12-01-2022
08:58 AM
Hello. I'm trying to identify a pool of windows hosts by adding an additional field to the events they forward. I can do this by adding an inputs.conf in /Splunk_home/etc/system/local and this works. My metadata field is called uf_deployment::remote_laptop(see below). [monitor://C:\Windows\System32\winevt\Logs\Application.evtx] index = my_index disabled = 0 sourcetype = XmlWinEventLog _meta = uf_deployment::remote_laptop
However, the only way I can see how to do this is by monitoring a log file and using the [monitor] tag. But this presents a problem; I don't want to forward events from a log that I'm not interested in, nor do I want to duplicate events. I'm looking for a solution that will allow me to send the _meta = uf_deployment::remote_laptop field without having to "monitor" a log file. So far I have tried [default] with no success(see below) Any help is appreciated. Thank you. [default] index = my_index disabled = 0 sourcetype = XmlWinEventLog _meta = uf_deployment::remote_laptop
... View more
Labels
- Labels:
-
universal forwarder
11-08-2022
05:48 PM
Hi Team. I have a splunk query with a list of IP addressses(Client_IP). I also have a lookup file with the IP ranges(cidr_match) which also has a location(location) fields pinpointing a location of that IP address. How can I build a report using my query of IP addresses with the location information off of the lookup file?
... View more
Labels
- Labels:
-
lookup
11-04-2022
01:00 PM
@gcuselloAny suggestions how I could include the time within the query? I need to look every hour if the event count has changed. Grazie!
... View more
11-04-2022
12:03 PM
Hi team. I'm looking for a query/solution that will alert me when a log source is no longer sending logs. For example, I have an index called "linux_prod" which is populated when linux hosts fortheir events. I would like to receive an alert when this index stops receiving events for the past 1 hour. This happens when SC4S or some other issue on the network have problems.
Thank you.
... View more
Labels
08-25-2022
04:24 PM
@chaker It's actually the cert that secures the connection to the DS.
... View more
08-25-2022
02:46 PM
I'm using my on-prem DS to push out apps to my UFs. The current cert has expired, how can I push a new cert to my UFs? I see that in my DS, I have a directory /opt/splunk/etc/deployment-apps/100_splunkcloud/default/. In this directory I have a server.pem file with last year's date. Is this where I need to move the new pem file? I thought it was in the /opt/splunk/etc/deployment-apps/100_splunkcloud/local directory instead.
Thank you!
... View more
Labels
- Labels:
-
SSL
08-13-2022
02:37 PM
Thanks for following up on your solution. I need something similar and will try this first.
... View more
07-21-2022
09:17 AM
@Roy_9 As it turns out, the upgrade to CMC changed the timeframe it looks back to 7 days instead of 1 day which explains why my numbers were multiplied. I reached out to Splunk and they are working on changing the default timeframe to 1 day. Which makes sense because this is what teams use to gauge their daily ingest rate which goes against their licensing costs. To answer your question, I'm on cloud. Thank you for your suggestion. You are appreciated.
... View more
07-17-2022
12:13 PM
In the Overview tab, it shows 25TB of total ingest volume. This is incorrect, we should be at ~4TB. This is important for our licensing and storage levels.
... View more
Labels
- Labels:
-
troubleshooting
05-23-2022
04:21 PM
@tonygpe Curious. Did this work for you. Looking for a similar solution
... View more
04-20-2022
07:54 AM
@isoutamo As it turns out the hostname on my HF had changed which caused it to lose connection to my Deployment Server. When it lost connection the deploymentclient app was not pushed out to the HF so it did not know how to talk to Splunk cloud. I have re-deployed the correct app and now I'm connecting. Thank you.
... View more
04-19-2022
11:25 AM
My HF stopped forwarding events. So far:
1. The splunkd service is running
2. no firewalls enabled
3. Running this command is successful which I think means I'm connecting to the indexers
$ ./bin/splunk cmd openssl s_client -connect inputs1.<stack>.splunkcloud.com:9997
4. Tried restarting the service with no success.
5. the splunkd.log file on the HF is reporting a lot of ERROR TcpInputProc errors
Help! Thank you
Any suggestions would be appreciated
... View more
Labels
- Labels:
-
heavy forwarder
-
Linux
01-26-2022
12:04 PM
FYI, adding the search and rtsearch capabilities to my role fixed this issue for me.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Karma given to
