Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About deepakc
deepakc
Builder
Member since:
12-15-2017
yesterday
Community Statistics
| Posts | 240 |
| Solutions | 23 |
| Karma Given | 14 |
| Karma Received | 68 |
| Member Since | 12-15-2017 |
Activity Feed
- Posted Re: Splunk on RHEL9 won't start on Installation. Monday
- Got Karma for Re: Timestamp file breakup. a week ago
- Posted Re: Timestamp file breakup on Getting Data In. a week ago
- Posted Re: Forward data from Netscout to Splunk on Getting Data In. a week ago
- Posted Re: Forward data from Netscout to Splunk on Getting Data In. a week ago
- Got Karma for Re: Error: "There was an error processing the upload...". 3 weeks ago
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 3 weeks ago
- Posted Re: Azure Servers not powerful enough on Deployment Architecture. 3 weeks ago
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 3 weeks ago
- Posted Re: Getting "GnuTLS handshake retry returned error" when try to communicate with ForeScout" on Security. 3 weeks ago
- Posted Re: Can I download credentials ssplunkcloud.spl splunkforwarder by using curl? on Installation. 3 weeks ago
- Posted Re: Splunk db connect onboarding data on Getting Data In. 4 weeks ago
- Got Karma for Re: How to query for MFA and SSO on network. 06-20-2024 07:47 AM
- Karma Re: Add-on Builder Certificate Location for LH_Splunker. 06-20-2024 03:54 AM
- Got Karma for Re: Add-on Builder Certificate Location. 06-20-2024 03:07 AM
- Got Karma for Re: Service user for scheduled searches: one or more?. 06-20-2024 02:53 AM
- Got Karma for Re: trace if a server in a network path behind a firewall. 06-19-2024 06:13 AM
- Posted Re: How to query for MFA and SSO on network on Splunk Search. 06-18-2024 09:20 AM
- Posted Re: IBMi Server Data Correlation with Splunk on Splunk Enterprise. 06-17-2024 10:07 AM
- Posted Re: IBMi Server Data Correlation with Splunk on Splunk Enterprise. 06-17-2024 07:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Monday
Start by checking that you have port 8000 available - check firewall ports The SSH issue is again most likely related to ports/access 22 (but this is not a splunk issue) Speak to an Linux OS admin, as your issue's seem to be OS config related.
... View more
a week ago
1 Karma
Splunk is all about time series data, so you can search data/events using various times etc, so what this means, you need to ensure you have well formatted logs with a time stamp, which is what Splunk loves and try's to break the events based on the timestamp. Splunk has the capability to auto detect most common log formats and timestamps, but this is not best practice for custom logs, its better to ensure you parse and format the timestamp correctly. As you have a custom log file it looks , you will need to create a new sourcetype for it and apply props and transforms configuration to it, which will then parse and ensure the time stamp is correct. First try and understand the props concepts and apply that to your log file, it will requires some props code trial and error, until your get it to work as expected. Start here: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Improving_data_onboarding_with_props.conf_configurations
... View more
a week ago
Yes HEC is often used when you cant use UF/syslog etc. https://docs.splunk.com/Documentation/Splunk/9.2.2/Data/UsetheHTTPEventCollector
... View more
a week ago
At a high level: 1. I would first look at the integration manual they state in the app - - Omnis Data Streamer 6.3.5 Splunk Integration Guide - look for data onboarding or something on those lines. 2. The App you have is just for mainly displaying data and, I think you would need the look the the TA - NETSCOUT Omnis Data Streamer App Add-on | Splunkbase (This is what helps get the data parsed and in to splunk) Start by working out your exact Netscout device and the options it provides in terms of data (json/syslog/log files etc), look at the manual and workout what they suggest and follow that plan, test it and ingest it. Then use the App to help display the results. Splunk has many options in getting data in, UF/Syslog/HEC and supports many different formats of data, such as Json, but first you must do some home work and work out the details.
... View more
3 weeks ago
That's odd one, never seen that, I've have installed many Splunk instances on RHEL/CentOS/Fedora (7/8), over the years and not the other flavours so much, and with systemctl and not initd. There may be a parameter that could be changed, in the Splunkd.service file, example TimeoutStopSec=360 lower this perhaps, it's not something I've done or ever had to, and only do in a lab test server and see if that makes a difference) https://docs.splunk.com/Documentation/Splunk/9.2.2/Workloads/Configuresystemd#Configure_systemd_manually Other areas to further troubleshoot/investigate Ensure the splunk user has the below: (Add to Wheel or sudoers) and see if that makes a difference Non-root users must have super user permissions to manually configure systemd on Linux. Non-root users must have super user permissions to run start, stop, and restart commands under systemd https://docs.splunk.com/Documentation/Splunk/9.2.2/Workloads/Configuresystemd#Configure_systemd_manually
... View more
3 weeks ago
This indicates that the CPU is spending a significant amount of time waiting for I/O (typically disk) as your ingesting/parsing data/searching, so with Splunk you need to size it sufficiently, otherwise you will get those messages, remember Splunk is a workhorse and needs resources: Have a look at the below to posts, I recently had replied to around iowait https://community.splunk.com/t5/Splunk-Enterprise/IOWAIT-Mystery-What-is-it-Is-it-important/m-p/690256#M19597 https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Enterprise-how-does-it-detect-IOWAIT-warning-or-error/m-p/690444#M19605 Go through these questions https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Performancechecklist Look at the guide in terms of performance recommendations https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations In summary I think you will need to bump up your specifications, but for a dev environment, you can ignore those messages, unless it's starts to crawl and become unbearable.
... View more
3 weeks ago
If splunk hangs and there are timeout issues, it could be a number of things, what I have seen in the wild , is this normally relates to performance or the undelying storage system and the amount of ingest that may and can cause these types of issues. Timeouts could relate to the network, whats the latency like between the Splunk instances. How much volume of data are you ingesting, can the Splunk instances handle this? https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations 1. Check that your CPU/MEM, DIsk I/O meets the requirments, if thats ok then its something else that needs investigation. #Reference hardware https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Referencehardware 2. Check that THP has been disabled - plenty of topics on this on google and this community https://docs.splunk.com/Documentation/Splunk/9.2.1/ReleaseNotes/SplunkandTHP 3. Check that ulimits has been configured again, plenty of topics on this on google and this community Check ulimits have been configured
... View more
3 weeks ago
Why not provide a better summary of your issues, so the Splunk community can then respond. It’s much better to a summary your Splunk environment, what you are trying to do, what have you done to troubleshoot and provide any errors in logs. (Also redact and sensitive information).
... View more
4 weeks ago
It sounds like some sort of setting related to connection issue: A few thinsg to check: Is there a firewall between your DB connect server and the HEC server? Ensure the port(s) are availble Ensure on Splunk HEC server, you have global settings enabled: Click Settings > Data Inputs. Click HTTP Event Collector. Click Global Settings. In the All Tokens toggle button, select Enabled. Some other aspects to check and troubleshoot: #Check if the Hec collector is healthy curl -k -X GET -u admin:mypassword https://MY_Splunk_HEC_SERVER:8088/services/collector/health/1.0 #Check if HEC stanzas with config are configured /opt/splunk/bin/splunk http-event-collector list -uri https://MY_Splunk_HEC_SERVER:8089 #Check the settings using btool /opt/splunk/bin/splunk cmd btool inputs list --debug http
... View more
06-18-2024
09:20 AM
1 Karma
1.If you have your SSO/MFA data ingested and parsed correctly, also using Splunk's TA's most of them come with out of the box tags that can be used to search for the data type. Simple Example - This will search for authentication data across your defined indexes - and present the results (The tags search for authentication data) You can add your sourcetypes as well index=linux OR index=Windows OR index=my_SSO_data tag=authentication You can find the tags via GUI – easy way, or inspects the TA itself (eventtypes and tags) 2. If you have not ingested data then you need to ensure the below. Example Okta SSO / MFA - Okta would provide authentication data somewhere, in logs or API, you then need to onboard this data into Splunk, ensure there is a TA that helps with the parsing and tagging, then analyse the data, to see what it gives you and run various queries to give you the results you are looking for. Windows Event logs normally give you authentication data, based on AD / Logon events, they also provide Azure AD/ Entra, so if you used these you again would need to ingest that data into Splunk first and then run queries. Side note: Using Splunk you can check with TA’s have tags for authentication | rest splunk_server=local services/configs/conf-tags
| rename eai:acl.app AS app, title AS tag
| table app tag authentication This will show you the eventtypes which are associated with tags | rest splunk_server=local services/configs/conf-eventtypes
| rename eai:acl.app AS app, title AS eventtype
| table app search eventtype
... View more
06-17-2024
10:07 AM
Your data that's already in ingested needs to be made CIM complaint, it might be worth spending some time getting your head around the CIM concepts, after this you can look at developing correlation rules. https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Complying_with_the_Splunk_Common_Information_model
... View more
06-17-2024
07:26 AM
At a high level: Splunk can ingest most types of logs data, using different methods of collection. Splunk works on Key Value pairs - so if IBMi can send the data, with this data, you can then search it. The first thing to do is to look at the IBMi data and workout what format it is and how to collect that data, example, is it in a text log file, Json, XML, DB, syslog or API. You then need to set up the data collection method, this could involve a UF(Splunk Agent), Hec using HTTP API, or syslog etc, this has to be based on your environment and preferred method of collecting IBMi data, and place that data into an index. You then need to look at if there's a Splunk Add on in Splunkbase for IBMi data, this is used for parsing the data, if there isn’t one, you then need to develop Splunk props and transforms for the parsing of the data. You then have to make the IBMi, Data CIM complaint, so analyse what type of data it is, extract it via parsing and map those fields to CIM fields, so Splunk SIEM ES can make use of that data.
... View more
06-17-2024
04:39 AM
No worries, glad it worked out out 🙂
... View more
06-17-2024
04:38 AM
I guess you can have same auto lookup attribute names inside the same App, that then point to look up files being used. but causes issues when same inside of another app (I know Splunk for saved searches sends a message with same name or duplicate, but I don’t think it does for lookups) So, something like this alert may help | rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-*
| stats count by attribute
```Filter or add ones that are OK as they may be other attributes that use similar lookups in the same App context```
```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP- my_ok_lookup2"```
| eval duplicate=if(count > 1, "Yes", "No")
| where count > 1 You can then find out, explore if there are other apps that use the same name attribute: Example in your case eventcode | rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-eventcode Have play and see if this helps.
... View more
06-17-2024
01:07 AM
From the Error, it states "failed to parse license because: The license payload seems to be empty" Its normally XML format so you should be able to check it and that its not corrupted etc. If your still having lic issues then contact Splunk to ensure you have the correct license. Follow these steps: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Installalicense
... View more
06-17-2024
01:00 AM
It could be several things blocking you. TcpOutputFd (this is normally a networking or config setting) You have set the whitelist and disabled the FW. Other things to check: Check your network allows for the HF to route outbound to Splunk cloud Deploy the Splunk Credentials Package to the HF - https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/ConfigSCUFCredentials Check you can connect – try this command: openssl s_client -connect inputs1.MY_STACK_NAME>.splunkcloud.com:9997 Further than that more troubleshooting is required. But it’s usually a networking that’s blocking.
... View more
06-17-2024
12:36 AM
1 Karma
The index data lives on the Splunk indexer Server's . You typically use a Splunk Universal Forwarder or Heavy forwarder or some other means to send data to the Indexers and they get stored into a bucket(folder). So login to your Splunk indexers and go to the storage volume and see the data there. See the table section "What the index directories look like" this will show you the paths https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/HowSplunkstoresindexes
... View more
06-17-2024
12:25 AM
Support would be something that comes to mind in this process. As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated. I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support https://www.splunk.com/en_us/legal/splunk-software-support-policy.html
... View more
06-14-2024
01:19 AM
In the Gui > Data > Data availability - Click on the Green Base Line Search Button, that will generate the look up, you can then go back to the Data availability and it should display results.
... View more
06-14-2024
12:58 AM
Splunk has to pull data from somewhere, logs or API, if you missed the scan, then the data should reside somewhere in the Nessus system. You would need to look at the inputs configuration and see if there's an option based on the inputs to collect historical data from the Nessus system. I would start by referring the the documentation and see if that can help you. https://docs.tenable.com/integrations/Splunk/Content/Splunk2/CreateInput.htm
... View more
06-14-2024
12:33 AM
I suspect that they have made some changes to the TA add-on code and python scripts universal_session.py I would contact them directly and see if you can get any further information. Disabling comes with security risks, and most likely done within the python code. But I understand you have self signed ones, and should have options, so seeking their advise might be the best cause of action, hopefully they can get the TA developer to give you further help. support@nozominetworks.com.
... View more
06-13-2024
09:33 AM
1 Karma
If you look under lookups, it should show that those are all set and defined. So double check lookup up tables files / Lookup definitions / Automatic Lookups and check sysmon app context. Also check if there's another lookup with that name, sometimes I have seen another same name #this should point to most of the sysmon TA code (transforms) or show another. /opt/splunk/bin/splunk cmd btool transforms list eventcode --debug
... View more
06-13-2024
03:30 AM
In order for Splunk to present the metrics and data you want; you need to look at how the web tool can output to any logs or does it use API. then you need to look at that data, logs or API data and see if it contains the metrics or data you want. You then need a plan of how to ingest that data into Splunk. Splunk has many methods of collecting data, via Splunk HTTP- HEC / API JSON/XML, Agents (Universal forwarder) so it can collect those logs you’re interested in and ingest into a Splunk index for you to search and generate insights and then create the dashboards, alerts, based on your metrics etc. There is a good talk soon - might be worth joining this for you to get some concept knowledge on getting data in https://community.splunk.com/t5/Community-Office-Hours/Getting-Data-In-Splunk-Platform-Wed-9-11-24/ec-p/690523#M105
... View more
06-13-2024
02:09 AM
Sound like a case for dedup, based on that you can optionally also place the devices into a lookup file and also use that. (You can then use that SPL in your drop down menu which is what I suspect you want to do) See the examples and if that meets what you want to do. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Dedup#Examples
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Karma from
Karma given to
