Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About weicai88
weicai88
Path Finder
Member since:
06-09-2015
03-05-2021
Community Statistics
| Posts | 19 |
| Solutions | 3 |
| Karma Given | 0 |
| Karma Received | 5 |
| Member Since | 06-09-2015 |
Activity Feed
- Posted Re: Parsing McAfee Firewall Logs on Getting Data In. 03-05-2021 07:18 AM
- Posted Re: Parsing McAfee Firewall Logs on Getting Data In. 03-05-2021 06:27 AM
- Posted Parsing McAfee Firewall Logs on Getting Data In. 03-04-2021 02:40 PM
- Posted Re: Unhash password found on Slave-apps on Security. 06-12-2020 07:56 AM
- Got Karma for Why am I unable to find orphaned searches or alerts?. 06-05-2020 12:48 AM
- Got Karma for Tripwire Enterprise App for Splunk Enterprise: SCM data is getting pulled, but why not FIM Data?. 06-05-2020 12:47 AM
- Got Karma for Re: Tripwire Enterprise App for Splunk Enterprise: SCM data is getting pulled, but why not FIM Data?. 06-05-2020 12:47 AM
- Got Karma for Re: Tripwire Enterprise App for Splunk Enterprise: SCM data is getting pulled, but why not FIM Data?. 06-05-2020 12:47 AM
- Got Karma for Re: Tripwire Enterprise App for Splunk Enterprise: SCM data is getting pulled, but why not FIM Data?. 06-05-2020 12:47 AM
- Posted Re: Error at search time after upgrading Palo Alto Networks App for Splunk to version 6.0 on All Apps and Add-ons. 01-17-2018 07:31 AM
- Posted Re: Error at search time after upgrading Palo Alto Networks App for Splunk to version 6.0 on All Apps and Add-ons. 01-16-2018 12:45 PM
- Posted Re: How to filter out search results where a field value ends with the $ character? on Splunk Search. 01-17-2017 01:50 PM
- Posted Re: Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 12:12 PM
- Posted Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 09:31 AM
- Tagged Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 09:31 AM
- Tagged Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 09:31 AM
- Tagged Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 09:31 AM
- Tagged Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 09:31 AM
- Tagged Why am I unable to find orphaned searches or alerts? on Alerting. 11-08-2016 09:31 AM
- Posted Query Data Not Going into Index with DBConnect on All Apps and Add-ons. 01-15-2016 09:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
03-05-2021
07:18 AM
Just figured it out, instead of using source, sourcetype should be used in the props.conf. Now I am seeing proper events break-up:
... View more
03-05-2021
06:27 AM
Yeah, the vast majority are 1 line, and there are many other line counts. What I need is events with 7 lines. BTW, the props.conf is on heavy forwarders to send to Splunk Cloud.
... View more
03-04-2021
02:40 PM
Hello All! I am trying to parse McAfee firewall logs but the props.conf I am using doesn't seem to work. This is my props.conf: [source::<source location>] TIME_PREFIX = Time:\s+ TIME_FORMAT = %m/%d/%Y %H:%M:%S LINE_BREAKER = ([\r\n]+)Time: SHOULD_LINEMERGE = false This is the log that I want to break at each timestamp line: Time: 03/04/2021 17:31:18 Event: Traffic IP Address: 172.16.0.21 Description: Path: Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915) Matched Rule: Block all traffic Time: 03/04/2021 17:31:19 Event: Traffic IP Address: 172.16.0.21 Description: Path: Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915) Matched Rule: Block all traffic Time: 03/04/2021 17:31:20 Event: Traffic IP Address: 172.16.0.21 Description: Path: Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915) Matched Rule: Block all traffic Time: 03/04/2021 17:31:21 Event: Traffic IP Address: 172.16.0.21 Description: Path: Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915) Matched Rule: Block all traffic Time: 03/04/2021 17:31:22 Event: Traffic IP Address: 172.16.0.21 Description: Path: Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915) Matched Rule: Block all traffic ... Thank you so much!
... View more
Labels
- Labels:
-
heavy forwarder
-
indexer
-
props.conf
-
source
-
time
06-12-2020
07:56 AM
I am having the same issue. Probably you can get the hash value on the CM, assuming it has the same certificate and splunk secret (which is used to encrypt the password), and plug the hash in the master app, then deploy the bundle to peers.
... View more
01-17-2018
07:31 AM
I only installed the Add-on 6.0.2, not the App. And yes, it is on both Search Heads and Indexers. It's odd that I have two Search Head clusters, but the errors only show up on one of them although the Add-on was installed on both.
... View more
01-16-2018
12:45 PM
rphillips:
I got the same error, and following your instructions, checked my settings with btool. Here's what's on my search heads:
/opt/splunk/etc/apps/Splunk_TA_paloalto/default/collections.conf [minemeldfeeds]
/opt/splunk/etc/apps/Splunk_TA_paloalto/default/collections.conf enforceTypes = false
/opt/splunk/etc/apps/Splunk_TA_paloalto/default/collections.conf field.indicator = string
/opt/splunk/etc/apps/Splunk_TA_paloalto/default/collections.conf field.splunk_source = string
/opt/splunk/etc/apps/Splunk_TA_paloalto/default/collections.conf field.value = string
/opt/splunk/etc/system/default/collections.conf profilingEnabled = false
/opt/splunk/etc/system/default/collections.conf profilingThresholdMs = 1000
/opt/splunk/etc/apps/Splunk_TA_paloalto/default/collections.conf replicate = true
/opt/splunk/etc/system/default/collections.conf replication_dump_maximum_file_size = 10240
/opt/splunk/etc/system/default/collections.conf replication_dump_strategy = auto
/opt/splunk/etc/system/default/collections.conf type = undefined
As you can see, replicate = true. Why do i still see the error?
Thanks!
Wei
... View more
01-17-2017
01:50 PM
This should work:
account_name != "*$"
... View more
11-08-2016
12:12 PM
Right on, bmacias84! I was able to track down the saved searched in those users' home directory. Thanks for your quick response!
... View more
I run following search to look for orphaned searches/alerts:
| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
I found a few which belong to some departed users. However, when I go to Settings>Searches, Reports, and Alerts, they are not listed. I also searched $SPLUNK_HOME/etc/apps to make sure all the departed users' names to be replaced with a current user's name. Yet the same orphaned searches turned up whenever I run the above search. What did I miss?
Thanks!
... View more
01-15-2016
09:05 AM
Hi,
I use DBConnect 2 to pull McAfee endpoint security data from ePO into Splunk and that part works great. However, when I tried to pull additional audit data from the same database, the data won't show up in the index. The test of the SQL query in the DBConnect connection was successful and there's no error in the splunkd.log. Here's the stanza in the inputs.conf:
[mi_input://ta_mcafee_epo_5_input:audit]
disabled = 0
host = <SQL Host Name>
connection = <Connection Name>
index = mcafee
interval = * * * * *
max_rows = 10000
output_timestamp_format = YYYY-MM-dd HH:mm:ss
changed "SELECT TOP 10000" to just "SELECT" because it's not working with DBXv2
query = SELECT [AutoId],[UserId],[UserName],[Priority],[CmdName],[Message],[Success],[StartTime],[EndTime],[RemoteAddress],[TenantId] FROM [ePO_MTIB-EPO-APP].[dbo].[OrionAuditLogMT] WHERE [AutoID] >10000
sourcetype = mcafee:audit
source = dbx1
mode = tail
tail_follow_only = 1
tail_rising_column_name = AutoID
tail_rising_column_number = 2
ui_query_mode = advanced
input_timestamp_column_name = timestamp
input_timestamp_column_number = 1
tail_rising_column_checkpoint_value = 10000
What could be the problem?
Thanks!
Wei
... View more
12-18-2015
11:04 AM
jkat54:
This sounds like what I need to do. I will test it tonight and let you know the result.
Thanks!
Wei
... View more
12-17-2015
02:01 PM
Yes, multiple times.
... View more
12-17-2015
08:28 AM
Hi Everyone:
I keep getting this error on my 3 Enterprise Security search heads:
msg="A lookup table used in a CIDR or WILDCARD definition exceeds the maximum allowable value" file="asn_by_cidr.csv" size="16360595" param="max_memtable_bytes" limit="10000000".
I am aware of the fix: https://answers.splunk.com/answers/152483/splunk-app-for-enterprise-security-where-to-change-the-setting-for-lookup-table-maximum-allowable-value.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev,
but after I made the suggested change to all 3 search heads, the error keeps popping up.
I have verified with btool that the max_memtable_bytes limit has been set to 20000000:
./bin/splunk cmd btool --debug limits list |grep mem
/opt/splunk/etc/apps/tsp_esh_limits/default/limits.conf max_memtable_bytes = 20000000
Any suggestions?
... View more
11-04-2015
06:06 AM
3 Karma
After reviewing the tripwire_fim.py script, I realized it was looking for a firstrun_fim.txt file as a condition to execute. There's already a firstrun_scm.txt so I manually created firstrun_fim.txt. That's all you need to do.
... View more
11-02-2015
11:12 AM
Yes, the file does exist:
total 0
-rw-------. 1 splunk splunk 0 Nov 2 13:10 DCR-hist.csv
Running the command directly resulted the following errors:
Traceback (most recent call last):
File
"/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 540, in
main() File "/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 58, in main
xml = client.report(args.title, args.type, params) File
"/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 501, in report
return self._attachment(self._do_soap('report',
args, parseresult=False)) File
"/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 482, in _attachment
raise Exception(ET.tostring(fault))
Exception: xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/">SOAP-ENV:ClientFailed
to find object in database
(CONTENTS), id =
-9223372036298495233 />***
So it does appear to be a missing object from the database. What can I do to fix it? The weird thing is, I have installed the same app on an all-in-one instance, with the same credential for Tripwire and it can get both FIM and SCM data without any issues. Tripwire has very little documentation on this app except a one page installation instructions. The Tripwire support says they are not responsible for this app, Splunk is, which is denied by Splunk. 😞
... View more
11-02-2015
07:50 AM
1 Karma
Hi,
I am having problems getting the FIM data from Tripwire Enterprise with the Python script while the SCM pull worked just fine. I have a distributed Splunk deployment so according to the TE app documentation, I put TA_te on the heavy forwarder. The Python scripts are supposed to pull the data and deposit it in /opt/teexports. I can see that /opt/te/exports/SCM is getting updated and the dashboard on the search heads is populated with the SCM data. However, there's no FIM data. Reviewing the splunkd.log I can see some Python errors as below:
10-29-2015 15:20:46.620 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" Exception: <ns0:Fault xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>SOAP-ENV:Client</faultcode><faultstring>Failed to find object in database
10-29-2015 15:20:46.620 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" (CONTENTS), id = -9223372036298495233</faultstring><detail><com.tripwire.space.core.persistence.db.ObjectNotFoundException /></detail></ns0:Fault>
10-29-2015 15:20:46.625 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" Traceback (most recent call last):
10-29-2015 15:20:46.625 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" File "/opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py", line 162, in <module>
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" main()
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" File "/opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py", line 151, in main
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" subprocess.check_call(cmd, shell=True)
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" File "/opt/splunk/lib/python2.7/subprocess.py", line 540, in check_call
10-29-2015 15:20:46.628 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" raise CalledProcessError(retcode, cmd)
10-29-2015 15:20:46.628 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" subprocess.CalledProcessError: Command '/opt/splunk/bin/splunk cmd python "/opt/splunk/etc/apps/TA_te/bin/tripwire.py" -s "10.20.12.24" -u "yyyyyy" -p "xxxxxxxxxxxx" report -T "DCR" -t detailedchanges_rpt -P BooleanCriterion,currentVersionsOnly,false,displayUsers,true,displayCriteriaAtEnd,true,showContentDiff,true:RelativeTimeRangeCriterion,229,day,"In the last 229 day" -F CSV -o "/opt/teexports/FIM/tmp/DCR-hist.csv"' returned non-zero exit status 1
... View more
08-11-2015
10:28 AM
I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.
... View more
08-10-2015
11:30 AM
Jeff,
Yes, btool was what I used to search where the index came from on both the indexers and forwarder. "sec_events" is not present in the output.
Thanks,
Wei
... View more
08-07-2015
02:13 PM
I have a distributed deployment and use a Universal Forwarder on Windows to get the event logs and performance information into indexers. After deploying the Splunk_TA_windows to the Windows client, the event log data comes into the indexers and get indexed to wineventlog just fine. However, I still get errors as below:
Search peer idx2 has the following message: received event for unconfigured/disabled/deleted index='sec_events' with source='source::Perfmon:Available Memory' host='host::Prod-TS1' sourcetype='sourcetype::Perfmon:Available Memory' (1 missing total) 8/7/2015, 3:40:29 PM
I checked both my indexers and forwarders, but could not find where the index "sec_events" came from. If you have any suggestions please let me know.
Thanks!
... View more
