Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MaverickT
MaverickT
Communicator
Member since:
05-16-2013
07-05-2023
Community Statistics
| Posts | 71 |
| Solutions | 5 |
| Karma Given | 24 |
| Karma Received | 26 |
| Member Since | 05-16-2013 |
Activity Feed
- Got Karma for Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?. 09-20-2023 11:10 PM
- Posted Re: How to exclude a lookup from a tstats in subsearch? on Splunk Enterprise Security. 07-04-2023 10:55 PM
- Got Karma for Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?. 10-31-2022 11:22 AM
- Got Karma for Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?. 10-31-2022 10:30 AM
- Got Karma for Re: Mac OS X Sierra - How to get all logs from the Unified Log database?. 09-13-2022 04:00 AM
- Posted Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk? on Getting Data In. 08-28-2022 04:10 AM
- Posted Re: Mac OS X Sierra - How to get all logs from the Unified Log database? on Getting Data In. 08-28-2022 04:07 AM
- Posted Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error? on All Apps and Add-ons. 08-26-2022 01:15 AM
- Posted Re: How to migrate data in an indexer cluster to a new indexer cluster environment? on Splunk Enterprise Security. 06-21-2022 12:32 AM
- Posted Re: tstats where index=_internal no results on Monitoring Splunk. 07-29-2021 12:08 AM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:57 PM
- Tagged Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:55 PM
- Posted Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:51 PM
- Posted Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 07:52 AM
- Got Karma for Re: Assign multiple risk objects in Risk Analysis. 05-03-2021 08:14 AM
- Got Karma for Re: Assign multiple risk objects in Risk Analysis. 05-02-2021 04:02 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
07-04-2023
10:55 PM
I think the catch is not the lookup. It is the data structure. While testing your search I got the results if I put IP address to my domainslist lookup table. The thing is that "DNS.answer" should be the IP address of the queried domain. Or am I wrong? If you want to search answers then your lookup should also include IP addresses. Note that in my experience if it is a big lookup file, this method will not work. It returns error and seach does not complete. In that case you have to return everything with tstats and then use lookup + search (or search + inputlookup).
... View more
08-28-2022
04:10 AM
3 Karma
Since Splunk 9.x, Universal Forwarder supports Apple Unified Logging. But Splunk didn't release corresponding TA. So I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/ Any improvement requests are welcome.
... View more
08-28-2022
04:07 AM
1 Karma
Since Splunk 9.x supports Apple Unified Logging but Splunk didn't release corresponding TA I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/
... View more
08-26-2022
01:15 AM
I had a same issue. It turned out that we needed to add Exchange Administrator role to the Enterprise Application associated with OAuth token. A bit of overkill of privileges, but it is what it takes to make thing working. Permission cheat-sheet: https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0
... View more
06-21-2022
12:32 AM
The easiest option is to add new indexers/nodes to existing cluster, sync existing data to this nodes and after that slowly retire old indexers using "splunk offline --enforce-counts" command.
... View more
07-29-2021
12:08 AM
Yes, thats exactly the behaviour. To be more precise - tstats does not fail, it just doesnt return any results. To make things even more challenging - same tstats command works on other indexes.
... View more
07-28-2021
12:51 PM
Thanks for your reply. I guess I wasn't clear enough. I run search on search head, the search log is taken from search head, but also includes log from indexer. It is taken from here: $SPLUNK_HOME/var/run/splunk/dispatch/$SEARCH_JOB_ID/remote_logs/$INDEXER.search.log I am sure all logs from search heads, heavy and universal forwarders are forwarded to indexer tier, since normal search (eg. index=_internal | stats count by host) produces results.
... View more
07-28-2021
07:52 AM
I am trying to run the following tstats search on indexer cluster, recently updated to splunk 8.2.1:
| tstats count where index=_internal by host
The search returns no results, I suspect that the reason is this message in search log of the indexer:
Mixed mode is disabled, skipping search for bucket with no TSIDX data: \opt\splunkhot\_internaldb\db\hot_v1_4334
When I check the specified bucket folder, I can see the tsidx files inside.
Interesting fact is, that this issue occurs only with _internal index, same command works fine with other indexes. I have datamodel "Splunk's Internal Server Logs" enabled and accelerated.
Any suggestions where to start troubleshooting this issue?
... View more
Labels
04-29-2021
11:11 PM
2 Karma
The easyest way is to upgrade your Enterprise Security to 6.4, which has the option to add multiple risk analysis to the same result.
... View more
04-29-2021
11:08 PM
We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email. There are two additional findings we discovered: If we try to append results of standard alert search (non-correlation search) to an email it works. If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches... Has anybody encountered such problems and how did you solve it?
... View more
Labels
- Labels:
-
notable event
-
troubleshooting
01-22-2021
07:51 AM
Which "CloudStrike cloud environment" do you have selected? In my case it didn't work until "EU Cloud" was selected. After switching to "US Commercial" it started working. Currently using EU Cloud is not beneficiary, since all requests are (at least currently) redirected to US commercial anyway.
... View more
11-22-2020
11:46 PM
1 Karma
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase. I've managed to install and configure those add-ons in less than an hour. https://splunkbase.splunk.com/app/4336/ https://splunkbase.splunk.com/app/4337/
... View more
11-09-2020
12:58 AM
1 Karma
Since October 2020 there is add-on available for this matter: Microsoft Cloud App Security Add-on for Splunk
... View more
08-14-2020
07:20 AM
It is probably not a direct answer to your question. But by looking at your printsceen you have selected Continous scheduling, but in the "Latest Time" is formed in real-time format (rt+5m@m).
... View more
08-14-2020
07:16 AM
There is an option to code your own adaptive response action, which can be used to forward the data to other systems. But you will need to do a little bit of python coding... https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-05-2023
02:16 AM
|
Karma from
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Karma given to
