Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MaverickT
MaverickT
Communicator
Member since:
05-16-2013
3 weeks ago
Community Statistics
| Posts | 69 |
| Solutions | 5 |
| Karma Given | 24 |
| Karma Received | 23 |
| Member Since | 05-16-2013 |
Activity Feed
- Got Karma for Re: Mac OS X Sierra - How to get all logs from the Unified Log database?. 2 weeks ago
- Posted Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk? on Getting Data In. a month ago
- Posted Re: Mac OS X Sierra - How to get all logs from the Unified Log database? on Getting Data In. a month ago
- Posted Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error? on All Apps and Add-ons. 08-26-2022 01:15 AM
- Posted Re: How to migrate data in an indexer cluster to a new indexer cluster environment? on Splunk Enterprise Security. 06-21-2022 12:32 AM
- Posted Re: tstats where index=_internal no results on Monitoring Splunk. 07-29-2021 12:08 AM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:57 PM
- Tagged Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:55 PM
- Posted Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:51 PM
- Posted Why does the tstats search "where index=_internal" returns no results? on Monitoring Splunk. 07-28-2021 07:52 AM
- Got Karma for Re: Assign multiple risk objects in Risk Analysis. 05-03-2021 08:14 AM
- Got Karma for Re: Assign multiple risk objects in Risk Analysis. 05-02-2021 04:02 PM
- Karma Re: biuld a siem without Enterprise security app for radam2000. 04-29-2021 11:20 PM
- Posted Re: Assign multiple risk objects in Risk Analysis on Splunk Enterprise Security. 04-29-2021 11:11 PM
- Posted Adaptive Response Action Send email not sending results on Splunk Enterprise Security. 04-29-2021 11:08 PM
- Posted Re: Not receiving CrowdStrike Intel Indicators events on Getting Data In. 01-22-2021 07:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
a month ago
Since Splunk 9.x, Universal Forwarder supports Apple Unified Logging. But Splunk didn't release corresponding TA. So I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/ Any improvement requests are welcome.
... View more
a month ago
1 Karma
Since Splunk 9.x supports Apple Unified Logging but Splunk didn't release corresponding TA I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/
... View more
08-26-2022
01:15 AM
I had a same issue. It turned out that we needed to add Exchange Administrator role to the Enterprise Application associated with OAuth token. A bit of overkill of privileges, but it is what it takes to make thing working. Permission cheat-sheet: https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0
... View more
06-21-2022
12:32 AM
The easiest option is to add new indexers/nodes to existing cluster, sync existing data to this nodes and after that slowly retire old indexers using " splunk offline --enforce-counts" command.
... View more
07-29-2021
12:08 AM
Yes, thats exactly the behaviour. To be more precise - tstats does not fail, it just doesnt return any results. To make things even more challenging - same tstats command works on other indexes.
... View more
07-28-2021
12:51 PM
Thanks for your reply. I guess I wasn't clear enough. I run search on search head, the search log is taken from search head, but also includes log from indexer. It is taken from here: $SPLUNK_HOME/var/run/splunk/dispatch/$SEARCH_JOB_ID/remote_logs/$INDEXER.search.log I am sure all logs from search heads, heavy and universal forwarders are forwarded to indexer tier, since normal search (eg. index=_internal | stats count by host) produces results.
... View more
07-28-2021
07:52 AM
I am trying to run the following tstats search on indexer cluster, recently updated to splunk 8.2.1:
| tstats count where index=_internal by host
The search returns no results, I suspect that the reason is this message in search log of the indexer:
Mixed mode is disabled, skipping search for bucket with no TSIDX data: \opt\splunkhot\_internaldb\db\hot_v1_4334
When I check the specified bucket folder, I can see the tsidx files inside.
Interesting fact is, that this issue occurs only with _internal index, same command works fine with other indexes. I have datamodel "Splunk's Internal Server Logs" enabled and accelerated.
Any suggestions where to start troubleshooting this issue?
... View more
Labels
04-29-2021
11:11 PM
2 Karma
The easyest way is to upgrade your Enterprise Security to 6.4, which has the option to add multiple risk analysis to the same result.
... View more
04-29-2021
11:08 PM
We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email. There are two additional findings we discovered: If we try to append results of standard alert search (non-correlation search) to an email it works. If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches... Has anybody encountered such problems and how did you solve it?
... View more
Labels
- Labels:
-
notable event
-
troubleshooting
01-22-2021
07:51 AM
Which "CloudStrike cloud environment" do you have selected? In my case it didn't work until "EU Cloud" was selected. After switching to "US Commercial" it started working. Currently using EU Cloud is not beneficiary, since all requests are (at least currently) redirected to US commercial anyway.
... View more
11-22-2020
11:46 PM
1 Karma
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase. I've managed to install and configure those add-ons in less than an hour. https://splunkbase.splunk.com/app/4336/ https://splunkbase.splunk.com/app/4337/
... View more
11-09-2020
12:58 AM
1 Karma
Since October 2020 there is add-on available for this matter: Microsoft Cloud App Security Add-on for Splunk
... View more
08-14-2020
07:20 AM
It is probably not a direct answer to your question. But by looking at your printsceen you have selected Continous scheduling, but in the "Latest Time" is formed in real-time format (rt+5m@m).
... View more
08-14-2020
07:16 AM
There is an option to code your own adaptive response action, which can be used to forward the data to other systems. But you will need to do a little bit of python coding... https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/
... View more
08-14-2020
02:05 AM
There is no way of doing Splunk database backup via GUI. Even the CLI might get a little bit complicated, because you have to roll the buckets before making backup. You can learn more about making backup here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Backupindexeddata https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/BackupKVstore Maybe you should consider moving the cold buckets to the QNAP NAS?
... View more
08-14-2020
01:34 AM
Can you check if you maybe have "Remote event log collections" enabled for this host on one of your Splunk instances? This is one of the reasons why there can be duplicate data..
... View more
- Tags:
- Can
07-09-2020
11:07 AM
Oh, sorry, fast reading. I am trying to download splunk 7.3.1.1 to help you, but somehow the download link for previous releases of splunk doesn't work :/.
... View more
07-09-2020
10:43 AM
Just one addon to your arhitecture. Search head cluster should have at least 3 members. Otherwise it won't be able to elect the search head captain.
... View more
07-09-2020
10:38 AM
We had just installed Splunk Add-on for Amazon Web Services on brand new Splunk server version 8. Works like a charm. You've mentioned that you are using Splunk 7.3.1.1. That might be the reason it is not working, since latest version of Add-on is supported only on Splunk version 8. I guess you have two options: Upgrade your heavy forwarder to latest splunk version Use old version of add-on - 4.6.1. is supported with splunk 7.3.
... View more
07-09-2020
05:33 AM
After small amount of scripting and even greater amount of waiting we finally managed to get those slice files merged with journal.gz. We tried uncompressing journal.gz and just appending slice file, but it didn't work. Final solution was to use "splunk cmd exporttool" and "splunk cmd importtool". Because the amount of bucket, that needed to be fixed was above 2500 we addapted the export/import script that was published splunkwiki years ago. I am sharing it here in case somebody needs it in future. #!/bin/bash
:'
This is a bucket fixup script. It fixes the buckets with leftover slices by using export command.
It also renames buckets that are single-instance to cluster format (by adding instance GUID)
Author: Žiga Humar, Our Space Appliances
Author takes no responsibily for this script or for any data corruption it might cause.
Thanks to jrodman, whos script was good starting point. And to Christian Bran at Splunk Support who expained me the
logic about leftover slices.
'
# EDIT YOUR VARIABLES HERE
BUCKET_TMPDIR=/tmp
SPLUNK_HOME=/opt/splunk
SPLUNK_BIN=/opt/splunk/bin/splunk
INSTANCE_GUID="C221DE6A-20A8-41B8-A8D2-27E1F7A4B0B8"
PATHS=(splunkhot splunkcold)
# VARIABLES FINISHED
EXPORT_CMD="$SPLUNK_BIN cmd exporttool"
IMPORT_CMD="$SPLUNK_BIN cmd importtool"
declare -a index_list
# select indexes to process
for path in ${PATHS[0]};
do
for index in /opt/$path/*;
do
index_name=$(basename $index)
if [ -d $index ] && [ ${index_name:0:1} != "_" ] && [ $index_name != "audit" ]
then
index_list+=($index_name)
fi
done
done
# loop trough hot and warm paths
for path in ${PATHS[@]};
do
echo "$(date) Processing path=/opt/$path/"
# loop trought indexes
for index in /opt/$path/*;
do
index_name=$(basename $index)
# check if this index should be processes by this instance
index_found=0
for iteration_index in "${index_list[@]}"
do
if [ "$iteration_index" == "$index_name" ] ; then
index_found=1
fi
done
# if this is folder and if it should be processed keep on going
if [ -d $index ] && [ $index_found == 1 ]
then
echo "$(date) Processing index: $index_name"
for bucket in $index/*/db_*;
do
bucket_dir=$(dirname $bucket)
bucket_name=$(basename $bucket)
if [ -d $bucket ] && [ ${bucket_name:0:2} == "db" ]
then
bucket_id_guid=$(echo $bucket_name | sed 's/db_[0-9]*_[0-9]*_//')
bucket_guid=$(echo $bucket_id_guid | sed 's/[0-9]*//')
bucket_id=$(echo $bucket_id_guid | sed 's/_[0-9a-Z\-]*$//')
#echo "$(date) Checking bucket=$bucket_id index=$index_name"
#echo "$(date) Guid: ${bucket_guid}"
# If rawdata folder contains uncompressed slice file, do the export/import procesure
if [ $(find $bucket -type f -regex '.*rawdata/[0-9]+$' | wc -l ) != "0" ] ;
then
echo "$(date) FIXUP task for bucket=${bucket_id} index=$index_name required"
echo "$(date) Exporting bucket=${bucket_id} index=$index_name"
NEW_BUCKET=$BUCKET_TMPDIR/new_bucket_$index_$bucket_id
EXPORTING_BUCKET=$BUCKET_TMPDIR/export_bucket_$index_$bucket_id.csv
# delete old export files (just in case they are left from previous migration)
rm -Rf $NEW_BUCKET
rm -Rf $EXPORTING_BUCKET
# do export
SECONDS=0
$EXPORT_CMD $bucket $EXPORTING_BUCKET -csv
EXPORT_ENDTIME=$(date +%s)
duration_export=$SECONDS
echo "Export took $duration_export seconds."
# do import
echo "$(date) Reimporting bucket=${bucket_id} index=$index_name"
SECONDS=0
$IMPORT_CMD $NEW_BUCKET $EXPORTING_BUCKET
duration_import=$SECONDS
echo "Reimport took $duration_import seconds."
# go into new bucket and get earliest and latest time in the bucket
(cd $NEW_BUCKET; ls *.tsidx | sed 's/-[0-9]\+\.tsidx$//' |sed 's/-/ /') | {
global_low=0
global_high=0
while read high low; do
if [ $global_high -eq 0 ] || [ $high -gt $global_high ]; then
global_high=$high
fi
if [ $global_low -eq 0 ] || [ $low -lt $global_low ]; then
global_low=$low
fi
done
REAL_BUCKET_NAME=db_${global_high}_${global_low}_${bucket_id}_${INSTANCE_GUID}
# move the old bucket to temporary location
if [ -d $bucket ];
then
mv $bucket $BUCKET_TMPDIR
else
echo >&2 bucket $bucket vanished while processing.. inserting new one and hoping for the best
fi
# replacing old bucket with a new one
echo "Replacing bucket=${bucket_id} index=$index_name"
mv $NEW_BUCKET $bucket_dir/$REAL_BUCKET_NAME
}
# delete temporary export file and the old one.
rm -rf $BUCKET_TMPDIR/$bucket_name # delete old one
rm $EXPORTING_BUCKET # delete exported one
# if bucket folder doesn't end with the INSTANCE_GUID, lets append it
elif [ "$bucket_guid" != "_${INSTANCE_GUID}" ];
then
echo "$(date) Renaming bucket=${bucket_id} from single instance to cluster format index=$index_name"
mv $bucket ${bucket}_${INSTANCE_GUID}
fi
fi
done
fi
done
done
Just for info: we had 30% of buckets in this state. The total size of all indexes is 3 TB. It took us 4 days to run the script. And after running it, there was also a couple of other buckets that were corrupted which had to be exported in same fashion, but it was fast and easy job.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma from
Karma given to
