Hi, TA-trendmicro is indeed delivered with Splunk Enterprise Security. To deploy it in a distributed environment, you will need to extract the add-on from the Splunk ES package and install/configure it across your indexers (cluster) and the forwarder running TMCM.
In TMCM you need to configure the alerts you are interested in to write an event in the Application Windows Event Log. TMCM events will be processed by TA-trendmicro, assigning sourcetypes, tags, extracting fields etc. so they become available to the ES Data Models.
I got the data into Splunk, properly tagged, sourcetype and all. However, I don't find the data in ES? Did you? What more is needed?
I have created a "Status over time" Multi-KPI alert and selected the ServiceHealthScore to configure a trigger. The trigger fires if the ServiceHealthScore is critical for more than 50% of the time. My correlation search runs every 15 minutes over the previous 15' period.
As ServiceHealthScores are calculated every 1', I have 15 samples in my correlation search results. As soon as 8 or more of these samples find the ServiceHealthScore in a critical state, a notable event should be generated and an episode will be started or appended to. What happens instead is that a notable event is fired as soon as 1 or more samples return 'Critical' within the 15' period?
I have analyzed the correlation search and found what I believe to be an error in a bugfix on an earlier error ... I found an earlier post by someone who also found this error and reported it to Splunk, I could not find it in the list of fixed issues of later ITSI releases though ...
In ITSI 4.1.2 the correlation search read : ..... stats count as occurances ...... and : ... 'getPercentage(alert_period, occurence), which obviously did not work as the occurence field did not correspond to the calculated occurances field.
In ITSI 4.3.0 the correlation search was corrected and reads : .... stats count as occurences ... and : .... 'getPercentage(alert_period, occurence), which is close, but still no cigar .... as occurences is plural and occurence is not.
So far for testing I suppose, as the correlation search is still not working and returns 100% regardless of the number of occurences satisfying the specified 50% Critical trigger condition....
Fixing it is simple enough (How do I call this fix on a bugfix now ? a bigfix ?) :
.... stats count as occurence .... and then .... 'getPercentage(alert_period, occurence) ... calculates the percentage correctly and notable events are only generated when the trigger condition is really met. To implement this bigfix, you need to edit the search in the correlation search editor and once you do that you cannot use the Multi-KPI Alert editor anymore on that correlation search. This is a one way street guys, there is no way back until Splunk fixes the search generator.
Hopefully this helps other Splunkers to save some troubleshooting time and inspires Splunk to bigfix their bugfix 🙂
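As an added illustration of the trigger logic described in the post above (this is not the post's own SPL, nor ITSI code): a small Python model of the "status over time" check, with the field-name contract between the stats step and the percentage macro made explicit. The percentage formula, the field names and the sample rows are assumptions; the post reports that the mismatched version returned 100%, whereas this model surfaces the mismatch as a missing-field error.

```python
# Added example, not from the post and not Splunk/ITSI code: a Python model of a
# "Status over time" Multi-KPI trigger and the stats-output / macro-argument
# field-name mismatch discussed above. Field names and data are constructed.
from collections import defaultdict

ALERT_PERIOD = 15       # samples per correlation-search window (15 x 1-minute KPI results)
TRIGGER_PERCENT = 50.0  # fire when the service is critical for more than 50% of the window


def build_sample_rows():
    """Constructed 15-minute window: svc-a is critical for 8 of 15 samples, svc-b for 5."""
    critical_minutes = {"svc-a": 8, "svc-b": 5}
    lines = []
    for svc, n_crit in critical_minutes.items():
        for minute in range(ALERT_PERIOD):
            sev = "critical" if minute < n_crit else "normal"
            lines.append(f"_time=2024-01-01T10:{minute:02d}:00 service={svc} alert_severity={sev}")
    return "\n".join(lines)


def parse_rows(text):
    """Parse constructed key=value rows (a stand-in for search results) into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rows.append(dict(kv.split("=", 1) for kv in line.split()))
    return rows


def stats_count_as(rows, out_field, by="service", where=("alert_severity", "critical")):
    """Model of `... | stats count as <out_field> by service`, counting critical samples.
    The name of the produced field is exactly out_field; nothing else is emitted."""
    key, value = where
    counts = defaultdict(int)
    for row in rows:
        if row.get(key) == value:
            counts[row[by]] += 1
    return [{by: svc, out_field: n} for svc, n in sorted(counts.items())]


def get_percentage(alert_period, occurrence):
    """Assumed meaning of the getPercentage macro: share of the window that was critical."""
    return 100.0 * occurrence / alert_period


def evaluate(rows, out_field, in_field):
    """Run the stats step with out_field and feed in_field to the macro.

    When the two names differ (occurances/occurences vs occurence in the post), the
    macro never sees the computed count; here that is reported as a KeyError rather
    than silently producing a number.
    Returns {service: (percent_critical, trigger_fired)}.
    """
    results = {}
    for stat in stats_count_as(rows, out_field):
        if in_field not in stat:
            raise KeyError(f"macro expects field {in_field!r} but stats produced {out_field!r}")
        pct = get_percentage(ALERT_PERIOD, stat[in_field])
        results[stat["service"]] = (pct, pct > TRIGGER_PERCENT)
    return results


if __name__ == "__main__":
    rows = parse_rows(build_sample_rows())
    # Consistent names: 8/15 = 53.3% fires, 5/15 = 33.3% does not.
    for svc, (pct, fired) in evaluate(rows, "occurence", "occurence").items():
        print(f"{svc}: {pct:.1f}% critical -> {'NOTABLE' if fired else 'ok'}")
    # Mismatched names, as in the versions the post describes.
    try:
        evaluate(rows, "occurences", "occurence")
    except KeyError as err:
        print("field contract broken:", err)
```

The `evaluate` call with matching names is the "bigfix" from the post: whatever the stats step names its count, the macro must be handed that same name, and a quick contract check like the one above catches the drift before the search is deployed.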
Thanks but no, that's what I did and rpm still replaced both my v7.0.1 instance in the path provided through --prefix AND my v6.6.3 instance installed in the default /opt/splunk folder 😞 Basically the reason I started this thread was to find out if there is a way to upgrade just one of the installed instances. Other ideas anyone?
I have two instances running on a non-production linux box, one is v6.6.3 (TST) and the other one is v7.0.1 (DEV) as I can test new features first in DEV and only later plan an upgrade of TST. Having them run both on one box is not ideal, but quick and cheap.
Installing them side by side was not too complicated using rpm -i --prefix=... to specify the installation path. Splunk detects ports are already used when starting the 2nd instance and prompts you to specify other, free ports. Both instances then run fine in parallel.
Upgrading to 7.0.2 with rpm -U is not a wise thing to do, since it will replace all installed older versions with the new one. This will thus remove the v6.6.3 instance along with upgrading the v7.0.1 instance! Is it in my case better to 1/ rpm -e uninstall the v7.0.1 package and 2/ rpm -i install the v7.0.2 package? Will it keep/migrate my configuration files? my add-ons? my data?