Timestamps are not properly being parsed using v1.0.0 of the TA-pps_ondemand app. 01-16-2019 02:56:09.819 -0500 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Jan 16 02:28:43 2019). Context: source=proofpoint_message_log|host=sp-01|pps_messagelog| ... View more

Anyone out there doing 10G with Splunk Stream on RHEL (or linux) utilizing an Intel x520? We're attempting to configure a dedicated Stream capture server on RHEL7 with 2x 1GB copper nics bonded and bound to TCP, and the x520 is designed to be a dedicated out of band monitoring card. The optical link is connected to Gigamon. We've validated the link is active and sending data through the transceiver by plugging it into a fluke. Problem 1: RHEL isn't recognizing the link: Settings for eth6: Supported ports: [ FIBRE ] Supported link modes: 10000baseT/Full Supported pause frame use: No Supports auto-negotiation: No Advertised link modes: 10000baseT/Full Advertised pause frame use: No Advertised auto-negotiation: No Speed: Unknown! Duplex: Unknown! (255) Port: Other PHYAD: 0 Transceiver: external Auto-negotiation: off Supports Wake-on: umbg Wake-on: g Current message level: 0x00000007 (7) drv probe link Link detected: no Problem 2: I have configured Splunk for dedicated capture as described in the documentation. > cat streamfwd.conf [streamfwd] dedicatedCaptureMode = 1 streamfwdcapture.0.interface=0000:01:00.0 When Splunk starts, RHEL drops the entire network stack (the servers go offline): Jun 23 11:16:17 sp-strm-01 kernel: Generic UIO driver for PCI 2.3 devices version: 0.01.0 Jun 23 11:16:17 sp-strm-01 kernel: ixgbe 0000:01:00.0: removed PHC on em1 Jun 23 11:16:17 sp-strm-01 kernel: igb 0000:06:00.0: removed PHC on em3 Jun 23 11:16:17 sp-strm-01 kernel: igb 0000:06:00.1: removed PHC on em4 Jun 23 11:16:17 sp-strm-01 kernel: igb 0000:81:00.0: removed PHC on p1p1 Jun 23 11:16:17 sp-strm-01 kernel: bond0: Releasing active interface p1p1 Jun 23 11:16:17 sp-strm-01 kernel: bond0: the permanent HWaddr of p1p1 - a0:36:9f:e5:9b:78 - is still in use by bond0 - set the HWaddr of p1p1 to a different address to avoid conflicts Jun 23 11:16:17 sp-strm-01 kernel: bond0: making interface p1p2 the new active one Jun 23 11:16:17 sp-strm-01 kernel: igb 0000:81:00.1: removed PHC on p1p2 Jun 23 11:16:17 sp-strm-01 kernel: bond0: Releasing active interface p1p2 Jun 23 11:16:17 sp-strm-01 kernel: igb 0000:81:00.2: removed PHC on p1p3 Jun 23 11:16:18 sp-strm-01 kernel: igb 0000:81:00.3: removed PHC on p1p4 Would appreciate any guidance y'all might have... ... View more

The documentation[1] for the Splunk Stream does not include SSH as one of the recognized protocols for field extraction. I'd like the capability to extract, for example, the SSH keys (fingerprints) as part of our threat intelligence collection (eg, see [2]). Is this possible with Splunk Stream? If not, how do we get this into the product team's hands to get this support added? 1: http://docs.splunk.com/Documentation/StreamApp/7.0.0/DeployStreamApp/ProtocolDetection 2: https://www.bro.org/sphinx-git/scripts/base/bif/plugins/Bro_SSH.events.bif.bro.html ... View more

When configured for LDAP authentication, Splunk will "fall back" to splunk local accounts if the LDAP user isn't found. Is it possible to bypass SAML authentication to log in with a Splunk local account? I've tried a variety of things including statically pasting the link to /en-US/account/login? but no matter what, I'm directed to the ADFS AdP. Right now that's not working, so I need to make modifications and re-export the SAML metadata /saml/spmedata but even that forces me to the IdP login page. I'm kinda stuck... I did manage to switch authentication.conf to Splunk local logins so I could log in as local admin, make the appropriate changes, and re-export the metadata, but there must (should) be a way to allow this... ... View more

The upgrade instructions for indexer clusters specifies: When you upgrade from a 6.x, such as 6.2, indexer cluster to a 6.3 cluster, you must take all cluster nodes offline. You cannot perform a rolling, online upgrade. What about upgrading a 6.3 cluster to 6.4? I presume it's "safe" to follow this advice, but the phrasing sorta implies a rolling upgrade is possible... ... View more

Enterprise Security 3.3.1, Splunk 6.2.4. I have notable events being generated by correlation searches (for instance, Short-lived account detected, but there are others). For each notable in the Incident Review dashboard, there are links to View original event and View account change events of $user$ (or whatever is set under the correlation search's "drill-down name"), but rather than being bound to the time of the original event, it's reverting to the default (last 15 minutes in our case) and showing no results. What should the notable event be keying off of for "event time"? I'm presuming we should be passing a time field or two from the correlation search to key off of? I want to be able to similarly set earliest and latest default times for custom notables I'm working on, but the only way I can seem to get it to work is to hard code earliest and latest in my search string, which makes it more difficult for my analysts to pick different time boundaries (via zoom, dragging around in the timeline, or using the time picker) . ... View more