04-18-2018
01:01 AM
1 Karma
Assuming you have installed Splunk Enterprise in the default location ("C:\Program Files\Splunk"), which is also known as $SPLUNK_HOME path:
Open Command Prompt
Navigate to $SPLUNK_HOME\bin folder
Issue the command splunk start and wait for the application to start.
Normally, Splunk Enterprise setup would create a service (should be listed in Services.msc console) and set it to start Automatically at OS boot.
Another 'legacy' service would be in 'Manual' mode and does not need to be started for Splunk to run properly. This service status can be safely ignored.
I look forward to your comments/feedback/vote.
Rgds, Mitesh.
01-17-2018
06:08 AM
Have you tried creating a 'Field Alias' for both aIP and bIP?
If not, create one as src_ip and try this:
index=web (sourcetype=a OR sourcetype=b) | table page, src_ip
HTH, Mitesh.
09-30-2016
10:23 PM
The new version of Kaspersky Security Center 10.3.x can send fresh data (as well as historical data available in the backend DB) to Splunk in CEF format. Just provide the IP address and port number of the Splunk Indexer.
Run the Console.
Expand the node Reports and notifications → Events.
Select Properties in the context menu.
On the Exporting events tab, select the check box Automatically export events to SIEM system database.
Select Splunk from the drop-down list and specify the address of your SIEM server.
Click OK.
Hope this helps.
Regards, Mitesh.
09-02-2016
12:58 AM
1 Karma
The documentation of the App states: BEFORE YOU START USING THE APPLICATION, PLEASE CONTACT KASPERSKY LAB TO GET KASPERSKY THREAT FEED SERVICE AND ACCESS TO KASPERSKY THREAT INTELLIGENCE DATA FEEDS.
Kindly reach out to anyone in Kaspersky Lab team in your region for obtaining trial access to the feed service.
Kaspersky Threat Feed App for Splunk and Feed Service have the following system requirements.
Supported operating systems: Linux x64
Software requirements: Splunk 6.2+ & Python 2.6, 2.7
Source URL: https://help.kaspersky.com/KFS/1.0/en-EN/98426.htm
Make sure your system meets the stated requirements.
Please share your experience.
Mitesh.
12-28-2015
05:39 AM
In case you do not find anything relevant to the context of the topic, feel free to use the Visio/OmniGraffle stencils to create your own diagrams.
Contact me offline and I will be happy to help you as well.
12-22-2015
05:58 AM
2 Karma
Apart from the list of the questions, there are some more that would be useful for a Splunk Solution Architect:
Is this a stand-alone Splunk instance or a distributed deployment?
How are the Indexers placed (close to the Application Servers, or away in another DataCenter)?
By default, FWDR are configured for consuming 256kbps of bandwidth. Is this sufficient or can the customer/business unit allocate more?
Do you need the logs in offline/archive format for Compliance/Regulatory reasons? If so, provision archival/backup storage accordingly.
Are there any key terms within Application logs that should/can be discarded, or special event logs that should be routed/filtered to a special index?
Is there a plan to migrate the Application to a different platform (OS, language, on-premise-to-cloud, etc.)? If so, get it documented right now.
Suggest that OS and Network logs be collected/captured for better troubleshooting of Application-related errors, latency problems, and challenges/concerns in the future.
12-21-2015
08:11 PM
1 Karma
In case you are using the Common Information Model, you can start your search as tag=Authentication. This will invoke the data from across all "relevant" indexes and will be much faster in returning results.
12-19-2015
07:17 PM
Here is the link: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/DashboardPDFs#Limitations_to_PDF_generation
And this is the direct text for quick view:
Limitations to PDF generation
Integrated PDF generation functionality has a few limitations:
PDFs for dashboards with multiple panels in a row might generate with only a single panel per row.
You cannot generate PDFs of dashboards that are built using advanced XML or HTML. Splunk only supports PDF generation from dashboards built with simple XML.
You cannot generate PDFs for forms.
PDF generation ignores charting customizations that are not supported by the JSChart charting library. The finished PDF displays the panels as rendered in JSChart with the unsupported customizations removed.
Hope this helps.
Mitesh.
12-19-2015
07:09 PM
Have a look at the Fire Brigade App. You might find a lot of useful panels which can be re-used to fit your purpose. It comes with a TA to gather info from across other Splunk instances too.
09-14-2015
11:04 PM
1 Karma
While it is not a Splunk-supported way, try this: http://splunk-sizing.appspot.com/
09-14-2015
05:33 AM
If your download trial is over 60-day period, you cannot extend the trial duration by simply copying the license from another download trial or overwriting the existing Splunk instance with a fresh download copy. (this is most likely your case since you mentioned 'splunk.license' file name, commercial/paid enterprise license files are named differently.)
Also a download trial only allows 3 warnings before it locks down your search (except searching _internal index).
A reset license only allows you to reset the count of the warnings, but will not extend your trial license for another 60-day window.
09-03-2015
08:30 AM
I have updated the answer with path to the directory where the jar file needs to be copied.
Hope this helps.
Mitesh.
09-03-2015
03:28 AM
Couple of things:
1. Grab MS SQL Server JDBC Driver 4.0 from here. Extract and drop the sqljdbc4.jar file to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/bin/lib directory.
2. Restart Splunk.
3. Download the DB Connect App 2.0.4.
4. Configure MS SQL Server to use Mixed Authentication (try it before-hand via Management Console or CLI, your choice).
More Troubleshooting steps can be referred here.
If this answer has helped you, please vote and mark this as accepted answer.
Thanks, Mitesh.
09-02-2015
02:25 AM
1 Karma
Check if this one works for you: ... | fieldformat time_field = strftime(time_field, "%H:%M:%S %d/%b/%Y")
08-16-2015
10:50 PM
+1 to what @Esix said.
Additionally, there are times when firewalls and auth/transparent proxies play evil and restrict the connection.
07-13-2015
04:36 AM
There are a handful of apps which can help you with field extractions. Have a look at this list and pick what meets your requirement or is the closest.
Mitesh.
06-27-2015
01:22 PM
2 Karma
One of the lines in the message log reads "Connection refused.". Check:
1. MSSQL is set to use SQL Authentication.
2. JAVA_HOME is auto-detected by the app while setting it up after installation.
3. If using DBX 1.1.7, use jre7u or jre8u45 for DBX 2.0.x
Please share which OS / SQL Server version / JRE version you have in your setup.
Mitesh.
05-25-2015
07:37 PM
@kobayashikenji I am a bit curious to know about the purpose of force-stopping Splunk. 🙂
05-25-2015
04:19 AM
AFAIK, cron does not go down to sub-minute resolutions/granularity.
05-25-2015
04:12 AM
There is a high possibility that the data you wish to forward is already sent and there is no more new data to be sent.
Try generating some events or run this eventgen to produce random samples, and then check the status.
Regards, Mitesh.
05-25-2015
03:33 AM
1 Karma
Splunk Docs link for "Naming conventions for apps and add-ons on Splunkbase" : http://docs.splunk.com/Documentation/Splunkbase/latest/Splunkbase/Namingguidelines
Mitesh.
05-25-2015
12:51 AM
1 Karma
You can kill all processes on 'splunkd' with
kill `ps -ef | grep splunkd | egrep -v grep | awk '{print $2}'`
But, just like @esix_splunk mentioned, make sure you restart Splunk with the correct user, and note that using Splunk's native commands to Start/Stop/Restart the service is much cleaner.
Mitesh.
05-25-2015
12:33 AM
Here is the doc link that explains how Splunk handles log file rotation.
On the other hand, you can also add ignoreOlderThan = stanza in inputs.conf file, with value mentioned as {number}{unit} (without brackets). For example, "7d" indicates one week. Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds).
Let us know what worked for you so others visiting this post can learn/re-use.
Regards, Mitesh.
05-25-2015
12:05 AM
You can use the Whitelist stanza in your inputs.conf. You can add the keywords/event codes that are part of the events you wish to capture.
Here is the doc link for detailed explanation.
Mitesh.
05-13-2015
12:13 AM
1 Karma
Or you can consider looking for details like 'passwords captured in plain text and stored in logs', SSN or Credit Card Numbers in your logs.