If you go to the Search page within the Cloudflare application and perform a search against the raw cloudflare data that has been indexed, do you see all of the expected fields from the query you shared visible? I'm expecting one, or more, of them is missing which is causing this query to fail. That or there are simply no events with OriginResponseStatus="200" in them. ClientCountry ClientDeviceType dest_ip dest_host uri_parth http_user_agent http_method status src_ip uri_path OriginResponseStatus RayID WorkerSubrequest ... View more

@davidpaper A couple of additional notes I had from working with support 1-2 years ago on the limitations of _introspection logs for HEC: The way to differentiate the _introspection events is to filter on data.series="http_event_collector" for the rolled up summary of all tokens or data.series="http_event_collector_token" for the per-token summaries. This is useful for making sure you're doing your math against the proper numbers as you elude to above 🙂 At times you may have num_of_requests=0 however total_bytes_received>0. It was explained to me that.. "this channel writes every minute, so if the channel gets the data but has not processed it just yet, you can generally get the details in the next event from the same token/indexer" Multiple requests can make up a single _introspection log so take the math of total_bytes_received / num_of_requests with a grain of salt. If you have multiple clients all using the same token then you could have situations where one client is making big requests while another in making small, thus skewing this average. There is no way to more granularly understand the relationship of requests to the introspection logs. Therefore say if you have num_of_requests=3 and the next _introspection event from the same indexer shows num_of_requests=2 there is no way of knowing if 1 request was processed between that time frame or say 1 new request came in and two requests were processed. It makes tracking the status of requests within the _introspection log extremely painful, also when you need to track back issues to the client side all you have to go off of is trying to correlate based on timing. ... View more

Why not just use the on-prem instance as a hybrid search head then no need to forward the data? ... View more

You can also simply use the extremely popular MetaWoot! App for Splunk. It provides a ton of useful reporting, including license reports... https://splunkbase.splunk.com/app/2949/ ... View more

I originally wrote the Barracuda Web Filter application a longgg time ago (first published in 2011 with last update in 2014) and it was intended only for use with Barracuda Web Filter appliances. The app is in much need of a refresh as a whole and its also possible the format of your data may not match expectations of the app. With that said, if you wish to supply me with a sample of your data I can assess if it makes sense to do it within that app or building a separate app is better. Let me know if you can supply a sample and we can take the communication off-forum. ... View more

Is there any target date for the next maintenance release? Same issue here with an environment gearing up to have 150+ devices sending NF 😞 ... View more

If you're copying/pasting the search I posted and answer for back in 2011 then the HTML chars in the regex are breaking it (dont know why those are there)... but also note there are addons and custom commands people have developed since there that are a bit more detailed/flexible than this post was... If you want to use this search then it should be like this: index=access_logs | fields + user_agent | rex field=user_agent "((?<browser_ff>Firefox\S+)|(?<browser_ie>MSIE [\d\.]+)|(?<browser_opera>Opera)|(?<browser_chrome>Chrome)|(?<browser_safari>Safari)|(?<browser_java>Java\S+)|(?<browser_nagios>nagios\S+)|(?<browser_nessus>[Nn][Ee][Ss][Ss][Uu][Ss])|(?<browser_apache>Apache\S+))" | eval browser_none=if(user_agent=="-","None","") | fillnull value="" browser_ff browser_ie browser_chrome browser_safari browser_opera browser_java browser_nagios browser_nessus broswer_none browser_apache | eval browser = browser_ff.browser_ie.browser_chrome.browser_safari.browser_opera.browser_java.browser_nagios.browser_nessus.browser_none.browser_apache | top 50 browser ... View more

Not sure if you have already solved this one since its been some time... but I just ran into the same error and for anyone else that comes across this, here is what my issue was and the solution... When you run the command in the instructions (https://github.com/splunk/splunk-add-on-google-drive/blob/master/README.md) that takes the client id/secret key and then has you enter the authorization code, what it does is create a local credentials file named splunk_input_name_google_drive_creds which the add-on expects to be within $SPLUNK_HOME/etc/apps/splunk-add-on-google-drive/bin/ ...in my case when I ran this command the file was created in $SPLUNK_HOME so I needed to move it to the proper bin directory. Upon doing so, this fixed the authentication issue but then the Google Reports API returned a 403 error because in the documentation it is missing the part that you must choose the "Admin SDK" from the "Google Apps APIs" after creating your project. If this API is not enabled for your project, then you receive the 403 error. All of this troubleshooting is made much easier if you enable DEBUG logging or logging to a separate file (not splunkd.log). Check inside $SPLUNK_HOME/etc/apps/splunk-add-on-google-drive/bin/googledrive.py for more information. Hope this helps. ... View more

Hi Lucas, This is where a bit of confusion lies in what you would think the parameter you are looking for is called and what it is actually called... The 'namespace' parameter will define the application context in which it is to run. Its definitely not clear in the REST endpoint doc but you can understand namespace here: http://docs.splunk.com/Documentation/Splunk/6.4.0/RESTUM/RESTusing#Namespace Which you can then see is an available parameter to the REST endpoint you are calling: http://docs.splunk.com/Documentation/Splunk/6.4.0/RESTREF/RESTsearch#search.2Fjobs.2Fexport Give it a shot and you should get your desired output. ... View more

I hear ya, I see those conversations all too often. We can't give the naysayers any fuel for their fight! But with that being said I would never disagree with this being a good time for all those out there to kick off the development, and injection, of a process of ripping out vendor-provided certs in favor of their own. Definitely not easy for legacy stuff but at least now is the time to start building the process for future rollouts and get a good handle on @dwaddle's awesome SSL presentation/talks. ... View more

@jbrodsky does this need to be qualified a bit further tho? Because the forwarder application provided for Cloud customers would only contain the outputs.conf therefore default certs would still be used for the REST API (default mgmt port 8089). However, as demonstrated with our tests below, this should not impact the operating of a Universal Forwarder or Heavy Forwarder (which has yet to be mentioned as well) since we were not able to observe any default enforcement of certificate validation on the REST API. Any on-prem Deployment Server used to manage the U/H Forwarders should also continue to use the default certs and work regardless of version. So really from a Forwarder perspective, the only impact of all of this (Cloud customer, or not) would be on the use of Splunk TCP SSL forwarding (splunktcp-ssl). Am I fair to say this? ... View more

Thanks @mcluver ... glad the Discovered Intelligence team and I could help out -- your comments are the exact reason we jumped on this testing in the first place today 🙂 ... View more

Thats what is trying to be demonstrated with the post...by default the functionality does not do validation of the client certificate, therefore by default the impact is less than whats stated because who really turns on client certificate validation without putting down their own set of certs at the same time? Therefore, environments using old forwarders with default certs for internal splunk-to-splunk communication can survive past July 21st under the condition that certificate is not being used for Splunk TCP SSL forwarding. I am not arguing that keeping expired certs is a good practice, its just simply that users have more of a window to upgrade the UF or upgrade the cert, as long as the cert is not being used for Splunk TCP SSL forwarding. If the cert is being used for forwarding, then the rush is on... ... View more

Are you sure about the side issues with the Universal Forwarders? What level of testing has been performed? Right now in my lab we have the following: Universal Forwarder v6.2.9 (ip-172-31-17-125) Deployment Server v6.2.9 (ip-172.31.17.127) Search Head v6.3.2 (ip-172.31.17.128) Indexer v6.3.2 (ip-172.31.17.124) The system time on all instances have been set to beyond the expiry date of the certificate (July 21). [root@ip-172-31-17-125 auth]# openssl x509 -enddate -noout -in cacert.pem notAfter=Jul 21 17:12:19 2016 GMT [root@ip-172-31-17-125 auth]# date Fri Jul 22 22:46:21 UTC 2016 As expected the Splunk SSL forwarding fails connectivity to the Indexer with the Indexer returning a message to check the certificate expiry: 07-22-2016 22:59:00.941 +0000 ERROR TcpOutputFd - Connection to host=172.31.17.124:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed But I am not observing any issues with DS communication. It actually completes the handshake succesfully with the DS: [splunk@ip-172-31-17-125 ~]$ splunk display deploy-client Deployment Client is enabled. [splunk@ip-172-31-17-125 ~]$ splunk show deploy-poll Deployment Server URI is set to "172.31.17.127:8089". 07-22-2016 22:58:12.841 +0000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected 07-22-2016 22:58:17.846 +0000 INFO HttpPubSubConnection - SSL connection with id: connection_172.31.17.125_8089_ip-172-31-17-125.us-west-2.compute.internal_ip-172-31-17-125_uf-6.2 07-22-2016 22:58:17.850 +0000 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.31.17.125_8089_ip-172-31-17-125.us-west-2.compute.internal_ip-172-31-17-125_uf-6.2 07-22-2016 22:58:24.842 +0000 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.31.17.125_8089_ip-172-31-17-125.us-west-2.compute.internal_ip-172-31-17-125_uf-6.2 07-22-2016 22:58:24.843 +0000 INFO DC:HandshakeReplyHandler - Handshake done. On the DS side I can see the client phone in, I can assign it to serverclasses and successfully have it download and install deployment applications, even performing a restart after install. From the CLI/API perspective, I can run commands on the Universal Forwarder to interact as a normal admin might without issue: [splunk@ip-172-31-17-125 ~]$ splunk disable deploy-client Your session is invalid. Please login. Splunk username: admin Password: Deployment Client is disabled. You need to restart the Splunk Server (splunkd) for your changes to take effect. [splunk@ip-172-31-17-125 ~]$ splunk edit user admin -password doesthiswork Your session is invalid. Please login. Splunk username: admin Password: User admin edited. From the Search Head I can actually add the DS as a search peer, further showing splunk-to-splunk API access across 8089 is successful: [splunk@ip-172-31-17-128 ~]$ splunk list search-server Server at URI "172.31.17.124:8089" with status as "Up" Server at URI "172.31.17.127:8089" with status as "Up" UPDATE 1: Forgot to add, that we also in the lab spun up a DS with 6.3.2 and observe the same success with communication between the UF on 6.2.9 and DS on 6.3.2. ... View more

You will need to distribute the app to the indexers as noted here: https://answers.splunk.com/answers/312136/sa-ldapsearch-connection-test-failing-he-default-c.html ... View more

Yes the RSA app is in dire need of an update, but unfortunately time has not permitted this activity to commence. Christmas "holidays" may provide such a time though 🙂 Are you able to provide me with a sample of your syslog data (just replace any sensitive data with fictitious data)? It would be beneficial to compare the samples we have built the TA on against that which you have. ... View more

Hi nychawk, No it currently does not since the RSA app has not been updated in quite some time. I am however working on that as we speak and hope to have it updared/supported by early next week. I will post for you here when I am done. Thanks, Josh ... View more

Ok great, feel free to contact me directly -- josh _ discoveredintelligence % ca _ = @ % = . 🙂 ... View more