Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About woodcock
woodcock
Esteemed Legend
Member since:
10-22-2010
Friday
Community Statistics
| Posts | 12418 |
| Solutions | 1767 |
| Karma Given | 1962 |
| Karma Received | 3931 |
| Member Since | 10-22-2010 |
Activity Feed
- Got Karma for Re: Change the span start time defaults when using bin span=1w _time. 6 hours ago
- Got Karma for Re: Change the span start time defaults when using bin span=1w _time. 6 hours ago
- Got Karma for Re: Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution). Saturday
- Got Karma for Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution). Saturday
- Got Karma for Re: Formatting in CSV when using Stats. Friday
- Got Karma for Re: How to tag events based on the host value that contains a condition?. Friday
- Posted Re: Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution) on Reporting. Friday
- Got Karma for Re: Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution). Thursday
- Got Karma for Re: What causes "Search auto-canceled"?. 2 weeks ago
- Karma Re: How to get a report on latency between Heavy Forwarder and Indexer? for bharadwaja30. 3 weeks ago
- Got Karma for Re: Data being auto-indexed as .tmp file instead of .csv. 3 weeks ago
- Got Karma for Re: How do I add yesterday's date to an emailed report subject?. a month ago
- Karma How to use the threat feed I added using threat intelligence downloads in Splunk Enterprise Security? for thambisetty_bal. 12-26-2024 07:40 AM
- Karma Re: How to use the threat feed I added using threat intelligence downloads in Splunk Enterprise Security? for kchamplin_splun. 12-26-2024 07:40 AM
- Posted Re: How do I test/check to see if my new "local" ES ThreatFeed is working? on Splunk Enterprise Security. 12-26-2024 07:39 AM
- Posted How do I test/check to see if my new "local" ES ThreatFeed is working? on Splunk Enterprise Security. 12-25-2024 11:46 AM
- Posted Re: How to compare events from two sourcetypes in the same index without using join on Splunk Search. 12-22-2024 08:50 PM
- Posted Re: How to find empty indexes in Splunk Cloud? on Splunk Search. 12-22-2024 07:34 PM
- Posted Re: Splunk Enterprise Security: How to use a downloaded threat intelligence source as a lookup? on Splunk Enterprise Security. 12-22-2024 07:02 PM
- Posted Re: Scheduled report not working as expected when collected to a new Summary index on Splunk Enterprise. 12-22-2024 06:58 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 |
Friday
I forgot to mention that you also need to comment out the line in the systemd unit file that reaches out to github because the failure of that line causes the whole startup to fail.
... View more
12-26-2024
07:39 AM
I assume that this accepted answer is correct: https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-the-threat-feed-I-added-using-threat-intelligence/m-p/234794 So like this: | `service_intel`
| `process_intel`
| `file_intel`
| `registry_intel`
| `user_intel`
| `email_intel`
| `certificate_intel`
| `ip_intel`
... View more
12-25-2024
11:46 AM
I am using these dox: https://docs.splunk.com/Documentation/ES/8.0.1/Admin/AddThreatIntelSources#Add_threat_intelligence_with_a_custom_lookup_file It is pretty straightforward but I suspect that my configuraiton is not working. Where are the "master lookups" that Splunk's Threat Framework uses? I assume that there is 1 "master lookup" each for IPv4, domains, urls, hashes, etc. Or perhaps they are all combined into 1. There are about 100 lookups this client's ES and I have checked out the ones that look promising but didn't find my new data so I cannot conclude anything.
... View more
12-22-2024
08:50 PM
Something like this:
| makeresults
| eval host="sender"
| eval raw = mvappend("2024-12-18 17:02:50 , file_name=XYZ.csv, file copy success",
"2024-12-18 17:02:58, file_name=ABC.zip, file copy success",
"2024-12-18 17:03:38, file_name=123.docx, file copy success",
"2024-12-18 18:06:19, file_name=143.docx, file copy success")
| append [
| makeresults
| eval host="receiver"
| eval raw = "2024-12-18 17:30:10 <FileTransfer status=success>
<FileName>XYZ.csv</FileName>
<FileName>ABC.zip</FileName>
<FileName>123.docx</FileName>
</FileTransfer>"
]
| mvexpand raw
| rename raw AS _raw
| rex "^(?<_time>\S+\s+\S+)"
| eval _time = strptime(_time, "%Y-%m-%d %H:%M:%S")
| rex max_match=0 "(?ms)(\<FileName\>|file_name=)(?<FileName>.*?)(\<|,)"
| rex "(<FileTransfer status=\"?|file copy )(?<status>[^\"\>]+)"
| stats list(status) AS status_list list(host) AS host_list dc(host) AS hosts values(status) AS status BY FileName
| where hosts==1 OR status="fail*"
... View more
12-22-2024
07:34 PM
Like this:
| tstats count max(_time) AS _time WHERE index IN("_*", "*")
BY index
| eval which = coalesce(which, "data")
| append [
| rest splunk_server=local /services/data/indexes
| dedup title
| table title
| rename title AS index
| eval which = coalesce(which, "defined") ]
| stats dc(which) AS which_count values(which) AS which first(count) AS count first(_time) AS _time BY index
| search which_count=1
... View more
12-22-2024
07:02 PM
There is an app for this, too: https://splunkbase.splunk.com/app/635
... View more
12-22-2024
06:58 PM
I am sure this is documented somewhere but it catches everybody the first time. It is not enough to just create the index on the indexers; you must also instantiate a dummy index on the Search Head(s), too! If you do not, "collect" (wheter explicitly in the SPL or as an alert action) will not work AND will not generate any kind of error.
... View more
12-22-2024
06:44 PM
Hey, OP! This is the correct answer!
... View more
12-22-2024
06:34 PM
Like this: |makeresults | eval URL = mvappend("https://answers.splunk.com/answers/ask.html?foo=bar", "https://answers.splunk.com/answers/ask.html", "http://docs.splunk.com/Documentation") | rex field=URL mode=sed "s/\?.*$//" Also, there is an app that does this kind of thing: https://splunkbase.splunk.com/app/2734
... View more
12-21-2024
08:59 AM
This should help: https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Useintelinsearch
... View more
12-21-2024
07:40 AM
I, too, am having this problem. We are working from this document: https://splunk.github.io/splunk-connect-for-syslog/2.30.1/troubleshooting/troubleshoot_resources/
... View more
The splunk(-company)-wrapped syslog-ng service, "Splunk Connect for Syslog" (AKA SC4S) comes standard with a systemd unit file that reaches out on every startup to github to obtain the latest container image. This had worked flawlessly since we first setup syslog inputs for the client. However years later, somebody made a WAF change that blocked connectivity to github, which included our download URL round in the unit file (specifically, ghcr.io/splunk/splunk-connect-for-syslog/container3:latest) and did not properly warn or socialize this fact before doing so. This caused the sc4s service to be unable to restart because the systemd unit file downloads a fresh image every time before it starts, which it could no longer do. WARNING, if you setup SC4S the normal way, then you did so as user "root" so you will need to do all of this as user "root" also. The most immediate solution is to see if there is still an older image around to run by using this command: docker image ls You should see something like this: REPOSITORY TAG IMAGE ID CREATED SIZE ghcr.io/splunk/splunk-connect-for-syslog/container2:2 latest SomeImageID2 SomeDate SomeSizeGB If there is, you can modify the unit file by copying the "IMAGE ID" value (in this case "SomeImageID2") and changing this line: Environment="SC4S_IMAGE=https://ghcr.io/splunk/splunk-connect-for-syslog/container2:2:latest" To this: Environment="SC4S_IMAGE=SomeImageID2" And also commenting out this line, like this: #ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE Then you need to reload systemd like this: systemctl daemon-reload This should allow you to start your service immediately as normal: service sc4s start Now you have the problem of how do you get the latest image manually (now that the automatic download cannot work) which according to this link: https://splunk.github.io/splunk-connect-for-syslog/main/upgrade/ is now this: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest The following link gave us all of what we need but we had to do it a few times with various options mined from the comments to get it eactly right: https://stackoverflow.com/questions/37905763/how-do-i-download-docker-images-without-using-the-pull-command You will first have to install docker someplace that CAN get to the image URL. If you can run a broswer there, just post the value in your browser and it should redirect to an actual page. If you only have the CLI there, just use curl to test like this: curl ghcr.io/splunk/splunk-connect-for-syslog/container3:latest In our case, we just installed docker on a Windows laptop and then opened powershell to run these 2 commands: docker pull ghcr.io/splunk/splunk-connect-for-syslog/container3:latest docker image ls You should see something like this: REPOSITORY TAG IMAGE ID CREATED SIZE ghcr.io/splunk/splunk-connect-for-syslog/container3 latest SomeImageID3 SomeDate SomeSizeGB Next you need to export the image to a file like this: docker save SomeImageID3 --output DockerImageSC4S.tar Then transfer this to "/tmp" on your SC4S server host however you please and load it like this: docker load -i /tmp/DockerImageSC4S.tar Then, of course, you need to re-modify the unit file using the new "SomeImageID3" value instead of "SomeImageID2".
... View more
We have a very vanilla SC4S configuration that has been working flawlessly with a cron job to do "service sc4s restart" every night to upgrade. We just discovered that a few nights ago, it did not come back from this nightly restart. When examining the journal with this command: journalctl -b -u sc4s We see this: Error response from daemon: pull access denied for splunk/scs, repository does not exist or may require 'docker login': denied: requested access to the resource is denied This problem could happen to ANYBODY at ANY TIME and it took us a while to complete work around it so I am documenting the whole story here.
... View more
Labels
- Labels:
-
Other
06-28-2024
06:25 AM
We deployed our first Splunk in AWS using the tooling in AWS to do this and see that there is unallowed traffic calling out from our Splunk to beam.scs.splunk.com, which I see is for Splunk Cloud Edge processor, which we have no intention to use. We would like to disable this traffic but there is no documentation on it. Can this be done?
... View more
- Tags:
- Edge
Labels
- Labels:
-
Other
06-11-2024
08:01 PM
You are using Windows OS for your DS and deploying to non-Windows servers. This cannot be made to work. Start over and use a Linxus OS for your DS.
... View more
05-30-2024
07:16 AM
This just means that the script being called did not run to completion. I recently had a confusing problem that caused this exact error. I had a working design where I had a sendalert named "my_send_alert" which called a python script named "my_send_alert.py" which then called a shell script named "my_send_alert_alt.sh". It all worked great. So I cloned it to create a different one and it didn't work, giving this error. The problem ended up being that I named the shell script the same name as the python script and splunk was SKIPPING calling the python script and was calling the shell script directly! I simply changed the name of the shell script and all was well. So in summary: All 3 named the same does not work.
This DOES NOT work:
my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert.sh
This DOES work:
my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert_alt.sh
This should also work:
my_send_alert(alert_actions.conf) -> my_send_alert.sh
... View more
04-11-2024
12:23 PM
A better way to do this is to use the "Run a Script" alert action (after you create a script to do the copy). Yes, this alert action is deprecated but I use it often and there is no way that Splunk will be removing it from the product.
... View more
04-11-2024
11:02 AM
According to the developer, it can be done with HEC: https://infosecwriteups.com/knowbe4-to-splunk-33c5bdd53e29
... View more
03-09-2024
09:40 AM
You are reading his request backwards. That git project is for SENDING TO OpenCTI. He (and I) need to RECEIVE FROM OpenCTI. I cannot find anything that does this.
... View more
03-06-2024
06:51 AM
WARNING! This answer is wrong. The date of this file will be the date of the file when it was packaged in the installer (tgz/rpm).
... View more
02-04-2024
02:37 PM
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet" which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer so I am going to DESSCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">. If you do that, it works. The stupid site is also forcing me to add an app, even this this Q/A has nothing to do with any app.
... View more
02-04-2024
02:34 PM
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet" which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer so I am going to DESSCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">. If you do that, it works.
... View more
11-14-2023
06:21 AM
Splunk has the mechanism in place to make it work: $trellis.name$ and $trellis.value$, but instead of these being available for ALL searches, they are only available for the trellis search/chart. I have tried many things but all have failed. If annotations are supported in Studio, you could try there. That is my next step, but I don't know Studio so don't know if I will try or how long it would take. The next best thing to do is make the "annotation_category" set to the value of the split-by field for the Trellis so that a hover makes it clear which ones are for which trellis panel.
... View more
10-30-2023
11:37 AM
1 Karma
This has finally been addressed in a useable way that seems to not have any downside/impact in 9.1 (search for "Preserve search history across search heads"): https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/MeetSplunk Scarily enough, it appears to be enabled by default.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Friday
|
Karma given to
