Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About woodcock
woodcock
Esteemed Legend
Member since:
10-22-2010
yesterday
Community Statistics
| Posts | 12408 |
| Solutions | 1767 |
| Karma Given | 1957 |
| Karma Received | 3921 |
| Member Since | 10-22-2010 |
Activity Feed
- Posted Re: Splunk Enterprise Security: How to use a downloaded threat intelligence source as a lookup? on Splunk Enterprise Security. 13 hours ago
- Posted Re: SC4S, how do I write raw message into a directory? on Getting Data In. 15 hours ago
- Karma SC4S, how do I write raw message into a directory? for karn. 15 hours ago
- Posted Re: Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution) on Reporting. 15 hours ago
- Posted Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution) on Reporting. yesterday
- Tagged Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution) on Reporting. yesterday
- Got Karma for Re: Timestamp lookahead questions. a week ago
- Got Karma for Re: How to find a host which is missing a specific value?. a week ago
- Got Karma for Re: How to remove "Missing" forwarder from Forwarder Monitoring on Splunk Light 6.5 (Not DMC). 3 weeks ago
- Got Karma for Re: How do I sort this stats count?. 11-15-2024 09:14 AM
- Got Karma for Re: When adding "KV_MODE=none" to props.conf, how come unwanted field extractions are not being stopped?. 11-10-2024 06:53 PM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite ind. 10-25-2024 10:50 AM
- Got Karma for Re: How do I create a histogram to show distribution?. 10-08-2024 09:12 AM
- Got Karma for Re: Searching in multiple indexes. 10-05-2024 09:09 AM
- Got Karma for Re: How to filter on KV Store lookup time-based fields using a time picker?. 10-04-2024 07:06 AM
- Got Karma for Re: How to set loading order for panels?. 10-03-2024 06:45 AM
- Got Karma for Re: How to replace the value of field for another field value if a certain condition is met?. 09-27-2024 04:54 AM
- Got Karma for Re: Replacing "No Results Found" with "0". 09-26-2024 11:37 AM
- Got Karma for Re: What are the definitions of Tag and Eventtype and what are the differences between the two?. 09-26-2024 03:25 AM
- Got Karma for Re: Where are Noteable Event Suppressions stored in Splunk?. 09-25-2024 12:16 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 |
13 hours ago
This should help: https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Useintelinsearch
... View more
15 hours ago
I, too, am having this problem. We are working from this document: https://splunk.github.io/splunk-connect-for-syslog/2.30.1/troubleshooting/troubleshoot_resources/
... View more
15 hours ago
The splunk(-company)-wrapped syslog-ng service, "Splunk Connect for Syslog" (AKA SC4S) comes standard with a systemd unit file that reaches out on every startup to github to obtain the latest container image. This had worked flawlessly since we first setup syslog inputs for the client. However years later, somebody made a WAF change that blocked connectivity to github, which included our download URL round in the unit file (specifically, ghcr.io/splunk/splunk-connect-for-syslog/container3:latest) and did not properly warn or socialize this fact before doing so. This caused the sc4s service to be unable to restart because the systemd unit file downloads a fresh image every time before it starts, which it could no longer do. WARNING, if you setup SC4S the normal way, then you did so as user "root" so you will need to do all of this as user "root" also. The most immediate solution is to see if there is still an older image around to run by using this command: docker image ls You should see something like this: REPOSITORY TAG IMAGE ID CREATED SIZE ghcr.io/splunk/splunk-connect-for-syslog/container2:2 latest SomeImageID2 SomeDate SomeSizeGB If there is, you can modify the unit file by copying the "IMAGE ID" value (in this case "SomeImageID2") and changing this line: Environment="SC4S_IMAGE=https://ghcr.io/splunk/splunk-connect-for-syslog/container2:2:latest" To this: Environment="SC4S_IMAGE=SomeImageID2" And also commenting out this line, like this: #ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE Then you need to reload systemd like this: systemctl daemon-reload This should allow you to start your service immediately as normal: service sc4s start Now you have the problem of how do you get the latest image manually (now that the automatic download cannot work) which according to this link: https://splunk.github.io/splunk-connect-for-syslog/main/upgrade/ is now this: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest The following link gave us all of what we need but we had to do it a few times with various options mined from the comments to get it eactly right: https://stackoverflow.com/questions/37905763/how-do-i-download-docker-images-without-using-the-pull-command You will first have to install docker someplace that CAN get to the image URL. If you can run a broswer there, just post the value in your browser and it should redirect to an actual page. If you only have the CLI there, just use curl to test like this: curl ghcr.io/splunk/splunk-connect-for-syslog/container3:latest In our case, we just installed docker on a Windows laptop and then opened powershell to run these 2 commands: docker pull ghcr.io/splunk/splunk-connect-for-syslog/container3:latest docker image ls You should see something like this: REPOSITORY TAG IMAGE ID CREATED SIZE ghcr.io/splunk/splunk-connect-for-syslog/container3 latest SomeImageID3 SomeDate SomeSizeGB Next you need to export the image to a file like this: docker save SomeImageID3 --output DockerImageSC4S.tar Then transfer this to "/tmp" on your SC4S server host however you please and load it like this: docker load -i /tmp/DockerImageSC4S.tar Then, of course, you need to re-modify the unit file using the new "SomeImageID3" value instead of "SomeImageID2".
... View more
yesterday
We have a very vanilla SC4S configuration that has been working flawlessly with a cron job to do "service sc4s restart" every night to upgrade. We just discovered that a few nights ago, it did not come back from this nightly restart. When examining the journal with this command: journalctl -b -u sc4s We see this: Error response from daemon: pull access denied for splunk/scs, repository does not exist or may require 'docker login': denied: requested access to the resource is denied This problem could happen to ANYBODY at ANY TIME and it took us a while to complete work around it so I am documenting the whole story here.
... View more
Labels
- Labels:
-
other
06-28-2024
06:25 AM
We deployed our first Splunk in AWS using the tooling in AWS to do this and see that there is unallowed traffic calling out from our Splunk to beam.scs.splunk.com, which I see is for Splunk Cloud Edge processor, which we have no intention to use. We would like to disable this traffic but there is no documentation on it. Can this be done?
... View more
- Tags:
- Edge
Labels
- Labels:
-
other
06-11-2024
08:01 PM
You are using Windows OS for your DS and deploying to non-Windows servers. This cannot be made to work. Start over and use a Linxus OS for your DS.
... View more
05-30-2024
07:16 AM
This just means that the script being called did not run to completion. I recently had a confusing problem that caused this exact error. I had a working design where I had a sendalert named "my_send_alert" which called a python script named "my_send_alert.py" which then called a shell script named "my_send_alert_alt.sh". It all worked great. So I cloned it to create a different one and it didn't work, giving this error. The problem ended up being that I named the shell script the same name as the python script and splunk was SKIPPING calling the python script and was calling the shell script directly! I simply changed the name of the shell script and all was well. So in summary: All 3 named the same does not work.
This DOES NOT work:
my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert.sh
This DOES work:
my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert_alt.sh
This should also work:
my_send_alert(alert_actions.conf) -> my_send_alert.sh
... View more
04-11-2024
12:23 PM
A better way to do this is to use the "Run a Script" alert action (after you create a script to do the copy). Yes, this alert action is deprecated but I use it often and there is no way that Splunk will be removing it from the product.
... View more
04-11-2024
11:02 AM
According to the developer, it can be done with HEC: https://infosecwriteups.com/knowbe4-to-splunk-33c5bdd53e29
... View more
03-09-2024
09:40 AM
You are reading his request backwards. That git project is for SENDING TO OpenCTI. He (and I) need to RECEIVE FROM OpenCTI. I cannot find anything that does this.
... View more
03-06-2024
06:51 AM
WARNING! This answer is wrong. The date of this file will be the date of the file when it was packaged in the installer (tgz/rpm).
... View more
02-04-2024
02:37 PM
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet" which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer so I am going to DESSCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">. If you do that, it works. The stupid site is also forcing me to add an app, even this this Q/A has nothing to do with any app.
... View more
02-04-2024
02:34 PM
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet" which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer so I am going to DESSCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">. If you do that, it works.
... View more
11-14-2023
06:21 AM
Splunk has the mechanism in place to make it work: $trellis.name$ and $trellis.value$, but instead of these being available for ALL searches, they are only available for the trellis search/chart. I have tried many things but all have failed. If annotations are supported in Studio, you could try there. That is my next step, but I don't know Studio so don't know if I will try or how long it would take. The next best thing to do is make the "annotation_category" set to the value of the split-by field for the Trellis so that a hover makes it clear which ones are for which trellis panel.
... View more
10-30-2023
11:37 AM
1 Karma
This has finally been addressed in a useable way that seems to not have any downside/impact in 9.1 (search for "Preserve search history across search heads"): https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/MeetSplunk Scarily enough, it appears to be enabled by default.
... View more
10-30-2023
11:36 AM
This has finally been addressed in a useable way that seems to not have any downside/impact in 9.1 (search for "Preserve search history across search heads"): https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/MeetSplunk Scarily enough, it appears to be enabled by default.
... View more
09-29-2023
05:26 PM
2 Karma
Probably because there are also events (at least one) in that bucket that are younger.
... View more
09-29-2023
03:35 PM
2 Karma
There is so much "depends" here that we could open a nursing home. Are you using SmartStore? Are you using indexer clustering? What are your SF/RF settings? Are you using Volume settings for your indexers? Are you Splunk Cloud? What is the "btool" output for your indexes.conf from one of your indexers?
... View more
08-22-2023
06:45 AM
1 Karma
Yes, you could, but it really doesn't make sense. You can just directly peer the new Search Head to every/any Indexer. You can discriminate what lives/came-from where by examining the "splunk_server" value. So whatever you do, you can add a splityby (... BY splunk_server) to keep the results separated.
... View more
08-19-2023
07:16 AM
See my answer. The accepted answer is useless.
... View more
07-13-2023
01:22 PM
1 Karma
... | eval 2nd = mvindex(mvfield, 1, 1)
... View more
07-11-2023
08:24 AM
A while back I noticed the "endpoint" setting in the "serverclass.conf.spec" which *probably* could be used to create a functional Windows-based DS by directing the clients to retrieve the files from a non-Windows repository such that file modes are preserved: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf
... View more
07-05-2023
02:12 PM
1 Karma
The search above is slightly wrong. Try this: | rest /services/search/jobs splunk_server=local
| stats count avg(performance.command.addinfo.duration_secs) AS avg max(performance.command.addinfo.duration_secs) AS max
BY search
| sort 0 - max - avg
... View more
05-31-2023
05:08 AM
3 Karma
https://www.youtube.com/watch?v=1yEhbKXRFMg
... View more
