Activity Feed
- Got Karma for Re: exit_code=255 ERROR dispatchRunner. 06-05-2020 12:49 AM
- Karma Re: Is it possible to access properties from a custom config file (props.conf) in a Simple XML extension? for kbarker302. 06-05-2020 12:48 AM
- Karma Re: How to write regex to capture multiple groups and replace parentheses with periods from DNS Logs? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Enterprise Security: How to add swimlanes of custom sourcetypes to Identity Investigator dashboard? for jcoates_splunk. 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Enterprise Security: How to add swimlanes of custom sourcetypes to Identity Investigator dashboard?. 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES). 06-05-2020 12:47 AM
- Got Karma for TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd. 06-05-2020 12:47 AM
- Got Karma for TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd. 06-05-2020 12:47 AM
- Got Karma for TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd. 06-05-2020 12:47 AM
- Karma Re: Display images in dashboard - dynamically from search for sideview. 06-05-2020 12:46 AM
- Karma Re: Display images in dashboard - dynamically from search for Genti. 06-05-2020 12:46 AM
- Karma Re: ERROR DistBundleRestHandler - Problem untarring file for clocker_splunk. 06-05-2020 12:46 AM
- Karma Why is the dispatch.finalizeRemoteTimeline causing searches to take extremely long to finish? for mjones414. 06-05-2020 12:46 AM
- Karma Re: Splunk 6 Web Framework - Python SDK - How to get logged in username? for ineeman. 06-05-2020 12:46 AM
Topics I've Started
03-16-2018 08:47 AM
1 Karma
Solution: Rename the app and deploy to search heads.
03-16-2018 08:47 AM
Yup! Renaming must have fixed it on our end too. Haven't seen the "red triangle of doom" pop back up yet. Marking as solved.
03-15-2018 01:05 PM
I am having the exact same issue you describe. All nodes are Splunk 7.0.2.
Very simple app -- just a dashboard and some panels -- yet sometimes it works, sometimes it doesn't.
Setup: 1 SH --> 3 Indexers. No clustering.
Did you figure anything out?
10-20-2014 08:20 PM
7 Karma
Hey Splunkers,
Question about notable events. I know how to modify a correlation search's drill-down search (and pass tokens into it). But lately my security analysts have been asking, "can we pass those same tokens into a dashboard?"
So can you? Is there any customization you can do to ES to specify that a correlation search drills down into a dashboard INSTEAD of a search? This could save our analysts a LOT of time. Thanks!!
08-26-2014 10:39 AM
Hey Splunkers,
Working on configuring Enterprise Security and need a hand with the New Domain Analysis dashboard. Here's what's up:
Under "Domain Type" when I select "Newly Seen" -- I see plenty of results and all but the bottom panel populate correctly.
Under "Domain Type" when I select "Newly Registered" -- none of the panels populate.
My hunch is that whatever mechanism calls the "whois" doesn't work correctly. I went into "SA-NetworkProtection\bin" and chmoded all the python files to execute. Permissions look right.
The problem (I think) is that my ES search head has no internet access. Pretty sure I need to open up the mechanism that makes the whois work. Any advice on this? Documentation? Instructions?
As always, thanks in advance!
08-25-2014 08:05 AM
VERY Helpful. Would have never figured this out on my own.
Thank you for showing me this example. I'll work on implementing this soon -- will provide more information and questions as they come up.
08-25-2014 06:50 AM
1 Karma
Hey Splunkers,
Our security team really likes the Identity Investigator dashboard. Only thing is -- it would be GREAT to add a few more swimlanes of custom sourcetypes (for example, our DNS, Proxy...etc).
I see you can edit, remove, rename the default sourcetypes, but is there any way to add a new one?
Looked at the code underneath and everything seems pretty hard-coded. Is there a best-practices approach?
Thanks!
08-21-2014 12:04 PM
There is a blog article that talks about this approach: http://stratumsecurity.com/2012/07/03/splunk-security/
08-21-2014 11:26 AM
Stumped on a regex problem and need a hand. Basically, I have DNS logs that come in like this:
8/21/2014 9:32:20 AM 0E5C PACKET 000000298F0CA280 UDP Rcv 10.2.56.13 136b Q [0001 D NOERROR] PTR (2)25(2)21(1)5(2)10(7)in-addr(4)arpa(0)
8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 7d30 Q [0001 D NOERROR] A (14)usca-cdst-sw01(3)domain(3)com(0)
8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 ce83 Q [0001 D NOERROR] A (14)usca-edge-sw01(3)domain(3)com(0)
8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 db29 Q [0001 D NOERROR] A (14)usxo-core-vg02(3)domain(3)com(0)
8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 42b1 Q [0001 D NOERROR] A (14)brca-rvrb-wo01(3)bru(3)domain(3)com(0)
Towards the end of each event, you'll see something like "(14)ussp-usrv-rt01(3)domain(3)com(0)".
Basically, I'm trying to write regex to convert this into "ussp-usrv-rt01.domain.com".
My strategy was to capture everything after NOERROR]\s+\w+\s+ to end of line, then replace the parentheses with a period. Having trouble getting it just right.
Any suggestions? Thanks!
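The two-step strategy described in the post above (capture the tail after `NOERROR] <qtype> `, then turn each `(n)label` length prefix into a dot), carried out in Python as an added example; this is not code from the post, from the answers, or from Splunk. The sample events are constructed to match the layout shown in the question, and the function and field names are my own. The decoder also compares each declared label length against the label text: the pasted lines contain `(3)domain`, which looks like a redacted domain name rather than real data, so a mismatch is reported as a flag instead of being silently joined, which is the behaviour a defender wants when a DNS log line has been truncated or tampered with.

```python
import re

# Constructed sample events in the Windows DNS debug-log layout shown in the post.
# Hosts and addresses are made up. The third line reuses the post's own "(3)domain"
# tail, whose declared length (3) does not match "domain" (6 characters).
SAMPLE_EVENTS = [
    "8/21/2014 9:32:20 AM 0E5C PACKET 000000298F0CA280 UDP Rcv 10.2.56.13 136b Q "
    "[0001 D NOERROR] PTR (2)25(2)21(1)5(2)10(7)in-addr(4)arpa(0)",
    "8/21/2014 9:32:20 AM 0E60 PACKET 000000298EE81DF0 UDP Rcv 10.2.4.60 7d30 Q "
    "[0001 D NOERROR] A (14)usca-cdst-sw01(7)example(3)com(0)",
    "8/21/2014 9:32:20 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 ce83 Q "
    "[0001 D NOERROR] A (14)ussp-usrv-rt01(3)domain(3)com(0)",
    # Constructed non-NOERROR line: the post's anchor deliberately skips these.
    "8/21/2014 9:32:21 AM 0E60 PACKET 00000029936FBF70 UDP Rcv 10.2.4.60 0a1b Q "
    "[0001 D NXDOMAIN] A (3)foo(7)example(3)com(0)",
]

# Step 1 (the post's strategy): everything after "NOERROR]", the query type, and
# whitespace, up to end of line. The tail must be a run of "(n)label" groups.
TAIL_RE = re.compile(
    r"NOERROR\]\s+(?P<qtype>\w+)\s+(?P<raw>(?:\(\d+\)[^()\s]*)+)\s*$"
)

# Step 2: split the captured tail into (declared length, label) pairs.
LABEL_RE = re.compile(r"\((\d+)\)([^()\s]*)")


def decode_labels(raw):
    """Turn '(14)host(7)example(3)com(0)' into ('host.example.com', mismatch).

    mismatch is True when any declared length disagrees with its label text;
    the trailing '(0)' root label is dropped because it has no text.
    """
    labels = []
    mismatch = False
    for declared, label in LABEL_RE.findall(raw):
        if int(declared) != len(label):
            mismatch = True
        if label:
            labels.append(label)
    return ".".join(labels), mismatch


def parse_event(event):
    """Return {'qtype', 'query', 'length_mismatch'} for a NOERROR query line,
    or None when the line does not carry the expected tail."""
    m = TAIL_RE.search(event)
    if not m:
        return None
    query, mismatch = decode_labels(m.group("raw"))
    return {"qtype": m.group("qtype"), "query": query, "length_mismatch": mismatch}


def parse_events(events):
    """Parse many lines; unparseable lines come back as None so callers can count them."""
    return [parse_event(e) for e in events]


if __name__ == "__main__":
    for event, parsed in zip(SAMPLE_EVENTS, parse_events(SAMPLE_EVENTS)):
        print(parsed if parsed else "skipped: " + event[-45:])
```

The same two steps translate directly to SPL: a `rex` that captures the tail after `NOERROR]` and the query type, followed by an `eval` that replaces every `(n)` prefix with a dot and trims the leading and trailing dot. Keeping the length check separate from the conversion means the search-time field still extracts on redacted or damaged lines while the mismatch remains visible for review.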
06-26-2014 07:25 AM
Thanks for the info. Is this warning harmless? Can it be affecting performance? Is there any way to suppress it?
06-25-2014 10:35 PM
3 Karma
Hey Splunkers,
I'm getting an error in _internal that I can't seem to figure out. Every enabled app that has a csv lookup is throwing this error in splunkd.log. These happen quite frequently -- adding up to 100,000 a day! 😞
Environment Details: Splunk 6.1. Enterprise Security 3.1
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=identities_expanded.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=pci_domains.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=pci_domains_from_assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN TransformsExtractionHandler - Unable to find stanza=identities.csv in lookups.conf, cannot enumerate fields list
Why would Splunk complain about every csv lookup in my environment??? I don't get any syntax errors when I start splunk. Any help would be greatly appreciated. Thanks!