Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About AntoineDRN
AntoineDRN
Path Finder
Member since:
05-02-2022
09-04-2023
Community Statistics
| Posts | 23 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 2 |
| Member Since | 05-02-2022 |
Activity Feed
- Got Karma for Re: Is it possible for squash_threshold to increase value, and are there consequences?. 08-30-2023 07:16 AM
- Posted Re: Is it possible for squash_threshold to increase value, and are there consequences? on Monitoring Splunk. 08-30-2023 07:13 AM
- Got Karma for Is it possible for squash_threshold to increase value, and are there consequences?. 08-30-2023 06:39 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly? on All Apps and Add-ons. 05-16-2023 01:36 AM
- Posted Re: Cluster Master is logging strange errors on Monitoring Splunk. 04-05-2023 12:53 AM
- Posted Why is Cluster Master logging strange errors? on Monitoring Splunk. 04-04-2023 06:59 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 02-07-2023 07:37 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 01-19-2023 08:06 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 01-17-2023 03:20 AM
- Tagged Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 01-17-2023 03:20 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 01-16-2023 03:08 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 01-12-2023 05:41 AM
- Posted Re: Splunk TA for Microsoft Office 365 can't parse timestamp correctly on All Apps and Add-ons. 01-12-2023 05:23 AM
- Posted Splunk TA for Microsoft Office 365 can't parse timestamp correctly? on All Apps and Add-ons. 01-12-2023 05:06 AM
- Tagged Splunk TA for Microsoft Office 365 can't parse timestamp correctly? on All Apps and Add-ons. 01-12-2023 05:06 AM
- Posted Re: How do you manage several look-ups reviews? on Knowledge Management. 12-07-2022 11:48 PM
- Karma Re: How do you manage several look-ups reviews? for Atriarc. 12-06-2022 11:59 PM
- Karma Re: How do you manage several look-ups reviews? for gcusello. 12-06-2022 11:58 PM
- Posted How do you manage several look-ups reviews? on Knowledge Management. 12-06-2022 08:08 AM
- Tagged How do you manage several look-ups reviews? on Knowledge Management. 12-06-2022 08:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
08-30-2023
07:13 AM
1 Karma
Hello @splunkreal, thanks for replying to this it was really out of my mind. I reached the support about it, and the conclusion was that it is possible. The best way to increase the parameter is to do it gradually and monitor the effects on the platform. Regards
... View more
05-16-2023
01:36 AM
After long discussion with the support, here is a workaround that work for us : In the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/props.conf [o365:graph:api] TIME_PREFIX = ("createdDateTime":\s*")|timestamp TIMESTAMP_FIELDS = TIME_FORMAT = %Y-%m-%dT%H:%M:%S KV_MODE = json TZ = UTC Hope it can help someone !
... View more
04-05-2023
12:53 AM
Hello @richgalloway , Yeah, it makes sense but I don't understand why it only raise this error for the 17 same things. I'll investigate further for the connectivity but I don't have any error other than this so I'm a bit confused. Thanks for your answer !
... View more
04-04-2023
06:59 AM
Hello Splunkers,
I'm here to ask you for a bit or your wisdom.
Context : This happens since the upgrade from 8.2.x to 9.0.3. The issue does not impact the platform (which is a dev platform).
For a few weeks, I receive some errors in my interna logs that are really bizarre :
03-02-2023 17:25:30.518 +0100 ERROR CMRepJob [49280 CMExecutorWorker-1] - job=CMSyncP2PJob bid=firewall_juniper~219~91483FBC-75D0-4410-9205-DE9DB070C3F3 my_guid=B3309FA8-4903-40B3-9E5D-B7BD712F6F70 my_rawport=xxxx my_usessl=1 ot_guid=91483FBC-75D0-4410-9205-DE9DB070C3F3 ot_hp=xxx.xxx.xxx.xxx :xxxx ot_rawport=xxxx ot_usessl=1 relative_path= custact=p2p_syncup getHttpReply failed; err: Connect Timeout
I thought it was a problem with few buckets that have been replicated wrong or not at all.
But, first, I don't have any warning on the Replcation Factor / Search Factor and, it is always the same 17 bids. So I guess it is not what I thought.
I don't have any other logs like this, every event that get in is correctly indexed / replicated.
Have you any idea of what's happening here ? And if it might be a problem, have you any idea of how I can fix that?
Thanks for your time.
Best regards !
... View more
Labels
- Labels:
-
error
-
indexer clustering
02-07-2023
07:37 AM
Hello @PaulPanther , @davidoff96 , Whatever I tried nothing worked sadly. I also reach the support, who confirms that the only workaround is to modify the default/props.conf . Even if this work I found this is not a sustainable solution for platforms that are beginning to be wide. I also found that modifying the datetime.xml may correct this issue without having to modify the default folder. I can't try this for know but i'll try as soon as I have time. Best regards
... View more
01-19-2023
08:06 AM
Hello @PaulPanther , I will try it for sure, and let you know how it's going. Hope it will works, thanks for your help! Best Regards! Antoine
... View more
01-17-2023
03:20 AM
Hello @PaulPanther, I get two events fully anonymized that I can show. {
"preview": false,
"result": {
"_raw": "{\"id\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"createdDateTime\": \"2023-01-17T10:25:15Z\", \"userDisplayName\": \"FirstName LASTNAME\", \"userPrincipalName\": \"xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx\", \"userId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appDisplayName\": \"Windows Sign In\", \"ipAddress\": \"xxx.xxx.xxx.xxx\", \"clientAppUsed\": \"Mobile Apps and Desktop clients\", \"correlationId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"conditionalAccessStatus\": \"notApplied\", \"isInteractive\": true, \"riskDetail\": \"none\", \"riskLevelAggregated\": \"none\", \"riskLevelDuringSignIn\": \"none\", \"riskState\": \"none\", \"riskEventTypes\": [], \"riskEventTypes_v2\": [], \"resourceDisplayName\": \"Windows Azure Active Directory\", \"resourceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"status\": {\"errorCode\": 0, \"failureReason\": \"Other.\", \"additionalDetails\": null}, \"deviceDetail\": {\"deviceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"displayName\": \"X-XXXXXX-xxxxxx\", \"operatingSystem\": \"Windows\", \"browser\": \"\", \"isCompliant\": true, \"isManaged\": true, \"trustType\": \"Azure AD joined\"}, \"location\": {\"city\": \"XXXXXXX\", \"state\": \"XXXXXXXX\", \"countryOrRegion\": \"XX\", \"geoCoordinates\": {\"altitude\": null, \"latitude\": XXXXX, \"longitude\": XXXXX}}, \"appliedConditionalAccessPolicies\": []}",
"_time": "2023-01-17T11:35:09.000+0100",
"action": "notApplied",
"app": "Windows Sign In",
"appDisplayName": "Windows Sign In",
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"clientAppUsed": "Mobile Apps and Desktop clients",
"conditionalAccessStatus": "notApplied",
"correlationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdDateTime": "2023-01-17T10:25:15Z",
"deviceDetail.browser": "",
"deviceDetail.deviceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deviceDetail.displayName": "X-XXXXXX-xxxxxx",
"deviceDetail.isCompliant": "true",
"deviceDetail.isManaged": "true",
"deviceDetail.operatingSystem": "Windows",
"deviceDetail.trustType": "Azure AD joined",
"yyyySite": "XXX",
"yyyyZone": "XXX",
"eventtype": [
"o365_graph_api",
"o365_signins"
],
"host": "xxxxxx",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"index": "o365",
"ipAddress": "xxx.xxx.xxx.xxx",
"isInteractive": "true",
"linecount": "1",
"location.city": "XXXXXX",
"location.countryOrRegion": "XX",
"location.geoCoordinates.altitude": "null",
"location.geoCoordinates.latitude": "XXXXXXX",
"location.geoCoordinates.longitude": "XXXXXX",
"location.state": "XXXXXXX",
"punct": "{\"\":_\"----\",_\"\":_\"--::\",_\"\":_\"_\",_\"\":_\"@..\",_\"\":_\"",
"reason": "Other.",
"resourceDisplayName": "Windows Azure Active Directory",
"resourceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"source": "AuditLogs.SignIns",
"sourcetype": "o365:graph:api",
"splunk_server": "xxxxxx",
"src": "xxx.xxx.xxx.xxx",
"src_ip": "xxx.xxx.xxx.xxx",
"status": "0",
"status.additionalDetails": "null",
"status.errorCode": "0",
"status.failureReason": "Other.",
"tag": "authentication",
"tag::eventtype": "authentication",
"timestamp": "none",
"user": "xxxx@xxxxxxxxxxxxxxxx.xxx",
"userDisplayName": "FirstName LASTNAME",
"userId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"userPrincipalName": "xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx"
}
}
{
"preview": false,
"lastrow": true,
"result": {
"_raw": "{\"id\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"createdDateTime\": \"2023-01-17T09:53:26Z\", \"userDisplayName\": \"FirstName LASTNAME\", \"userPrincipalName\": \"xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx\", \"userId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appDisplayName\": \"Windows Sign In\", \"ipAddress\": \"xxx.xxx.xxx.xxx\", \"clientAppUsed\": \"Mobile Apps and Desktop clients\", \"correlationId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"conditionalAccessStatus\": \"notApplied\", \"isInteractive\": true, \"riskDetail\": \"none\", \"riskLevelAggregated\": \"none\", \"riskLevelDuringSignIn\": \"none\", \"riskState\": \"none\", \"riskEventTypes\": [], \"riskEventTypes_v2\": [], \"resourceDisplayName\": \"Windows Azure Active Directory\", \"resourceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"status\": {\"errorCode\": 50126, \"failureReason\": \"Error validating credentials due to invalid username or password.\", \"additionalDetails\": \"The user didn't enter the right credentials. \\xxxxxxxx's expected to see some number of these errors in your logs due to users making mistakes.\"}, \"deviceDetail\": {\"deviceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"displayName\": \"X-XXXXXX-xxxxxx\", \"operatingSystem\": \"Windows\", \"browser\": \"\", \"isCompliant\": false, \"isManaged\": true, \"trustType\": \"Azure AD joined\"}, \"location\": {\"city\": \"XXXXX\", \"state\": \"XXXXX\", \"countryOrRegion\": \"XX\", \"geoCoordinates\": {\"altitude\": null, \"latitude\": XXXXX, \"longitude\": XXXXXXX}}, \"appliedConditionalAccessPolicies\": []}",
"_time": "2023-01-17T11:00:12.000+0100",
"action": "notApplied",
"app": "Windows Sign In",
"appDisplayName": "Windows Sign In",
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"clientAppUsed": "Mobile Apps and Desktop clients",
"conditionalAccessStatus": "notApplied",
"correlationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdDateTime": "2023-01-17T09:53:26Z",
"deviceDetail.browser": "",
"deviceDetail.deviceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deviceDetail.displayName": "X-XXXXXX-xxxxxx",
"deviceDetail.isCompliant": "false",
"deviceDetail.isManaged": "true",
"deviceDetail.operatingSystem": "Windows",
"deviceDetail.trustType": "Azure AD joined",
"yyyySite": "XXX",
"yyyyZone": "XXX",
"eventtype": [
"err0r",
"o365_graph_api",
"o365_signins"
],
"host": "xxxxxxxx",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"index": "o365",
"ipAddress": "xxx.xxx.xxx.xxx",
"isInteractive": "true",
"linecount": "1",
"location.city": "Xxxxxx",
"location.countryOrRegion": "XX",
"location.geoCoordinates.altitude": "null",
"location.geoCoordinates.latitude": "XXXXXX",
"location.geoCoordinates.longitude": "XXXXXX",
"location.state": "XXXXXXX",
"punct": "{\"\":_\"----\",_\"\":_\"--::\",_\"\":_\"_\",_\"\":_\"@..\",_\"\":_\"",
"reason": "Error validating credentials due to invalid username or password.",
"resourceDisplayName": "Windows Azure Active Directory",
"resourceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"source": "AuditLogs.SignIns",
"sourcetype": "o365:graph:api",
"splunk_server": "xxxxxxx",
"src": "xxx.xxx.xxx.xxx",
"src_ip": "xxx.xxx.xxx.xxx",
"status": "50126",
"status.additionalDetails": "The user didn't enter the right credentials. It's expected to see some number of these errors in your logs due to users making mistakes.",
"status.errorCode": "50126",
"status.failureReason": "Error validating credentials due to invalid username or password.",
"tag": [
"authentication",
"error"
],
"tag::eventtype": [
"authentication",
"error"
],
"timestamp": "none",
"user": "xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx",
"userDisplayName": "firstName LASTNAME",
"userId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"userPrincipalName": "xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx"
}
} Here it is, hope you can find something. Best Regards!
... View more
- Tags:
- ell
01-16-2023
03:08 AM
Hello Paul, Yes, I already tried this stanza. I sadly can't provide raw data due to internal policies. Thanks again for your time!
... View more
01-12-2023
05:41 AM
The changes have been made in the app/default or local/props.conf Here is a sample event with the wrong time parsing :
... View more
01-12-2023
05:23 AM
Yes, I did. In the both case (local/default) I had the same result which is normal, but the timestamp field within Splunk Web is sadly not recognize when the stanza is in local/props.conf
... View more
01-12-2023
05:06 AM
Hello Splunkers,
I am currently facing a problem and can't find any documentation.
Let me explain, we are using the Splunk_TA_o365 mostly for sign-in logs. The issues is that any of this logs have the right timestamp.
For these sign in logs, the timestamp is stored in the "createdDateTime" field, and not in the "timestamp" field like other events. So I tried to "fix" it with the local/props.conf with the stanza :
[o365:graph:api]
TIME_PREFIX = ("createdDateTime":\s*")|timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
KV_MODE = json
TZ = UTC
And it didn't work at all, but when I tried (and I know it is REALLY not recommended in the best practice) to write the same stanza in the default/props.conf, it surprizingly worked.
So I was wondering if it was a normal behavior (which I'd find strange), or if there is another solution that could be more sustainable than modifying the default folder.
Thanks in advance for your time,
Best regards and Happy splunking!
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
12-07-2022
11:48 PM
That's what I will try to implement. Thanks for your answer
... View more
12-06-2022
08:08 AM
Hello Splunkers, I come to you in order to gather some tips and tricks around look-ups management. For example, I have several look-ups used to whitelist some machine, and after a time a part of these machine aren't used anymore. I bet we are not the only one to face this, so I was wondering, how you manage the review and update of these? I first had the idea to use the [fschange] stanza on ours to get mofications (with time information and details about the change Add/Delete/Edit). But i also saw that is was deprecated. Is it still a good thing to use in order to manage our look-ups? Is there something that replace this stanza? Because I unfortunately have not found anything. I also thought adding columns to have the "Creation date"/"Modification date"/"Too old" or stuff like that for each row. Is that a good enought workaround? Thanks for your tips! 🙂 Happy Splunking, A-D
... View more
- Tags:
- Lookup review
Labels
- Labels:
-
lookup
09-13-2022
07:39 AM
Hello Splunkers,
We had some trouble with notable events.
Long story short, by wanting edit one notable, something like 15,000 events has been updated instead.
Is there any way to rollback, and suppress the update done on the edited notable events?
Thanks in advance for your answer,
Best Regards
... View more
Labels
- Labels:
-
administration
-
notable event
-
other
09-05-2022
07:14 AM
We are still not in 9+, but it is scheduled. Thanks for your answer I think I got it.
... View more
09-05-2022
06:42 AM
Hello Splunkers,
I was wondering if there is a way to get the creation date of a correlation search.
If so, what is it, because I found nothing anywhere.
Thanks in advance,
Best regards!
... View more
Labels
- Labels:
-
administration
-
correlation search
08-02-2022
02:45 AM
1 Karma
Hello Splunkers,
I would like to have a better insight on my license usage, but the "Squash_threshold" default conf is not enough. I have been looking here if there were answers, sadly there are few answers and the rare that exist are a little old.
In the documentation, it is said to ask to a Splunk expert, my contact being in holidays yet, I would like to try to move forward anyways.
So have you any recommendations on this setting and the possible consequences if I increase it?
Thanks in advance,
Best regards,
... View more
Labels
- Labels:
-
license usage
06-15-2022
09:09 AM
Normally, the architecture have been set up for this kind of need. There is just a few edge cases like this one that might reveal problems. I will investigate further on the storages throughput and the hardware requirement. Thanks again for your help, Regards, Antoine
... View more
06-15-2022
08:34 AM
Thanks for your answer, I'm gonna deal with it then. To go further, does an index parallelization or maybe add one or more search peers can avoid or at least reduce the impact of a sudden large amount of data incoming?
... View more
06-15-2022
07:51 AM
Hello Splunkers,
After my own unsuccessful researches, I thought you may have the answer.
So, I'm wondering if there is a way to make the thruput variable.
Indeed, my search peer may have a too large amount of data to index at a time due to a network issue, and I would like to spread out the indexing during the night for example.
So is there a way to set a throughput ([thruput]) limit when my server is the most asked and unset this limit when it is less used?
Thanks in advance for your time and your answer!
Regards,
Antoine
... View more
05-05-2022
07:04 AM
Hello Splunkers! I'm pretty new with Splunk and I retrieve an old splunk project that i didn't set up at all. I'm trying to train myself on it, but... I have some problems i couldn't solve alone. I have one Search Head, one Indexer and between 3 and 5 forwarders depending on my need. Here is the VM of my indexer : Almost all logs that I collected went in /dev/vda1, which is not suppose to be the case. I've override the default storage location , but i guess it doesn't matter ... /opt/splunk/etc/system/local/indexes.conf : [main] homePath = /mnt/data/$_index_name/db I assume it's the reason why i stillm got those messages : Please let me know if I did something wrong or if i missed something, Thanks in advance for your help! Regards , Antoine
... View more
Labels
- Labels:
-
indexer
05-02-2022
04:40 AM
Hi everyone ! As an intern for an engineer degree, I have to make a stat of the art around Windows logs and how it is used with Splunk among others. So here is my question, what are you doing usually with Windows logs, which piece of information do you get back and what is the purpose? Thank you in advance for your answers! Regards, Antoine
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-04-2023
11:51 AM
|
