Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About reswob10
reswob10
Explorer
Member since:
04-10-2020
05-03-2022
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 04-10-2020 |
Activity Feed
- Posted Re: Crowdstrike Falcon Event Streams TA add account option does not have API key, just username password on All Apps and Add-ons. 05-03-2022 07:42 AM
- Posted Crowdstrike Falcon Event Streams TA add account option does not have API key, just username password on All Apps and Add-ons. 04-28-2022 11:58 AM
- Tagged Crowdstrike Falcon Event Streams TA add account option does not have API key, just username password on All Apps and Add-ons. 04-28-2022 11:58 AM
- Tagged Crowdstrike Falcon Event Streams TA add account option does not have API key, just username password on All Apps and Add-ons. 04-28-2022 11:58 AM
- Posted Can't get automatic extraction to work with json to kv on Getting Data In. 08-25-2020 08:27 PM
- Got Karma for Re: External lookup not working. 06-05-2020 12:51 AM
- Posted Re: External lookup not working on Splunk Dev. 04-11-2020 05:40 PM
- Posted Re: External lookup not working on Splunk Dev. 04-11-2020 07:56 AM
- Posted External lookup not working on Splunk Dev. 04-10-2020 02:18 PM
- Tagged External lookup not working on Splunk Dev. 04-10-2020 02:18 PM
- Tagged External lookup not working on Splunk Dev. 04-10-2020 02:18 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-03-2022
07:42 AM
That did work. Thanks.
... View more
04-28-2022
11:58 AM
I installed the Crowdstrike Falcon Event Streams TA on my all-in-one Splunk after creating the API key on my Crowdstrike instance per the instructions in the add on guide. But when I went to the app, then to configuration, then account, and from there clicked the 'Add' button to add an account, the input fields are 'Account Name', 'Username', and 'Password'. Not, as the guide says, 'Account name', 'ClientID', and 'Secret'. I have not found anything so far to switch from username/password to clientid/secret. What am I missing? Thanks
... View more
- Tags:
- api
- crowdstrike
Labels
- Labels:
-
troubleshooting
08-25-2020
08:27 PM
So I'm referencing this solved answer: https://community.splunk.com/t5/Getting-Data-In/Extract-JSON-data-within-the-logs-JSON-mixed-with-unstructured/td-p/195292/page/2 But my configuration isn't working. I have this mess of a field: Message={"ProviderGuid":"eb79061a-a566-4698-9119-3ed2807060e7","YaraMatch":[],"ProviderName":"Microsoft-Windows-DNSServer","EventName":"LOOK_UP","Opcode":0,"OpcodeName":"Info","TimeStamp":"2020-08-25T20:10:50.2211944-07:00","ThreadID":4168,"ProcessID":2632,"ProcessName":"dns","PointerSize":8,"EventDataLength":352,"XmlEventData":{"FormattedMessage":"RESPONSE_SUCCESS: TCP=0; InterfaceIP=192.168.1.5; Destination=192.168.1.50; AA=0; AD=0; QNAME=86.130.9.52.in-addr.arpa.; QTYPE=12; XID=17,307; DNSSEC=0; RCODE=0; Port=63,227; Flags=33,152; Scope=Default; Zone=..Cache; PolicyName=NULL; PacketData=439B8180000100010000000002383603...; AdditionalInfo= VirtualizationInstance:.; GUID={EC86881D-308D-4A91-94FE-5DCDDFCADFE3} ","RCODE":"0","TCP":"0","Scope":"Default","GUID":"{EC86881D-308D-4A91-94FE-5DCDDFCADFE3}","Port":"63,227","AD":"0","QNAME":"86.130.9.52.in-addr.arpa.","PolicyName":"NULL","MSec":"3243143.0166","XID":"17,307","AA":"0","Destination":"192.168.1.50","QTYPE":"12","Zone":"..Cache","PID":"2632","AdditionalInfo":"VirtualizationInstance:.","PacketData":"439B8180000100010000000002383603...","TID":"4168","ProviderName":"Microsoft-Windows-DNSServer","PName":"","DNSSEC":"0","InterfaceIP":"192.168.1.5","EventName":"LOOK_UP","Flags":"33,152"}} and I'm trying to parse out the KV portion in the middle. Here are my props.conf and transforms.conf files props.conf [windns] REPORT-jsonkv = report-json,report-kv transforms.conf [report-json] REGEX = XmlEventData":{(?<kvdata>.+?)," [report-kv] REGEX = \s(\S+)=(\S+) FORMAT = $1::$2 MV_ADD = true If I understand the sequence correctly, that blob above should parse into kvdata as the following: "FormattedMessage":"RESPONSE_SUCCESS: TCP=0; InterfaceIP=192.168.1.5; Destination=192.168.1.50; AA=0; AD=0; QNAME=86.130.9.52.in-addr.arpa.; QTYPE=12; XID=17,307; DNSSEC=0; RCODE=0; Port=63,227; Flags=33,152; Scope=Default; Zone=..Cache; PolicyName=NULL; PacketData=439B8180000100010000000002383603...; AdditionalInfo= VirtualizationInstance:.; GUID={EC86881D-308D-4A91-94FE-5DCDDFCADFE3} " and then that should become kv pairs TCP=0 InterfaceIP=192.168.1.5 and so on.... (except "AdditionalInfo" will NOT parse out due to the REGEX, but the rest should, but that's ok) I have a single server, basic config. suggestions appreciated.
... View more
04-11-2020
05:40 PM
1 Karma
Thanks. This was the answer.
New transforms.conf
[freqserver]
external_cmd = freq.py domain
external_type = python
python.version = python2
fields_list = domain, frequency
Of course, if the script is updated to python3, change the setting accordingly.
... View more
04-11-2020
07:56 AM
here is the errors in the error log and some surrounding context..
04-11-2020 14:49:49.298 INFO UnifiedSearch - Expanded index search = (index="bro" sourcetype=bro_dns _time>=1554994189.000)
04-11-2020 14:49:49.298 INFO UnifiedSearch - base lispy: [ AND index::bro sourcetype::bro_dns ]
04-11-2020 14:49:49.298 INFO UnifiedSearch - Processed search targeting arguments
04-11-2020 14:49:49.298 ERROR ExternalProvider - Command type 'external' is unsupported for lookup 'freqserver'.
04-11-2020 14:49:49.298 ERROR ExternalProvider - Command type 'external' is unsupported for lookup 'freqserver'.
04-11-2020 14:49:49.298 ERROR LookupProcessor - Error in 'lookup' command: Could not construct lookup 'freqserver, domain'. See search.log for more details.
04-11-2020 14:49:49.298 ERROR SearchPhaseGenerator - Fallback to two phase search failed:Error in 'lookup' command: Could not construct lookup 'freqserver, domain'. See search.log for more details.
04-11-2020 14:49:49.299 ERROR SearchOrchestrator - Error in 'lookup' command: Could not construct lookup 'freqserver, domain'. See search.log for more details.
04-11-2020 14:49:49.299 ERROR SearchStatusEnforcer - sid:1586616589.121 Error in 'lookup' command: Could not construct lookup 'freqserver, domain'. See search.log for more details.
04-11-2020 14:49:49.299 INFO SearchStatusEnforcer - State changed to FAILED due to: Error in 'lookup' command: Could not construct lookup 'freqserver, domain'. See search.log for more details.
04-11-2020 14:49:49.299 INFO SearchStatusEnforcer - Enforcing disk quota = 10485760000
... View more
04-10-2020
02:18 PM
I've looked through several of the other posts on answers regarding this problem and I think I've tried all the suggestions, so here's my post:
I have a script I put $SPLUNK_HOME/etc/apps/search/bin as below:
splunk@splunk1:/opt/splunk/etc/apps/search/bin$ ll freq.py
-r-xr-xr-x 1 splunk splunk 657 Apr 10 20:33 freq.py*
It runs fine when testing with splunk python:
splunk@splunk1:/opt/splunk/etc/apps/search/bin$ /opt/splunk/bin/splunk cmd python ./freq.py splunk.com
domain,frequency
splunk.com,5.96996388594
I created a transforms.conf in $SPLUNK_HOME/etc/apps/search/local as below:
splunk@splunk1:/opt/splunk/etc/apps/search/local$ cat transforms.conf
[freqserver]
external_cmd = freq.py domain
external_type = external
fields_list = domain, frequency
Made sure it had the right linux permissions and owner:
splunk@splunk1:/opt/splunk/etc/apps/search/local$ ll
total 20
drwx------ 2 splunk splunk 4096 Apr 10 20:56 ./
drwxr-xr-x 10 splunk splunk 4096 Mar 10 21:03 ../
-rw------- 1 splunk splunk 807 Mar 30 00:49 indexes.conf
-rw------- 1 splunk splunk 122 Mar 10 21:49 inputs.conf
-rw------- 1 splunk splunk 101 Apr 10 20:56 transforms.conf
In the lookup definition, for permissions, it says that object should appear in all apps and everyone has read and write permissions.
I performed all the above as the admin of a single instance of Splunk.
I restarted Splunk.
So now I run a search:
index="bro" earliest=-1y sourcetype=bro_dns | fields query | rename query as domain | lookup freqserver domain
but I get the following error:
Error in 'lookup' command: Could not construct lookup 'freqserver, domain'. See search.log for more details.
This is on splunk Version: 8.0.2
I was trying to follow these instructions for creating a new external lookup:
https[:]//docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureexternallookups
That error is the same error I get if I try a lookup name that does not exist:
index="bro" earliest=-1y sourcetype=bro_dns | fields query | rename query as domain | lookup nonsensename domain
would get the same kind of Could not construct lookup error...
Any suggestions?
... View more
Labels
- Labels:
-
python
