Hi all, I am currently a little bit stuck ... Commands.conf looks like this: [tc] chunked = true filename = tc.py [t] retainsevents = true streaming = true filename = t.py tc is the same command as t but it should use protocol version 2 instead of 1 The version 1 script works but when using the version 2 script, it just says "Could not locate the time (_time) field on some results returned from the external search command 'tc'" Documentation on version 2 is a little bit sketchy so, --> what needs to be changed when switching from version 1 to version 2? --> is there a sample custom streaming command for version 2 ? Thanks ... View more

Hello all, Is there any possibility to detect if somebody ran a | delete command? I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else). I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂 ) but I could not find any. Thank you! ... View more

Hi all, I'm currently experiencing this challenge. At a customer site we have two identical syslog servers receiving the same data from the same sources. For some reasons it might be that a data source decides to only send it's data to one of the two syslog servers (as it happened yesterday). Since currently only one of the two syslog servers has a forwarder installed, we miss data that is only sent to the other syslog server. But if I install the forwarder on both syslog servers I would get most of the data twice (if the inputs.conf is the same). How are such situations handled properly? Is there any possibility to only index data once although it is present on both syslog servers? Thank you ! ... View more

Hi all, I am looking for a possibility to visualize the data I get from firewalls/router/switches/... Basically what I have is a table that looks something like src_ip ---> firewall01_dvc ---> firewall02_dvc ---> dest_ip and I'd like to somehow visualize this. Is there a good possibility to do this. I tried to use the sankey diagram but thats not really working out as I want it to. If possible I'd like to avoid using d3 -> it takes too much time 🙂 Thank you ... View more

Hi all, so I built this query search index=sey_ips src_ip=10.0.0.1 dest_ip=10.0.0.2 | eval time = _time | sort - time | streamstats current=f window=1 first(time) AS lastTime by src_ip, dest_ip, signature_id | eval diff = lastTime-time | search lastTime=* | table _time, src_ip, dest_ip, time, lastTime, signature_id, diff | stats stdev(diff) by src_ip, dest_ip, signature_id If I define the IPs manually it works great, but I have a lookup file containing quite a lot of src_ip, dest_ip combination and I'd like to run this query with all the defined IPs. How would I do that? I am basically looking for something like a loop. Thank you ... View more

Hi all, Has any one of you integrated logs from Oracle SGD? Actual integration is easily done via Syslog, but making sense of all these logs is really hard. I'm currently trying to make these logs CIM compatible, but I don't really know how to do this without proper documentation - and afaik there is no documentation regarding the logs. Have you already done this, is there a Splunk app, do you know of any documentation? - all information is helpful. Thank you ! ... View more

How do I see the state of the connection to the Checkpoint Log/Management Servers - like in previous version I always saw the last communication. This is be really important- we just installed the new version, created new inputs (with old certificates) and no data is coming in. Thank you ... View more

Hi all, so we installed the OPSEC App yesterday (took about 2 hours) and now we get Logs - a LOT of logs. Our firewall Team expected around 25 Gig per day, now at 8am we are at around 40 Gig. Now I was wondering if maybe the configuration of opsec app is somehow incorrect and that maybe data is indexed multiple times or something the like. I did few very short tests to find duplicates (just searched for the raw test of an event) but could not find any. Are there any known configuration mistakes that might cause such that much data to be indexed. During the configuration we did had to create/delete/re-create several connections and trust relations, but now we only have the connections that we actually need and want. What I am a little bit worried about is the following configuration in the opsec-log-status.conf file. I see multiple stanzas for the same data-source (clm-data-1) but only for the last one the "last_rec_pos" variable is increased automatically. [1466632741@clm-data-1] fileid = 1466632741 filename = fw.log last_rec_pos = 23801843 [1466644651@clm-data-1] fileid = 1466644651 filename = fw.log last_rec_pos = 23725430 [1466655679@clm-data-1] fileid = 1466655679 filename = fw.log last_rec_pos = 23407048 [1466661952@clm-data-1] fileid = 1466661952 filename = fw.log last_rec_pos = 1710000 Or are there any features on how to reduce the amount of data indexed by the opsec app. We could deactivate VPN and Audit Logging but that's only around 1% of all logs. Thank you ! ... View more

Hi all, I am not sure if I understood how to set up the Distributed Management Console correctly. So I have two independent indexers, two search heads, and a bunch of heavy forwarders - I'd like to monitor them all with the DMC. The setup manual states that I have to configure each instance that I want to monitor as a search peer for the DMC. In another part of the manual (prerequisites), it is written that I have to forward the _internal logs of all other systems to the indexers (I do this for all systems already). So should I deactivate the _internal forwarding for all the systems I want to monitor with the DMC, or is it sufficient to point the DMC to the indexers (all _internal logs are there)? Thank you ... View more