Issues with OMS Query Filters
Use case: I want to pull a specific set of security events from OMS into Splunk. Within OMS log search, querying for:
SecurityBaseline
gives me all events from the set, and filtering for the events I want is:
SecurityBaseline | AnalyzeResult=="Failed"
No issues.
In Splunk OMS inputs, setting my "OMS Query" to the first one does indeed work and starts pulling events from that set (it is huge). However, if I change it to the latter with the filter, no events are pulled and the following error shows up in the OMS app log:
tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\ta_oms_inputs\modinput_wrapper\base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py", line 96, in collect_events
input_module.collect_events(self, ew)
File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\input_module_oms_inputs.py", line 86, in collect_events
search_id = data["id"].split("/")
Relatively new to OMS, but I think this is probably just a syntax issue somewhere... any place for reference queries, or a different way I should do this?
(If it matters, I am using OMS Inputs app v1.3.3 on Splunk Enterprise 7.0.2)
Getting an issue while parsing events which have no timestamp in logs
I am getting an issue while parsing events which have no timestamp in the logs. It should use the date/time from the last log event's timestamp, but it is not updating. Can you please help?
How to filter table results
Hi all!
I have a table as a search result:
date Country cs_username
2018-06-12 Mexico mendoza
2018-06-12 Mexico mendoza
2018-06-12 Mexico mendoza
2018-06-14 Mexico mendoza
2018-06-20 Mexico mendoza
2018-06-22 Mexico mendoza
2018-06-25 Mexico mendoza
2018-06-26 Mexico mendoza
2018-06-26 Mexico mendoza
2018-06-11 Netherlands xing
2018-06-11 United States xing
2018-06-11 Nigeria xing
2018-06-13 United States xing
2018-06-14 United States xing
2018-06-15 United States xing
2018-06-17 United States xing
2018-06-22 Brazil xing
2018-06-24 United States xing
2018-06-25 Brazil xing
2018-06-25 Brazil xing
2018-06-25 United States xing
2018-06-17 China xue
2018-06-18 China xue
2018-06-20 China xue
2018-06-21 China xue
2018-06-22 China xue
2018-06-22 China xue
2018-06-22 Brazil xue
Note that on the same days I have the same user and 2 different countries.
2018-06-11 xing
2018-06-25 xing
2018-06-22 xue
This is the condition I am interested in.
I need to filter the table results to show just this:
2018-06-11 Netherlands xing
2018-06-11 United States xing
2018-06-11 Nigeria xing
2018-06-25 Brazil xing
2018-06-25 Brazil xing
2018-06-25 United States xing
2018-06-22 China xue
2018-06-22 China xue
2018-06-22 Brazil xue
Can anyone help me?
Thanks a lot!
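One way to get exactly those rows, as an added example that is not part of the original post: count, per (date, cs_username) pair, how many distinct countries appear, then keep only the rows that belong to a pair with more than one. The rows are a constructed subset of the table above, loaded with makeresults so the search runs without an index.

```spl
| makeresults
| eval data="2018-06-12,Mexico,mendoza;2018-06-14,Mexico,mendoza;2018-06-11,Netherlands,xing;2018-06-11,United States,xing;2018-06-11,Nigeria,xing;2018-06-13,United States,xing;2018-06-25,Brazil,xing;2018-06-25,Brazil,xing;2018-06-25,United States,xing;2018-06-21,China,xue;2018-06-22,China,xue;2018-06-22,China,xue;2018-06-22,Brazil,xue"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<date>[^,]+),(?<Country>[^,]+),(?<cs_username>[^,]+)$"
| eventstats dc(Country) as country_count by date, cs_username
| where country_count > 1
| sort date, cs_username, Country
| table date Country cs_username
```

eventstats, unlike stats, keeps every original row and only attaches the count to it, which is why the Country column survives the filter. This is the same shape as a basic "one account seen from several countries in one day" check; to tighten it, group by hour instead of day (`bin _time span=1h` before the eventstats) or add `values(Country)` to the eventstats so the alert row lists the countries involved.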
Help Please! Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC;
I've been getting this error:
./splunk add monitor /var/log/*log
ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment
I have the following structure for reference:
/opt/splunk/bin (no splunk executable file)
/opt/splunkforwarder/splunk.exe
Does full key value not extract properly if it starts with a number?
I have created a new log message that looks like
2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", purchase_amount="57.80", currency="USD"
All of my Key-value pairs do auto-extract but the one named 3d_secure_data does not seem to extract the full name. When you look at the Interesting Fields, the key is actually named d_secure_data, the 3 is being dropped off somehow. See screenshot
![alt text][1]
Is this a known key naming convention where keys can only start with an alpha char, or is this an issue with auto-extraction? I am using Splunk Enterprise 6.6.3.
I can work around the issue by renaming the key and spelling out the word three; I just want to know if this is a known configuration setup or a bug.
Regards
Jen
[1]: /storage/temp/252079-key-splunk.jpg
How to parse hash code from a raw log into a field
Mail_Log_Splunk: Info: MID 119972447 SHA **ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a** filename Pics meeting pagoda.doc queued for possible file analysis upload
What is the regex to parse the bold section out of a raw log?
display results in descending order
It shows the result in the below format
uri 208 400
... .... ...
I want to show the URIs with the most responseCodes on top. I tried the query below, but it is not giving the desired output.
host="*prod*" uri="*v*" earliest = -7d@d
| WHERE responseCode != 200
| chart count by uri, responseCode
| sort -responseCode
sort is not giving results in descending order.
How to conditionally display HTML panels with a token, set via a javascript program?
I have a fair idea that `depends="$token$"` can be used to display or hide the panel. My requirement is that I get the list of roles for a user, via a Javascript file, and load it onto tokens present on the dashboard.
Now, these tokens will be set to "null" when the dashboard initially loads, and from the script, set to the role value.
The dashboard itself is filled with panels which I need to conditionally display based on the roles returned from the search.
Here is some code I have put together:
trying to render based on token setting from JS |
I also have CSS attached to the dashboard
And, here is the JS code:
require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
    // Token model shared with the dashboard's $...$ tokens
    var tokens = mvc.Components.get("default");
    // Hardcoded here; in the real script this comes from a search for the user's roles
    var permissionGrant = "power";
    // Setting the token fires any panel with depends="$role1$"
    tokens.set("role1", permissionGrant);
});
So, summarizing, the JS will set the token "role1" with a value from a search (in the example I have hardcoded the value).
The panel will then make a request and get the relevant HTML page and render it.
Thanks in advance.
Splunk for Life :)
How do I add time stamp or label onto my timechart to mark a specific time/event?
Hi! I've got a very simple timechart query that pulls up number of user sessions per day. What I want to do is to add a label or a line that marks when a major event occurred so I can see how the user sessions have changed after it. How do I go about adding these labels?
Query being used:
| timechart span=1day@day dc(session_id) values(session_id)
Regex extraction to grab string1 after the occurrence of string2
In my logs I have something that looks like the following: "string1":"string2". I would like to extract string2 as a field, using string1 as a reference point for my regex.
How to troubleshoot if splunk is down
One of our search heads is down and I am not able to log in to it. What is the quick way to fix it, and on which component of Splunk does this troubleshooting need to be done?
Need a way to split the default savedsearches.conf from the local one?
I am using a search command to find the savedsearches.conf for an alert. I created a search which can list all of the parameters in the savedsearches.conf; however, it merges both the default and local savedsearches.conf for that alert. The search I use is below:
| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=INSERT_APP_NAME"
| search title="INSERT_ALERT_TITLE"
| rename eai:acl.app as app, eai:acl.perms.read as read, eai:acl.sharing as sharing
| fields - updated published id eai*
| fields title author splunk_server app read sharing *
| eval title="[".title."]"
| foreach * [eval title=if("<<FIELD>>"="author" OR "<<FIELD>>"="splunk_server" OR "<<FIELD>>"="app" OR "<<FIELD>>"="read" OR "<<FIELD>>"="sharing" OR "<<FIELD>>"="title" OR '<<FIELD>>'="",title,mvappend(title,"<<FIELD>>"."="."\"".'<<FIELD>>'."\""))]
| fields title author splunk_server app read sharing
| search title=**
Is there any way for me to only see the local portion of the savedsearches.conf?
How to sort by field?
I am trying to get the highest used process percentage by user; however, I am unable to sort by the field I want to.
index=os sourcetype=top host=hostname
| chart sum(pctCPU) as CPU_USAGE by USER,COMMAND
| sort sum(pctCPU) desc
| head 5
This produces a table, but I'd like the chart to show only the top 5 users and the commands they are running, sorted by CPU_USAGE.
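Why `sort -responseCode` in the "display results in descending order" post has no effect, shown with an added example that is not part of the original posts: after `chart count by uri, responseCode` there is no responseCode field any more; each distinct value (208, 400, ...) has become a column, so sort has nothing to order by. Add a per-row total with addtotals and sort on that. The URI/response-code pairs are constructed and loaded with makeresults so the search runs without an index.

```spl
| makeresults
| eval data="/v1/login,400;/v1/login,400;/v1/login,500;/v1/login,200;/v2/orders,404;/v2/orders,400;/v3/health,503"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<uri>[^,]+),(?<responseCode>\d+)$"
| eval responseCode=tonumber(responseCode)
| where responseCode != 200
| chart count by uri, responseCode
| addtotals fieldname=total
| sort -total
| fields - total
```

The same explanation covers the "How to sort by field?" post: after `chart sum(pctCPU) as CPU_USAGE by USER, COMMAND` the only fields are USER plus one column per COMMAND, so neither `sum(pctCPU)` nor CPU_USAGE exists to sort on. For a top-5 list, aggregate with stats instead, which keeps both split-by fields as ordinary columns: `index=os sourcetype=top host=hostname | stats sum(pctCPU) as CPU_USAGE by USER, COMMAND | sort -CPU_USAGE | head 5`.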
Anyone know where I can find 800-53 Controls Supported by Splunk?
Hello,
I'm trying to find whether there is anything like the page below, but for Splunk. I'm trying to see how Splunk fits in and which 800-53 controls are supported by Splunk. I appreciate any guidance.
http://www-01.ibm.com/software/tivoli/products/endpoint-federal/index.html
Thanks
Issue with SAML authentication using OKTA
I'm trying to configure SAML authentication using OKTA for splunk login. Splunk version 7.0.3.
I'm getting the below error:
Data could not be written: /nobody/system/authentication/userToRoleMap_SAML: admin::abc::abc@xyz.com
rex or regex to extract string and create a new field
I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
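An added example, not from any of the posts above, covering the four extraction questions on this page with rex: the 3d_secure_data key, the hash after "SHA" in the mail log, the generic "string1":"string2" case, and the "action" value in the JSON lines. The three events are constructed from the samples in those posts (the 3d_secure_data value is set to Y here so the extraction is visible) and loaded with makeresults. The capture-group name in a rex pattern, like any PCRE group name, must start with a letter or underscore, which is why the key is captured as three_d_secure_data.

```spl
| makeresults
| eval data="2018-06-27 11:28:01,743 WARN TestReporting , id=\"LJ99YUT5F1K\", trans_timestamp=\"6/27/18 3:42 AM\", 3d_secure_data=\"Y\", arn=\"\", purchase_amount=\"57.80\", currency=\"USD\";Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload;{\"dateTime\":\"2018-03-19T05:57:47.1102859Z\",\"ID\":\"cbbf\",\"account\":\"f295\",xd\":\"f89\",\"tile\":\"HeroTile\",\"action\":\"page:http://second.com/roomV8.2/front.main/\"}"
| makemv delim=";" data
| mvexpand data
| eval _raw=data
| rex "\b3d_secure_data=\"(?<three_d_secure_data>[^\"]*)\""
| rex "SHA\s+(?<sha256>[0-9a-fA-F]{64})\b"
| rex "\"action\":\"(?<action>[^\"]*)\""
| table _raw three_d_secure_data sha256 action
```

rex runs against _raw by default, and a pattern that does not match simply leaves its field unset, so all three extractions can be applied to a mixed set of events. The "action" pattern is the general form for a quoted pair: `rex "\"string1\":\"(?<string2>[^\"]*)\""` anchors on the literal key and captures up to the next quote. On well-formed JSON, `spath path=action` would be the cleaner tool, but the sample lines in the post have a broken `xd":` key that spath would reject, so the regex is the practical choice. Pulling the hash into its own field is what makes it usable with `lookup` against a hash list rather than only visible in the raw text.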