Hi,
I am running into an issue where I have keys and values which will show up once; upon expansion however it shows that there are two values for each key. The only fields that have the two values are under the 'Event' type.
Here is an example of what I see:
![alt text][1]
and then expanded:
![alt text][2]
And here is an example sourcetype configuration that is on one of my forwarders:
```
[blahblah]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
TZ = UTC
category = structured
```
Does anyone have any idea of what is going on?
[1]: /storage/temp/255833-screen-shot-2018-08-28-at-122554-pm.png
[2]: /storage/temp/255834-screen-shot-2018-08-28-at-121341-pm.png
↧
Duplicate values but one key
↧
Why am I getting a "SSL: CERTIFICATE_VERIFY_FAILED" error despite having valid certificates in Splunk Add-on for Tenable?
Add-on is configured to obtain data from Tenable nessusd (Nessus) 7.1.3 [build M20120] for Linux
Error in logs
```
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed.
```
SSL Connection test
```
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: EFB3E32FE3292430D26CE3BE6B5DF3FB9D6ECE9922687B0ECD51A7B82A31B11342F43CD30A1671FFCE030AE4D047B381
Start Time: 1535474072
Timeout : 300 (sec)
Verify return code: 0 (ok)
```
Certificate Authority used for this connection: Let's Encrypt
↧
↧
How to use stats as a filtered self join?
I have groups of events that have the same `GroupID` field.
For events matching given criteria I need to find another event with a predefined `EventName` from the same group and then `table` together certain fields from both events.
Using `join` it will be something like this:
```
index=common_index sourcetype=common_sourcetype EventName=First somethingElse=whatever
| join GroupID [search index=common_index sourcetype=common_sourcetype EventName=Second | table GroupID keyField]
| table EventName keyField
```
What would be the same type of query with `stats`?
I do not know how to do something like `earliest(EventName==value)`
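One way to express the same pairing with `stats` instead of `join`, as an added example that is not from the original post. It assumes the field names from the question (`GroupID`, `EventName`, `keyField`), that both events live in the same index and sourcetype, and that `somethingElse=whatever` is the extra filter that applies only to the `First` event:

```spl
index=common_index sourcetype=common_sourcetype
    ((EventName=First somethingElse=whatever) OR EventName=Second)
| eval firstKey=if(EventName=="First", keyField, null()),
       secondKey=if(EventName=="Second", keyField, null())
| stats values(firstKey) AS firstKey
        values(secondKey) AS secondKey
        earliest(_time) AS first_seen
        by GroupID
| where isnotnull(firstKey) AND isnotnull(secondKey)
| table GroupID firstKey secondKey first_seen
```

Both event types are pulled in a single search, each one's `keyField` is copied into a per-type field, and `stats ... by GroupID` collapses the group; `values()` ignores the nulls, so the final `where` keeps only groups that contain both a `First` and a `Second` event, which is the row set the `join` produced. This avoids the subsearch result limit that `join` is subject to.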
↧
Changes to passwd file in Splunk 7
We've started testing Splunk 7 and I noticed that when I make changes to the splunk/etc/passwd file and restart splunkd, a number is getting appended to the line each time, i.e.
```
:admin:$6$J5am*::Administrator:admin:changeme@example.com::
```
becomes
```
:admin:$6$J5am*::Administrator:admin:changeme@example.com::17954
```
Where is that number coming from?
↧
Search with different MAC formats in dashboard
Hi Splunkers,
I've created a dashboard that searches a MAC address and displays L1-L3 information. My only problem is, the search box only accepts the aa:aa:aa:aa format. What is the best way to allow different search formats? I want to be able to search with the `:`, `-` and `.` formats.
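An added example (not from the original post) of normalising both the stored MAC and the user's input to bare hex before comparing, so `aa:bb:cc:dd:ee:ff`, `aa-bb-cc-dd-ee-ff` and `aabb.ccdd.eeff` all match the same record. The index name `network_index`, the event field `mac` and the dashboard token `$mac_tok$` are assumptions:

```spl
index=network_index
| eval mac_norm=lower(replace(mac, "[^0-9A-Fa-f]", ""))
| eval input_norm=lower(replace("$mac_tok$", "[^0-9A-Fa-f]", ""))
| where len(input_norm)=12 AND mac_norm=input_norm
| rex field=mac_norm "^(?<o1>..)(?<o2>..)(?<o3>..)(?<o4>..)(?<o5>..)(?<o6>..)$"
| eval mac_display=o1.":".o2.":".o3.":".o4.":".o5.":".o6
| table _time host mac_display
```

Stripping every non-hex character removes whichever separator the user typed, and the `len(input_norm)=12` guard rejects partial or malformed input instead of matching nothing silently. The `rex`/`eval` pair at the end only rebuilds a colon-separated value for display.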
↧
↧
JSON Field Extraction and Charting
I have a sample JSON just like this.
```
{"Domain":"DotComMobile","Metrics":"city","Brooklyn":782,"Bronx":450,"New York":411,"Philadelphia":287,"Chicago":254,"Washington":210,"Silver Spring":176,"Houston":148,"Los Angeles":140,"Boston":133}
```
I want to chart the values corresponding to cities in a pie chart similar to the picture attached. How would I accomplish this?
**spath** extracts the JSON as individual key value pairs, but I am not able to move further from there to creating a pie chart of the cities in the JSON.
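An added example, not from the original post, that turns the city keys into rows so the result can be rendered as a pie chart. It extracts every `"<name>":<number>` pair from `_raw` with a single multivalue `rex`, zips the names and counts together, and expands them into one row per city; the index and sourcetype names are assumptions:

```spl
index=metrics_index sourcetype=city_json
| rex max_match=0 field=_raw "\"(?<city>[^\"]+)\":\s*(?<count>\d+)"
| eval pair=mvzip(city, count, "|")
| mvexpand pair
| rex field=pair "^(?<city>.+)\|(?<count>\d+)$"
| stats sum(count) AS count by city
| sort - count
```

Only keys whose value is a bare number are captured, so `Domain` and `Metrics` (string values) drop out without an explicit exclusion. Selecting the pie chart visualization on the final `city`/`count` table gives one slice per city; `sum()` also merges counts if several such events fall in the search window.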
↧
How to use Splunk JMS app UI to provide MQ connection details to connect to MQ queue
The Splunk JMS app UI basically shows fields to enter connection details for connecting to Solace queues. If I have to connect to an MQ queue (where we have host, server channel etc.), may I know how to enter the values on the UI? I tried to enter key value pairs in the JNDI properties input box, but it is not working.
It would be a great help.
↧
Lookup matching question
Hi
I use the code below.
In a first version of the code, my search began with `| inputlookup append=t NZDL.csv`
and after that there were a lot of `| join type=outer host [search index ...`
The code was running, but very slowly.
So I wrote the new request below:
```
(index="perfmon" sourcetype="winhostmon")
OR (index="windows-wmi" sourcetype="WMI:LastLogon")
OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime)
OR (index="windows-wmi" sourcetype="wmi:MemorySize")
OR (index="windows-wmi" sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode)
OR (index="windows-wmi" sourcetype="WMI:MonitorSN" SerialNumberID)
OR (index=windows sourcetype=winregistry earliest=-120d
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry" OR
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel")
OR (index=windows sourcetype=tools:flags filename=*ABDM-TOUPDATE*)
| lookup VideoSignalStatus.csv ConfigManagerErrorCode
| eval TotalSpace = TotalSpaceKB/1024
| eval FreeSpace = FreeSpaceKB/1024
| eval FreeSpace = round(FreeSpace/1024,1)
| eval TotalSpace = round(TotalSpace/1024,1)
| eval FreePerc = round((FreeSpace/TotalSpace)*100,1)
| eval DiskSpace = TotalSpace." GB". " (Total) ". FreeSpace." GB". " (Free) ". FreePerc." %". " (Free %) "
| rex field=LastLogon mode=sed "s/\..*$$//"
| eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
| rex field=LastBootUpTime mode=sed "s/\..*$$//"
| eval LastBootUpTime = strftime(strptime(LastBootUpTime,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
| eval MemorySize =round(TotalPhysicalMemory/1024000000, 0). " GB"
| eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion",data, null),
NATCO=if(key_path=="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry",data,null),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null),
Patch=if(key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel",data,null)
| eval filename=if(filename=="ABDM-TOUPDATE.$$w$$", "YES", null)
| stats first(DiskSpace) as DiskSpace latest(LastLogon) as LastLogon latest(FreePerc) as FreePerc latest(LastBootUpTime) as LastReboot latest(MemorySize) as MemorySize latest(Meaning) as ScreenSignal latest(filename) as StayAwake latest(SerialNumberID) as VideoSN latest(Patch) as Patch values(NATCO) as NATCO values(OS) as OS values(Build) as Build by host
| lookup NZDL.csv host OUTPUT Building, Floor, Gate, Ping
| eval Ping =if(Ping=="True","OK","KO")
| eval StayAwake=if(isnotnull(StayAwake),StayAwake,"No")
| table host Building Floor Gate Ping DiskSpace FreePerc MemorySize LastLogon LastReboot ScreenSignal VideoSN StayAwake Patch NATCO OS Build
```
I just need a confirmation about this code.
Could you confirm that there is indeed a match between the "host" field in my CSV and the Splunk "host" field?
As I currently work locally, I am unable to confirm that the match on the "host" field works fine.
Other question:
Is it possible to do this?
```
(index="perfmon" sourcetype="winhostmon")
OR (index="windows-wmi" sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot" LastBootUpTime OR sourcetype="wmi:MemorySize" OR sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode OR sourcetype="WMI:MonitorSN" SerialNumberID) OR (index=windows sourcetype=winregistry earliest=-120d
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry" OR
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel")
OR (index=windows sourcetype=tools:flags filename=*ABDM-TOUPDATE*)
```
Thanks
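A way to check, before trusting the `| lookup NZDL.csv host ...` step, whether the `host` values in the CSV line up with the `host` field of the indexed events. This is an added example, not part of the original post; it reuses the poster's `NZDL.csv` lookup and the `perfmon`/`winhostmon` index and sourcetype, and assumes the CSV has a column literally named `host`:

```spl
| inputlookup NZDL.csv
| eval in_lookup="yes"
| append [
    search index="perfmon" sourcetype="winhostmon"
    | stats count AS events by host
    | eval in_events="yes"
  ]
| stats values(in_lookup) AS in_lookup
        values(in_events) AS in_events
        values(events)    AS events
        by host
| eval status=case(isnotnull(in_lookup) AND isnotnull(in_events), "matched",
                   isnotnull(in_lookup), "csv_only",
                   true(), "events_only")
| stats count by status
```

Rows counted under `csv_only` or `events_only` are hosts that the lookup would not join. Removing the final `| stats count by status` line lists the individual hosts, which is usually enough to spot the typical mismatch between a short name on one side and a fully qualified or differently cased name on the other.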
↧
Table row highlighting not working using text comparison for cell value
I have gone through all the answers here, and cannot find one that was actually answered with enough detail to make this work. All examples from the dashboard app refer to int values; I have been unsuccessful in any attempt to make it work with string comparisons.
Does anyone have a working example with rows highlighted based on text values?
↧
↧
Need help on LINE_BREAKER,TIME_FORMAT and TIME_PREFIX
I have built a props.conf. When I upload the log file manually it works fine, but when the app writes the log the line break is not working. Please advise how to make this props.conf work when the app writes the log file.
**Complete Log file:-**
```
INFO:SESSION TOKEN = A5BD11D7B2BB200B5FB893C120333044:2018-08-28 15:12:03,991
INFO:REQUEST:2018-08-28 15:12:08,456
INFO: version="1.0" encoding="UTF-8"?>A5BD11D7B2BB200B5FB8C120333044 433
```
**Line break from this line (INFO:SESSION TOKEN = A5BD11D7B2BB200B5FB893C120333044:2018-08-28 15:12:03,991)**
**Props.conf**
```
[wsa]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(\w+\:\w+\s\w+\s\=\s\w+\:\d+\-\d+\-\d+\s\d+\:\d+\:\d+\,\d+)
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = (?i)info\:session[^=]+\=[^:]+\:
pulldown_type = true
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 30
```
↧
Correct configuration of Cisco Firepower eNcore
For those using the Cisco eStreamer eNcore app and Cisco eStreamer eNcore add-on, could you verify which goes where? I think I missed those instructions in the documentation.
Add-on -> HF (linux), Indexers (linux)
App -> SH (linux)
The reason I'm asking is because I am not getting any data despite having a status of 'Running' in the dashboard on the Search Head.
On my HF when I look at the tcpdump I'm seeing data (encrypted so I don't know what data) moving between the FMC and the HF, but nothing is showing up in the cisco:estreamer:data sourcetype. All the boxes are checked under eStreamer Event Configuration on the FMC and also Log Extra Data, Log packets and Log Flows are checked on the Splunk app under eStreamer for Splunk:Settings.
There are no errors in /opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer.log or in the splunkd.log
Any other suggestions?
↧
mcatalog doesn't work (at least not with the Add-On for Microsoft Windows)
The command recommended by the docs to view all metrics in all indexes is:
```
| mcatalog values(metric_name)
```
But with Splunk Enterprise 7.1.2 and the Add-On for Microsoft Windows, this shows nothing.
I guess a larger question is: Is anyone using metric indexes for anything? Most of the apps I've seen have agents that produce EVENTS that contain numeric values in fields, and they then use these events for their calculations.
↧
Splunk DB Connect 3.1.1 - Why database input for MS SQL server query does not capture any data to the index?
I have set up a database input to connect to MS SQL Server in Splunk DB Connect 3.1.1. My database connection is working fine and I just tested a simple query like "select * from " but no data has been collected and indexed in my new index. I did not see any errors in any log.
Below is the setting in db_inputs.conf, but I have configured it through the GUI.
```
[data-SQL]
connection = data-SQLconnection
disabled = 0
host = data-SQL
index = av
index_time_mode = current
interval = 60
mode = batch
query = SELECT * from
source = data-SQL
sourcetype = data:sql
```
I appreciate any advice.
Thanks
↧
↧
Dbxlookup Functioning
When we call a `dbxlookup` in a search query, does the lookup search for the matching field values in the entire database?
While creating a dbxlookup, we just mention the matching fields and the output fields.
↧
Alert suppression
What is the best way to run a search to be alerted/emailed between 4pm-6am M-F, weekend and holidays? Should the search include the times or be adjusted in the cron schedule or lookup table? What would the example look like? Thanks.
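One way to keep the time window inside the search itself, so the alert can be scheduled on a simple cron (for example every hour) and only returns rows during the off-hours period. This is an added example, not from the original post; the index, sourcetype and `severity` field are placeholders, and the `holidays.csv` lookup with a `date` column (formatted `YYYY-MM-DD`) and a `holiday_name` column is an assumed lookup you would maintain yourself:

```spl
index=security sourcetype=ids_alerts severity=high
| eval hour=tonumber(strftime(now(), "%H")),
       dow=tonumber(strftime(now(), "%u")),
       today=strftime(now(), "%Y-%m-%d")
| lookup holidays.csv date AS today OUTPUT holiday_name
| eval off_hours=if(dow>=6 OR hour>=16 OR hour<6 OR isnotnull(holiday_name), 1, 0)
| where off_hours=1
| stats count AS alerts values(src) AS sources by signature
```

`%u` numbers the weekday 1 (Monday) to 7 (Sunday), so `dow>=6` covers the weekend; `hour>=16 OR hour<6` covers 4pm to 6am on weekdays, and the lookup adds whole days listed as holidays. Because the gate is evaluated with `now()` at search time, the alert's trigger condition can stay as "number of results > 0" and the cron schedule does not need to encode the window. Note that `strftime(now(), ...)` follows the search head's timezone setting for the running user, so the lookup and the hour thresholds should be checked against that.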
↧
Configuring Splunk to use MSA
I need to monitor a dir/file on a remote server that does not have Splunk. I have had my IT create an MSA that can run Splunk. Unfortunately the msi GUI installation only allows you to enter Domain users for which you can explicitly provide a user name and password. This is not possible (to my knowledge) when using an MSA. My question is how can I configure Splunk to use my MSA?
I have seen the many documents which tell me I have to:
- Uninstall my current instance (since I've previously started Splunk)
- And install Splunk via cmdline:
  `msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes LOGON_USERNAME=AD\Splunk LAUNCHSPLUNK=0 INSTALL_SHORTCUT=1 /lv D:\SplunkInstall.log`
- The above cmd opens up the msi GUI and stops on the page prompting me to check the still unchecked License agreement (even though I've agreed to it via the cmdline options)
- Adding `/quiet` to the cmdline doesn't prompt me to check the License agreement, but doesn't seem to do anything else either
- The verbose log appears uneventful as well.
↧
Can you hide the Splunk Forwarder service?
I recently ran across some exploit kit modules designed to stymie incident responders by attacking endpoint security agents (Splunk included) and wanted to know if I could hide the Splunk service on my endpoints. The modules do simple string searches for service names so renaming the Splunk Forwarder service to something innocuous would do the trick. Does anyone know how to do this on Windows and Linux hosts without breaking Splunk?
↧
↧
Data Model Acceleration TSTATS where clause NOT working
The following SPL is returning multiple values for nmds_adapter_survey.iccid when the where clause is set to a value. It should only return the specified value.
```
| tstats
values(nmds_adapter_survey.iccid)
values(nmds_adapter_survey.hcar)
values(nmds_adapter_survey.c_id)
from datamodel=nmdm_survey
where nmds_adapter_survey.iccid="89014103255440210384"
```
Results:
![alt text][1]
[1]: /storage/temp/255837-screen-shot-20180828-01.png
Setting the where clause to any numbers for the last 4 characters returns what matches the first 16 characters. The where clause below returns the same values as the SPL where clause above.
```
where nmds_adapter_survey.iccid="89014103255440210000"
```
In the data model the iccid value is defined as a string.
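An added diagnostic, not part of the original post, that makes visible exactly which distinct `iccid` values the accelerated `where` clause admits and flags the one that matches the full 20-character string. It reuses the poster's data model and field names and the value from the question:

```spl
| tstats count
    from datamodel=nmdm_survey
    where nmds_adapter_survey.iccid="89014103255440210384"
    by nmds_adapter_survey.iccid
| rename nmds_adapter_survey.iccid AS iccid
| eval prefix16=substr(iccid, 1, 16),
       exact_match=if(iccid=="89014103255440210384", "yes", "no")
| table iccid prefix16 exact_match count
```

Splitting `by` the same field that is filtered shows every value that survived the accelerated filter on its own row, with `prefix16` making the shared 16-character prefix easy to see. The `eval` comparison operates on the returned string after `tstats`, so appending `| where exact_match="yes"` keeps only the exact value regardless of how the accelerated summary matched; this does not change how the summary itself is stored, it just post-filters the result.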
↧