Channel: Questions in topic: "splunk-enterprise"

Blacklist WinEventLog Security not working

Hi, I tried to blacklist Windows event logs on EventCode and Message field content. I can't figure out what's going wrong here. This is my input, which was deployed to my UFs (I can see in _internal that this happened for sure). The app has "Restart Splunkd" and "Enable App" marked. I also checked with btool that the clients are picking up the conf changes.

[WinEventLog://Security]
blacklist1 = EventCode="4627" Message="Account\sName:\s+\w+\$$"
blacklist2 = EventCode="4661" Message="Account\sName:\s+\w+\$$"

I want to filter out EventCode 4627 and 4661 if Account Name contains names ending with $. That's why I have $ twice: one for the actual $ and one for end of line. I am using Message as a key field, since inputs.conf states that WinEventLogs need certain key fields, within which you can then extract your value.

> The following keys are equivalent to the fields that appear in the text of the acquired events: Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

Regex101 is extracting properly. I had a look in _internal for blacklist1 and blacklist2 and for the stanza WinEventLog://Security. No error or warning messages from clients. I use this search `index=myindex (EventCode="4661" OR EventCode="4627") Account_Name="*$"` to test if there are still events coming. For now they are. So if anyone has a good hint on how to do this, please let me know. I would appreciate specific answers explaining why your code should work, not only the code itself. Thank you :)

Example event for 4661:

EventCode=4661
EventType=0
Type=Information
ComputerName=xxx
TaskCategory=SAM
OpCode=Info
RecordNumber=xxx
Keywords=Audit Success
Message=A handle to an object was requested.
Subject :
Security ID: xxxx
Account Name: XXXXXX$
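As an added example (not part of the post), a Python check of how the trailing end-of-line anchor in the poster's Message regex behaves on a constructed multi-line 4661 message; it assumes, as in real Security log messages, that the Account Name line is followed by further lines such as Account Domain. A blacklist regex that never matches silently forwards the events it was meant to drop, so confirming the anchor behaviour on a realistic message is the first check to make.

```python
import re

# The poster's Message regex, exactly as written in the inputs.conf stanza.
PATTERN_ANCHORED = r"Account\sName:\s+\w+\$$"
# The same regex without the end-of-line anchor (the trailing bare $).
PATTERN_UNANCHORED = r"Account\sName:\s+\w+\$"

# Constructed sample Message bodies (not real events). Real 4661 messages
# continue after the Account Name line, so "Account Domain:" follows it.
MACHINE_ACCOUNT_MSG = (
    "A handle to an object was requested.\n"
    "\n"
    "Subject :\n"
    "\tSecurity ID:\t\tS-1-5-21-EXAMPLE\n"
    "\tAccount Name:\t\tWORKSTATION01$\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
    "\tLogon ID:\t\t0x3E7\n"
)
# Same message for an ordinary user account (no trailing $).
USER_ACCOUNT_MSG = MACHINE_ACCOUNT_MSG.replace("WORKSTATION01$", "jdoe")


def matches(pattern: str, message: str, multiline: bool) -> bool:
    """Return True if the blacklist-style regex matches the Message text."""
    flags = re.MULTILINE if multiline else 0
    return re.search(pattern, message, flags) is not None


def anchor_report(message: str) -> dict:
    """Summarise how the anchored and unanchored regexes behave on one message.

    Without multiline mode, $ only matches at the very end of the text, so the
    anchored pattern fails whenever anything follows the Account Name line.
    """
    return {
        "anchored_single_line": matches(PATTERN_ANCHORED, message, False),
        "anchored_multiline": matches(PATTERN_ANCHORED, message, True),
        "unanchored": matches(PATTERN_UNANCHORED, message, False),
    }


if __name__ == "__main__":
    for name, msg in [("machine account", MACHINE_ACCOUNT_MSG),
                      ("user account", USER_ACCOUNT_MSG)]:
        print(name, anchor_report(msg))
```

Whether the regex engine behind the blacklist setting treats `$` as end-of-line or end-of-text is exactly what decides whether the poster's pattern can ever match a multi-line message; the unanchored form avoids the question entirely.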

How do I keep a fishbucket on a Citrix non-persistent storage?

Hi folks, I've rolled out Splunk UFs on Citrix workstations, but found out that the storage was non-persistent. This caused the workstations to be "wiped" every night, including deletion of the fishbucket, thus causing the UF to reindex all historical data on the workstation.

We tried solving this by creating a symbolic link to a separate persistent storage. That is, the fishbucket folder would point to a folder on a different path, "tricking" Splunk into storing the fishbucket files on the persistent storage. Unfortunately I can find no "official" way of changing the location of the fishbucket.

The problem is, this doesn't work. Even though the symbolic link seems to be working just fine, and Splunk writes to the fishbucket files on the persistent storage, we still get reindexing of data every night when the workstations are wiped. I can find no error messages in the Splunk internal logs.

Has anyone solved this problem? Are there any insights on exactly how the fishbucket works that could help me? Has anyone created a GPO for this? Any help is much appreciated. Thanks!

I have indexer 7.2.3 and I want to install a forwarder on a W2003 server; which forwarder do I have to install?

I have indexer 7.2.3 and I want to install a forwarder on a W2003 server. Which Splunk forwarder version do I have to install in order to get data from that Windows Server 2003?

Search with NOT of a lookup is not working in a real-time search

I am running a real-time search in which I need to check that, if a particular id is present in a lookup, it is not ingested into it again.

Edit datetime.xml for my custom date and time in the source field

Hi everyone, can someone tell me what I'm supposed to edit in my datetime.xml file for my custom date and time to be recognized in Splunk? I want to extract the date and time from my source field, which looks like this: `20190128T06:14:25.json`. It is in the format `%Y%m%dT%H:%M:%S`. I tried the below in props.conf, but it doesn't help:

[mysourcetype]
DATETIME_CONFIG = F:\Splunk\etc\apps\search\default\datetime.xml

My Splunk version is 7.1.2 on Windows.

internal documentation links

I have updated the docsCheckerBaseURL property in web.conf (in system/local); however, clicking on any of the links under "Help" still tries to contact external links. I have tested the internal link and it does work. Is there something I am missing to force our search head to look at this link instead of the external help sites? Splunk 7.2.3

How to know who modified a role or capability of a user?

Good morning. We are required to audit the modifications of users in the Splunk environment: to know who modified whom and, if possible, when. Regards

hostwide component in resource_usage.log

What exactly is the hostwide component in the output below? It is reporting very high utilization of memory, and subsequently the splunkd process crashes. The issue goes away on VM restart, but slowly hits saturation again in around a day. Is it a process in Splunk itself or is it a *nix process?

The docs (https://docs.splunk.com/Documentation/Splunk/7.2.3/Troubleshooting/Whatdatagetslogged) state: **host-level, dynamic CPU utilization and paging information.** There is not much description here either: https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTintrospect#server.2Fstatus.2Fresource-usage.2Fhostwide

index=_* host=ukwkmh-vmua084 source="/opt/splunk/var/log/introspection/resource_usage.log" sourcetype=splunk_resource_usage

{
    component: Hostwide
    data: {
        cpu_arch: x86_64
        cpu_count: 12
        cpu_idle_pct: 13.45
        cpu_system_pct: 20.37
        cpu_user_pct: 66.18
        forks: 13292498
        instance_guid: XXXXX
        mem: 11910.879
        mem_used: 10249.320

How to skip the header line in a CSV file

I have a CSV file with the header columns "Name","CapacityGB","FreeSpaceGB" on line number 1. This header is also coming along with the next line as one single event. I have used the below props.conf:

[xxxxx]
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = (\,\"\d+\.\d+\"$)
FIELD_DELIMITER = ,
FIELD_QUOTE = "

ISSUE:

1/27/19 4:31:01.000 AM
"Name","CapacityGB","FreeSpaceGB"
"xxxxxx","1008.374375","486.1959375"

Please let me know how to exclude the header line. Do I have to update anything in props.conf?

How to get a specific record from the KV store using SplunkJS and REST endpoints

I am storing records into the KV store, and deleting them, using SplunkJS and REST endpoints.

Store:

service.request(
    "storage/collections/data/mycollection/",
    "POST",
    null,
    null,
    JSON.stringify(record),
    {"Content-Type": "application/json"},
    null)
    .done(function() {
        // Run the search again to update the table
        search1.startSearch();
        // Clear the form fields
        $("#formCustomerInfo input[type=text]").val("*");
    });

Delete:

$("#deleteRecord").click(function() {
    // Get the value of the key ID field
    var tokens = mvc.Components.get("default");
    var form_keyid = tokens.get("KeyID");
    // Delete the record that corresponds to the key ID using
    // the del method to send a DELETE request
    // to the storage/collections/data/{collection}/ endpoint
    service.del("storage/collections/data/mycollection/" + encodeURIComponent(form_keyid));
});

I need methods to get specific records, to check whether the record is already in the KV store before storing it. And I need a method to run a specific query in a different tab based on the tokens provided. Ex:

app/search/customer?form.CustID=1&form.CustName=Kalyan_New&form.CustStreet=US&form.CustCity=US&form.CustState=US&form.CustZip=US&earliest=0&latest=&form.KeyID=5c4ef7a7b9d3520f1c004b55

Dashboard input display issue with fr-FR

I developed a dashboard using the en-US/en-GB Splunk, but my client is using the fr-FR Splunk by default. I was surprised to see that there seems to be an incompatibility issue. I have a time select input that shows **Last 7 days** in the English Splunk, while it shows **Dernière %aunité %umontée** in the French version, which can be roughly translated, btw, as "Last unit (something)". See the picture below for screenshots. It doesn't seem to be a browser issue (IE, Chrome, Firefox checked). Any idea why I would have this? Any help would be appreciated.

![alt text][1]

[1]: /storage/temp/264673-fr-error.png

WinEventLog is indexed late.

Hi all, I am using Splunk Enterprise 7.1.4. I noticed some of the domain controller logs (WinEventLog) are indexed very late. The data is indexed 2.5 hrs later than the timestamp of the event. This is seen only on two domain controllers. I need help or advice on this issue. Thanks,

Change user password via JS

Hi everyone, I'm wondering if there is any way to change the user password via JavaScript. Thanks to all

How to prevent the map command from encapsulating the variable in quotes?

The quotes can _only_ be seen in the `search.log` in one of the `SearchParser` component events. My ultimate goal is to be able to pass a single field with an arbitrary number of values through map to the same variable in multiple sections of the subsearch, one of which is specifically in the `by` section of a `tstats`. The examples below are proofs-of-concept to illustrate the problem. I've tried other approaches including tokens, not that there's a token to remove quotes, but have obviously been unsuccessful in my various attempts.

**Ex #1**: Value Ends Up Quoted & Does Not Work

| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"

**Ex #2**: Does Not Quote Value & Works

| makeresults
| eval test = "sourcetype"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"

Here's an alternative approach I tested, but it only seems to execute whatever is in the first record of the nested subsearch, which in this case is "sourcetype,host".

**Ex #3**: "by" Subsearch

| makeresults
| fields sourcetype, host, lastTime
| map
    [| tstats latest(_time) AS lastTime WHERE index=_internal by
        [| makeresults count=2
        | streamstats count AS counter
        | eval search = if(counter=1, "sourcetype,host", "sourcetype")
        | fields - _time, counter ]
        ]

Any thoughts? **Note**: I did see the post "*Why is there a problem when passing a command through a variable in map-command?*", but it doesn't really help in this situation seeing as it doesn't solve how to do it in the `by` section. At least, if it does, I missed it.

Email alerts issue

Hi, I'm trying to configure some alerts by email but I get the following error:

Sending the test email failed: command="sendemail", (550, '5.7.1 Client does not have permissions to send as this sender') while sending mail to: myemail

The following search command works fine:

head 100 | top 2 host | sendemail to="myemail" server=myserver:25 from=emailalerts

Any suggestions? Thanks

Need to check how to identify all technical accounts that are not automatically locked after 5 consecutive failed login attempts

I need to check how to identify all technical accounts that are not automatically locked after 5 consecutive failed login attempts. Please help with the query. Thanks, Sahil

How to change menu layout

Dear all, by default (7.2), Splunk displays the menu in the app bar. I wish I could configure this menu. I know many options are already available using XML, but I want to go deeper. For example, I would like my menu to appear on a vertical side bar instead of a horizontal bar (as we are all used to). I wish the navigation flow could be different (like this one: [https://semantic-ui.com/modules/sidebar.html][1]). Even if applying some CSS may help, I am looking for a clean solution. I have been through the AppBar.js file provided by Splunk, but it looks like it is not recommended to modify it (and there is no clean solution to do so). If I had any JS function with which I could retrieve the list of navigation items, I could generate my own HTML with my own JavaScript behavior. The only reachable entry point is the REST API to get the application navigation configuration, but it is XML: `http://:/servicesNS///data/ui/nav`. Can you help?

[1]: https://semantic-ui.com/modules/sidebar.html

Index only Critical events

I'm trying to use advanced whitelist filtering, but coming up short. Basically, I want to index all Windows event logs that have a Type of Critical. I see EventType and Type, but neither is what I'm looking for. Perhaps I can do this with transforms?

Dashboard historical mode doesn't work after an upgrade to 2.5.6

After an upgrade to 2.5.6 my main default dashboard doesn't work anymore. But if I switch to real-time, everything works fine. Any suggestion? Thank you