Powershell Logging and ingesting to Splunk
Hello! I am very interested in turning on PowerShell logging in my environment and then sending those logs to Splunk. Any good recommendations for articles / URLs for me to start learning how to do this? Thx
↧
On-premise Splunk to AWS Cloud migration
Hi, we have on-premise Splunk deployment and we are planning to migrate Splunk to AWS Cloud.
We are looking forward to propose the hybrid deployment, means , forwarders lying on-prem and other Splunk components moving to Cloud.
Can someone please suggest how can we achieve this with one license ?
Thank you !
↧
How to parse/index only json entry from raw data which are in non-uniform pattern?
↧
How To rename the field value name from the output.
Hi
I want to rename the output field value name.
Week1
1. Systems ops 12.1 to ops
2. Systems dev 12.1 to dev
Below is the diagram for more info.
![alt text][1]
[1]: /storage/temp/279741-splunk10000.png
↧
How to get Triggered actions details from alert_actions.conf inside default directory of custom alert action app?
Hi Team,
I have created one custom alert action to get all triggered alert details, but I am unable to get the triggered actions.
How do I get the triggered actions (email, slack, etc.) from a parameter in my alert_actions.conf?
I am trying to add a parameter $alert.action$ to my alert_actions.conf (param.action=$alert.action$), but that gives me a blank value after the alert triggers.
The test alert has triggered actions of both slack and email.
I have also tried (param.action=$action$) and (param.action=$trigger_action$), but none of them work.
Please help, any tips or hints appreciated.
Thanks,
↧
Create Table from large JSON data
I've got a large JSON result from an API containing the results for multiple domains:
{"success": true, "message": "OK", "data": {"submission-date": "2020-01-25", "finished-date": "2020-01-125", "name": "{'source': 'api.com Dashboard', 'type': 'web', 'account': 'test, 'list': 'domain'} 54354543543", "identifier": "6546423432432", "api-version": "1.0", "domains": [{"domain": "domain1", "status": "ok", "score": 55, "link": "https://api.com/site/domain1/55/", "categories": [{"category": "ipv6", "passed": true}, {"category": "dnssec", "passed": true}, {"category": "tls", "passed": false}, {"category": "appsecpriv", "passed": false}], "views": [{"name": "web_appsecpriv_csp", "result": true}, {"name": "web_appsecpriv_referrer_policy", "result": true}, {"name": "web_appsecpriv_x_content_type_options", "result": false}, {"name": "web_appsecpriv_x_frame_options", "result": true}, {"name": "web_appsecpriv_x_xss_protection", "result": false}, {"name": "web_dnssec_exist", "result": false}, {"name": "web_dnssec_valid", "result": false}, {"name": "web_https_cert_chain", "result": true}, {"name": "web_https_cert_domain", "result": true}, {"name": "web_https_cert_pubkey", "result": true}, {"name": "web_https_cert_sig", "result": true}, {"name": "web_https_dane_exist", "result": false}, {"name": "web_https_dane_valid", "result": false}, {"name": "web_https_http_available", "result": true}, {"name": "web_https_http_compress", "result": true}, {"name": "web_https_http_hsts", "result": false}, {"name": "web_https_http_redirect", "result": true}, {"name": "web_https_tls_ciphers", "result": true}, {"name": "web_https_tls_clientreneg", "result": true}, {"name": "web_https_tls_compress", "result": true}, {"name": "web_https_tls_keyexchange", "result": true}, {"name": "web_https_tls_secreneg", "result": false}, {"name": "web_https_tls_version", "result": true}, {"name": "web_ipv6_ns_address", "result": true}, {"name": "web_ipv6_ns_reach", "result": true}, {"name": "web_ipv6_ws_address", "result": false}, {"name": "web_ipv6_ws_reach", "result": false}, {"name": 
"web_ipv6_ws_similar", "result": false}]}, {"domain": "domain2", "status": "ok", "score": 99, "link": "https://api.com/site/domain2/35/", "categories": [{"category": "ipv6", "passed": true}, {"category": "dnssec", "passed": true}, {"category": "tls", "passed": true}, {"category": "appsecpriv", "passed": false}], "views": [{"name": "web_appsecpriv_csp", "result": true}, {"name": "web_appsecpriv_referrer_policy", "result": false}, {"name": "web_appsecpriv_x_content_type_options", "result": true}, {"name": "web_appsecpriv_x_frame_options", "result": true}, {"name": "web_appsecpriv_x_xss_protection", "result": false}, {"name": "web_dnssec_exist", "result": true}, {"name": "web_dnssec_valid", "result": true}, {"name": "web_https_cert_chain", "result": true}, {"name": "web_https_cert_domain", "result": true}, {"name": "web_https_cert_pubkey", "result": true}, {"name": "web_https_cert_sig", "result": true}, {"name": "web_https_dane_exist", "result": false}, {"name": "web_https_dane_valid", "result": true}, {"name": "web_https_http_available", "result": true}, {"name": "web_https_http_compress", "result": true}, {"name": "web_https_http_hsts", "result": true}, {"name": "web_https_http_redirect", "result": true}, {"name": "web_https_tls_ciphers", "result": true}, {"name": "web_https_tls_clientreneg", "result": true}, {"name": "web_https_tls_compress", "result": true}, {"name": "web_https_tls_keyexchange", "result": true}, {"name": "web_https_tls_secreneg", "result": true}, {"name": "web_https_tls_version", "result": true}, {"name": "web_ipv6_ns_address", "result": true}, {"name": "web_ipv6_ns_reach", "result": true}, {"name": "web_ipv6_ws_address", "result": true}, {"name": "web_ipv6_ws_reach", "result": true}, {"name": "web_ipv6_ws_similar", "result": true}]}
I'm trying to get an overview of results per domain but I'm having difficulty getting the categories/views/results sorted per domain (domain1, domain2).
So far I've tried spath and mvzip but I haven't found a way to combine the domains properly:
index=json | spath | rename data.domains{}.domain as domain | rename data.domains{}.categories{}.category AS category, data.domains{}.categories{}.passed AS passed, data.domains{}.score AS score, data.domains{}.views{}.name AS viewname, data.domains{}.views{}.result AS viewresult | mvexpand domain | table domain, score, category, passed, viewname, viewresult
Does anyone have a good method for this?
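One way to keep each category tied to its own domain, as an added example that is not from the original post: expand the domains array first, extract fields from each element, then expand the next level. It assumes the events live in an index named json, as in the search above.

```spl
index=json
| spath path=data.domains{} output=domain_json
| mvexpand domain_json
| spath input=domain_json path=domain output=domain
| spath input=domain_json path=score output=score
| spath input=domain_json path=categories{} output=category_json
| mvexpand category_json
| spath input=category_json path=category output=category
| spath input=category_json path=passed output=passed
| table domain score category passed
```

Swap categories{}/category/passed for views{}/name/result to get the per-domain view results, and add `| where passed="false"` to list only the failed checks. Expanding each level into its own JSON string before extracting is what keeps values paired with the right domain; the flat data.domains{}.* fields lose that pairing.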
↧
I need to know which index and app have been accessed, and how many times, in the last month
I need to know how many times all the indexes in my Splunk have been accessed in the last 30 days, by app name (I tried many posts, but none of them resolved my issue). Can anyone help me get this fixed?
↧
Splunk DB connect app version compatibility
Can anyone verify if DB Connect 2.4.0 is capable of running with Splunk 7.0.0?
I am planning to upgrade to Splunk Enterprise 7.0.0 but I'm not sure whether Splunk DB Connect 2.4.0 is compatible or not.
Is there any matrix or table for Splunk DB app connect version?
↧
Is there a way to internally pass splunk login credentials to python script written for external lookup or customized search command and then pass it to remote server's CLI?
splunk UI-->splunk server-->remote server(CLI)
Whenever a user performs a specific search in the Splunk UI,
I want his/her login credentials to be passed to the external lookup / custom search command script it accesses on my Splunk server.
I further need those credentials to access a remote server's CLI, so that I can fetch information from that remote server, return it to the script, and display it in the Splunk UI as results.
↧
How to pass splunk UI login credentials securely to splunk server python external lookup script and then login to remote server with it?
splunk UI search <--> external lookup script on splunk server <--> Remote server CLI
Whenever a user logs in to the Splunk UI and runs a specific search,
the Python external lookup script on the Splunk server should get the user's credentials;
these credentials should then be used to log in to the remote server, execute Linux commands and get some data;
this data is sent back to the Python script and then to the Splunk UI.
↧
Create an alert when the eps drops drastically
Hi Team,
Currently, I have a requirement where I need to create an alert that checks the data flow for the last week and, based on that, alerts on a max and min threshold range.
To be more specific:
- The Netflow data currently configured in our Splunk infra is unstable and very often stops sending log data to the Splunk infra, or the eps of the log data drops drastically.
In order to keep track of the data flow, I am creating an alert whose main job is to trigger whenever the eps of the Netflow data drops drastically.
For example: the average eps of the Netflow data should be around 60000 eps for the last week, so I need to write SPL that calculates the eps over the last week and, based on that, generates an alert when the eps drops below the average.
regards, Santosh
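An added example, not from the original post, of an hourly alert search that compares the last complete hour against the 7-day hourly average. It assumes the Netflow data is in an index named netflow and that a drop to below half the baseline counts as "drastic"; both are assumptions to adjust.

```spl
| tstats count AS events WHERE index=netflow earliest=-7d@h latest=@h BY _time span=1h
| append [| makeresults | eval _time=relative_time(now(), "-1h@h"), events=0]
| stats sum(events) AS events BY _time
| eval eps=events/3600
| eventstats avg(eps) AS baseline_eps
| where _time=relative_time(now(), "-1h@h") AND eps < 0.5*baseline_eps
| eval drop_pct=round((1-eps/baseline_eps)*100, 1)
| table _time eps baseline_eps drop_pct
```

The appended zero-count row guarantees a bucket for the last hour even when no Netflow events arrived at all, which is exactly the case tstats alone would silently drop and the outage the alert most needs to catch. Schedule it a few minutes past each hour and trigger when the result count is greater than 0.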
↧
How to find root cause and solution for Unable to distribute to peer named xxxxxxxxxxxxx at uri= xxxxx
Unable to distribute to peer named xxxxxx at uri=xxxxxxxx:8089 using the uri-scheme=https because peer has status=2. Verify uri-scheme, connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information
↧
How to change frequency of messages received in splunk
I am receiving a lot of messages in Splunk. I want to change the frequency at which the messages are received in Splunk. Kindly help here.
↧
Splunk website monitoring timeout
I am getting the below error when trying to add new url for website monitoring app.
**Encountered the following error while trying to save: Splunkd daemon is not responding: ("Error connecting to /servicesNS/adaher/IS_OPS/data/inputs/web_ping: ('The read operation timed out',)",)**
Also, it fails with the below when trying via Splunk REST API
**Argument validation for scheme=web_ping: script running failed (killed by signal 9: Killed).\n**
Any idea?
↧
Not Able to send data to Null Queue
Hi
How to edit props.conf or blacklist the sub sourcetype
I have integrated PALO ALTO logs into Splunk and it is producing 3 sourcetypes. The pan:log sourcetype has pan:userid as a sub sourcetype; it generates a lot of events, so I want to discard them.
Tried with the Null Queue but the problem is for 1-minute window the userid is not coming whereas for 5-minute window it is coming.
props.conf:
[source::udp:514]
TRANSFORMS-null_syslogs=pa_useridnull
transforms:
[pa_useridnull]
REGEX = type=USERID
DEST_KEY = queue
FORMAT = nullQueue
↧
UF not forwarding to indexers
I have a very peculiar situation where my UF is sending data only to the Lab indexers, whereas it is not being forwarded to the Prod indexers.
Here are the details:
1. The UF monitors a syslog file on the same Linux box.
2. Inputs.conf is part of an app in the etc/apps directory.
3. In inputs TCP routing is configured to send it to both lab and prod indexer groups as below
[monitor:///xxx/xxx/xxx/xxx/.../*.log]
_TCP_ROUTING=lab-indexers,prod-indexers
host_segment=5
sourcetype=syslog
blacklist = \.log\.1
disabled = false
index = X
4. outputs in etc/local which is common for all apps as below
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry)
forwardedindex.filter.disable = false
defaultGroup = lab-indexers, prod-indexers
[tcpout:lab-indexers]
server = xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997
[tcpout:prod-indexers]
server = xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997
Note: there are many other input apps routing data to both lab and prod indexers, so there is no network-related issue. The index is also created in prod.
So help me with troubleshooting steps to narrow down this issue
Thanks in advance
↧
How can I create a dynamic HTML list of links to related dashboards
I am working in a simple dashboard environment and want to include links to related dashboards to make a more coherent experience for my user community. I have done this statically and it is very useful, but a pain to maintain; so I would like to make it dynamic.
For example, say I have an Online Shop dashboard giving me an over view of some key metrics, I would like to visibly mention the related dashboards in a list of links at the top of the page.
**For Example:**
Dashboard Title: My Shop Overview Dashboard
HTML Panel: Toy Sales | Clothing Report | Security Issues (dynamic links)
Other Overview Panels follow...
I want the links to be dynamic so that as new dashboards get added, the links are updated automatically based on some naming convention / filter logic.
I know how to look up the list of available dashboards from other postings on here.
↧
I want to remove All value from multiselect if other values are selected
The multiselect field's ALL entry is not a "*" value; it's a dynamic value passed from other inputs. So I want to remove the other values from the multiselect if the "ALL" label is selected, and vice versa.
↧
Splunk Dashboards app (beta): Embed scheduled report
Hi,
I am working with the new Splunk Dashboards App, but I can't find a functionality that would allow me to embed the dashboard. What I'm looking for is a way to let users without a Splunk account access a dashboard that was created in the Splunk Dashboards app (beta).
Am I blind or is this feature not available in the new Dashboards App yet? :)
↧
Multi-site architecture - Different retention times for the same index?
In the multi-site architecture models, it is not clear what settings on retention are available to you.
Is it possible to set different retention timeframes for the same index at two different sites? For example, for index A, I want to retain for 2 years at site A, but only 180 days at site B.
Furthermore, is it possible to set up search head affinity for local users at site B to search the data at site B first (with only 180 days of lookback), and then, if a longer lookback is asked for, go back and request the rest from Site A?
↧