Channel: Questions in topic: "splunk-enterprise"

SSL certs for Splunk Web

Just want to confirm the process:

1. Create private key on Splunk web
2. Create CSR from private key
3. Pass to my CA authority and get a pem created
4. Place the key and pem on Splunk web
5. Make web.conf changes to point to caroot and server cert
6. Restart Splunk

Thanks!

DB Connect versions 2 and 3: can I run both on the same server?

I am currently running DB Connect version 2.3.0 and I would like to upgrade to DB Connect version 3. My issue is that I have maybe 40 database inputs and various other uses of DB Connect that would make a migration difficult. What I would like to do is install both versions on the same server and slowly migrate and test one input at a time. Is it possible to run DB Connect version 2 and version 3 on the same server?

SSL certificate for Splunk Web process -- can you verify these steps I'm taking?

Just want to confirm the process:

1. Create private key on Splunk web
2. Create CSR from private key
3. Pass to my CA authority and get a pem created
4. Place the key and pem on Splunk web
5. Make web.conf changes to point to caroot and server cert
6. Restart Splunk

Thanks!

How can I monitor logs from a WAN?

I want to monitor logs on a remote computer (on the WAN). I would like to forward the logs in order to watch them on my local computer. How can I do this?

Splunk DB Connect: Setting alias as "Group" is not working when select from database using dbxquery

Suddenly, DB Connect is not retrieving data. When investigating, we found that searching using dbxquery gives an error about setting an alias of `group` in a select query.

The search query (not working):

    | dbxquery query=" Select 'Example' as title, 0 as group " connection=< My Connection >

Error:

    java.sql.SQLException: [Simba][ImpalaJDBCDriver](500051) ERROR processing query/statement. Error Code: 0, SQL state: TStatus(statusCode:ERROR_STATUS, sqlState:HY000, errorMessage:AnalysisException: Syntax error in line 1: Select 'Total' as title, 0 as group ^ Encountered: GROUP Expected: IDENTIFIER CAUSED BY: Exception: Syntax error ), Query: Select 'Total' as title, 0 as group.

When setting it to group1 or anything else, it works.

The search query (working):

    | dbxquery query=" Select 'Example' as title, 0 as group1 " connection=< My Connection >

I also tried other queries and found the same result: `group` is not working, and when I change it to group1 or anything else it works.

How to extract my event in index time using props.conf and transforms.conf?

How can I extract my event at index time using props.conf and transforms.conf to get the expected format?

Actual format:

    Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" queue_name="queue://DCS00/******" queue_length="1212" messages="ID:414d512044574343533030202020202059c473c8101beaf1,ID:414d512044574343533030202020202059c473c8101beaf2,ID:414d512044574343533030202020202059c473c8101beaf3" earliest_msg="1506093703930" latest_msg="1506337258320"

Expected format:

    Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" queue_name="queue://DCS00/******" queue_length="1212" earliest_msg="1506093703930" latest_msg="1506337258320"

Is there any plan to pull Azure Security Center logs and alerts from Splunk Add-on for Microsoft Cloud Services?

Is there any plan, or roadmap item, to support pulling Azure Security Center logs/alerts as mentioned in this Microsoft article: https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-overview.

How to disable realtime searches for the power user role?

I want to disable real-time searches for the roles 'user' and 'power-user'. For the user role, I removed most of the capabilities, including `rtsearch`. When I log in as a local user account, I do not see the real-time search functionality, which is what I expect. When I do the same thing for the power-user role, the user still has the real-time functionality. Here are the additional capabilities the power-user role has that the regular user role does not:

- edit_sourcetypes
- embed_report
- list_settings
- schedule_search
- search_process_config_refresh

Actual disk size

A few months back I was doing a dashboard and looking at various disk usage charts, one being Overall Disk Usage. As I was doing research, I came across several posts that mentioned a rule of thumb of "divide by two". Utilizing this rule, we were able to successfully pull the proper numbers. We are just now having a discussion on a conference call, and the divide-by-two rule came up. I cannot for the life of me google the right phrase to find out where this came from, and why. Does anyone have any insight?

Is it possible to collect data from vSphere without a domain name?

Currently, we are in the process of setting up Splunk to collect from our vSphere POC instance. However, when I go to add the vCenter server, it wants the fully qualified domain name (FQDN). We do not have a domain/DNS setup; can we still collect? If so, how can I set this up?

Splunk DB Connect: Can I run 2 versions on the same server to avoid migrating database inputs to an upgrade? (v2.3.0 and v3)

I am currently running DB Connect version 2.3.0 and I would like to upgrade to DB Connect version 3. My issue is that I have maybe 40 database inputs and various other uses of DB Connect that would make a migration difficult. What I would like to do is install both versions on the same server and slowly migrate and test one input at a time. Is it possible to run DB Connect version 2 and version 3 on the same server?

What is the latest supported Splunk version for servers with OpenSSL for Windows?

I am new to Splunk and trying to understand some security issues with the Splunk version. My servers are a bit old (Windows 2003 and 2008). If I can get the last supported Splunk version for all the Windows OS and OpenSSL versions, I can configure my machines. Thanks in advance.

Why are we getting these error messages with Outlook-Exchange server? Events/emails are not indexing

We are getting issues while setting up an IMAP mailbox to an Outlook/Exchange server with a valid user account. We are not seeing any mail in Splunk.

    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" File "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py", line 698, in
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" parseArgs()
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" File "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py", line 684, in parseArgs
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" imapProc.initFromOptlist(optlist)
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" File "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py", line 128, in initFromOptlist
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" self.readConfig()
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" File "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py", line 173, in readConfig
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" config.read(path)
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" File "C:\Program Files\Splunk\Python-2.7\Lib\ConfigParser.py", line 305, in read
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" self._read(fp, filename)
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" File "C:\Program Files\Splunk\Python-2.7\Lib\ConfigParser.py", line 512, in _read
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" raise MissingSectionHeaderError(fpname, lineno, line)
    10-03-2017 17:10:33.478 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" ConfigParser.MissingSectionHeaderError: File contains no section headers.
    10-03-2017 17:10:33.479 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" file: C:\Program Files\Splunk\etc\apps\imap\bin\..\local\imap.conf, line: 1
    10-03-2017 17:10:33.479 +0530 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\imap\bin\getimap.py"" '\xef\xbb\xbf\n'
    10-03-2017 17:10:33.981 +0530 ERROR IntrospectionGenerator:resource_usage - AdminManager - External admin handler 'imaphandler' has not specified 'handleractions'. Will not add.
    10-03-2017 17:10:33.981 +0530 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (Resource Usage) starting; period=10s
    10-03-2017 17:10:34.498 +0530 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (IO Statistics) starting; interval=60s
    10-03-2017 16:49:27.059 +0530 ERROR HttpListener - Exception while processing request from 127.0.0.1 for /en-US/api/messages/index: Connection closed by peer
    10-03-2017 16:49:27.059 +0530 ERROR HttpListener - Handler for /en-US/api/messages/index sent a 0 byte response after earlier claiming a Content-Length of 341!
    10-03-2017 16:26:24.189 +0530 ERROR IntrospectionGenerator:resource_usage - AdminManager - External admin handler 'imaphandler' has not specified 'handleractions'. Will not add.

CSV Searches

Hello everyone. I've been reading and reading and I cannot get consistent results from anything I have tried, so hopefully someone can help me get this straight. I have a CSV as follows:

    Indicator Type, Indicator, Description
    domain, google.com, stuff
    hash, asdfasdfdf4a6sd54fa6sd4fa6sd4f6sd, stuff
    file, test.exe, stuff

I am trying to conduct a search that uses the Indicator column to search for ANY instances of the indicator. For example, it should return not just google.com, but also mail.google.com or google.com.net. Additionally, I want to search the entire log, not just a specific field, for that value. Here is what kinda works:

    index=myindex | lookup NamedDefinition Indicator as logField OUTPUT Indicator as IOC | search IOC=* | stats count by IOC

That last part doesn't really matter, so it can be fields or whatever. This command works SOMETIMES; sometimes I get errors that the lookup doesn't exist. However, when it does work, it only searches one field in a log for something that matches the CSV EXACTLY. I tried putting a wildcard in the value (i.e. *google.com) but that did not work. I also do not have access to modify any configuration files. I have also seen this command:

    index=myindex [|inputlookup NamedDefinition.csv | fields Indicator]

but that has never returned any results. I know there are results (I use google.com as a control domain as well). Any help would be extremely appreciated.

Riverbed Steelhead Technology Add-on: Can't see any of the prebuilt panels in the app

Hi Team, I have a distributed environment which is running on version 6.6.2. I have installed the Riverbed Steelhead Technology Add-on in it. Currently I am unable to see the prebuilt panels in the app. When checking for the Steelhead logs, I can see them in Splunk. Could you please help guide me in setting up this add-on so that it works? Thanks & Regards, Stephin Paul

Is it okay to install Splunk DB Connect on the Enterprise Security search head?

Hello all, Potentially a bit of a sensitive topic, but I wanted to see what others thought. Splunk Best Practices are *great* and really help installations go smoothly and work optimally, but I can think of at least one case where it's not always practical to follow them. My example is something I have done on all of my ES deployments: install DBX on the ES SH when needed (best practice is to have no additional apps installed on the ES SH). I do this because some environments use DBX to collect asset data and, while you could index it, it's much simpler to just write directly to a CSV using a scheduled search. Asset data is a type of data where (when using a well-made search) the old data is of no actionable value, because the newest data should be a complete picture of your environment, so installing DBX on a forwarder and indexing it is a waste of storage space (regardless of how small) and adds additional complexity that does not need to be there. I understand the reasoning behind "no additional apps on the ES SH" is to prevent bloat and not take precious resources away from a very hungry system, but I treat this best practice as a rule of thumb that should be approached on a case-by-case basis. Having a single search run at 1 AM every day is going to have exactly 0 performance impact, and if it does you've got bigger problems. I've never had any issues doing this, until recently when someone was told to remove DBX from the ES SH because it wasn't a best practice, which caused a few headaches and, in my opinion, caused more problems by fixing an issue that didn't exist. --- What are your thoughts on this? Do you have any other examples of best practices being a great guideline, but not a rule of law?

What is splunk-wmi.path?

I'm trying to account for a number of Splunk configurations on a domain controller and I was trying to figure out what the splunk-wmi.path script was that points to splunk-wmi.exe. I wasn't sure if this was something that Splunk automatically configured or if sys admins prior to me wrote this custom. Trying to figure out if I need to account for this configuration or not. Thanks!

Is it possible to restore the sendemail.py file?

I am interested in knowing if it's possible to restore files. I somehow deleted the "sendemail.py" file, tried modifying it, and am receiving the following error:

    Installed Files Integrity Checker: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem

Is it possible to change the shape and color of values in a dashboard based on the value change?

How can I create a flowchart shape in a Splunk dashboard and get some value inside it, with the shape colour changing according to the value? I have a search string using rangemap and it is structured inside the tag in the panel. I have different results like Success, Pending, Failure and In-progress, and according to the range it gets the colour, but the text is coming with the colour. Instead I need some rectangle shape in the panel carrying the status like success or failure, and the shape colour should be according to the value in rangemap. Can anyone help me get this done?

MongoDB Monitoring: logs appear on cmdline but aren't updating in Splunk

Hey, I am able to view the MongoDB logs in Splunk by adding the data input and configuring it using the third way mentioned in the GitHub readme. The problem I am having is that the logs aren't live: I can see the logs updating in the cmdline window, but when I refresh Splunk they aren't updating. If I restart the Splunk server they will update, then again get stuck on the last one it pulled. Any help would be appreciated. Thanks!