Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Kieffer87
Kieffer87
Communicator
Member since:
10-12-2016
06-05-2020
Community Statistics
| Posts | 63 |
| Solutions | 1 |
| Karma Given | 29 |
| Karma Received | 14 |
| Member Since | 10-12-2016 |
Activity Feed
- Got Karma for Re: Hardware recommendation for high log volume splunk deployments. 07-29-2021 05:53 AM
- Karma Re: Defining Timestamp for HEC Input for harsmarvania57. 06-05-2020 12:50 AM
- Got Karma for Defining Timestamp for HEC Input. 06-05-2020 12:50 AM
- Karma Re: Estreamer or FMC limitation to ±100GB daily? for douglashurd. 06-05-2020 12:49 AM
- Karma Re: Use field as _time for Timechart and timepicker for somesoni2. 06-05-2020 12:49 AM
- Got Karma for Use field as _time for Timechart and timepicker. 06-05-2020 12:49 AM
- Got Karma for Re: Setup Secure (Encrypted) Syslog. 06-05-2020 12:49 AM
- Karma Re: Indexer and Search Head Hardware Diminishing Returns for richgalloway. 06-05-2020 12:48 AM
- Karma Re: How to rename host field value based on event data? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to rename host field value based on event data? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Optiv_TA_threat: Do I need to schedule the starter_script.sh to run via a cron job to update the data in the Optiv index? for BenTan. 06-05-2020 12:48 AM
- Karma Re: Optiv_TA_threat: Do I need to schedule the starter_script.sh to run via a cron job to update the data in the Optiv index? for klaxdal. 06-05-2020 12:48 AM
- Karma Re: How to show Splunk log ingestion availability by sourcetype in a dashboard? for mattymo. 06-05-2020 12:48 AM
- Karma Re: SubSearch Based on initial results for jplumsdaine22. 06-05-2020 12:48 AM
- Karma Re: Search Archived Buckets in Hadoop for shaskell_splunk. 06-05-2020 12:48 AM
- Karma Re: How to prevent a user from running a high memory-use search and understand why this search consumed 120GB of memory on indexer(s)? for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: Universal Forwarder Crash _initCrcLen' failed. for dwaddle. 06-05-2020 12:48 AM
- Karma Users can no longer execute ldapsearch; capability required only admins have for tweaktubbie. 06-05-2020 12:48 AM
- Karma Re: Indexer and Search Head Hardware Diminishing Returns for lukejadamec. 06-05-2020 12:48 AM
- Karma Re: How to configure DMC for heavy forwarder monitoring? for mathiask. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-18-2019
12:46 PM
Running python script from my machine. Have a single instance of Splunk running HEC/Indexing/Search.
... View more
01-18-2019
11:13 AM
Yes, and I get the same result, the timestamp defaults to the time the data is received.
... View more
01-18-2019
07:49 AM
1 Karma
I'm running into a strange issue where Splunk is using the current time for a HTTP Event Collector input rather than pulling out the timestamp field I've defined in props.conf. I started by cloning the _json sourcetype and made a few adjustments as event parsing and field extraction were working as expected. I've tried using both the TIMESTAMP_FIELDS and TIME_PREFIX in props.conf without any luck. I'm using a python script to query the Github API and I'm then passing the JSON to splunk_handler.
Payload
[SplunkHandler DEBUG] Sending payload: {"event": "[{\"created_at\": \"2019-01-18T15:24:13Z\", \"pr_user\": \"userid123\", \"merged_at\": \"2019-01-18T15:24:51Z\", \"pr_url\": \"https://github.com/someorganization/somerepo/pull/12345\", \"pr_number\": 12345, \"repo_name\": \"somerepo\"}, {\"created_at\": \"2019-01-18T14:56:27Z\", \"pr_user\": \"userid123\", \"merged_at\": \"2019-01-18T15:09:42Z\", \"pr_url\": \"https://github.com/someorganization/somerepo/pull/12346\", \"pr_number\": 12346, \"repo_name\": \"somerepo\"}]", "host": "myhost", "index": "prmetrics", "source": "test", "sourcetype": "json-github"}
Raw Event Text (as shown in Splunk)
{"created_at": "2019-01-17T21:20:55Z", "pr_user": "userid123", "merged_at": "2019-01-18T14:10:37Z", "pr_url": "https://github.com/someorganization/somerepo/pull/12345", "pr_number": 12345, "repo_name": "somerepo"}
props.conf
[json-github]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
disabled = false
SHOULD_LINEMERGE = false
TIME_PREFIX = \{\"created_at\"\:\s\"
MAX_TIMESTAMP_LOOKAHEAD = 50
#TIMESTAMP_FIELDS = created_at
... View more
08-10-2018
09:05 AM
We are trying to send data to Splunk HEC via Kinesis Firehose but for some reason Firehose keeps logging "Could not connect to the HEC endpoint. Make sure that the HEC endpoint URL is valid and reachable from Kinesis Firehose." We've tried a combination of the following with no luck:
https://hostname.test.com:8088
https://hostname.test.com:8088/services/collector
https://hostname.test.com:8088/services/collector/raw
We are referencing this post: Power Data Ingestion into Splunk which indicates the first https://hostname.test.com:8088 with a raw endpoint should have worked. I'm able to post events via curl using batch and the raw endpoint and json and the event endpoint. This tells me the ELB is working and forwarding events. So I'm wondering what others have set for their Splunk Cluster Endpoint and Splunk endpoint type in Firehose?
Raw Endpoint:
curl -k "https://hostname.test.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" -H "Authorization: Splunk token" -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'
Events Endpoint:
curl -k "https://hostname.test.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" -H 'Authorization: Splunk token' -d '{"event": "Hello"}'
... View more
- Tags:
- splunk-enterprise
08-01-2018
11:39 AM
Not sure I would have thought to do this since I don't use this search head as my DMC.
... View more
07-26-2018
08:37 AM
Not sure if you are still having issues but I came across this same issue and didn't have any luck with the answer either. What fixed it for me was switching from the JDBC 3.0 (db2jcc.jar) driver to JDBC 4.0 (db2jcc4.jar). No additional classpaths were needed.
... View more
06-07-2018
11:40 AM
We ended up creating unique roles and apps and locked down write permission to that app.
... View more
05-29-2018
11:02 AM
The proofpoint cloud cluster caches some amount of logs, so a Splunk restart shouldn't result in a loss of logs.
... View more
05-29-2018
11:01 AM
1 Karma
Ended up creating certificates and using the following configuration settings in inputs.conf. The key to making this work is the cipherSuite which is not a default cipher.
[tcp-ssl://1518]
sourcetype = pps_log
index = proofpoint
disabled = false
acceptFrom = *comma seperated list of your cluster server IPs*
[SSL]
requireClientCert = false
serverCert = /opt/splunk/etc/apps/TA_pps/local/certs/combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA
The ServerCert should be combined and in the following order:
-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate (if you have one))
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key)
-----END RSA PRIVATE KEY-----
Proofpoint will need to load this certificate chain as well.
... View more
05-15-2018
05:15 AM
Has anyone had luck setting up secure (encrypted) syslog with this Addon? It only mentions creating a TCP input which would not be encrypted. Our Proofpoint is hosted at their cloud, so encryption between their cloud and our Heavy Forwarder onsite is imperative.
... View more
03-29-2018
04:43 AM
We have a multi-domain setup currently and are wanting to send connection events from 1 of the 3 domains. We'd still like the connection events available in the FMC for all domains for analysis but don't need them in Splunk. If there isn't a clean way to do this in eNcore, no big deal, just thought I'd ask. I'm currently using a simple regex on the heavy forwarder to find the sensor names and sending those events to the sinkhole. So far haven't had any issues.
... View more
03-21-2018
05:12 AM
http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Sourcetypes
It will show up as a sourcetype of opsec:audit.
... View more
03-21-2018
05:03 AM
Generally if you want to collect all events except audit, you can just use the non-audit option. If you wanted to also collect audit, you would create a second input for audit.
... View more
03-21-2018
05:02 AM
Non-Audit will collect SmartDefense and Firewall events...Remove those two inputs from your inputs and you should be good to go. In the end you should only need to have an input for Firewall Audit and Non-Audit.
... View more
03-16-2018
08:08 AM
Is there a reason your using file creation time rather than the event_sec field for the timestamp? We found this to be causing issues on out side anytime the Access Control Policy Metadata event was logged which didn't have the event_sec field. Splunk would then stop indexing the files.
We made several changes which seem to have helped:
1. Changed the monitor input to batch and set to sinkhole. I couldn't come up with a reason to wait for the cleanup script to run and would just rather Splunk deletes the files after indexing.
2. Since we found no value in the Access Control Policy Metadata events, and they didn't have the event_sec field, we excluded these events in estreamer.conf by adding "145" to the exclude section of the records handler.
After making these two changes our setup has been running fairly smooth event with a single CPU core maxed out. We will see how things go once we add additional locations in the coming months.
... View more
03-12-2018
07:47 AM
I seem to have spoke too soon. This seems to work fine when the latest event is now (last 7 days), but as soon as you use a latest date in the past (March 5-March10), the count for each day changes drastically.
... View more
03-06-2018
01:11 PM
Is there a way to blacklist or exclude certain RNA events based on values in the data? Right now I have 3 sensors which I do not want connection event data sent to Splunk. I'm able to send these events to the nullqueue using props.conf/transforms.conf to find the string sensor=sensors1.domain.com but I'd love to be able to filter these out at the eNcore level so they aren't even writen to the log file and processed by Splunk. In the configure it appears as though I can exclude by rec_type but is it possible to exclude by other fields?
... View more
03-06-2018
11:19 AM
We were able to get this working without changing anything in ldap.conf. We just had to add the list_settings capability. We are running Splunk 6.0.2 on linux with app version 2.1.4. Thanks for the workaround suggestion, it got us going in the right direction.
... View more
03-06-2018
10:37 AM
1 Karma
Also having this issue though we are just now noticing it after upgrading to 7.0.2. Have you found a workaround for this?
... View more
03-06-2018
06:07 AM
1 Karma
I'm trying to chart some phishing logs over time which contain 3 time values:
_time - The time when an analyst processed the phishing request.
email_received - The time the user received the email
time_reported - The time the user reported the email as fishing.
I've put together the following search string to change email_received to _time and chart using timechart. The problem is now timepicker doesn't work as expected because it's still using the original _time from the event and not the email_received value. How can I change _time for both the search and the timechart?
index=phishme sourcetype=phishme:data | eval _time=strptime(email_received,"%b %d %Y %H:%M:%S") | timechart span=1d count as Reports
I've confirmed my eval command is working as expected and email_received is being converted to epoch.
... View more
03-02-2018
05:37 AM
Nope, we just upgraded to 7.0.2 and still no HF role.
... View more
02-13-2018
12:21 PM
Doug,
Let me know if you need any help testing/troubleshooting. We have a Splunk lab instance setup and are generating several million connection events daily with plans to grow significantly this year. Currently our FMC3500's only retain ~8 days worth of connection events event with the FMC internal DB setting increased to 350 million events. We've worked with you on this issue in the past and found the bottleneck has been the single threaded python script. We'd love to get this data into Splunk in a near real-time fashion.
Great work your doing on the add-on, let us know how to help.
... View more
11-29-2017
05:28 AM
Disabling the connection events (and anything else aside from Intrusion Events) at the FMC seems to have corrected the Intrusion Event lag to Splunk. Surprisingly there is still a single python process at 100% CPU utilization. I would be really surprised if hardware is the limiting factor, Server has 2x Intel E7-4830 (2.13GHz base and 2.4GHz Boost). We have Splunk heavy forwarders ingesting Checkpoint Firewall OpsecLEA connections at 5k+ EPS running 4 core, 8GB ram virtual machines.
... View more
11-28-2017
11:38 AM
Were you ever able to resolve this issue? I've got three UFs on a fairly high latency connection that report this error on a regular basis. I've implemented bandwidth restriction using limits.conf but still see the error logged.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
