We have a PCI requirement to disable TLS1.1 or TLS1.0 cipher suites such as - TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA - TLSv1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - TLSv1.1 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA - TLSv1.1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA Among others...   I checked a few docs and tested disabling anything less then TLS 1.2 in sslVersions = tls1.2 https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/SetyourSSLversion   How can i be sure the above cipher suites are disabled and TLS 1.2 is the only allowed? from previous posts i read we can use openssl to test via and look for any errors or the full certificate response if its open? openssl s_client -connect ipaddress:port -tls1_1our currrent server.conf is as follows Here is our current server.conf [sslConfig] sslVersions = *,-ssl2 sslVersionsForClient = *,-ssl2 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH ... View more

Hello, Looking for some assistance in reconstructing my query, which is currently using | transaction with a traceId value to tie together a couple different sourcetypes/sources. My query runs really slow, some of the sourcetype log results number in the 200million range so looking to speed it up using | stats by <traceId> instead to get the query to run faster. First source example snippet shows the highlighted traceId and 404 response code i am looking for. time=2021-12-11T23:59:51-07:00 time_ms=2021-12-11T23:59:51-07:00.620+ requestId=-1796576042 traceId=-1796576042 servicePath="/nationalnavigation/" remoteAddr=x.x.x.x clientIp=x.x.x.xclientAppVersion=NOT_AVAILABLE clientDeviceType=NOT_AVAILABLE app_version=- apiKey=somekey oauth_leg=2-legged authMethod=oauth apiAuth=true apiAuthPath=/ oauth_version=1.0 target_bg=default requestHost=services.timewarnercable.com requestPort=8080 requestMethod=GET requestURL="/nationalnavigation/V1/symphoni/event/tmsid/blah.com::TVNF0321206000538347?division=FTWR&lineup=15&profile=sg_v1&cacheID=959&longAdvisory=false&vodId=fort_worth&tuneToChannel=false&watchLive=true&watchOnDemand=true&rtReviewsLimit=0&includeAdult=f" requestSize=835 responseStatus=404 responseSize=420 responseTime=0.405 userAgent="Java/1.xxx" mapTEnabled="F" cClientIp="V-1|IP-x.x.x.x|SourcePort-12345|TrafficOriginID-x.x.x.x" sourcePort="12345" appleEgressEnabled="F" oauth_consumer_key="somekey" x_pi_auth_failure="-" pi_log="pi_ngxgw_access" second source example shows the REST server logs with an exception. 2021-12-11 23:59:51,261 ERROR [qtp1647496677-7239] [-1796576042] [c.t.a.n.r.s.r.s.SymphoniRestServiceBroker.handleNnsServiceErrorHeaders:1363] An internal service error occurred: com.twc.atgw.nationalnavigation.SymphoniWebException: Event Not Found Here's the current query i am looking to improve.     index=vap sourcetype=nns_all OR sourcetype=pi_ngxgw_access "nationalnavigation.SymphoniWebException: Event Not Found" OR "responseStatus=404" | rex "\] \[(?<traceId>.+)\] \[c.t.a.n.r.s.r.s" | transaction keepevicted=true by traceId | search "nationalnavigation.SymphoniWebException: Event Not Found" AND "responseStatus=404" | mvexpand requestURL | search requestURL="/nationalnavigation/V1/symphoni/series/tmsproviderprogramid*" OR "/nationalnavigation/V1/symphoni/event/tmsid*" | eval requestURLLength=len(requestURL) | rex field=requestURL "/nationalnavigation/V1/symphoni/event/tmsid/.*\%3A\%3A(?<queryString>.+)" | eval endpoint=case(match(requestURL,"/nationalnavigation/V1/symphoni/series/tmsproviderprogramid*"), "/nationalnavigation/V1/symphoni/series/tmsproviderprogramid", match(requestURL,"/nationalnavigation/V1/symphoni/event/tmsid*"), "/nationalnavigation/V1/symphoni/event/tmsid",1=1,requestURL) | rex field=queryString "(?<tmsIds>[^?]*)" | rex field=queryString "(?<tmsProviderProgramIds>[^?]*)" | eval assetIds=coalesce(tmsIds,tmsProviderProgramIds) | eval assetCount=mvcount(split(assetIds,",")) | stats count AS TxnCount by endpoint       ... View more

Hello, I am experimenting with the REST api and pulling events with a script, It seems like authentication and search is pulling the correct events from the /results endpoint but i see an error on _raw events  Error in events: '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data ' 'collection. Error: Password prompt encountered. ' 'Aborting.',     #!/usr/local/bin/python3 # import time # need for sleep from xml.dom import minidom import time import json, pprint import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) base_url = 'https://127.0.0.1:8089' username = 'admin' password = 'changeme' search_query = "search=search index=main earliest=-4y" r = requests.get(base_url+"/servicesNS/admin/search/auth/login", data={'username':username,'password':password}, verify=False) session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue print ("Session Key:", session_key) r = requests.post(base_url + '/services/search/jobs/', data=search_query, headers = { 'Authorization': ('Splunk %s' %session_key)}, verify = False) sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue print ("Search ID", sid) done = False while not done: r = requests.get(base_url + '/services/search/jobs/' + sid, headers = { 'Authorization': ('Splunk %s' %session_key)}, verify = False) response = minidom.parseString(r.text) for node in response.getElementsByTagName("s:key"): if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState": dispatchState = node.firstChild.nodeValue print ("Search Status: ", dispatchState) if dispatchState == "DONE": done = True else: time.sleep(1) r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/', headers = { 'Authorization': ('Splunk %s' %session_key)}, data={'output_mode': 'json'}, verify = False) pprint.pprint(json.loads(r.text))       Events returned, here is one entry sample, all events i am searching seem to get returned but not sure what's causing the _raw event error.     {'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A', '_cd': '18:455', '_indextime': '1632029978', '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data ' 'collection. Error: Password prompt encountered. ' 'Aborting.', '_serial': '38', '_si': ['DC-C02SD43JG8WP', 'main'], '_sourcetype': 'ossec_agent_control', '_time': '2021-09-18T23:39:38.000-06:00', 'host': 'DC-C02SD43JG8WP', 'index': 'main', 'linecount': '1', 'source': 'ossec_agent_control', 'sourcetype': 'ossec_agent_control', 'splunk_server': 'DC-C02SD43JG8WP'},       ... View more

I recently rolled out the unix app supported for version 6.1, I believe the unix app was version 5.02 or 5.03 and pretty dissappointed in it. The current unix app only has last 15min, hour or 24 hours and not being able to change the visualizations is limiting too. You also cant save the results to colleagues, incident managers etc...very frustrating. For example the older unix app you could at least timechart memory by process for timeframes within our outage. Has anyone worked on alternatives or have a number of saved searches to replace or modify it? Right now i need some iostat searches checking for iowait values based on a 1m interval collection in the Splunk_nix_TA index=os host=landdb01a* sourcetype=iostat | timechart span=1m avg(avgWaitMillis) by Device also checking for Read/Write values with index=os host=ship* sourcetype=iostat | search Device="dm-0" OR Device="dm-1" OR Device="dm-3" OR Device="dm-4" | timechart span=1m max(wKB_PS) max(rKB_PS) by Device | addtotals fieldname=read *rKB_PS* | addtotals fieldname=write *wKB_PS* | table _time read write ... View more

I am getting these errors, even though i think i have the timestamp parsed correctly based on other splunk answers. 2014 22:22:16.138 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Oct 22 22:22:14 2014). Context: source::/app/logs/ocspresponder/ocspresponder.log|host::rat3be-d1-ap|ocsp_app|3549 10-22-2014 22:22:16.138 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Oct 22 22:22:14 2014). Context: source::/app/logs/ocspresponder/ocspresponder.log|host::rat3be-d1-ap|ocsp_app|3549 Some sample data i am working with is as follows. 2014-10-21 22:01:07,348 [http-bio-8080-exec-1895] INFO [c.s.s.o.c.OcspController] GET IP: 24.222.89.103, 10.246.43.228, 72.246.43.217, 207.14.2.74 SN: 10c9cc CA: 10923 SUCC Here's my props.conf that i am using [ocsp_app] MAX_TIMESTAMP_LOOKAHEAD = 24 SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N TZ=UTC I did notice sometimes data comes in with period or a comma for the milliseconds portion. so 2014-10-21 22:01:07,348 2014-10-21 22:01:07.348 Can TIME_FORMAT accept regexs? This does not seem to work for me as i still get occasional DateParserVerbose errors with it enabled. TIME_FORMAT = %Y-%m-%d %H:%M:%S(,|.)%3N Also it seems like Splunk recognizes the timestamp by default using data preview but i still see the dateparserverbose errors on the ocsp_app sourcetype. ... View more