
Product value is CMS and not Web MPS (product=CMS). How do we address this in order to make the current app work?

andrew_bostic1
New Member

The NX dashboard queries all look for product=Web MPS. We currently receive product=CMS

0 Karma
1 Solution

TonyLeeVT
Builder

Unfortunately we had to remove support for the CMS to send data directly to the Splunk app on behalf of the LMS appliances.

Version 3.0.5 of the release notes states the following:
"Bug fixes:
- Removed CM dashboards - there is not a clear method of sorting the events"

The reason for this is that some of the notification types such as syslog do not indicate which device type detected the original event. This can be parsed in more complex formats, but for the time being this feature had to be removed until we could devise a way to make this work with all notification formats.

Current deployment guidance is to have each of the LMS appliances send data to the Splunk instance--then the product field will be correct. We will revisit enabling the CMS to send data and autoparse the originating products in the future.


0 Karma


andrew_bostic1
New Member

Tony,

I have another question.

We made the changes for each LMS appliance to report.

I see that for all data with 'category=domain-match' that the destination ip field shows as 'dvc_ip' and not 'dest_ip'. I am assuming this should be 'dest_ip'. Is there a reason for this in the app itself?

On some of the geo IP dashboards that look for 'dest_ip', no data with 'category=domain-match' will be populated because of this.

Please advise.

Thanks,

Andrew

0 Karma

TonyLeeVT
Builder

The change to each LMS is a good change.

Unfortunately, the domain-match category does not include a dest_ip field in the alert sent to Splunk. In fact, you will see in the FireEye appliance dashboard that there is no destination IP address there either. The attacker URL is in the URL/MD5 category field. If the destination IP address is a desired feature, you will have to submit a feature request ticket to FireEye to have them add the IP to the FireEye device itself and to the alert. Thanks.

0 Karma
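Before wiring dashboards to a field, it helps to see which product/category combinations actually carry it. The search below is an added example, not part of this thread or of the FireEye app; the index name is an assumed placeholder, while product, category, dest_ip and dvc_ip are the field names discussed above. It counts events per product and category and reports whether dest_ip and dvc_ip are populated, which makes both the product=CMS mismatch and the missing dest_ip on domain-match events visible in one table.

```spl
index=<your_fireeye_index> product=*
| eval has_dest_ip=if(isnotnull(dest_ip), "present", "missing"),
       has_dvc_ip=if(isnotnull(dvc_ip), "present", "missing")
| stats count by product, category, has_dest_ip, has_dvc_ip
| sort product, category
```

Rows showing product=CMS identify appliances still reporting through the CMS, and domain-match rows will show dest_ip as missing, matching the explanation above.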

TonyLeeVT
Builder

Let's get on a webex to troubleshoot and then we can post the answer here. Shoot me an email via the app feedback link.

0 Karma