Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ArmbrusterC
ArmbrusterC
Explorer
Member since:
09-18-2014
04-06-2022
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 09-18-2014 |
Activity Feed
- Karma Re: Phantom App for Splunk: Why is there Error loading Phantom Server Configurations & Error HTTP certification verification? for test_qweqwe. 01-27-2022 08:44 PM
- Posted Re: Unbound DNS Resolver Logs on Getting Data In. 12-27-2020 01:11 PM
- Karma Re: Unbound DNS Resolver Logs for to4kawa. 12-27-2020 12:59 PM
- Posted Unbound DNS Resolver Logs on Getting Data In. 12-26-2020 11:14 PM
- Karma Re: unable to get developers license to work for CSRA_Eagles. 10-03-2020 09:32 PM
- Karma Re: MIssing events from Universal Fowarder for FrankVl. 06-05-2020 12:49 AM
- Got Karma for Re: Looking for a way to append a token value to the end of a URL. 06-05-2020 12:48 AM
- Posted Re: MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 07:50 AM
- Posted Re: MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 07:18 AM
- Posted Re: MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 06:00 AM
- Posted Re: What Ports can I use for UF on Deployment Architecture. 02-08-2018 04:33 AM
- Posted MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 04:20 AM
- Tagged MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 04:20 AM
- Tagged MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 04:20 AM
- Tagged MIssing events from Universal Fowarder on Getting Data In. 02-08-2018 04:20 AM
- Posted Re: Looking for a way to append a token value to the end of a URL on Dashboards & Visualizations. 06-27-2016 08:17 PM
- Posted Looking for a way to append a token value to the end of a URL on Dashboards & Visualizations. 06-20-2016 10:43 PM
- Tagged Looking for a way to append a token value to the end of a URL on Dashboards & Visualizations. 06-20-2016 10:43 PM
- Tagged Looking for a way to append a token value to the end of a URL on Dashboards & Visualizations. 06-20-2016 10:43 PM
- Tagged Looking for a way to append a token value to the end of a URL on Dashboards & Visualizations. 06-20-2016 10:43 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-27-2020
01:11 PM
Thats smart, I hadn't thought of using eval to feed in data with a search time extraction. Thanks for that piece. So using this method to test it appears the match is correct. So the problem Im having is likely related to the App changes Ive done |makeresults
| eval _raw="Dec 27 01:47:46 pvlpfSense01 unbound: [91480:1] info: resolving acceptor.mcafee-mvision-mobile.com. A IN
Dec 27 01:47:46 pvlpfSense01 unbound: [91480:0] info: resolving ns-1608.awsdns-09.co.uk. AAAA IN
Dec 27 16:00:51 pvlpfSense01 unbound: [15920:1] info: resolving (init part 3): 165.185.in-addr.arpa. DS IN"
| multikv noheader=t
| table _raw
| rex "(?<time>\S+ \d\d \S+) (?<sensor>\S+) (?<bound>\S+): \[(?<session>\d+:\d+)\] info: resolving (?:\(init part \d\):\s{2})?(?P<query>[\S?]+)\.\s(?P<query_type>\S+)" The example you gave includes the final "." in the FQDN. I will mark your answer as correct since you gave me the piece I was missing to test the extraction in realtime. Thanks!
... View more
12-26-2020
11:14 PM
``` Dec 27 01:47:46 pvlpfSense01 unbound: [91480:1] info: resolving acceptor.mcafee-mvision-mobile[.]com. A IN Dec 27 01:47:46 pvlpfSense01 unbound: [91480:0] info: resolving ns-1608.awsdns-09[.]co[.]uk. AAAA IN ``` Above I have included 2 separate events. Note * I added brackets for sanitization in this post, the real events have no square brackets. These are from a DNS Resolver. I've been using a splunk app I've modified to handle extraction of fields. The current stanza in props.conf is: EXTRACT-queries = info: resolving (?P<query>(?:.[^\.\s]+)*)\.\s(?P<query_type>\S+) Ive also tried: EXTRACT-queries = info: resolving (?P<query>[\S?]+)\.\s(?P<query_type>\S+) Both of these work fine testing outside splunk. But have strange behavior when used in splunk. This annoyingly is including the ending period in the query field. Which I specifically wrote the regex to exclude. query = "acceptor.mcafee-mvision-mobile[.]com.", query_type = "A" query = "ns-1608.awsdns-09[.]co[.]uk.", query_type = "AAAA" I'm no splunk expert nor am I a regex expert but I don't see how the match for the query group is including the last period after the TLD. Any help or suggestions would be appreciated. I think ive given enough info but if you need more let me know.
... View more
Labels
- Labels:
-
field extraction
-
indexer
-
props.conf
02-08-2018
07:50 AM
02-07-2018 07:45:56.718 -0500 WARN FileClassifierManager - The file '/var/log/openvpn.log' is invalid. Reason: binary
02-07-2018 07:45:56.718 -0500 INFO TailReader - Ignoring file '/var/log/openvpn.log' due to: binary
Well there we go, never occurred to check logs on the forwarder itself. So now I have a new mystery. The file is definitely not a binary.
[2.4.2-RELEASE][root@pvlpfs01.local]/var/log: file openvpn.log
openvpn.log: ASCII text
[2.4.2-RELEASE][root@pvlpfs01.local]/var/log: hexdump -C openvpn.log | less
00000000 4a 61 6e 20 32 34 20 32 33 3a 33 32 3a 32 31 20 |Jan 24 23:32:21 |
00000010 70 76 6c 70 66 73 30 31 20 6f 70 65 6e 76 70 6e |pvlpfs01 openvpn|
00000020 5b 32 32 38 38 31 5d 3a 20 65 76 65 6e 74 5f 77 |[22881]: event_w|
the /// doesn't hurt anything, just defines the path all the way from root. That was added to see if it made a difference with the problem I was having.
In any case im going to add a stanza in props.conf
[openvpn]
NO_BINARY_CHECK = true
... View more
02-08-2018
07:18 AM
I had that thought myself, even running as root it still doesn't forward that particular source. You can see from the config there are other source files in that same directory, they all appear to be working fine just having trouble with this openvpn log.
... View more
02-08-2018
04:33 AM
You can define in your outputs.conf file which port you want to use. After you do this you will need to restart the splunk universal forwarder service and adjust your inputs on your receiving indexer.
[tcpout:my_indexers]
server=INDEXER_IP_OR_HOSTNAME.DOMAINNAME:9997
the inputs.conf on the indexer should look something like this. Same goes for restarting the indexer after the change.
[splunktcp://FORWADER_IP_OR_HOSTNAME.DOMAINNAME:9997]
disabled = false
connection_host = none
compressed = true
This is the bare minimum you can do to change it as far as i know.
Im not sure how you'd do it if you have a deployment server.
... View more
02-08-2018
04:20 AM
I know this question has been asked many times, but the answers dont seem to help my situation.
I am running SUF on a freebsd (specifically PFSense) Im currently feeding many different sources into a single splunk indexer/search head. The indexer also receives events from a SUF installed on debian syslog server. I am having issues with one specific source from the FreeBSD forwarder.
The logs are located at ///var/log/openvpn.log
I added a configuration line to the inputs.conf file for the forwarder. Initially i didnt include the crcSalt stanza but after doing some reading on the issue last month I added it, with seemingly no effect. There are no events from the source ///var/log/openvpn.log in the indexer.
This is the inputs.conf for the forwarder giving me problems. Any suggestions are welcome, I will keep searching and if I find a solution myself I'll post an update.
[monitor:///var/log/suricata/suricata_em115040/eve.json]
disabled=false
sourcetype=suricata
index=main
ignoreOlderThan=3d
[monitor:///var/log/suricata/suricata_em022665/eve.json]
disabled=false
sourcetype=suricata
index=main
ignoreOlderThan=3d
[monitor:///var/log/filter.log]
disabled=false
sourcetype=firewall
index=main
ignoreOlderThan=3d
[monitor:///var/squid/logs/access.log]
disabled=false
sourcetype=squid
index=main
ignoreOlderThan=3d
[monitor:///var/log/openvpn.log]
disabled=false
sourcetype=openvpn
index=main
ignoreOlderThan=3d
crcSalt=<SOURCE>
[monitor:///var/log/dhcpd.log]
disabled=false
sourcetype=dhcpd
index=main
ignoreOlderThan=3d
[monitor:///var/log/vnstat/output_em1.json]
disabled=true
sourcetype=vnstat
index=main
ignoreOlderThan=3d
SOLUTION FOUND
___________________________________-
After it was suggested I review the splunkd logs on the forwarder, I found it was classifying the file as a binary.
02-07-2018 07:45:56.718 -0500 WARN FileClassifierManager - The file '/var/log/openvpn.log' is invalid. Reason: binary
02-07-2018 07:45:56.718 -0500 INFO TailReader - Ignoring file '/var/log/openvpn.log' due to: binary
The solution I found was simple, add a stanza to props.conf on the forwarder. Then restart the forwarder.
[openvpn]
NO_BINARY_CHECK = true
Question 373137
Thank you for your help in figuring this out. I was hitting a mental wall but the logs on the forwarder helped.
... View more
06-27-2016
08:17 PM
1 Karma
This put me on the right track. The field is a text input for a hostname.
I have posted the correct answer below.
<row>
<html> <a href="https://ticketing.system.com/textsearch.do?sysparm_search=$field1$">Search for Tickets</a> </html>
</row>
... View more
06-20-2016
10:43 PM
I have a dashboard with a field called %field1%
I would like to generate a simple hyperlink the user can click on to open a new tab to our ticketing system.
I need to append the value of the token to the end of a static URL. Then display that value as an active link somewhere in the dashboard for the user to click and open the ticketing system.
For example:
If I enter FooBar in the field
The link would be:
hxxps://ticketing.system.com/textsearch.do?sysparm_search=FooBar
Thanks in advance for any help. I will continue reading and update the question myself if I find a working solution. This seems too simple not to be possible.
... View more
04-08-2015
08:22 PM
Thank you for the quick answer ramdaspr.
Im wondering why we are searching index_a for sourcetype_b which is not in that index. Does the JOIN statement take care of this?
I will test it when I get an opportunity and let you know.
... View more
04-08-2015
05:57 PM
I want to do a search for field_A in index_A. The value of field_A contains a URL minus any http(s), or query terms. I then want to use the value of field_A and search field_B from index_B for values containing it. If field_B contains field_A I want splunk to pull the value of field_C from index_B within the same event/log entry.
I have tried a few different iterations of the search but cannot seem to get the value from field_A to carry as a search term for field_B. I have read many different answer pages, and wikis. I thought I was on the right track with return, or fields commands but I am stuck.
"
earliest =-7d index=index_A sourcetype=source_A field_A=* | fields field_A | dedup field_A | eval = result [ search earliest=-7d index=index_B sourcetype=source_B field_B=<$field_A> ] | fields field_B
"
This one above is a simplified attempt, it does not work but I hope it shows the order I am trying to do things in. index_B is quite large so I want to search index_A first.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-06-2022
02:01 PM
|
