Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About robdanl
robdanl
Explorer
Member since:
12-06-2013
03-26-2021
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 12-06-2013 |
Activity Feed
- Got Karma for Re: In the Tenable Add-On for Splunk, what is the best way to determine if a vulnerability still exists on a host system?. 05-03-2021 08:54 AM
- Karma Splunk Add-on for Box works on 7.3.2 but on 7.3.3 it gives [Loading] Input page for yuichirosuzuki. 06-05-2020 12:50 AM
- Karma Azure Add-On Version 8.x Python 3.0 ready ? for splunkmachine. 06-05-2020 12:50 AM
- Karma Re: How would a lookup to combine two values to one OUTPUT field? for MuS. 06-05-2020 12:48 AM
- Posted Re: In the Tenable Add-On for Splunk, what is the best way to determine if a vulnerability still exists on a host system? on All Apps and Add-ons. 04-15-2020 01:09 PM
- Posted Re: Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 12:22 PM
- Posted Re: Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 11:58 AM
- Posted Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 10:08 AM
- Tagged Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 10:08 AM
- Tagged Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 10:08 AM
- Tagged Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 10:08 AM
- Tagged Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder? on All Apps and Add-ons. 07-07-2017 10:08 AM
- Posted Re: How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 06-05-2017 07:22 AM
- Posted Re: How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 06-05-2017 07:20 AM
- Posted Re: How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 06-01-2017 11:45 AM
- Posted Re: How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 06-01-2017 11:30 AM
- Posted Re: How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 05-30-2017 01:37 PM
- Posted How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 05-30-2017 12:36 PM
- Tagged How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 05-30-2017 12:36 PM
- Tagged How would a lookup to combine two values to one OUTPUT field? on Splunk Search. 05-30-2017 12:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
04-15-2020
01:09 PM
1 Karma
I would make an addition to the example as it is deduping but you may end up removing a version that isn't the latest state.
`get_tenable_index` sourcetype="tenable:sc:vuln" | dedup ip, repository.id, pluginID, port, protocol sortby - lastSeen | search state=open OR state=reopened
... View more
07-07-2017
12:22 PM
I saw that as well. My concern (and correct me if you feel otherwise), is that if I have a search head cluster that installing this would result in the inputs being on every search head in the cluster - and then duplicate data being sent to the indexer.
This is due to the part that states "configure inputs on forwarders to avoid duplicate data collection" under "Search Head Clusters" comments.
... View more
07-07-2017
11:58 AM
I use a universal forwarder and I'm looking for recommendations that don't involve "don't use the universal forwarder" 🙂
It's an existing architecture I really don't want to change to get an add-on installed.
... View more
07-07-2017
10:08 AM
The Splunk Add-on for Microsoft Cloud Services documentation at http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install seems to be stating that you must configure the input on the search head if you are using a Universal Forwarder. Underneath, however, it says if installing on a search head cluster you should configure the input to be on the forwarder.
What are you supposed to do when you are using a search head cluster but the (unsupported) Universal Forwarder?
... View more
06-05-2017
07:22 AM
It doesn't appear I can do as you were suggesting as calculated fields are processed before lookups per your initial link as well as some documention on props.conf:
Calculated fields come fifth in the search-time operations sequence, after field aliasing but before lookups
... View more
06-05-2017
07:20 AM
Unfortunately, it doesn't look like this will work per the documentation on props.conf:
Splunk processes calculated fields after field extraction and field
aliasing but before lookups. This means that:
- You can use a field alias in the eval statement for a calculated
field.
- You cannot use a field added through a lookup in an eval statement for a
calculated field.
... View more
06-01-2017
11:45 AM
It also appears I can also do it this way:
eval org_group=mvappend(src_group,dest_group)
Now I just need to figure out how to make every search include this behind the scenes.
... View more
06-01-2017
11:30 AM
On your second option (with the foreach), how would that be included in every search? While I would be able to copy/paste that string or add it into a macro, not every user could or would want to do that.
... View more
05-30-2017
01:37 PM
Both of your suggestions work. It's a shame there doesn't seem to be a way to create a multi-value field as part of a lookup the way I described. That would be ideal as - you're right - doing a loop through fields and concatenating them doesn't feel ideal when we need to have it included in every single search performed.
... View more
05-30-2017
12:36 PM
I'm looking at firewall logs which typically have (among other details) a source address and a destination address. I'm attempting to use a lookup table to determine the organizational group that each IP belongs to. The lookup table is a fairly basic format:
Subnet,OrgGroup
192.168.0.0/24,Group1
192.168.1.0/24,Group2
This was how I was originally going to do it:
sourcetype=cisco:asa | lookup ip_to_group Subnet AS src_ip OUTPUT OrgGroup as src_group | lookup ip_to_group Subnet AS dest_ip OUTPUT OrgGroup as dest_group
This gives me: src_group=Group1, dest_group=Group2
For business reasons, we don't want to have two output fields (src_group, dest_group) but one ("org_group"):
sourcetype=cisco:asa | lookup ip_to_group Subnet AS src_ip OUTPUT OrgGroup as org_group | lookup ip_to_group Subnet AS dest_ip OUTPUT OrgGroup as org_group
How would I blend those lookups into both using "org_group" without overwriting? e.g. org_group=Group1,Group2
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-26-2021
01:11 AM
|
