I'm getting a scripting error on our Enterprise Security server every hour: msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py" stanza="default" status="exited with code 114" Other than that, everything seems to be working. How can I resolve this error? ... View more

I'm trying to create a search that will provide statistics for patch availability according to our Tenable scans. I'd like to make it all one table, but so far I'm creating separate searches and having trouble getting results. I want to breakdown the results by the patchPubDate value into "Less than 30 days old", 30 to 60 days old", & "over 60 days old". The individual searches that I've been working on so far look like this: index=tenable | where patchPubDate < relative_time(now(),"-30d@d") | stats count as "Patch Available less than 30 days" index=tenable | where patchPubDate = relative_time("-30d@d","-60d@d") | stats count as "Patch Available 30 to 60 days" So far, I'm bombing on the second search and I'm not sure how to ensure that I only get patches over 60 days old. The patchPubDate is in epoch time format. ... View more

I'm trying to filter my Tenable results to show only vulnerabilities seen within the last 7 days. Here is my current search: index=tenable (riskFactor=Critical OR riskFactor=High OR riskFactor=Medium OR riskFactor=Low) earliest=-2d | where lastSeen < relative_time(now(),"-7d") | eval LastSeen=strftime(lastSeen,"%Y-%m-%d") | stats count by ip,riskFactor,pluginName,dnsName,solution,scan_result_info.name,LastSeen | stats list(pluginName) list(solution) list(LastSeen) list(riskFactor) list(count) sum(count) by scan_result_info.name,ip,dnsName | sort -sum(count) If I remove the | where lastSeen < relative_time(now(),"-7d") then I get results. By default the lastSeen values are in epoch time format. ... View more

I am creating a dashboard for Tenable results and some entries have a Patch Publication Date value of -1. I'm having trouble getting the search to output results because I can't get the -1 value to resolve to a human readable date. Here is a copy of the search: index=tenable | eval PatchPubDate=strftime(patchPubDate,"%Y-%m-%d") | stats by riskFactor,severity.id,pluginID,description,solution,pluginText,PatchPubDate,ip Any ideas of how to get the results to show when the date is -1? When I exclude the -1 values from the search all other epoch time values convert as desired. ... View more

We are using a distributed architecture and I have a couple of servers with custom windows logs that we want to pull into Splunk. I added the needed configs to the inputs.conf file, but periodically the custom inputs.conf files are being overwritten with the universally distributed conf file. How can I prevent this from happening? Or should I just add the custom configs to the core inputs.conf file that gets pushed out to the whole environment? ... View more

I installed the Meta Woot! App for Splunk, and most of the data is populating as expected, but when I go to “Meta Woot! License Volume Usage”, I are not getting any data. I have a distributed deployment. I'm not sure why the data isn't populating for this tab. Any ideas? ... View more