Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About payal4296
payal4296
Explorer
Member since:
08-14-2018
09-09-2022
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 08-14-2018 |
Activity Feed
- Posted Re: compare two field values for equality on Splunk Search. 03-12-2021 09:01 AM
- Posted Installation Script for UF 7.3.3 on Getting Data In. 02-25-2021 03:29 AM
- Posted Re: Simple installation script for Universal Forwarder on Getting Data In. 02-23-2021 03:32 AM
- Posted Re: Masking sensitive information from event on Getting Data In. 09-15-2020 08:39 AM
- Posted Re: Masking sensitive information from event on Getting Data In. 09-15-2020 07:25 AM
- Posted Re: props.conf and transforms.conf does not work on Getting Data In. 09-15-2020 04:37 AM
- Posted Masking sensitive information from event on Getting Data In. 09-15-2020 04:36 AM
- Posted Re: props.conf and transforms.conf does not work on Getting Data In. 09-15-2020 04:11 AM
- Got Karma for Why am I getting a "Winsock Error 10053" while using " Microsoft Log Analytics Add-on(Formerly Know as OMS?. 06-05-2020 12:49 AM
- Posted Re: Can we integrate a Splunk Instance with another Splunk Instance through REST API Modular Input? on Splunk Enterprise. 01-18-2019 04:53 AM
- Posted Can we integrate a Splunk Instance with another Splunk Instance through REST API Modular Input? on Splunk Enterprise. 01-18-2019 03:39 AM
- Tagged Can we integrate a Splunk Instance with another Splunk Instance through REST API Modular Input? on Splunk Enterprise. 01-18-2019 03:39 AM
- Posted Why I am getting the below Error while trying to run .jar file of SPLUNK JAVA SDK? on Splunk Dev. 10-01-2018 06:06 AM
- Tagged Why I am getting the below Error while trying to run .jar file of SPLUNK JAVA SDK? on Splunk Dev. 10-01-2018 06:06 AM
- Tagged Why I am getting the below Error while trying to run .jar file of SPLUNK JAVA SDK? on Splunk Dev. 10-01-2018 06:06 AM
- Tagged Why I am getting the below Error while trying to run .jar file of SPLUNK JAVA SDK? on Splunk Dev. 10-01-2018 06:06 AM
- Posted Why am I getting a "Winsock Error 10053" while using " Microsoft Log Analytics Add-on(Formerly Know as OMS? on All Apps and Add-ons. 08-16-2018 03:18 AM
- Tagged Why am I getting a "Winsock Error 10053" while using " Microsoft Log Analytics Add-on(Formerly Know as OMS? on All Apps and Add-ons. 08-16-2018 03:18 AM
- Tagged Why am I getting a "Winsock Error 10053" while using " Microsoft Log Analytics Add-on(Formerly Know as OMS? on All Apps and Add-ons. 08-16-2018 03:18 AM
- Tagged Why am I getting a "Winsock Error 10053" while using " Microsoft Log Analytics Add-on(Formerly Know as OMS? on All Apps and Add-ons. 08-16-2018 03:18 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
03-12-2021
09:01 AM
what if 1 field with string "A" is the substring of flied "B"? |where B=*A* , how can we find out that?
... View more
02-25-2021
03:29 AM
For installation of Splunk (UF or Enterprise) with version <=7.0 ,there is no default password "changeme". Installer asks for password during installation. How can I modify the below line in the script . /opt/splunkforwarder/bin/splunk edit user admin -password $PASSWORD -auth admin:changeme How the password can be mentioned during installation on Splunk version7.3.3.?I tried using -auth parameter but no luck.
... View more
Labels
- Labels:
-
universal forwarder
02-23-2021
03:32 AM
How UF will be installed on newer version of Splunk with no default password "changeme"??
... View more
09-15-2020
07:25 AM
Yes have restarted the splunk service after applying changes to the conf files. Actually it did worked on Friday ,the day changes were applied but it is not working after that .
... View more
09-15-2020
04:37 AM
https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519664#M87857
... View more
09-15-2020
04:36 AM
Hi,I am trying to remove some of the sensitive information to be indexed by Splunk. But these configurations are not working ,even after getting the configuration reflected over btool and validating the regex over SPL. Anyone can assist? props.conf [o365:management:activity] TRANSFORMS-anonymize = info-anonymizer KV_MODE = json TRUNCATE = 10485760 transforms.conf [info-anonymizer] DEST_KEY = _raw FORMAT = $1$2 REGEX = (.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(\"ResultsTruncated\"\:.*) Have already Validated regex over SPL, It is working fine. |regex _raw="(.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(\"ResultsTruncated\"\:.*)" and |rex field=_raw "(?<before>.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(?<after>\"ResultsTruncated\"\:.*)" |eval _raw=before+""+after
... View more
Labels
09-15-2020
04:11 AM
Hi @lguinn2 , I am trying to remove some of the sensitive information to be indexed by Splunk. But these configurations are not working ,even after getting the configuration reflected over btool and validating the regex over SPL. Can you please have a look on it? props.conf [o365:management:activity] TRANSFORMS-anonymize = info-anonymizer KV_MODE = json TRUNCATE = 10485760 transforms.conf [info-anonymizer] DEST_KEY = _raw FORMAT = $1$2 REGEX = (.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(\"ResultsTruncated\"\:.*) Have already Validated regex over SPL, It is working fine. |regex _raw="(.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(\"ResultsTruncated\"\:.*)" and |rex field=_raw "(?<before>.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(?<after>\"ResultsTruncated\"\:.*)" |eval _raw=before+""+after
... View more
01-18-2019
04:53 AM
Hi ,
I know about the internal forwarding but I was experimenting with the REST API Modular Inputs..and I came across this question
... View more
01-18-2019
03:39 AM
I was trying to send the data from one Splunk instance to another Splunk Instance using REST API Modular Input but there was Zero events populated with the configured input for the same.
This is the endpoint that i specified :https://:8089/services/saved/searches
... View more
- Tags:
- splunk-enterprise
10-01-2018
06:06 AM
C:\WINDOWS\system32>cd C:\Users\payal.s\Downloads\splunk-sdk-java-1.6.4\dist\examples
C:\Users\payal.s\Downloads\splunk-sdk-java-1.6.4\dist\examples>java -jar explorer.jar
Exception in thread "AWT-EventQueue-0" java.lang.RuntimeException: Received fatal alert: handshake_failure
at com.splunk.HttpService.send(HttpService.java:451)
at com.splunk.Service.send(Service.java:1295)
at com.splunk.HttpService.post(HttpService.java:348)
at com.splunk.Service.login(Service.java:1124)
at com.splunk.Service.login(Service.java:1103)
at com.splunk.Service.connect(Service.java:189)
at com.splunk.examples.explorer.Program$1.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$300(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.splunk.HttpService.send(HttpService.java:445)
... 20 more
... View more
08-16-2018
03:18 AM
1 Karma
I installed this add-on/app on Heavy Forwarder and configured inputs as:
Name: oms_test_env
Interval: 60
Index: main
Resource Group: xxxx
Workspace Name: xxxx
Subscription ID: xxxxx
Tenant ID: xxxx
Application ID: xxxx
Application ID: xxxx
Log Analytics Query: search *
Start Date: 15/08/2018 00:00:00
Event Delay/ lag Time: 15
... View more
08-14-2018
04:35 AM
@jkat54 @dpanych
Hi, I have checked each line and could not find any syntax errors or problem with indents. I modified the script, but am still getting same exit code.
Also, I am using query as search * and I am putting workspace name instead of workspaceID in inputs.conf.
Could you please help on this. Any definitive date you are going to repackage app.
import os
import sys
import time
import datetime
def validate_input(helper, definition):
inputs=helper.get_input_stanza()
for input_name, input_item in inputs.iteritems():
max_count = str(input_item["max_count"])
start_date = str(input_item["start_date"])
if int(max_count) <= 0:
helper.log_error("Max count must be greater than zero (0); found max_count=" + str(max_count))
try:
valid_date = datetime.datetime.strptime(start_date, '%d/%m/%Y %H:%M:%S')
except ValueError:
helper.log_error("Start date must be in the format of dd/mm/yyyy hh:mm:ss")
pass
def collect_events(helper, ew):
import adal
import json
import requests
# Go through each input for this modular input
inputs=helper.get_input_stanza()
for input_name, input_item in inputs.iteritems():
# Get the values, cast them as floats
resource_group = str(input_item["resource_group"])
workspace = str(input_item["workspace_id"])
query = str(input_item["oms_query"])
max_count = str(input_item["max_count"])
subscription_id = str(input_item["subscription_id"])
tenant_id = str(input_item["tenant_id"])
application_id = str(input_item["application_id"])
application_key = str(input_item["application_key"])
# Date and delta
if helper.get_check_point('last_date'):
start_datetime = datetime.datetime.strptime(helper.get_check_point('last_date'),'%d/%m/%Y %H:%M:%S')
else:
start_datetime = datetime.datetime.strptime(str(input_item['start_date']),'%d/%m/%Y %H:%M:%S')
now = datetime.datetime.now()
now_dt = now.replace(microsecond=0)
# URLs for authentication
authentication_endpoint = 'https://login.microsoftonline.com/'
resource = 'https://management.azure.com/'
# Get access token
context = adal.AuthenticationContext('https://login.microsoftonline.com/' + tenant_id)
token_response = context.acquire_token_with_client_credentials('https://management.azure.com/', application_id, application_key)
access_token = token_response.get('accessToken')
# Add token to header
headers = {
"Authorization": 'Bearer ' + access_token,
"Content-Type":'application/json'
}
# URLs for retrieving data
uri_base = 'https://management.azure.com'
uri_api = 'api-version=2017-10-01-preview'
uri_subscription = 'https://management.azure.com/subscriptions/' + subscription_id
uri_resourcegroup = uri_subscription + '/resourceGroups/'+ resource_group
uri_workspace = uri_resourcegroup + '/providers/Microsoft.OperationalInsights/workspaces/' + workspace
#uri_search = uri_workspace + '/search'
# Build search parameters from query details
search_params = {
"query": query,
"top": max_count,
"start": start_datetime.strftime('%Y-%m-%dT%H:%M:%S'),
"end": now_dt.strftime('%Y-%m-%dT%H:%M:%S')
}
# Build URL and send post request
#uri = uri_search + '?' + uri_api
uri = uri_workspace + '?' + uri_api
response = requests.post(uri,json=search_params,headers=headers)
# Response of 200 if successful
if response.status_code == 200:
# If debug, log event
helper.log_debug('OMSInputName="' + str(input_name) + '" status="' + str(response.status_code) + '" step="Post Query" search_params="' + str(search_params) + "'")
# Parse the response to get the ID and status
data = response.json()
'''
search_id = data["id"].split("/")
id = search_id[len(search_id)-1]
status = data["__metadata"]["Status"]
# If status is pending, then keep checking until complete
while status == "Pending":
# Build URL to get search from ID and send request
uri_search = uri_search + '/' + id
uri = uri_search + '?' + uri_api
response = requests.get(uri,headers=headers)
# Parse the response to get the status
data = response.json()
status = data["__metadata"]["Status"]
'''
else:
# Request failed
helper.log_error('OMSInputName="' + str(input_name) + '" status="' + str(response.status_code) + '" step="Post Query" response="' + str(response.text) + '"')
# Print the results of the search to std_out
for i in range(len(data["tables"][0]["rows"])):
data1 = "{"
#This nested loop goes through each field, in each event, and concatenates the field name to the field value
for n in range(len(data["tables"][0]["rows"][i])):
field = str(data["tables"][0]["columns"][n]["name"])
value = str(data["tables"][0]["rows"][i][n]).replace('"',"'").replace("\\", "\\\\").replace("None", "")
if value == "":
continue
else:
data1 += '"%s":"%s",' % (field, value)
data1 += "}"
data1 = data1.replace(",}", "}")
event = Event()
event.stanza = input_name
event.data = data1
ew.write_event(event)
#Delta
state = now_dt.strftime("%d/%m/%Y %H:%M:%S")
helper.save_check_point('last_date', state)
******
... View more
