Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About km1986
km1986
Path Finder
Member since:
09-23-2019
3 weeks ago
Community Statistics
| Posts | 23 |
| Solutions | 1 |
| Karma Given | 7 |
| Karma Received | 5 |
| Member Since | 09-23-2019 |
Activity Feed
- Posted How to get user details associated with 'aadUserId' field in logs from 'Microsoft Graph Security API Add-On for Splunk'? on All Apps and Add-ons. 12-26-2022 07:23 AM
- Got Karma for Re: Unable to Collect SMBServer/Audit logs. 11-23-2021 03:35 PM
- Posted Re: Cisco eStreamer encore 8.1.2 Data Ingestion Issue on Getting Data In. 11-23-2021 12:58 PM
- Posted Re: Unable to Collect SMBServer/Audit logs on Getting Data In. 11-23-2021 12:47 PM
- Karma Re: Unable to Collect SMBServer/Audit logs for adobrzeniecki. 11-23-2021 12:47 PM
- Posted Re: Unable to Collect SMBServer/Audit logs on Getting Data In. 11-18-2021 02:47 AM
- Tagged Re: Unable to Collect SMBServer/Audit logs on Getting Data In. 11-18-2021 02:47 AM
- Posted Cisco eStreamer encore 8.1.2 Data Ingestion Issue on Getting Data In. 11-10-2021 08:28 PM
- Posted Re: Unable to Collect SMBServer/Audit logs on Getting Data In. 11-01-2021 11:59 AM
- Posted Threat Connect logs going into lastchanceindex on All Apps and Add-ons. 09-17-2021 11:03 PM
- Posted Re: DataParserVerbose - Accepted time format has changed error on Getting Data In. 07-16-2021 09:17 AM
- Posted Question on subnet configuration in Hurricane Labs App for Shodan on All Apps and Add-ons. 07-14-2021 05:53 AM
- Karma Re: Splunk DBConnect 3.1.1 Build 34 There was an error processing your request. It has been logged (ID XXXXXXXXXXXXXXX). for woodcock. 11-25-2020 11:22 PM
- Posted Re: Splunk DBConnect 3.1.1 Build 34 There was an error processing your request. It has been logged (ID XXXXXXXXXXXXXXX). on All Apps and Add-ons. 11-25-2020 11:21 PM
- Posted Question on HEC configuration on Getting Data In. 11-19-2020 03:03 AM
- Karma Re: Compatibility between search head in splunkcloud and on-prem search head for richgalloway. 11-06-2020 08:31 AM
- Posted Compatibility between search head in splunkcloud and on-prem search head on Deployment Architecture. 10-30-2020 07:17 AM
- Got Karma for Re: Download link for Splunk 6.6.0. 10-23-2020 08:58 AM
- Posted Re: Download link for Splunk 6.6.0 on Installation. 10-23-2020 08:30 AM
- Got Karma for Re: Download link for Splunk 6.6.0. 10-23-2020 07:03 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
12-26-2022
07:23 AM
Hi All,
How to get user details associated with 'aadUserId' field in logs from 'Microsoft Graph Security API Add-On for Splunk'. Does https://splunkbase.splunk.com/app/3757have to be installed to get the user name/user email ID?
... View more
Labels
- Labels:
-
administration
-
configuration
11-23-2021
12:58 PM
The inputs.conf had the stanza pointing to the wrong directory, also sourcetype name was missing after the upgrade. Had to connect the path and add the sourcetype name to fix
... View more
11-23-2021
12:47 PM
1 Karma
I was able to fix it. It was permissions on Windows Event Logs. Used https://support.umbrella.com/hc/en-us/articles/115004063808-Using-wevtutil-to-check-Event-Log-permissions as reference to correct the channel access string for Microsoft-Windows-SMBServer/Audit. Thanks for the suggestion.
... View more
11-18-2021
02:47 AM
Was splunkd running as SYSTEM or as a domain account? I tried both, restarted Splunk services and the DS, but while other Event IDs are coming as expected the Event ID 3000 (SMBServer Audit) logs are not coming in. Now that it is certain the path is correct, I'm thinking if it something related to permissions.
... View more
- Tags:
- nkd
11-10-2021
08:28 PM
Hi All, I have recently upgraded Splunk HF from 7.3.x to 8.1.2 and also the Cisco eStreamer (Encore) app from 3.6.x to 4.8.1. Both upgrades went fine and cisco:estreamer:data logs were coming in fine till 1.5 hours post-upgrade after which logs stopped coming in. The file estreamer.log in /opt/splunk/etc/apps/TA-eStreamer/bin/encore doest show any ERROR ( INFO Running. 3500 handled; average rate 4.86 ev/sec;). Also, I'm able to see logs populating in /opt/splunk/etc/apps/TA-eStreamer/data. However, it appears logs are not getting updated in cisco:estreamer:data sourcetype. There are other log sources relayed from the HF to cloud which do not have any issues (ruled out any network connectivity issues between HF and splunkcloud). Has anyone else seen similar issues?
... View more
Labels
- Labels:
-
heavy forwarder
-
scripted input
09-17-2021
11:03 PM
I was looking at installing https://splunkbase.splunk.com/app/3075/ in Splunkcloud. The documentation here -> https://training.threatconnect.com/learn/article/threatconnect-application-for-splunk-user-guide-kb-... does not specify if it needs to be installed on IDM or can be installed on SH. I went ahead and installed on my ES SH and configured the app, but now the logs are coming into lastchanceindex. Has anyone installed this in splunkcloud and got this working?
... View more
Labels
- Labels:
-
configuration
-
installation
07-16-2021
09:17 AM
@lukasmecir : Can you please update if you were able to determine a fix for this? I'm seeing the same issue. Thanks.
... View more
07-14-2021
05:53 AM
Hi All, I have come across quite a few old posts around subnet configuration in Hurricane Labs App for Shodan (https://splunkbase.splunk.com/app/1767/) and questions around IP subnet configuration in 'Configure Subnets'. Can someone who has already set this up help with the below questions: 1. Is CIDR supported in 'configure subnets' 2. I have a list of around 100 subnets in CIDR notation, how do I go about configuring the same in 'Configure Subnets' (I tried pasting the complete list but I'm not sure that is working). Does the list have to be a separated by Commas? Appreciate any support/guidance anyone can provide.
... View more
Labels
- Labels:
-
configuration
11-25-2020
11:21 PM
Thanks, this helped me when I faced the same issue
... View more
11-19-2020
03:03 AM
Hello, I have data inputs configured with HEC coming in to index=A and source=http:sourcename1. I now have logs of similar type which I want to come into the same index (i.e index=A) and with the same source i.e. http:sourcename1, but which would require me to setup a new HEC connection with a new token. Please let me know if this is possible? Thanks.
... View more
Labels
- Labels:
-
HTTP Event Collector
10-30-2020
07:17 AM
Hello All, Our SH in Splunk cloud will be upgraded to 7.2.10.2 from v7.0.13. Our on - prem SH is on 7.0.5. As per the document here. "The search head must be at the same or a higher level than the search peers. See the note later in this section for a precise definition of "level" in this context." Would it be safe to say we do not have to upgrade the on-prem Search Head for now? Thanks for the inputs.
... View more
Labels
- Labels:
-
distributed search
10-23-2020
08:30 AM
1 Karma
It is a temporary google drive link. If it benefits others, the engineer also mentioned that for older releases which are not supported, a splunk support ticket is necessary.
... View more
10-23-2020
06:38 AM
1 Karma
Thanks @richgalloway , @inventsekar . I contacted Splunk support and they were able to provide me the download link.
... View more
10-23-2020
01:56 AM
1 Karma
Thanks @richgalloway . So I need to upgrade from v6.4.2 to v7.3.1.1 and the docs state I need to first go to the intermediate version 6.6.x. I tried doing what you suggested but it looks like there is no download URL where I might be able to change the version to get the one that I'm looking for.
... View more
10-21-2020
11:39 PM
1 Karma
Hello All, I was looking for download link for Splunk enterprise 6.6.1 but it appears it is not listed here https://www.splunk.com/en_us/download/previous-releases.html#tabs/linux . Is there any other download link available?
... View more
Labels
- Labels:
-
Linux
09-30-2020
02:09 PM
Hello All, We are upgrading Splunk Heavy Forwarder from v6.4.0 to v7.3.1.1 and we were evaluating the need to upgrade add-ons installed on the HF to ensure compatibility with v7.3.x. We have narrowed down the add-ons which require an upgrade on the HF, but are unsure if they need to be upgraded to the same version as HF on SH/IDX also (in Splunkcloud) for the field extraction to happen properly? Below are the apps: Any guidance is appreciated, thanks. https://splunkbase.splunk.com/app/1620/ https://splunkbase.splunk.com/app/1915/ https://splunkbase.splunk.com/app/1747/
... View more
Labels
- Labels:
-
heavy forwarder
09-24-2020
09:41 AM
Thanks @gcusello, this worked. I think I had an issue with the splunk test instance which was not indexing logs properly since I was seeing issues with some other logs as well. I spun up a fresh instance and tried it and it worked.
... View more
09-07-2020
08:01 AM
Hey @gcusello The files are located on the Heavy Forwarder (/var/log/palo). I have double-checked the regex, it seems to be fine. None of the logs are getting indexed at all, even the ones not of 'USERID' type, which is why I was thinking if something is wrong in the props/transforms? Below is a sample: Sep 7 03:29:28 ttt-tt-ttt-9 1,2020/09/07 03:29:28,000000000000000,USERID,end,2304,2020/09/07 03:29:18,172.17.132.5,172.17.130.68,0.0.0.0,0.0.0.0,tttttt-tttttttt,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/2,default,2020/09/07 03:29:18,386215,1,50473,53,0,0,0x64,udp,allow,260,102,158,2,202 0/09/07 03:28:47,0,any,0,10906416,0x8000000000000000,ttt-tt-ttttt-ttttt,ttt-tt-ttttt-ttttt,0,1,1,aged-out,324,327,0,0,,tttttttttttt,from-policy,,,0,,0,,N/A,0,0,0,0,tttttttt-tttt-tttt-tttt-tttttttttttt,0
... View more
09-07-2020
07:29 AM
Hello All, I'm trying to prevent the 'USERID' events from getting indexed by making the following changes on my Heavy Forwarder. However, after adding the TRANSFORMS-null statement and the [setnull] stanza in transforms.conf, I'm not seeing any logs getting indexed at all. Any guidance is appreciated inputs.conf [monitor:///var/log/palo] disabled = false sourcetype = pan:traffic props.conf [pan:traffic] TRANSFORMS-null = setnull TZ = America/New_York TRANSFORMS-host = paloalto-host DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = true disabled = false pulldown_type = true transforms.conf [paloalto-host] SOURCE_KEY = _raw FORMAT = host::$1 DEST_KEY = MetaData:Host [setnull] REGEX = ^(?:[^,\n]*,){3}USERID DEST_KEY = queue FORMAT = nullQueue
... View more
Labels
- Labels:
-
heavy forwarder
-
props.conf
-
transforms.conf
03-12-2020
11:46 AM
Hello,
I'm trying to integrate the TA-symantec_atp with the EDR console. When I provide the EDR URL and the password (client_id:client_secret), I'm seeing the below error.
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)
... View more
09-23-2019
08:33 PM
I saw same issue today. eNcore Version 3.5.8 ; FMC version 6.2.3.14
I realized that the hostname provided to generate the certificate in FMC was not the same as that of the splunk server on which the eNcore app is being installed.
I re-generated the certificate with the same hostname as the Splunk server and the issue resolved.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma given to
