cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
roberteves
Explorer
Member since: ‎11-11-2019
‎04-06-2021
Community Statistics
Posts 8
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-11-2019
Activity Feed
View All

Re: Not receiving any logs from Okta

by in All Apps and Add-ons
‎04-06-2021 11:45 AM
‎04-06-2021 11:45 AM
Do you know what that means? Is it some configuration for logging on the server side or in the Okta app on the Splunk server? ... View more

Not receiving any logs from Okta

by in All Apps and Add-ons
‎04-02-2021 11:47 AM
‎04-02-2021 11:47 AM
I've installed the Okta Identity Cloud Add-on for Splunk. There was an attempt to configure it a while ago but wasn't tested much. When looking at it again I noticed that there was a 401 Unauthorized error when trying to make the API request. I had the admin create a new token and I configured the token and input in the app. I don't see any errors in the logs, in the app log it does show the message "No logs returned". I know there were both failed and successful attempts to log in to that Okta. Is there anything else I can check on the Splunk or Okta side?         2021-04-02 14:44:05,498 INFO pid=7784 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling 2021-04-02 14:44:05,541 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: log_limit 2021-04-02 14:44:05,569 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: log_limit 2021-04-02 14:44:05,582 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_collectLogs sees an existing next link value of: https://[redacted].oktapreview.com/api/v1/logs, picking up from there 2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: max_log_batch 2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: skip_empty_pages 2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: http_request_timeout 2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: allow_proxy 2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: bypass_verify_ssl_certs 2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: custom_ca_cert_bundle_path 2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=setup_util.py:log_info:117 | Customized key can not be found 2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | Use of the proxy has been enabled through explicit definition of allow_proxy 2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled! 2021-04-02 14:44:05,821 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller n_val does not match our valid pattern with 0 results, store the current URL: https://[redacted].oktapreview.com/api/v1/logs 2021-04-02 14:44:05,822 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller we will now stash n_val with: https://[redacted].oktapreview.com/api/v1/logs 2021-04-02 14:44:05,842 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=Zero logs returned         ... View more
Labels

Re: Splunk app ingesting excess data

by in All Apps and Add-ons
‎02-10-2021 09:14 AM
‎02-10-2021 09:14 AM
Sorry for the delay, I was thinking it might be something like that. Making those changes resolved the issue. Thanks! ... View more

How to resolve SSL error with tcp-ssl input?

by in Getting Data In
‎02-10-2021 09:08 AM
‎02-10-2021 09:08 AM
I have a Splunk server which is receiving data on a tcp-ssl port successfully for a particular application (SecureCircle). I'm trying to set up a new port to receive data from Palo Alto firewalls but it's running into an the following error:       WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'       I'm using the same certificate an SSL configuration for both ports so I know that the cert is fine. It's not a self singed cert. It's valid until 2022. I've been looking through some old posts with similar errors but none of them seemed to match my issue.  Below is my Port and SSL configuration from the btool inputs command       /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf [SSL] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf allowSslRenegotiation = true /opt/splunk/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 /opt/splunk/etc/system/default/inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1 /opt/splunk/etc/system/local/inputs.conf host = splunkhost.mydomain.com /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf requireClientCert = false /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf serverCert = /opt/splunk/etc/auth/splunkhost.mydomain.com/splunkhost.mydomain.com.pem /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf sslPassword = [Redacted] /opt/splunk/etc/system/default/inputs.conf sslQuietShutdown = false /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf sslVersions = tls1.2 /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf [tcp-ssl://6514] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf host = splunkhost.mydomain.com /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf index = pan_logs /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf sourcetype = pan:log       The configuration for the working port is:       /opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf [tcp-ssl://8443] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/local/inputs.conf host = splunkhost.mydomain.com /opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf index = dlp /opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf sourcetype = SecureCircle       ... View more
Labels

Re: Splunk app ingesting excess data

by in All Apps and Add-ons
‎12-30-2020 01:06 PM
‎12-30-2020 01:06 PM
Thanks, I'm not really familiar with the output from that, but I do see this:   /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf [monitor:///var/log] /opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf blacklist = (lastlog|anaconda\.syslog|audit\.log.*) /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf disabled = 0 /opt/splunkforwarder/etc/system/local/inputs.conf host = <my host> /opt/splunkforwarder/etc/apps/OpenEMPI/local/inputs.conf index = oempi /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)     Why would it be combining the configuration from those two apps? I understand system defaults may be used where they're not specified in an app, but I expected these to be two separate apps and the configuration for either wouldn't affect the other ... View more

Splunk app ingesting excess data

by in All Apps and Add-ons
‎12-30-2020 11:53 AM
‎12-30-2020 11:53 AM
Hi all, somewhat new to Splunk, hopefully I'll describe the issue well... I've setup a deployment app to forward logs from an (non-splunk) application for which there is no current app on Splunkbase. I configured the index and log file locatiosn to go to the index oempi. I configured a specific server class for these servers. I also have a server class for Splunk App for *nix which has these servers as well as other Linux servers used for other purposes. That app is configured to send data to the os index. For some reason I'm getting all the data from the Splunk App for *nix in the oempi index  as well as the os index. Below are the settings for the two apps:       head Splunk_TA_nix/local/inputs.conf # Copyright (C) 2020 Splunk Inc. All Rights Reserved. [default] index = os [script://./bin/vmstat.sh] interval = 60 sourcetype = vmstat source = vmstat disabled = 1           head OpenEMPI/local/inputs.conf [default] index = oempi [monitor:///sysnet/openempi/openempi-3.5.7/logs] whitelist=(\.log|\.out|\.txt) disabled = 0 [monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs] whitelist=(\.log) disabled = 0     ... View more

Minimum requirements for the Splunk Fundamentals 1...

by in Training + Certification Discussions
‎11-11-2019 09:52 AM
‎11-11-2019 09:52 AM
What are the minimum requirements for a Splunk VM for the Splunk Fundamentals 1 course? I can see the reference hardware at https://docs.splunk.com/Documentation/Splunk/6.5.0/Capacity/Referencehardware but that's a bit much just for a VM for the course. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-06-2021 03:50 PM
Karma given to
View All