Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ehoward
ehoward
Path Finder
Member since:
06-01-2011
11-03-2022
Community Statistics
| Posts | 40 |
| Solutions | 3 |
| Karma Given | 2 |
| Karma Received | 6 |
| Member Since | 06-01-2011 |
Activity Feed
- Got Karma for Re: How to search backwards from a event time in a workflow action?. 11-03-2022 08:27 AM
- Posted Re: How to search backwards from a event time in a workflow action? on Splunk Search. 11-03-2022 08:09 AM
- Posted Re: How to search backwards from a event time in a workflow action? on Splunk Search. 11-03-2022 06:25 AM
- Got Karma for Re: How to search backwards from a event time in a workflow action. 11-01-2022 12:14 PM
- Posted Re: How to search backwards from a event time in a workflow action on Splunk Search. 11-01-2022 12:02 PM
- Posted Re: How to search backwards from a event time in a workflow action on Splunk Search. 11-01-2022 10:43 AM
- Posted How to search backwards from a event time in a workflow action? on Splunk Search. 11-01-2022 09:10 AM
- Tagged XML in Windows Evenlogs and xpath on Splunk Search. 12-21-2020 11:23 AM
- Tagged XML in Windows Evenlogs and xpath on Splunk Search. 12-21-2020 11:22 AM
- Tagged XML in Windows Evenlogs and xpath on Splunk Search. 12-21-2020 11:21 AM
- Posted XML in Windows Evenlogs and xpath on Splunk Search. 12-21-2020 06:41 AM
- Got Karma for Re: /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py is pulling down many duplicate events. 06-05-2020 12:49 AM
- Karma Re: Help with date Regex for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Regex for arpwatch extractions for MuS. 06-05-2020 12:46 AM
- Got Karma for Re: multivalue fields and fields.conf. 06-05-2020 12:45 AM
- Got Karma for Re: multivalue fields and fields.conf. 06-05-2020 12:45 AM
- Got Karma for Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.. 06-05-2020 12:45 AM
- Posted Re: App no longer working after moving to indexer cluster on All Apps and Add-ons. 03-16-2018 11:27 AM
- Posted App no longer working after moving to indexer cluster on All Apps and Add-ons. 03-16-2018 11:16 AM
- Tagged App no longer working after moving to indexer cluster on All Apps and Add-ons. 03-16-2018 11:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-03-2022
08:09 AM
1 Karma
OK. I now have the correct solution. It is based on this other post https://community.splunk.com/t5/Splunk-Search/Setting-earliest-and-latest/m-p/489703 Basically adding the following to the search string in my Workflow action set the correct relative earliest date when I pass in _time from the original search latest=$_time$ [| makeresults | eval earliest=relative_time($_time$,"-4h@s")| format "(" "" "" "" "" ")"]
... View more
11-03-2022
06:25 AM
Well it looks like the solution I thought I had does not work. I was doing a head command on my results. That worked great when there was a recent prior event to pivot on. When there was no authentication event with a matching IP the search took forever, indicating that the search defined in the Workflow Action is not honoring the earliest Earliest Time in the Time range setting for the Workflow action. So the question still remains how to pass in a modified earliest time with a value that is an offset(like 4 hours ago) from the passed in $_time$ variable from the original search in a Workflow action.
... View more
11-01-2022
12:02 PM
1 Karma
So, it looks like I can use a relative time setting ( -4h@s) in the earliest Earliest Time in the Time range setting for the Workflow action and pass in the $_time_$ as the latest value in my passed query and it works!
... View more
11-01-2022
10:43 AM
As this is being triggered as a workflow action from the Event Menu for a specific Event, I am not working off of the original search, I am working off the Event Menu that only has the original fields in the logged event for that sourcetype. I tried creating a calculated field called fourhoursago for the sourcetype that was an eval of the value of _time minus 4 hours and tried passing it to the workflow action as earliest=$fourhoursago$ but it would not accept the calculated field. .
... View more
11-01-2022
09:10 AM
I created a workflow action of off some netflow logs. I want to pass the source IP from the netflow and pass it to another search what looks at authentication logs from another log source to see the user that most recently authenticated PRIOR to the event that I am triggering the workflow from. I can pass _time to the new search as latest=$_time$ but I cannot seem to set earliest to what I want (in this case 4 hours before the passed $_time$ variable. How I can I properly set earliest to 4 hours before $_time$ so the workflow search looks back 4 hours from the event I am pivoting off of?
... View more
- Tags:
- workflow actions
Labels
- Labels:
-
fields
12-21-2020
06:41 AM
Can anyone advise on how to extract the fields in the following sample Eventlog Entry using xpath? I can't see to get the syntax right since the Component field repeats. I really want to pull all the fields under RequestAuditComponent type ----------- SNIP -------------- 2/21/2020 09:26:55 AM LogName=Security SourceName=AD FS Auditing EventCode=1201 EventType=0 Type=Information ComputerName=ADFS.contoso.com User=ADFS_Svc Sid=S-1-2-19-1257343421-143158401-1347568098-54312 SidType=1 TaskCategory=3 OpCode=Info RecordNumber=36801840 Keywords=Audit Failure, Classic Message=The Federation Service failed to issue a valid token. See XML for failure details. Activity ID: 22cf1b39-bdc5-44ec-a216-411192f514d0 Additional Data XML: <?xml version="1.0" encoding="utf-16"?> <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"> <AuditType>AppToken</AuditType> <AuditResult>Failure</AuditResult> <FailureType>GenericError</FailureType> <ErrorCode>N/A</ErrorCode> <ContextComponents> <Component xsi:type="ResourceAuditComponent"> <RelyingParty>http://fs.contoso.com/adfs/services/trust</RelyingParty> <ClaimsProvider>N/A</ClaimsProvider> <UserId>myuser@contoso.com</UserId> </Component> <Component xsi:type="AuthNAuditComponent"> <PrimaryAuth>N/A</PrimaryAuth> <DeviceAuth>false</DeviceAuth> <DeviceId>N/A</DeviceId> <MfaPerformed>false</MfaPerformed> <MfaMethod>N/A</MfaMethod> <TokenBindingProvidedId>false</TokenBindingProvidedId> <TokenBindingReferredId>false</TokenBindingReferredId> <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel> </Component> <Component xsi:type="ProtocolAuditComponent"> <OAuthClientId>N/A</OAuthClientId> <OAuthGrant>N/A</OAuthGrant> </Component> <Component xsi:type="RequestAuditComponent"> <Server>http://fs.contoso.com/adfs/services/trust</Server> <AuthProtocol>WSFederation</AuthProtocol> <NetworkLocation>Extranet</NetworkLocation> <IpAddress>10.0.0.1</IpAddress> <ForwardedIpAddress>10.0.0.1</ForwardedIpAddress> <ProxyIpAddress>N/A</ProxyIpAddress> <NetworkIpAddress>N/A</NetworkIpAddress> <ProxyServer>AZW-XADFS01</ProxyServer> <UserAgentString>Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:83.0) Gecko/20100101 Firefox/83.0</UserAgentString> <Endpoint>/adfs/ls/</Endpoint> </Component> </ContextComponents> </AuditBase>
... View more
Labels
- Labels:
-
field extraction
03-16-2018
11:27 AM
The cluster is site local and the test alert I am using is a one time alert with a specific time in cron so I don't think it is a time window issue. This is really an issue with the "Alert Manager" App.
... View more
03-16-2018
11:16 AM
We recently moved from a Single Indexer/Search head to Search head pointing to an indexer cluster and now I am finding that the "Alert Manager" Trigger action for alerts no longer functions properly. Triggered alerts do not appear to be making into the App defined "alerts" index. In know the "alerts" index works because I can shove events into it using the SPL "collect" command.
... View more
10-30-2017
07:37 AM
It turns out this was not just happening with Web Events, its just that Web Events are the most numerous among the dupes.
... View more
10-30-2017
07:36 AM
The subject header in my Ticket with Sophos is "Customer is reporting API integration with Sophos central event logging is returning multiple instances of web events."
... View more
10-30-2017
07:36 AM
The first search means have had 296 events that were duplicated at least once in the logs.
In my case I had event that were being duplicate over 11 times. Since the API retrieval limit is 1000 my logs can never get caught up because so many of the 1000 events retrieved are dupes.
I am still trying to get Sophos to make resoltion of this issue a priority. I would encourage you and any other Sophos customers to contact them and make your voice heard.
... View more
10-24-2017
05:53 AM
If you comb through the duplicates in your events (using the command I used to check for dupes in Splunk) you will see quite a few events are duplicated at least 11 times (at least in my case). This massive number of duplicates spamming the logs, coupled with the 1000 Event limit per API retrieval, means that it is almost certain that you will fall behind in getting your newest events. I am still waiting on Sophos Support to get this resolved. I would encourage you to put in your own ticket to encourage Sophos to get this resolved.
... View more
10-23-2017
06:27 AM
Nick, Sophos has received my trouble report and replicated my issue using my API key and the reference Python script they publish for downloading events. Definitely a problem on the Sophos Cloud side of things.
... View more
10-23-2017
06:24 AM
denrose, this issue is now known to Sophos. I have a ticket in with the Sophos Global escalation team to get this resolved. Sophos appears to be storing multiple duplicate events in Sophos Cloud logs. For reasons I cannot even fathom they do not appear to to using any sort of Key field in their log data store to prevent duplicate entries from being recorded.
... View more
10-12-2017
01:45 PM
1 Karma
After much troubleshooting this appears to be an issue with the Sophos API. We use Sophos WebControl and the API seems to returning an insane amount of duplicate WebControl events. I am going to open a ticket with Sophos.
... View more
10-12-2017
01:32 PM
I reverted to the Sophos API scripts. It looks like Sophos WebControl events get repeated like crazy when they are pulled down via the API. I am going to modify your Python script to use a Python dictionary to dump dupes.
Actually, I need to open a support ticket with Sophos. There are so many repeat events that the damn cursor can not keep up due to the 1000 event API retrieval lmit.
Thank you for responding to my questions.
... View more
10-12-2017
01:10 PM
Well, I'm foxed. I'm going to revert to the Sophos scripts for now. Maybe I can normalize the data later so your App can display it.
... View more
10-12-2017
01:00 PM
I may disable your App and revert to using the sample scripts in the Sophos API reference documentation with a cron job to pull down the events in JSON format and see if I get any dupes. That will allow me to determine if there is something flaky with my API key.
Assuming that works is there any chance of recoding your App to use the Sophos retrieval scripts to pull in the KV values?
... View more
10-12-2017
12:47 PM
The cursor file in /tmp gets re-written every time the script runs. I can see the timestamp change and I have confirmed that the value changes. Is there a chance that there is an issue with pulling out the correct cursor value when the script runs? More importantly, are you seeing the dupe issue in your own environment?
... View more
10-12-2017
12:39 PM
Alas, no. My Splunk server is running Debian Linux.
... View more
10-12-2017
10:54 AM
It appears that when the script pulls down new events from the API those same events they keep getting downloaded every subsequent run. I am running a Realtime search for the newest EventId (fieldname 'id)' that popped up in and I get getting the same event being added into my Splunk index every time the script hits its script execution interval as defined in inputs.conf.
... View more
10-12-2017
07:48 AM
I like the App. I wish I knew whether the duping issue was unique to my environment (or API key)
... View more
10-12-2017
07:46 AM
I assume that you also use Sophos Cloud. Can you replicate my dupe issue in your environment using the above searches?
... View more
10-12-2017
07:27 AM
Well, I appreciate the effort you put into the App. I was wondering why you decided to create your own sophos_events.py log retrieval script for your App instead of using the official Sophos script at (https://github.com/sophos/Sophos-Central-SIEM-Integration. ) I wonder if there is something with the eventCursor (or my API key) that is screwed up.
... View more
10-12-2017
07:22 AM
The following queries show that I am getting massive amounts of dupes from this script
source="/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" | stats count values(host) values(source) values(sourcetype) values(index) by _raw | WHERE count>1
search source="/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" | eval dupfield=_raw | transaction dupfield maxspan=1s keepevicted=true
I don't know if it is your script or something is foobared with my API key.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-03-2022
09:49 AM
|
