-
6 years, 2 months ago
wrangler2x commented on the post, List Deployment Apps and the associated serverClass
In reply to: wrangler2x wrote a new post | rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | […] ViewWell dang — I meant to remove the line ‘| search title = OIT*’ before I saved this and I forgot. Now I can’t seem to edit it.
Just remove that line and it will work fine. On my Deployment Server all my DAs begin with ‘OIT’ so that’s why that is there.
One caveat — I don’t think the deployment info in REST was available on 5.x. I’m on 6.5.2
-
6 years, 2 months ago
wrangler2x wrote a new post
| rest /servicesNS/nobody/system/deployment/server/applications/
| search title =*
| rename title as DeploymentApplication, serverclasses as serverClass
| eval line=1 | accum line
| fields line […] -
6 years, 3 months ago
wrangler2x commented on the post, List forwarders generating socket errors due to unkown SSL protocol
In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […] ViewI have a bad paste in my first comment back to @john117, where I said “Take a look at…” The paste should have been $SPLUNK_HOME/etc/system/default/transforms.conf
-
6 years, 3 months ago
wrangler2x commented on the post, List forwarders generating socket errors due to unkown SSL protocol
In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […] ViewAlso, it is mentioned here in Splunk Answers:
https://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html -
6 years, 3 months ago
wrangler2x commented on the post, List forwarders generating socket errors due to unkown SSL protocol
In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […] ViewTake a look at https://gosplunk.com/list-forwarders-generating-socket-errors-due-to-unkown-ssl-protocol/#comments
If you have this stanza, you should be able to use the dnslookup (and if not, you can just remove that line and references to it from the search):
[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list =…[Read more] -
6 years, 3 months ago
wrangler2x wrote a new post
If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can generate these errors. This […]
-
Thanks for sharing! I do not have a default “dnsLookup” in my environment. Did you build this with an app or acquire it from your networking team and upload it as a lookup?
If the query works the way I think it works, this is pretty neat!
-
Take a look at https://gosplunk.com/list-forwarders-generating-socket-errors-due-to-unkown-ssl-protocol/#comments
If you have this stanza, you should be able to use the dnslookup (and if not, you can just remove that line and references to it from the search):
[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost,clientipHowever, I’ve added a local version to my account and it looks like this:
[dnslookup]
disabled = 0
external_cmd = /opt/splunk/etc/apps/search/lookups/external_lookup.py host ip
fields_list = host, ipSo in my search I’m using ‘host’ and ‘ip’ instead of ‘clienthost’ and ‘clientip’
You can do that or modify my search to use ‘clienthost’ and ‘clientip’ instead.
When I do this in the search:
| lookup dnsLookup ip OUTPUT host as ForwarderInDNS
I’m passing ip in place of clientip because of my transform, and when it returns host I’m using ‘as’ to rename it.
-
Also, it is mentioned here in Splunk Answers:
https://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html -
Thanks wrangler2x!
-
I have a bad paste in my first comment back to @john117, where I said “Take a look at…” The paste should have been $SPLUNK_HOME/etc/system/default/transforms.conf
-
-
6 years, 3 months ago
wrangler2x wrote a new post
For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure-out what we have and what it is used for. The search requires that there be a file c […]
-
7 years, 11 months ago
wrangler2x commented on the post, Potential Suspicious Activity in Windows
In reply to: john117 wrote a new post Potential Suspicious Activity in WindowsThe following Splunk search should be ran over a long period of time (at least it worked best that way in my environment). This query will show […] ViewI get the following error running this search (Splunk 6.1.5):
Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.
-
8 years ago
wrangler2x commented on the post, Every index explicitly granted to a role
In reply to: ItsJohnLocke wrote a new post Self explanatory, maps roles to indexes. Useful if you have a lot of indexes! | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields […] ViewAdd
| stats values(role) by index
at the end to get a by-index summery of roles.
-
8 years, 4 months ago
wrangler2x became a registered member
-
8 years, 4 months ago
wrangler2x became a registered member
Well dang — I meant to remove the line ‘| search title = OIT*’ before I saved this and I forgot. Now I can’t seem to edit it.
Just remove that line and it will work fine. On my Deployment Server all my DAs begin with ‘OIT’ so that’s why that is there.
One caveat — I don’t think the deployment info in REST was available on 5.x. I’m on 6.5.2
wrangler2x,
I’ve updated the query to reflect what you said in the comment. Not sure why you can’t edit, let me know if the issue persists.
Thanks for posting and sharing!