• Search
  • Dashboards
  • Browse
    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime
    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Diagnostics failed logon Firewall IIS index indexes internal license License usage Linux linux audit Login Logon malware Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshoot troubleshooting tstats Universal Forwarder users Vulnerabilities Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog
  • Splunk Jobs

wrangler2x

@wrangler2x Active 1 year, 6 months ago
  • 6 years, 7 months ago

    wrangler2x commented on the post, List Deployment Apps and the associated serverClass

    In reply to: wrangler2x wrote a new post | rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | […]

  • 6 years, 7 months ago

    wrangler2x wrote a new post

    | rest /servicesNS/nobody/system/deployment/server/applications/
    | search title =*
    | rename title as DeploymentApplication, serverclasses as serverClass
    | eval line=1 | accum line
    | fields line […]

    • wrangler2x replied 6 years, 7 months ago

      Well dang — I meant to remove the line ‘| search title = OIT*’ before I saved this and I forgot. Now I can’t seem to edit it.

      Just remove that line and it will work fine. On my Deployment Server all my DAs begin with ‘OIT’ so that’s why that is there.

      One caveat — I don’t think the deployment info in REST was available on 5.x. I’m on 6.5.2

      • SplunkNinja replied 6 years, 7 months ago

        wrangler2x,
        I’ve updated the query to reflect what you said in the comment. Not sure why you can’t edit, let me know if the issue persists.

        Thanks for posting and sharing!

  • 6 years, 8 months ago

    wrangler2x commented on the post, List forwarders generating socket errors due to unknown SSL protocol

    In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […]

  • 6 years, 8 months ago

    wrangler2x commented on the post, List forwarders generating socket errors due to unknown SSL protocol

    In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […]

  • 6 years, 8 months ago

    wrangler2x commented on the post, List forwarders generating socket errors due to unknown SSL protocol

    In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […]

  • 6 years, 8 months ago

    wrangler2x wrote a new post

    If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can generate these errors. This […]

    • john117 replied 6 years, 8 months ago

      Thanks for sharing! I do not have a default “dnsLookup” in my environment. Did you build this with an app or acquire it from your networking team and upload it as a lookup?

      If the query works the way I think it works, this is pretty neat!

    • wrangler2x replied 6 years, 8 months ago

      Take a look at https://gosplunk.com/list-forwarders-generating-socket-errors-due-to-unkown-ssl-protocol/#comments

      If you have this stanza, you should be able to use the dnslookup (and if not, you can just remove that line and references to it from the search):

      [dnslookup]
      external_cmd = external_lookup.py clienthost clientip
      fields_list = clienthost,clientip

      However, I’ve added a local version to my account and it looks like this:

      [dnslookup]
      disabled = 0
      external_cmd = /opt/splunk/etc/apps/search/lookups/external_lookup.py host ip
      fields_list = host, ip

      So in my search I’m using ‘host’ and ‘ip’ instead of ‘clienthost’ and ‘clientip’

      You can do that or modify my search to use ‘clienthost’ and ‘clientip’ instead.

      When I do this in the search:

      | lookup dnsLookup ip OUTPUT host as ForwarderInDNS

      I’m passing ip in place of clientip because of my transform, and when it returns host I’m using ‘as’ to rename it.

    • wrangler2x replied 6 years, 8 months ago

      Also, it is mentioned here in Splunk Answers:
      https://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html

    • SplunkNinja replied 6 years, 8 months ago

      Thanks wrangler2x!

    • wrangler2x replied 6 years, 8 months ago

      I have a bad paste in my first comment back to @john117, where I said “Take a look at…” The paste should have been $SPLUNK_HOME/etc/system/default/transforms.conf
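The thread above relies on the external_lookup.py named in the [dnslookup] stanza without showing what such a script has to do. The following Python is an added example, not the page's code and not the script Splunk ships: it implements the contract an external lookup script must satisfy (Splunk passes the field names from external_cmd as arguments, writes the rows to complete as CSV on stdin and reads the completed CSV back from stdout). The forwarder names, the addresses and the resolver table are constructed so that it runs offline; Splunk's own script resolves through the socket module instead. A row whose address has no reverse record comes back with an empty host field, which is exactly what the search's ForwarderInDNS column surfaces.

```python
"""Stand-in for an external DNS lookup script (added example, not Splunk's).

Contract: argv gives the host and ip field names, stdin carries a CSV of
rows in which one of the two fields is filled, stdout must return the same
CSV with the other field completed (or left blank when nothing resolves).
"""
import csv
import io
import sys

# Constructed sample data: hypothetical forwarder names and RFC 1918 addresses.
# The real script would call socket.gethostbyname / socket.gethostbyaddr.
SAMPLE_FORWARD = {
    "fwd01.example.internal": "10.0.0.11",
    "fwd02.example.internal": "10.0.0.12",
}
SAMPLE_REVERSE = {ip: host for host, ip in SAMPLE_FORWARD.items()}


def resolve_rows(host_field, ip_field, rows, forward=None, reverse=None):
    """Fill the empty side of each row: host -> ip, or ip -> host.

    Unresolvable values are left blank rather than raising, so a forwarder
    with no reverse record shows up as an empty host in the search output.
    """
    forward = SAMPLE_FORWARD if forward is None else forward
    reverse = SAMPLE_REVERSE if reverse is None else reverse
    completed = []
    for row in rows:
        row = dict(row)
        host = (row.get(host_field) or "").strip()
        ip = (row.get(ip_field) or "").strip()
        if ip and not host:
            row[host_field] = reverse.get(ip, "")
        elif host and not ip:
            row[ip_field] = forward.get(host, "")
        completed.append(row)
    return completed


def run_lookup(host_field, ip_field, csv_text, forward=None, reverse=None):
    """Apply resolve_rows to CSV text and return the completed CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = resolve_rows(host_field, ip_field, list(reader), forward, reverse)
    fieldnames = reader.fieldnames or [host_field, ip_field]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def main(argv=None):
    """Entry point matching `external_cmd = <script> <host_field> <ip_field>`."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write("usage: external_lookup.py <host_field> <ip_field>\n")
        return 2
    sys.stdout.write(run_lookup(argv[0], argv[1], sys.stdin.read()))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The argument names are whatever the stanza lists, so the same script serves both `external_cmd = external_lookup.py clienthost clientip` from the default transforms.conf and the `host ip` variant from the local stanza above; only the CSV header Splunk sends changes.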

  • 6 years, 9 months ago

    wrangler2x wrote a new post

    For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure out what we have and what it is used for. The search requires that there be a file c […]

  • 8 years, 4 months ago

    wrangler2x commented on the post, Potential Suspicious Activity in Windows

    In reply to: john117 wrote a new post Potential Suspicious Activity in Windows. The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). This query will show […]

    I get the following error running this search (Splunk 6.1.5):

    Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.

  • 8 years, 6 months ago

    wrangler2x commented on the post, Every index explicitly granted to a role

    In reply to: ItsJohnLocke wrote a new post Self explanatory, maps roles to indexes. Useful if you have a lot of indexes! | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields […]

    Add

    | stats values(role) by index

    at the end to get a by-index summary of roles.

  • 8 years, 10 months ago

    wrangler2x became a registered member

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk