Channel: Latest Questions on Splunk Answers

Splunk UF Error 90000 event per hour


I had to install Splunk and the UF. The Splunk indexer is on CentOS 6.4; the UF has been installed on Windows 2003.

Collection and transmission work well, as does indexing.

However, the forwarders produce this error.

Error MSG : ERROR WinRegistryApi - RegKey::open - RegOpenKeyExW returned error 2: 지정된 파일을 찾을 수 없습니다.

About 90,000 of them come out an hour.


Cisco ASA TA wrong sourcetype


I am trying to get the Cisco sourcetype for ASA data, cisco:asa, to work. I have installed the TA on the heavy forwarder, indexer and search head.

In the TA folder, I created a local dir and put the props in the local dir. I am logging to the file system using rsyslog, so I set the source to the path of the rsyslog file:

[source::/opt/logs/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

This is not working. All I get is cisco_asa as the sourcetype for all ASA traffic.

Any ideas?

Thanks

Ed

Websense app Correlate Category List


I have Websense data coming into my ES app and it reports fine, but it does not correlate the Websense-defined category number with human-readable names.

e.g. the most common category is #18... well, that's lovely, but I need to be able to read that as shopping.

I have the numbered list and how it correlates in a CSV. How do I make ES use that information? A lookup table seems like perhaps the correct route?

IIS logs and splunk license usage


Hi All,

Running Splunk 6 and using the Universal Forwarder (version 6.0.182611) to forward IIS logs to Splunk. Indexing is working correctly; however, we have had license breaches in the last 2 days since adding the IIS source, where I believe we should have had spare capacity.

Question:

The size of the log files on the server (~120MB yesterday) doesn't seem to match the indexed size even closely. Running the search for yesterday (only 1 IIS server currently, so only 1 sourcetype=iis):

sourcetype=iis | eval size=len(_raw) | stats sum(size)

This search shows it at around 700MB. Is there a trick to IIS and log usage? How would a 120MB log file consume so much more than its actual size?

This question seems similar to http://answers.splunk.com/answers/129381/iis-log-over-my-licensing, to which no one has responded.

Any tips, clues, links etc....

Brad

splunk query for chart overlay


Is there any Splunk query to combine two types of chart into one? Example:

timechart count by owner
timechart count by status

Eval Command not working in Windows Security Operations Center App (WSOC)


Hi All,

SPLUNK Version : 5.0.4

I have installed the Windows Security Operations Manager App in my Splunk box, and I have been receiving events from one of my Windows Servers. I have configured a universal forwarder for forwarding logs from the Windows Server.

Following is the search query :

windowsindexwindowssourcetype ( EventCode=528 OR EventCode=4624) Logon_Type=10 | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | timechart count by User

When I search for the following, it gives me results:

windowsindexwindowssourcetype ( EventCode=528 OR EventCode=4624) Logon_Type=10

But when I add the following eval command, it does not work:

eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))

I have the same events coming into a Splunk 6.X box; there everything works fine.

Can someone please share your thoughts on this?

Sample Device Logs:

LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=tspm-xxx-win8-3.XX.sec TaskCategory=Logon OpCode=Info RecordNumber=7732 Keywords=Audit Success Message=An account was successfully logged on.

Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: TSPM-X-WIN8-3$ Account Domain: CMS Logon ID: 0x3e7

Logon Type: 10

New Logon: Security ID: CMS\Administrator Account Name: administrator Account Domain: CMS Logon ID: 0xf404a Logon GUID: {B7FDAF51-1A1B-881C-B2C5-F243F99AE501}

Process Information: Process ID: 0xce4 Process Name: C:\Windows\System32\winlogon.exe

Network Information: Workstation Name: XXXX-XXX-XX Source Network Address: X.X.X.X Source Port: 58775

Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.
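As an added example (not code from the question or the WSOC app), the Python below reproduces what that eval does on the quoted 4624 event: the Subject and New Logon blocks each carry an Account Name, so the extracted field is multivalue and mvindex(Account_Name,1) picks the account that actually logged on, while a legacy 528 event falls back to User_Name. The 528 and network-logon events are constructed, and the host name is a placeholder.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the 4624 event quoted in the question
# (line breaks and backslashes restored; the host name is a placeholder).
EVENT_4624 = """EventCode=4624
Subject:
\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM
\tAccount Name:\t\tTSPM-X-WIN8-3$
Logon Type:\t\t\t10
New Logon:
\tSecurity ID:\t\tCMS\\Administrator
\tAccount Name:\t\tadministrator
"""
# Constructed network (type 3) logon with a single Account Name.
EVENT_NET = "EventCode=4624\nLogon Type:\t3\nNew Logon:\n\tAccount Name:\tsvc_backup\n"
# Constructed pre-Vista 528 event, which carries User Name instead of Account Name.
EVENT_528 = "EventCode=528\nLogon Type:\t10\nUser Name:\tjdoe\n"

def extract_fields(event: str) -> Dict[str, List[str]]:
    """Collect every 'Key: value' or 'Key=value' line. A key seen twice (Account Name
    under both Subject and New Logon) becomes multivalue, which mvindex() indexes."""
    fields: Dict[str, List[str]] = {}
    for line in event.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*[:=]\s*(.*?)\s*$", line)
        if not m or not m.group(2):   # section headers such as 'Subject:' carry no value
            continue
        fields.setdefault(m.group(1).replace(" ", "_"), []).append(m.group(2))
    return fields

def resolve_user(fields: Dict[str, List[str]]) -> Optional[str]:
    """Mirror of the question's eval: if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))."""
    names = fields.get("Account_Name")
    if names is None:
        user = fields.get("User_Name")
        return user[0] if user else None
    return names[1] if len(names) > 1 else None   # mvindex past the last value is null in SPL

def rdp_logon_users(events: List[str]) -> List[str]:
    """Return the logged-on user for each RemoteInteractive (Logon_Type=10) 528/4624 event."""
    users: List[str] = []
    for event in events:
        f = extract_fields(event)
        if f.get("EventCode", [""])[0] not in ("528", "4624"):
            continue
        if f.get("Logon_Type", [""])[0] != "10":
            continue
        user = resolve_user(f)
        if user:
            users.append(user)
    return users
```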

Issues with CDH5/YARN and Hunk 6.1


We are getting this error:

[psb_cloudera] IOException - Error while waiting for MapReduce job to complete, job_id=[!cloudera-node1.ngid.centurylink.net:8088/cluster/app/application_1400017911623_0008 job_1400017911623_0008], state=FAILED, reason=Application application_1400017911623_0008 failed 2 times due to AM Container for appattempt_1400017911623_0008_000002 exited with exitCode: 1 due to: Exception from container-launch: org.apache.hadoop.util.Shell$ExitCodeException:

Pig, Impala, Hive and everything else works. I can run samples fine, and other MR2 jobs work. Can someone send a sample of the provider configuration?

Thanks

plotting date versus time chart


Hi, I have a requirement to present a report that shows three jobs and what time they start every day.

Eg:

                abc           xyz           lmn
05/10/14        21:30         21:30         21:40
05/11/14        21:35         21:45         21:40
05/12/14        21:30         22:00         21:50

All three of these jobs run every day, so I want to plot the time when they started, as the time might differ for each job every day.


Display dropdown on button click


I want to show a button, and if the user clicks on it, it should show the dropdown. Is there any way to do this? I am using the Sideview Utils app.

Passing multiple values from checkbox to timechart


Hi, I am using checkboxes via Sideview Utils. I am displaying a graph using timechart. The graph has to display based on which values I select in the checkbox, so the selected values should get passed to timechart. But the values aren't getting passed, and I am unable to figure out why. Can anyone tell me what is wrong in the code below?

<module name="Search" layoutPanel="panel_row2_col1" autoRun="False">
  <param name="search">index=winserver_perf sourcetype="PerfmonMk:$sourcetype$" host="$host$" | timechart avg($counter$)</param>
  <module name="JobProgressIndicator"/>
  <module name="ValueSetter">
    <param name="arg.charting.legend.placement">right</param>
    <param name="arg.charting.chart">line</param>
    <param name="arg.charting.axisTitleX.text">Time</param>
    <param name="arg.charting.axisTitleY.text">$statistic$($counter$)</param>
    <param name="arg.charting.chartTitle">$host$ : $sourcetype$ : $statistic$($counter$)</param>
    <param name="arg.charting.chart.nullValueMode">connect</param>
    <module name="JSChart">
      <param name="height">300px</param>
      <param name="width">100%</param>
    </module>
  </module>
</module>
</module>

<module name="Search" layoutPanel="panel_row2_col2">
  <param name="search">index="winserver_perf" source=PerfmonMk:$sourcetype$ earliest=-30m latest=now | transpose | regex column="\b[A-Z][a-zA-Z_/]*|%[_A-Za-z]*" | dedup column | table column</param>

  <module name="Checkboxes" layoutPanel="panel_row2_col2">
    <param name="name">counter</param>
    <param name="valueField">column</param>
    <param name="labelField">label</param>
    <param name="separator">+OR+</param>
    <param name="template">"$value$"</param>
    <param name="outerTemplate">( $value$ )</param>

How to Create Chargeback Reports in Splunk.


Hi, can anyone help me identify the data elements that can help generate a chargeback report? Is it possible in Splunk to generate a chargeback report?

Thanks in Advance.

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'cisco:asa' and lookup table 'cisco_asa_event_codes'.


I am getting the following error. Does anyone know what the event code should look like and where it should go? The table 'cisco_asa_event_codes' points to the event_code.csv found in the TA-cisco_asa app, but if it's trying to correlate with another app's event_code.csv, I can't find it.

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'cisco:asa' and lookup table 'cisco_asa_event_codes'.

Cisco IPS Error [errno="" 8]


I have been attempting to set up the Cisco IPS app for Splunk 6. However, I am getting the following error in sdee_get.log:

INFO - Checking for exsisting SubscriptionID on host: <IPADDRESS>
INFO - No exsisting SubscriptionID for host: <IPADDRESS>
INFO - Attempting to connect to sensor: <IPADDRESS>
INFO - Successfully connected to: <IPADDRESS>
ERROR - Connecting to sensor - <IPADDRESS>: URLError: <urlopen error [Errno 8] _ssl.c:521: EOF occurred in violation of protocol>

where <IPADDRESS> is the IP address of the IPS. Does anyone have any thoughts on what the error is? Any help is greatly appreciated.

pivot | where


I want to use a 'where' clause (which allows the comparison of two fields) as a pivot constraint. My original search is

index=maillog (event=SEND OR event=RECEIVE)

which gives me all the successful mail handling events. The input source breaks out the root domain of the sender and receiver into individual fields, and I want to be able to say

| where sender_domain=receiver_domain

In a standard search, this was easy. I'd like to use this in pivot, but I can't figure out how to make the 'where' clause a child constraint of the main search, so I can say "show me the maillog of internal communications."

Help, please?

Adding perf counters for processes that are not currently running


I'm setting up my Splunk forwarder on a generalized image that will be sysprep'd. I want to include perf counters, such as .NET CLR Memory, Process, and others, that I want to be process-specific.

As it appears to me with all the process-specific counters, I can only select processes that are currently running. What I would like to do is select something like "all running processes" because in my use case, I want to see all processes that would be installed on the machines after sysprep. I'm not concerned with gathering too much info on processes I don't care about as long as I cover any and all of them. Can anyone think of a way to retrieve this or any possible workarounds?

Also, I'm finding that the .NET CLR Memory counters are only global and not process specific. Is there a way to retrieve ones that are not just global but per process?

Any help or insight is greatly appreciated.

Thanks!


Splunk 6 auto key value extraction not working?


I have recently installed Splunk 6; I'm almost certain this worked fine in Splunk 5...

I have extracted a number of fields from one index into another using the "| collect index=events" function. Now I have the fields in the new index, and the raw data contains the key values I expected, but they are not being auto-extracted by Splunk?

I have also tested this with some other data, which also doesn't extract, and turned on verbose mode.

Example data:

time="2013/06/06 15:15:15" data="test" seconddata="test2"

05/09/2013 23:45:39 +0100, info_search_time=1381837886.531, bytes=214, client_ip="192.168.0.1", company=test1, destination_ip="10.0.0.1", domain="example.com", method=GET, reason="Not Found", status=404, uri="/test-env"

Question: Is there some global setting to turn on KV extraction? Otherwise is it something I have broken?

Thanks,

Michael

How to add validation on form dashboard input textfield?


Thanks all in advance for your time. I am trying to create a field validation on my dashboard. My fieldset on the dashboard is the following:

<fieldset autoRun="true" submitButton="true" >  
<input type="text" token="startdate" searchWhenChanged="true" name="sdate" id="sdate">
  <placeholder>Last Month</placeholder>
  <default></default>
  <label>Select a Start Date:</label>
</input>
</fieldset>

And I am trying to retrieve values from my dashboard with the following JS code in the app's static directory:

// Load the Splunk JS stack and wait for the Simple XML dashboard to be ready
require(['splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!'], function(mvc) {
    var unsubmittedTokens = mvc.Components.get('default');
    var submittedTokens = mvc.Components.get('submitted');
    var urlTokens = mvc.Components.get('url');
    var startDate = mvc.Components.get('sdate');
    submittedTokens.on('change:startdate', function(){
        // When the token changes...
        if(!submittedTokens.get('startdate')) {
            alert("no token");
        } else {
            alert("got a token");
            // getElementsByName returns a NodeList, not a single element, so .value is undefined here
            var startdate = document.getElementsByName('sdate').value;
            alert(startdate);
        }
    });
});

I couldn't start my validation functions since somehow I can't get the value of the field into JS. I want my validation to run on input text fields whenever a field value changes. I get the value "undefined" with the getElementsByName function above, but I can't get what the user entered into the text field.

I would appreciate it if someone could help me with the above; moreover, if there is an easier way to validate fields on a form dashboard, you could share it as well.

I'm a new Splunker, thanks again for your time and efforts.

Bad data showing up in Enterprise Security app


Hi Folks,

I've been ingesting scan data, Nessus type, into Splunk. When I view the Vulnerability Center I see Unknown as the signature in the New Vulnerabilities table, as well as vendor_product being remote_searches.

I figure this is bad data. Where can I look to see why I am ingesting this?

Passing checkbox values to timechart


Hi, I am using the Checkboxes module with Sideview. I have to pass the values that I select in the checkbox and display a graph for them. If I select "%_Processor_Time" then I should get a graph displaying avg(%_Processor_Time). If I select two options, like %_Processor_Time and %_DPC_Time, then the graph should be displayed for both.

For now the query is getting passed like this:

search index=winserver_perf sourcetype="PerfmonMk:Processor" host="adwas1701" | timechart avg(Avg(%_Processor_Time))

If I select two options in the checkbox, then the query looks like this:

index=winserver_perf sourcetype="PerfmonMk:Processor" host="adwas1701" | timechart avg(Avg(%_Processor_Time),Avg(%_DPC_Time))

There are two avg's getting passed in the query. I don't know how to remove that.

<module name="Checkboxes" layoutPanel="panel_row2_col2">
  <param name="name">column</param>
  <param name="valueField">column</param>
  <param name="labelField">label</param>
  <param name="separator">,</param>
  <param name="template">Avg($value$)</param>
  <param name="outerTemplate">$value$</param>

  <module name="Search" layoutPanel="panel_row2_col1" autoRun="False">
    <param name="search">index=winserver_perf sourcetype="PerfmonMk:$sourcetype$" host="$host$" | timechart avg($column$)</param>
    <module name="JobProgressIndicator" />
    <module name="ValueSetter">
      <param name="arg.charting.legend.placement">right</param>
      <param name="arg.charting.chart">line</param>
      <param name="arg.charting.axisTitleX.text">Time</param>
      <param name="arg.charting.axisTitleY.text">$statistic$($column$)</param>
      <param name="arg.charting.chartTitle">$host$ : $sourcetype$ : $column$</param>
      <param name="arg.charting.chart.nullValueMode">connect</param>
      <module name="JSChart">
        <param name="height">300px</param>
        <param name="width">100%</param>
      </module>
    </module>
  </module>
</module>

Can anyone please help me find the mistake in the above code? Thanks in advance!

Cisco IPS addon, Splunk 6 and ssl errors


Have recently installed Splunk 6 Enterprise and realize that the Cisco IPS addon only states 5.0 support, not 6.0, but was hoping I could get it to pull the SDEE data from my Cisco IPS.

Running: IPS-4260-K9 Build Version: 7.0(4)E4 Current Signature version: IPS-sig-S756-req-E4.pkg

Installed version 2.0.0 of the addon and the Cisco Security Suite, and I have my ASA firewall working, providing its syslog data to the suite, but I am unable to get the IPS addon to successfully connect and pull data.

Out of the box I receive:

12/10/13 8:17:43.000 AM
Tue Dec 10 08:17:43 2013 - ERROR - Connecting to sensor - 139.67.126.218: URLError: <urlopen error [Errno 8] _ssl.c:521: EOF occurred in violation of protocol>
host = splunk.serv14.eiu.edu  source = /opt/splunk/var/log/splunk/sdee_get.log  sourcetype = sdee_connection

12/10/13 8:17:42.000 AM
Tue Dec 10 08:17:42 2013 - INFO - Successfully connected to: 139.67.126.218
host = splunk.serv14.eiu.edu  source = /opt/splunk/var/log/splunk/sdee_get.log  sourcetype = sdee_connection

12/10/13 8:17:42.000 AM
Tue Dec 10 08:17:42 2013 - INFO - Attempting to connect to sensor: 139.67.126.218
host = splunk.serv14.eiu.edu  source = /opt/splunk/var/log/splunk/sdee_get.log  sourcetype = sdee_connection

12/10/13 8:17:42.000 AM
Tue Dec 10 08:17:42 2013 - INFO - No exsisting SubscriptionID for host: 139.67.126.218
host = splunk.serv14.eiu.edu  source = /opt/splunk/var/log/splunk/sdee_get.log  sourcetype = sdee_connection

12/10/13 8:17:42.000 AM
Tue Dec 10 08:17:42 2013 - INFO - Checking for exsisting SubscriptionID on host: 139.67.126.218

I have seen a similar posting on the answers site with no real answers.

I attempted to hack my ssl.py file to change the PROTOCOL_VERSION to SSLv3 instead of the default TLSv1, and that seemed to get closer but still had SSL errors, as well as seeming to break my ability to search for Splunk apps (weird). So I backed that off and was hoping someone could give me the straight scoop on whether this is even something I should pursue, or if there is going to be some modification to the addon to work with Splunk 6?

Thanks.

Brian Murphy, Eastern Illinois University
