I worked my way around this with checkboxes and inputs stanzas.  If box one is checked, run mydef1, etc...  Was hoping there was a built-in way of doing this with the TA's Input button.  This let me have one Input with different ways of running it. stanzas = helper.input_stanzas for stanza in stanzas: if helper.get_arg('input_name1', helper.get_input_stanza_names()) == True: from modinputs.mymodule1 import mydef1 mydef1(helper,ew,ta_name,data) if helper.get_arg('input_name2', helper.get_input_stanza_names()) == True: from modinputs.mymodule2 import mydef2 mydef2(helper,ew,ta_name,data)   ... View more

It looks like the cryptography module, when installed, becomes specific to your OS's security considerations. In addition, I was unable to get OpenSSL to install on my Mac without having issues with the cryptography module's trust. This would have caused problems trying to package this up for migration to other machines, so I pivoted to using popen and the OS's version of pyOpenSSL. Here is the code from the modular input:   ta_home = os.path.dirname(os.path.dirname(__file__)) cert_crawler=ta_home+"/bin/certificate_crawler.py" python_path="/usr/bin/python3" openssl_reply = Popen([helper.get_arg('python_path'), cert_crawler]+host_args, stdin=PIPE, stdout=PIPE, stderr=PIPE) output,error = openssl_reply.communicate()    certificate_crawler.py Then accepts the arguments, passing them to a readCerts() function to perform the socket.do_handshake()   from optparse import OptionParser #Parse options passed by the calling modular input parser = OptionParser() (options, args) = parser.parse_args() host = args[0] ip = args[1] port = args[2] timeout_seconds = args[3] result = readCerts(host,ip,port,timeout_seconds)   ... View more

I have an F5 Health Monitor in place to determine when the Splunk service backed by Apache/Kerberos on a search head has dropped. This will pull those members out of the pool and prevent connections from heading that way. The changes: In F5, I created a new health monitor called Splunk_Apache_https_monitor. This monitor sends a HEAD request to the pool members to test the connection. This is the header I built for that HEAD request: HEAD / HTTP/1.1\r\nHost:myco.com\r\nUser-agent: MYCO_F5_User_Agent The HTTP 1.1 standard calls for a header that has a host and user-agent directive, but they don’t really have to mean anything in our configuration to pass the check. I made them agnostic with a host of “myco.com” and User-agent of “MYCO_F5_User_Agent” so we know where it’s coming from and can apply it to all the things. The monitor checks the response from the header request and this regex parses for any service interrupting http status codes that might arise. HTTP/1\.[01] [2-4]0[0-6] You can see these F5 requests in the /etc/httpd/logs/splunkweb-access_log. This is a health check that sees the backend of Splunk is active: 111.222.333.444 - - [18/Feb/2021:13:47:41 -0800] "HEAD / HTTP/1.1" 303 - "-" "MYCO_F5_User_Agent" This is a health check that reports Splunk is down, but Apache is running: 111.222.333.444 - - [18/Feb/2021:13:47:41 -0800] "HEAD / HTTP/1.1" 503 - "-" "MYCO_F5_User_Agent" On the Splunk side, I modified the /etc/httpd/conf.d/splunkweb.conf file’s <Location “/” > directive to bypass the kerberos request for the F5 IP addresses. See below. <Location "/"> ProxyPass https://localhost:8000/ ProxyPassReverse https://localhost:8000/ RequestHeader set Remote-User "%{REMOTE_USER}s" SSLRequireSSL AuthType Kerberos AuthName "Kerberos Login at MYCO.COM" KrbAuthRealms MYCO.COM KrbMethodK5Passwd Off Krb5Keytab "/etc/krb5.keytab" Require valid-user KrbMethodNegotiate On KrbLocalUserMapping On #removes @MYCO.COM from REMOTE_USER #Only allow users through who provide a kerberos ticket, but igore this rule for F5 IPs Deny from all Allow from 111.222.333.444 Satisfy any </Location> ... View more

Create a table for your events, with columns IP, event time and event timestamp. The timestamp will help you calculate the time period between consecutive events (tip: use "eval") Sort this table by IP and then by event time. Use "streamstats" to handle your search results in a streaming manner. Add the option current = f (false) to handle every new event individually. Compare the new event's user and timestamp with your last kept event. - If the new IP is different from the previous IP, keep the event (remember that our table is primarily sorted by IP, so we deal with all requests from each IP at a time) - If the difference between the new event's timestamp and the last kept timestamp is more than 3600 seconds, keep the event. - If the last kept IP is null, it means we are dealing with our first event, so keep the event. - Drop all other events. Perform a count over your previous search to obtain the total number of visits. tip: keeping specific events with streamstats can be done using the "where" command ... View more