Splunk Frequently Asked Questions (FAQ)

Questions

How Do I Generate Virus, Malware, and IDP events for Testing?

The signatures are tripped only when malicious events actually occur. To see those kinds of events, you will need to get a live virus and send it across the firewall.

Why Does the Summary Dashboard Take So Long to Render?

The summary dashboard runs raw (unsummarized) searches for all of its data. A future release will add summary indexing to make it faster.

Why Does the MAC Address from Template 257 Have Hyphens?

Here is a sample event:

tid=257 session_id=3322458887 src_mac=C2-EA-E4-59-98-62 dest_mac=4C-4E-35-F2-1E-00 src_ip=10.0.35.13 dest_ip=192.168.168.51 initiator_GW-IP_Addr=67.115.118.1 responder_GW-IP_Addr=10.197.6.1 src_int=1 src_port=38474 dest_port=443 init_to_resp_pkts=5 init_to_resp_octets=252 resp_to_init_pkts=0 resp_to_init_octets=0 start_time="2014-08-05 14:26:56" end_time="2014-08-05 14:27:37" tcp_flag=11 protocol=6 app_id=49177 user=6042094214588661776

As you can see, the src_mac and dest_mac values contain hyphens:

src_mac=C2-EA-E4-59-98-62 dest_mac=4C-4E-35-F2-1E-00

This works around a bug in Splunk: if the MAC values are sent in with colons, Splunk discards them. To prevent the values from being discarded, a hyphen is used as the separator instead.
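The practical consequence of the hyphenated form is that MAC addresses from template 257 will not match colon-separated MACs coming from other sources (DHCP leases, switch logs, asset inventories) unless they are normalized first. The following is an added example, not code from this FAQ or from Splunk: a small Python parser for the key=value event shown above that normalizes src_mac and dest_mac to the conventional lowercase colon-separated form. It goes slightly beyond the page's case by also accepting colon-separated, Cisco dotted (aaaa.bbbb.cccc) and bare 12-hex-digit MACs, so the same routine can be applied to events from other sources before correlation. The field names, the sample event (copied from the FAQ) and the function names are this example's own.

```python
import re
from typing import Dict

# Sample input: the template 257 event quoted in the FAQ above.
SAMPLE_EVENT = (
    'tid=257 session_id=3322458887 src_mac=C2-EA-E4-59-98-62 '
    'dest_mac=4C-4E-35-F2-1E-00 src_ip=10.0.35.13 dest_ip=192.168.168.51 '
    'initiator_GW-IP_Addr=67.115.118.1 responder_GW-IP_Addr=10.197.6.1 '
    'src_int=1 src_port=38474 dest_port=443 init_to_resp_pkts=5 '
    'init_to_resp_octets=252 resp_to_init_pkts=0 resp_to_init_octets=0 '
    'start_time="2014-08-05 14:26:56" end_time="2014-08-05 14:27:37" '
    'tcp_flag=11 protocol=6 app_id=49177 user=6042094214588661776'
)

# One key=value pair. Keys may contain '-' (e.g. initiator_GW-IP_Addr);
# values are either double-quoted (and may then contain spaces) or bare.
KV_RE = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|(\S+))')

# Accepted MAC layouts: aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff (separator must
# be consistent, enforced by the \1 backreference), aabb.ccdd.eeff, or 12 bare
# hex digits.
MAC_RE = re.compile(
    r'^(?:[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}'
    r'|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}'
    r'|[0-9A-Fa-f]{12})$'
)

# Fields that carry a MAC address in template 257 (per the sample event).
MAC_FIELDS = ("src_mac", "dest_mac")


def parse_event(line: str) -> Dict[str, str]:
    """Split a space-separated key=value event into a dict of strings."""
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_mac(value: str) -> bool:
    """True if value is a MAC address in one of the accepted layouts."""
    return MAC_RE.match(value) is not None


def normalize_mac(value: str) -> str:
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff; raise if malformed."""
    if not is_mac(value):
        raise ValueError(f"not a MAC address: {value!r}")
    digits = re.sub(r'[-:.]', '', value).lower()
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_event(line: str) -> Dict[str, str]:
    """Parse an event and rewrite its MAC fields into canonical form."""
    fields = parse_event(line)
    for key in MAC_FIELDS:
        if key in fields:
            fields[key] = normalize_mac(fields[key])
    return fields


if __name__ == "__main__":
    for key, value in normalize_event(SAMPLE_EVENT).items():
        print(f"{key}={value}")
```

If you would rather normalize at search time than in a pre-processing script, the equivalent in SPL is an eval over the field, for example `| eval src_mac=replace(src_mac, "-", ":")`; doing it at search time keeps the indexed value as the firewall sent it, which avoids the discard bug the answer describes.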