|
@@ -1,11 +1,10 @@
|
|
|
# Splunk NGA Data Pull Request Notes
|
|
|
|
|
|
-Stand up a new "search head" that just has splunk installed on it, no need to configure the splunk instance. the splunk instance will query the actual search head and pull the data out. See hurricane labs python script.
|
|
|
+Stand up a new "search head" that just has Splunk installed on it, no need to configure the Splunk instance. The Splunk instance will query the actual search head and pull the data out. See Hurricane Labs python script. [The Best Guide for Exporting Massive Amounts of Data From Splunk](https://hurricanelabs.com/splunk-tutorials/the-best-guide-for-exporting-massive-amounts-of-data-from-splunk/)
|
|
|
|
|
|
-https://hurricanelabs.com/splunk-tutorials/the-best-guide-for-exporting-massive-amounts-of-data-from-splunk/
|
|
|
-
|
|
|
-https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-1013
|
|
|
+[Jira MSOCI-1013 ticket - SPIKE: NGA CheckPoint Log Export Request](https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-1013)
|
|
|
|
|
|
+```
|
|
|
vpc-05e0cf38982e048db
|
|
|
|
|
|
subnet-0a2384bce743cf303
|
|
@@ -25,13 +24,13 @@ delete key pair when done from AWS and the bastion host! bradp
|
|
|
delete svc-searches from nga splunk SH when done
|
|
|
|
|
|
delete 1TB EBS volume when done
|
|
|
+```
|
|
|
|
|
|
|
|
|
-
|
|
|
-search "index=network sourcetype=qos_syslog CA98C333-F830-0B45-A543-4450CDFDA84A 1571414560 Accept 47048" -output rawdata -maxout 0 -max_time 0 -uri https://10.2.2.122:8089
|
|
|
-
|
|
|
+`search "index=network sourcetype=qos_syslog CA98C333-F830-0B45-A543-4450CDFDA84A 1571414560 Accept 47048" -output rawdata -maxout 0 -max_time 0 -uri https://10.2.2.122:8089`
|
|
|
|
|
|
|
|
|
+```
|
|
|
start fail
|
|
|
1019_1020export.raw
|
|
|
1018_1019 times:
|
|
@@ -82,10 +81,10 @@ i=7000
|
|
|
start time 2019-09-15T17:30:00
|
|
|
stop time 2019-09-16T12:45:00
|
|
|
|
|
|
+```
|
|
|
|
|
|
|
|
|
-
|
|
|
-
|
|
|
+```
|
|
|
#from my mac
|
|
|
aws s3 ls s3://nga-mdr-data-pull
|
|
|
aws s3 cp nga-splunk-pull.zip s3://nga-mdr-data-pull
|
|
@@ -96,4 +95,5 @@ aws --profile=mdr-prod s3 presign s3://nga-mdr-data-pull/nga-splunk-pull.zip --e
|
|
|
https://nga-mdr-data-pull.s3.amazonaws.com/nga-splunk-pull.zip?AWSAccessKeyId=ASIAW6MA4LDMBGUOE7Q6&Signature=6WZ9KdHfH4rj28Ey5hrTib8HcHM%3D&x-amz-security-token=FQoGZXIvYXdzEFIaDCbQsc24x7kkQnhLQSL%2FAV4UBSVowGvhyMyS41rQtbtnmznvrbIu5Y9CCrxJ65RP%2BMeHz7Jkwu8BFEzNeeIT5M6Dfcd1NdFkqXBjE54y6G6HujSSLPk8gp2UqGDKkqMDE3qzrXfHRKaIlMInkACQi6VPpRDjFYGnnILS8vO5gjzqr9HUAsIgfVwpEuVf%2FPBbEcuUH87kZS6FqyQHTBc%2BcPk8KetsX2IuLmpOVAysip3IGgx2duVETNqKH0uXOM%2FUBygyJ7gD3DLoQWqCHQvxG0AfO0vEkRAZxgLKSDm6E2c8d9mJ5I6yXl2xBK7ii5bKWmhWtnPGYrErVFTxhfqeI6SHwzJOsLlNdkAC6nSKRyi1wMztBQ%3D%3D&Expires=1572625186
|
|
|
|
|
|
|
|
|
-tail -1 1018_1019export.raw
|
|
|
+tail -1 1018_1019export.raw
|
|
|
+```
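Review bot: The context line at the top of this hunk keeps a complete S3 presigned URL in the committed notes, including the `AWSAccessKeyId`, the `x-amz-security-token` and the `Signature` query parameters, and the new side leaves it intact while wrapping it in a fenced block, so it remains readable in the rendered file and in git history. The `ASIA` key-id prefix and the `Expires` value indicate short-lived STS credentials, which bounds the exposure, but the token still identifies the session, role and bucket after expiry, and pasting presign output verbatim here invites the next run to be committed the same way. Replace the URL with a placeholder such as `https://nga-mdr-data-pull.s3.amazonaws.com/nga-splunk-pull.zip?<presigned-query-redacted>` and keep only the `aws --profile=mdr-prod s3 presign ...` command referenced in the hunk header. The first two hunks also carry the VPC and subnet ids and the internal `10.2.2.122:8089` management endpoint; consider whether those belong in a shared repository or should be moved to the ticket.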
|