All Posts

Hi @Nicolas2203

With the anonymized sourcetype you are overwriting the original _TCP_ROUTING with output_externalhf:

    DEST_KEY = _TCP_ROUTING
    FORMAT = output_externalhf

However, with mydevice:clone you are *not* overwriting the existing _TCP_ROUTING; instead you are also adding _SYSLOG_ROUTING, but this does not overwrite the _TCP_ROUTING. You will need to apply a transform to mydevice:clone to set _TCP_ROUTING to a blank value to prevent it using the original local_indexers output.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Ok, so if I understand, when I clone a sourcetype, it will clone its destination too? Not sure I understand. I have some other log sources that I clone and forward to a secondary Splunk with the same clone method:
- Cloning the sourcetype to sourcetype:anonymized
- In the transforms I applied on the cloned sourcetype some regex for anonymization
- And this sourcetype is routed via _TCP_ROUTING to an output that is a heavy forwarder that routes to the secondary Splunk.

For example:

transforms.conf

    [firewall_log-clone]
    CLONE_SOURCETYPE = firewall_log:clone
    REGEX = .*
    DEST_KEY = _TCP_ROUTING
    FORMAT = output_externalhf

props.conf

    [firewall_log]
    TRANSFORMS-clone = firewall_log-clone

This is working; logs are properly sent to an HF that will forward those logs to a secondary Splunk. But it's not a syslog log source, so maybe this is the difference? Thanks for the help
Hi @yuanliu, I think I was pretty clear. I need the same functionality as in Studio: "Select matched". But anyway, thank you for your efforts.
have you solved the issue?
Like I said above, there are a million ways to do this. But you have to decide the exact behavior. In the demo dashboard I posted, I used preselect. You can edit the input to select these 4 as the default selection. An alternative behavior could be a special selection that has the label "all 4" and the four values as its value. Implementation details will depend on how you use the token and so on. There are other alternatives. You need to be clear in describing how you want the UI to behave.
As @bowesmana diagnoses, default field extraction stops at 50K. You can change this in limits.conf. The stanza is [kv], property name is maxchars. I recommend that you fix another problem @livehybrid hinted at: you should extract the id field from the message field, not from _raw, i.e.,

    | rex field=message "(SENDER|RECEIVER)\[(?<id>\d+)\]"
Can you post your exact search
Note: The 10 result limit for map is a soft limit; you can go higher with the maxsearches=X setting, but again, map is rarely useful. Glad you got a working solution.
Is your data JSON? If so, Splunk will only extract the first 5K of the JSON object in an event. I'm not totally sure if it has that 5K limit for other auto KV field extraction.
You could add an untable:

    index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER"
    | timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=false
    | untable _time USER Mem_Used_GB
    | where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
    | sort Mem_Used_GB desc
    | head 20
Hi @jialiu907

Sorry, I took your original timechart field eval, which I believe may be incorrect. I do not have test data to check this, but please can you try the following in place of the previous stats block?

    | stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER
I am getting an error with the stats command after trying your query.

    Error in 'stats' command: The argument 'eval((sum(RSZ_KB)/1024/1024))' is invalid.
I do have access to it; it's under index=falcon with a sourcetype="crowdstrike:events:sensor or crowdstrike*". Just trying to find a foolproof way to view 100% of the hosts that have the agent installed, with each host's source IP. If I could get a true/false statement saying no CrowdStrike agent is installed on the list, that would be great. But sadly I'm not that versed in Splunk-fu.
I'm having issues getting this to work. I posted my search in an earlier post. I was told not to use the eval _raw line; I've tried removing it and I have used | eval msgTxt=" and it is still not working. What am I doing wrong? Please help. Thanks
Hi @Ghost

It's generally not advisable to run index=* if you can avoid it. Do you know where your CrowdStrike data is being ingested, and are you able to confirm that you have access to it?
Hi @jialiu907

After you have applied your timechart you no longer have "Mem_Used_GB", as each field/column is the name of the USER containing the value. If you used "stats" instead of "timechart" you would get the "Mem_Used_GB" column; however, you won't get the _time element in. It isn't clear what your use case is, but if you use bin and stats you might get the desired outcome?

    index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER"
    | bin span=1m _time
    | stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER
    | where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
    | sort Mem_Used_GB desc
    | head 20
Hello, I got tasked with finding all hosts that didn't have the CrowdStrike agent installed and I'm running into problems with my searches. I've used the following:

    CSFalconservice.exe | stats count by host

and

    index=* sourcetype="crowdstrike:events:sensor" | stats count by host

but it's not giving me the information per each individual host.

V/r Ghost
Seems my download is going in fits and starts. It's continuing, but not consistent.
I am looking for a range of numbers within the results of my search query, but I am getting no results back after adding in a where clause. This is my original search query:

    index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER"
    | timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=no
    | sort Mem_Used_GB desc
    | head 20

This is some of the results.

This is the new search where I am looking for a range of data between 128 and 256, and I am getting no results back, even with events matched. I have also played with the time line and the range of the where clause and still nothing.

    index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER"
    | timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=no
    | where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
    | sort Mem_Used_GB desc
    | head 20
There is, but odd it would connect and download part of the file.