If I have a lookup table that contains the following:

error,priority
Unable to find any company of ID,P2
500 Internal Server Error,P1

And result query with fields:

500 Internal Server Error: {xxx}
Unable to find any company of ID: xxx

Using the below query only brings back direct matches:

<search query> | lookup _error_message_prority error AS ErrorMessage OUTPUTNEW Priority AS Priority

Is there a way to use wildcards, 'like' or 'contains' when using lookup tables in Splunk Cloud?
Hello! According to the ITSI documentation (https://docs.splunk.com/Documentation/ITSI/4.17.1/Configure/KVPerms) there is a KV store called "maintenance_calendar" that contains maintenance window details. I need to run some searches on the schedules, but I cannot access the data in the KV store due to the error: Is it possible to achieve what I am looking to do? Thank you and best regards, Andrew
Hi @ApolloJ, first, always use the index in the main search to have faster searches. Then the uri is missing in your timechart and the approx is missing in the round option. Please try something like this:

index=your_index uri="/myappli/*"
| timechart span=10s sum(round(bytes/1024/1024,2)) AS MB BY uri

Ciao. Giuseppe
Hi @AL3Z, blacklisting is in inputs.conf. transforms.conf and props.conf is the second solution described in the above link, used to filter logs on Indexers or Heavy Forwarders (if present), when you cannot filter logs on the Universal Forwarder. It isn't your situation: you have to find the exact regex; please try with my first regex, to insert in the blacklist option of your inputs.conf. Ciao. Giuseppe
Hi @gcusello, I had gone through one of your answers in the post https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999, but in my case there is no Transforms.conf in my windows_ta app. How can we apply the same in my case and stop the logs from ingesting into Splunk? Thanks
Hi, I want to simply know bandwidth usage by url (I span on 10s for not flooding), then I divide by 10. I wrote this, it seems ok (but not sure) - is it correct?

uri="/myappli/*" | timechart sum(eval(round(bytes/1024/1024))) AS MB span=10s

Thanks
Assuming IP comes in from the lookup as a multi-value field, you could try something like this:

| inputlookup lookup_A
| eval tag="A"
| append
    [ | inputlookup lookup_B
      | eval tag="B" ]
| mvexpand IP
| stats values(tag) as tag by Hostname IP
| nomv tag
| where tag="B"
Hi Splunk community, I have an issue when installing Splunk Enterprise Security on the Deployer. I have a Splunk environment with a 3-node Search Head Cluster, a 2-node Indexer Cluster and 1 Master Node (the Master Node has the roles of Deployer and License Master), and the Splunk Enterprise version on every component is 9.1.0.2. I want to install the Splunk ES 7.2 Apps on the Search Head Cluster following the Splunk guide (https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallEnterpriseSecuritySHC). When I install the Splunk ES Apps on the Deployer, an error occurs as in this image: Please help me with the solution to this issue. Thanks for all the contributions!
Hi, thanks, we will try this. Just one thing to mention: this is happening on one install and working on another install. Both have the same Splunk version 9.0.1. Regards, Robert
Hi @AL3Z, it's a regex, whereas these are Splunk fields: try only the regex. The EventCode=4688 is inside the regex, so you don't need to repeat it. Ciao. Giuseppe
Hi @kyoshiike, first you have to identify the indexes where proxy and firewall logs are stored. Then you have to identify the key (e.g. src or src_ip) to correlate events. The transaction command is a command to use only in defined situations because it's a very slow command; it should be used only when you haven't fields to use as correlation keys and you must use startswith and/or endswith strings to correlate events. In your case, you could use stats; see my approach and adapt it to your requirement:

index=firewall OR index=proxy
| stats
    dc(dst_port) AS dst_port_count
    dc(dst) AS dst
    BY src

In this way you know if a src is calling more destinations or more ports. Anyway, the approach is to put all in the main search and use the correlation key in a stats command, identifying what to search. The options to use in the stats command are many; for this reason I hinted to follow the Splunk Search Tutorial. Ciao. Giuseppe