See if this helps.  It assumes the holidays are in a file called 'holidays.csv'.  The lookup contains (at least) two columns called "Begins" and "Ends", which are timestamps in the format mon/day/year hour:min.

index=error-logs status=401 NOT [| inputlookup holidays.csv
    ``` Build a search string to exclude dates in the lookup file ```
    | eval search="_time>=" . strptime(Begins,"%m/%d/%Y %H:%M") . " _time<=" . strptime(Ends,"%m/%d/%Y %H:%M")
    | fields search
    | format
    ``` Remove quotes from the search string ```
    | eval search=replace(search, "\\\"", "")]
| stats count

This tells Splunk to search the error-logs index for events with status 401 and timestamps (_time field) not given in holidays.csv.
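The answer above builds a NOT clause from the holiday lookup so that 401s inside any Begins/Ends window are dropped before counting. The following Python is an added illustration of that same filtering logic, not code from the answer or from Splunk: it parses a constructed holidays.csv in the mon/day/year hour:min format the answer assumes, then counts 401 events that fall outside every window (bounds inclusive, matching the _time>= and _time<= comparisons in the SPL).

```python
import csv
import io
from datetime import datetime

# Constructed lookup contents, shaped like the holidays.csv the answer assumes.
HOLIDAYS_CSV = """Begins,Ends
12/25/2023 00:00,12/26/2023 00:00
01/01/2024 00:00,01/02/2024 00:00
"""

# Same format string the SPL passes to strptime().
TIME_FMT = "%m/%d/%Y %H:%M"

# Constructed sample events: (timestamp, HTTP status). Not real log data.
EVENTS = [
    (datetime(2023, 12, 24, 23, 59), 401),   # just before the Christmas window
    (datetime(2023, 12, 25, 3, 0), 401),     # inside the Christmas window -> excluded
    (datetime(2023, 12, 25, 3, 5), 200),     # not a 401 at all
    (datetime(2023, 12, 27, 9, 0), 401),
    (datetime(2024, 1, 1, 12, 0), 401),      # inside the New Year window -> excluded
    (datetime(2024, 1, 3, 8, 0), 401),
]


def load_windows(csv_text):
    """Parse Begins/Ends columns into (start, end) datetime pairs."""
    windows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        begins = datetime.strptime(row["Begins"], TIME_FMT)
        ends = datetime.strptime(row["Ends"], TIME_FMT)
        if ends < begins:
            raise ValueError(f"window ends before it begins: {row}")
        windows.append((begins, ends))
    return windows


def in_any_window(ts, windows):
    """True when ts lies inside at least one holiday window (inclusive bounds)."""
    return any(begins <= ts <= ends for begins, ends in windows)


def count_401_outside_holidays(events, windows):
    """Equivalent of the SPL: status=401 AND NOT (inside any holiday window)."""
    return sum(
        1 for ts, status in events
        if status == 401 and not in_any_window(ts, windows)
    )


if __name__ == "__main__":
    windows = load_windows(HOLIDAYS_CSV)
    print(count_401_outside_holidays(EVENTS, windows))  # 3
```

Because the lookup is parsed with naive datetimes, the comparison is timezone-free here; in Splunk, strptime() and _time both resolve against the search-time timezone, so a lookup written in a different zone than the indexed events will shift every window by that offset.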
Hi All... Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists I have added 24 small videos on rex... Completely for Splunk newbies and beginners. Hope this helps somebody, thanks.
wow, definitely a case of "your mileage may differ"... this is just a small sample of these alerts here, and on the ones triggered by Splunk, they still seem to function OK:

ADPClientService.exe, version: 4.1.38.0, time stamp: 0x62c69205
AUEPMaster.exe, version: 1910.24.6.725, time stamp: 0x5d39726f
AdAutoUpdateSDK.dll, version: 0.0.0.0, time stamp: 0x61dc3463
AdskAccessServiceHost.exe, version: 1.27.0.4, time stamp: 0x61dc35ae
AdskUpdateCheck.exe, version: 1.27.0.4, time stamp: 0x61dc3558
CcmProfiler.dll_unloaded, version: 5.0.9106.1000, time stamp: 0x642d9f3d
FMEngine.dll, version: 19.2.2.234, time stamp: 0x60451558
KERNEL32.DLL, version: 10.0.17763.4720, time stamp: 0xa2ec4df3
KERNELBASE.dll, version: 10.0.19041.3393, time stamp: 0x6b4de7c9
OUTLOOK.EXE, version: 16.0.10402.20023, time stamp: 0x64ef06a7
smartscreenps.dll, version: 10.0.19041.3031, time stamp: 0x92650ce8
PDFMEngine.dll, version: 23.6.20320.0, time stamp: 0x64f8d26b
RPCRT4.dll, version: 10.0.17763.4644, time stamp: 0x565f63ab
RtkAudUService64.exe, version: 1.0.0.176, time stamp: 0x5c6f93ad
VCRUNTIME140.dll, version: 14.16.27033.0, time stamp: 0x5d30eadf
biwinrt.dll, version: 10.0.17763.2989, time stamp: 0x790cc0bc
splunk-winevtlog.exe, version: 2304.1280.25713.15594, time stamp: 0x64713ec1
| rex "detection_method=\"(?<detection_method>[^\"]+)\""
Yes, sure.  1) On the UF download page, you can find the curl command for downloading the UF agent. Copy that curl command and run it on your Solaris host; it will download the UF agent package.  2) After downloading the UF package, you can install it using the steps listed here: https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Solaris Let us know if you have any queries, thanks.
Hi Splunkers!    I would like to extract the detection_method value, "Access Protection", from events like this one:

file_name="HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\", detection_method="Access Protection", vendor_action="IDS_ACTION_WOULD_BLOCK",

Thanks, Manoj Kumar S
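The rex answer earlier in this feed (`detection_method=\"(?<detection_method>[^\"]+)\"`) captures everything between the quotes that follow detection_method=. The Python below is an added example, not code from either post, that applies the same pattern to a constructed copy of the event in this question and also parses every key="value" pair. The point worth seeing is that `[^"]+` does not treat backslash as an escape, which is exactly why the file_name value ending in `\SYSTEM\"` is captured intact rather than swallowing the closing quote.

```python
import re

# Constructed sample event, modelled on the one quoted in the question (not real log data).
# Raw string so the registry-path backslashes survive as written.
SAMPLE_EVENT = (
    r'file_name="HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\", '
    r'detection_method="Access Protection", vendor_action="IDS_ACTION_WOULD_BLOCK",'
)

# Same pattern the rex answer uses: quoted value after detection_method=, no quotes inside.
DETECTION_METHOD_RE = re.compile(r'detection_method="(?P<detection_method>[^"]+)"')

# Generalisation of that pattern to every key="value" pair in the event.
KV_RE = re.compile(r'(?P<key>\w+)="(?P<value>[^"]*)"')


def extract_detection_method(event):
    """Return the detection_method value, or None when the field is absent."""
    match = DETECTION_METHOD_RE.search(event)
    return match.group("detection_method") if match else None


def parse_kv(event):
    """Return all key="value" pairs as a dict; later duplicates win, as rex would."""
    return {m.group("key"): m.group("value") for m in KV_RE.finditer(event)}


def blocked_only(events):
    """Keep the events whose vendor_action is IDS_ACTION_WOULD_BLOCK (the value in the question)."""
    return [e for e in events if parse_kv(e).get("vendor_action") == "IDS_ACTION_WOULD_BLOCK"]


if __name__ == "__main__":
    print(extract_detection_method(SAMPLE_EVENT))   # Access Protection
    for key, value in parse_kv(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
```

If a vendor ever emits an escaped quote inside a value (`\"`), this character-class pattern stops early at it; in that case the rex needs an alternation such as `(?:[^"\\]|\\.)+` in place of `[^"]+`.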
Depending on your data (which it would have been useful for you to share), you might be able to count the occurrences of each entitlement for each role for last Saturday and the previous Saturday, and where the count is not 2, there has been a change.
You need to define the format or at least how to find and extract the fields you want from the events in the logs. Just giving the file extension does not define the format. Assumptions can sometimes be made about .csv file formats, for example, but lesser-known formats, not so much.
It is not possible with standard column charts. You either have stacked column or separate columns, not a mixture.
.. but that is your own post. sorry.
Thank you for your response my friend, it's useful, but I only know of the big package that's available for Solaris; that's what I need and that's what I'm using on a Red Hat, and now I want to install on a Solaris 11.4. If you know how I can download and install it via the Terminal on Solaris, I would appreciate it.
Oh! If the issue is tied to WinEventLog://ForwardedEvents maybe you'd like to also comment on the "splunk-winevtlog.exe keeps crashing" post. I also stumbled on this input stanza in my investigation, but on our estate, we're not enabling it.
Thank you for your reply 
Hi, I have a total of four fields, let's say a, b, c and d. I want to show 'a' as a separate column and 'b', 'c' and 'd' as stacked beside 'a', along with the sum of fields ('b'+'c'+'d'), so that the count of these fields appears on top of their column and we can easily compare field 'a' with the count of the rest. Note: I don't want a separate column which would give the sum of these three fields.

Steps I followed:
1. Click Visualization and select Column Chart.
2. Click Format and enable the stack mode; set "show data values" on.
3. Click Chart Overlay, click the text box and select the Total field.
4. Set "View as Axis" to off.
5. Click Apply.

After the above steps, I can see the total on the top along with the line. I don't need the line; can you please help me with this? Thanks in advance! Manoj Kumar S
Hi @DANITO115 ...on Solaris only the Universal Forwarder can be installed, and logs can be "collected" from the Solaris host.  Indexer / Search Head, HF, LM, DS, etc. cannot be installed.    The image is from https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/Systemrequirements   As you are a new member, Karma / upvotes are appreciated by everyone. If this post solves your issue, please accept it as the solution, so the question will move to the answered queue. Thanks.
Hi @gcusello ,    It works, Thanks for your response!
Sorry but this is not my case. I have no other application faulting in my Application event log, only splunk-winevtlog.exe is crashing. Moreover, if I disable the [WinEventLog://ForwardedEvents] input it stops crashing, meaning that there is something related to it (maybe the amount of events, maybe the renderXml phase, I don't know). We first set the ForwardedEvents size to 8 GB in Event Viewer; I believed this was the issue so I tried with 256 MB, but it still crashes. I also tried removing any whitelist/blacklist instruction from inputs (I read there is a known issue about that) with no luck. When the process crashes I get this in splunkd.log:

10-06-2023 11:42:39.214 +0200 WARN TcpOutputProc [6564 indexerPipe] - Pipeline data does not have indexKey. [_path] = C:\Program Files\Splunk\bin\splunk-winevtlog.exe\n[_raw] = \n[_meta] = punct::\n[_stmid] = tMwn7kh87nMs0iK\n[MetaData:Source] = source::WinEventLog\n[MetaData:Host] = host::PRD-LOGCOLL-SRV\n[MetaData:Sourcetype] = sourcetype::WinEventLog\n[_done] = _done\n[_linebreaker] = _linebreaker\n[_conf] = source::WinEventLog|host::PRD-LOGCOLL-SRV|WinEventLog|\n

I would be more than glad to confirm that it's a "non issue", but in my case events are not collected, or seem to be collected only partially with huge delays. Regards Alessandro
Help me out with ingesting the .act and .authlog file formats in Splunk.
Hi @smanojkumar, after the BY clause you should add only the fields to use for aggregation. The other fields can be added to the stats command using the values option. So if you want to aggregate only by name and you want the other fields, you could use:

| stats count AS num values(country) AS country values(state) AS state values(scope) AS scope values(event) AS event values(description) AS description BY name

As you can read at https://docs.splunk.com/Documentation/SCS/current/SearchReference/StatsCommandOverview Ciao. Giuseppe
Hello, I have an index where data is ingested once a week. The objective of ingesting this data is to identify whether there is any change to a field value from last week to the current one. I need help writing SPL that can detect the change if there is one. For more context, here's an example. The relevant fields are: Role, Entitlement.   I need to find out if there has been any change to the entitlements of a role between the data ingested this Saturday and the past one. Any help would be appreciated. Thanks
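The answer earlier in this feed suggests counting each (Role, Entitlement) pair across last Saturday and the previous Saturday and flagging any pair whose count is not 2. The Python below is an added example, not from either post, on constructed Role/Entitlement rows: `changed_pairs_by_count` implements that count trick literally, and `diff_entitlements` goes one step further by reporting, per role, which entitlements were added and which were removed, which is what an access-review or least-privilege check usually needs to know.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed weekly snapshots: (ingest_date, Role, Entitlement). Not real data.
ROWS = [
    (date(2023, 9, 30), "analyst", "read_logs"),
    (date(2023, 9, 30), "analyst", "run_search"),
    (date(2023, 9, 30), "admin", "read_logs"),
    (date(2023, 9, 30), "admin", "manage_users"),
    (date(2023, 10, 7), "analyst", "read_logs"),
    (date(2023, 10, 7), "analyst", "run_search"),
    (date(2023, 10, 7), "analyst", "delete_index"),   # new privilege this week
    (date(2023, 10, 7), "admin", "read_logs"),        # manage_users dropped this week
]


def snapshot(rows, ingest_date):
    """Map each role to the set of entitlements it held on one ingest date."""
    by_role = defaultdict(set)
    for day, role, entitlement in rows:
        if day == ingest_date:
            by_role[role].add(entitlement)
    return dict(by_role)


def diff_entitlements(rows, previous, current):
    """Per role, list entitlements added and removed between two ingest dates."""
    prev, curr = snapshot(rows, previous), snapshot(rows, current)
    changes = {}
    for role in sorted(set(prev) | set(curr)):
        added = curr.get(role, set()) - prev.get(role, set())
        removed = prev.get(role, set()) - curr.get(role, set())
        if added or removed:
            changes[role] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


def changed_pairs_by_count(rows, previous, current):
    """The 'count is not 2' approach: a pair present in both weeks counts exactly 2."""
    counts = Counter(
        (role, entitlement)
        for day, role, entitlement in rows
        if day in (previous, current)
    )
    return sorted(pair for pair, n in counts.items() if n != 2)


if __name__ == "__main__":
    last, this = date(2023, 9, 30), date(2023, 10, 7)
    for role, change in diff_entitlements(ROWS, last, this).items():
        print(role, change)
    print(changed_pairs_by_count(ROWS, last, this))
```

The count-based check is quick to express in SPL, but it has two blind spots the set-difference version avoids: a pair that appears twice in one week and never in the other still counts 2, and a role that is missing from one snapshot altogether is indistinguishable from a role that lost entitlements. Deduplicating per week first (dedup Role Entitlement within each ingest) removes the first problem.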