Goal: Being able to alert off the latest event if the event is more than 300 seconds and is not blank or "non-productive". Here is my current search and the results: Every incident is an...
See more...
Goal: Being able to alert off the latest event if the event is more than 300 seconds and is not blank or "non-productive". Here is my current search and the results: Every incident is an open or a closing of an event. If the incident is blank, that signifies a closing of the previous event. If the incident has a string, that is the current open event. In my ideal scenario, I would alert based on any incident where I have a string value within the incident field, current duration has surpassed 300 seconds, and I don't have a value in the total duration field. However, when I try to add a filter for | where total duration = "", no results are returned at all.. Which I am confused about since the latest totalduration event is blank since streamstats is false... Any help or tips greatly appreciated!
Hello Experts, We have migrated to new hardware after old data is backed up , new environment has last 2 months of data . Now we want to restore old data onto a standalone server to perform some sea...
See more...
Hello Experts, We have migrated to new hardware after old data is backed up , new environment has last 2 months of data . Now we want to restore old data onto a standalone server to perform some searches . Highlights --> old backup has primary and replication buckets as it was cluster backup. --> we are planning to setup a test machine(indexer/search head) for the above and ask storage team to mount (~450TB (primary and secondary ) buckets). Do you think it is a right approach ? is there anything that we need to consider before we ask a test machine (8GB RAM , 4 CPU) and storage team to mount 450TB(backup) to this test machine .
Hi @anooshac, the second regex is correct, as you can check at https://regex101.com/r/kpyTLl/2, in Splunk is different when you have backslashes, so you can try: | rex field=your_field "^\w*:\\\\\...
See more...
Hi @anooshac, the second regex is correct, as you can check at https://regex101.com/r/kpyTLl/2, in Splunk is different when you have backslashes, so you can try: | rex field=your_field "^\w*:\\\\\w*\\\\\w*\\\\\w*\\\\\w*\\\\(?<filename>.*)" as you can check using the following search: | makeresults
| eval my_field="C:\a\b\c\abc\xyz\abc.h"
| rex field=my_field "^\w*:\\\\\w*\\\\\w*\\\\\w*\\\\\w*\\\\(?<filename>.*)" Ciao. Giuseppe
I had this same issue after upgrading to Splunk 9.1.0.2 and found there was a missing choice value under the All Pools option inside of the view $SPLUNK_HOME$/etc/apps/splunk_monitoring_console/defau...
See more...
I had this same issue after upgrading to Splunk 9.1.0.2 and found there was a missing choice value under the All Pools option inside of the view $SPLUNK_HOME$/etc/apps/splunk_monitoring_console/default/data/ui/views/license_usage_historic.xml You will need to go in and manually update the xml at CLI or with the text editor of your choice. Adjust the choice value for the input from the blank value to the asterisk wildcard as shown below. <input type="dropdown" searchWhenChanged="true" token="pool">
<label>Pool</label>
<showClearButton>false</showClearButton>
<fieldForLabel>name</fieldForLabel>
<fieldForValue>value</fieldForValue>
<search>
<query>
| rest splunk_server=$splunk_server$ /services/licenser/pools | rename title AS pool | search [rest splunk_server=$splunk_server$ /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval name=pool | eval value="pool=\"". pool . "\"" | table name value
</query>
</search>
<choice value="*">All Pools</choice>
<default>All Pools</default>
<change>
<condition value=" ">
<set token="size_search">dmc_licensing_stack_size_srch</set>
<set token="sz_clause">stacksz</set>
</condition>
<condition value="*">
<set token="size_search">dmc_licensing_pool_size_srch</set>
<set token="sz_clause">poolsz</set>
</condition>
</change>
</input>
If HEC server is continuously sending 503 reply with "Server is busy", you can discard this reply. If HEC server is intermittently sending 503 reply with "Server is busy", then first understand fo...
See more...
If HEC server is continuously sending 503 reply with "Server is busy", you can discard this reply. If HEC server is intermittently sending 503 reply with "Server is busy", then first understand following fields. events_processed=number of events successfully inserted into pipeline queue http_input_body_size=http POST payload size sent by HEC client HEC server knows the http POST payload size, but it does not know how many events the payload has. So after inserting events_processed events into the pipeline queue, HEC server receiver thread finds that now the pipeline queue is blocked. It still has some unknown number of events un-processed. Waits for 1 sec for the queue to have space to insert next event. If still not enough space in the queue, then HEC server drops remaining events of the payload and replies 503 "Server is busy". To mitigate this problem, always ensure the parsingqueue is atleast 10 times more than the max POST payload. In server.conf [queue=parsingQueue]
maxSize = <minimum 10 x (max expected POST payload size)>
Hi @jip31, you have to set the OR condition before the subsearch, something like this: index=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] OR [ |...
See more...
Hi @jip31, you have to set the OR condition before the subsearch, something like this: index=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] OR [ | inputlookup test2.csv | eval user=Domain."\\"Sam | table user ])
| table _time user Ciao. Giuseppe
Hi @NunnuN, let me understand: do you want to take only the E_MAILs in the index that match with the lookup or what else? if you want the matching E-MAILs, you have to use a subsearch like the foll...
See more...
Hi @NunnuN, let me understand: do you want to take only the E_MAILs in the index that match with the lookup or what else? if you want the matching E-MAILs, you have to use a subsearch like the following: index="data" sourcetype="entities" [ | inputlookup 20230904_NeverLoggedIn.csv | rename E_MAIL AS EXTERNAL_EMAIL | fields EXTERNAL_EMAIL ]
| table EXTERNAL_EMAIL CATEGORY Ciao. Giuseppe
Hi @anooshac, wher there are more backslashes there is an issue, so please try: | rex field=your_field "^\w:\\\\w+\\\\w+\\\\w+\\\\w+(?<filename>.*)" ciao. Giuseppe
Hi @Dustem, the approach is the same: index=wineventlog EventCode IN (4768,4769,4770)
| stats
dc(EventCode) AS EventCode_count
values(EventCode) AS EventCode
BY user
| where EventCode_c...
See more...
Hi @Dustem, the approach is the same: index=wineventlog EventCode IN (4768,4769,4770)
| stats
dc(EventCode) AS EventCode_count
values(EventCode) AS EventCode
BY user
| where EventCode_count=1 AND EventCode=4769 in this way you have the users where there's the EventCode 4769 but not one of the others. Ciao. Giuseppe
Greetings. I am quite new to Splunk and read a lot of sources. However, I have a hard time to find my answer about the join and eval functions. I have a first search on an index. I want to filter ...
See more...
Greetings. I am quite new to Splunk and read a lot of sources. However, I have a hard time to find my answer about the join and eval functions. I have a first search on an index. I want to filter this search with values of one field in a csv I import as lookup. Example: index="data" sourcetype="entities" | table EMAIL EXTERNAL_EMAIL CATEGORY And I have the inputlookup inputlookup 20230904_NeverLoggedIn.csv How do I compare the field EXTERNAL_EMAIL from the index to the E_MAIL field in the csv file as a filter? Many thanks for the help.
