I don't have much experience with ingest actions, but my understanding is that they can indeed be applied later in the event's path - on already parsed data. Remember though that they do have limited functionality.
I just tried, but unfortunately this is not working. I'm still running into the same issue where the search is not using the JavaScript variable. In the below code, I even tried "+splQuery+" but nothing.

var splQuery = "| makeresults";
var SearchManager = require("splunkjs/mvc/searchmanager");
var mysearch = new SearchManager({
    id: "mysearch",
    autostart: "false",
    search: ""
});
mysearch.settings.set("search", splQuery);
In the end, after struggling with this for several days, I thought to myself, this is leading me nowhere. I wanted the fields to follow each other like this:

(TIME)(SUBSECOND) (HOST)

I had the idea to concentrate on adding the whitespace before HOST, and not after TIME or SUBSECOND. This approach also had its problems, because spaces at the start of the FORMAT string seem to be ignored, but here I managed to get around that: https://community.splunk.com/t5/Getting-Data-In/Force-inclusion-of-space-character-as-a-first-character-in/m-p/709157 This way I could let go of the question of adding whitespace conditionally. Though I could not solve this very problem, my overall problem is now solved.
@tscroggins Thanks for the idea. It worked, though I added my own set of modifications to it. As a final touch I would like to put the relevant part of my config here, so as to contribute it back to the community:

[md_host]
INGEST_EVAL = _raw=" _h=".host." "._raw

[md_subsecond]
SOURCE_KEY = _meta
REGEX = _subsecond=(\.\d+)
FORMAT = $1$0
DEST_KEY = _raw

[md_time]
SOURCE_KEY = _time
REGEX = (.*)
FORMAT = _ts=$1$0
DEST_KEY = _raw
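For anyone adapting this: the transforms above still have to be referenced from props.conf to take effect at index time. A minimal sketch of what that might look like, assuming a hypothetical sourcetype name my:sourcetype (the stanza name and the transform order are my assumptions, not part of the original post; since each transform prepends to _raw, the one listed last ends up at the front, so the order may need adjusting to your layout):

# props.conf -- sketch only, "my:sourcetype" is a placeholder
[my:sourcetype]
# index-time transforms are applied left to right
TRANSFORMS-prepend_metadata = md_host, md_subsecond, md_time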
Hi Team,

Version: Splunk Enterprise v9.2.1

We are trying to capture user generated data, so we have created forms with a Classic Dashboard utilising HTML, CSS and JS. Our current approach to capturing data is outputting everything to a csv file and then importing it back into Splunk. Short term and with little data this isn't a drama and we can display the data how we want to, but I can see the long-term issues (unable to update without outputting the whole file again), so we are looking for different ways to capture this. One option is KV Stores, where we can update the specific information that needs changing, but we are also looking at HEC and ingesting the data directly into Splunk.

I am not a front-end expert, so I have encountered an issue I'm not sure how to get past. We can use curl after allowing the port through our firewall and that returns success, even though Splunk does not ingest, but I want to do this directly via JS. My dashboard is built using HTML and has a <button>, and my JS has an EventListener("click", function) which works, as we have been using alerts and console.logs while fault finding. It seems to be failing at the fetch:

const data = {
    event: "myEvent",
    index: "myIndex",
    details: { myDetails }
};

fetch("https://myServer:8088/services/collection/event", {
    method: "POST",
    headers: {
        "Authorization": "Splunk myToken",
    },
    body: JSON.stringify(data)
})

But we receive the following error:

Uncaught (in promise) TypeError: Failed to fetch
    at HTMLButtonElement.submit (eval at _runscript (dashboard)), <anonymous>)

Every online search says to check the URL (which is correct) or the token (which is correct). With the curl not ingesting and the above error, would anyone have any other suggestions as to what the cause might be?

p.s. While we are still maturing with Splunk, this dashboard and the JS is being run from a Search Head.

Regards,
Ben
Hello,

I’m trying to tune the Machine Learning Toolkit in order to detect authentication abuse on a web portal (based upon Lemon LDAP-NG). My logs look like this:

(time/host/... header) client=(IP address) user=(login) sessionID=(session-id) mail=(user email address) action=(various statuses: connected / non-existent user / wrong pwd…)

I would like to train the Machine Learning Toolkit so that I can detect anomalies. Those anomalies can be:
- that client has made auth attempts for an unusual number of logins
- that client has made auth attempts for both non-existing and existing users
- …

So far it fails hard.

I’ve trained a model like this on approx. a month of data:

index="webauth" ( TERM(was) TERM(not) TERM(found) TERM(in) TERM(LDAP) ) OR TERM(connected) OR TERM(credentials) linecount=1
| rex "action=(?<act>.*)"
| eval action=case(match(act,".* connected"), "connected", match(act,".* was not found in LDAP directory.*"), "unknown", match(act, ".* credentials"), "wrongpassword")
| bin span=1h _time
| eventstats dc(user) AS dcUsers, count(user) AS countUsers BY client,_time,action
| search dcUsers>1
| stats values(dcUsers) AS DCU, values(countUsers) AS CU BY client,_time,action
| eval HourOfDay=strftime(_time,"%H")
| fit DensityFunction CU by "client,DCU" as outlier into app:TEST

Then I’ve tested the model on another time interval where I know there is a big anomaly, by replacing the fit directive with "apply (model-name) threshold=(various values)". No result.

So I guess I’m not on the right track to achieve this. Any help appreciated!
In dev and your own lab you can do almost anything you like, but in production (and also in test environments used by others) you should follow Splunk’s validated architectures: https://docs.splunk.com/Documentation/SVA/current/Architectures/About. Of course you can play with how you implement the LB etc., but I strongly recommend using an external one, as those are also HA versions.
This was an excellent explanation about raw, cooked and parsed data! One thing to add here: if a HF has applied ingest actions to the data, then the next HF/indexer can manage that data again.
Here is one .conf presentation which could help you: https://conf.splunk.com/files/2019/slides/FN1570.pdf But as @PickleRick said, there could be many reasons behind that issue.
Raised a case with Splunk; they acknowledged it and replied that they are aware of it and that it is a limitation which will be fixed in an upcoming release, since it requires code-level changes, and there is no workaround for it for now.
Ok… this question and the answers are a bit older, but maybe my post could help other Splunkers.

You need up to two kinds of services: Splunk (with Splunk Web) as an SH Cluster Member and a Load Balancer (optional). "Optional" because you can also configure it so that User A has to use SHC Node 1, User B has to use SHC Node 2, and User C has to use SHC Node 3, or keep the other nodes as a kind of hot spare.

…If you choose a Load Balancer (which makes sense outside of Dev or Test environments), it does not necessarily need to be an external one for a Search Head Cluster. A customer used a 3-node SH Cluster in production. On 2 nodes, an additional Apache instance was installed as an LB and configured for high availability (HA) by failing over the Virtual IP for the SH Cluster.

I just finished the Splunk Cluster Administration Course. There they use just 3 virtual machines for a multisite cluster and SH cluster with deployer and manager node.

Kind Regards
SierraX
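Purely as an illustration of the Apache-as-LB idea (a generic sketch with placeholder host names, not the customer's actual configuration; the cookie-based stickiness is my assumption, since a user's Splunk Web session should stay pinned to one search head):

# httpd.conf sketch -- placeholders only; needs mod_ssl, mod_headers, mod_proxy, mod_proxy_http, mod_proxy_balancer
SSLProxyEngine on

# set a routing cookie so a user's session sticks to one SHC member
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

<Proxy "balancer://shc_web">
    BalancerMember "https://sh1.example.local:8000" route=sh1
    BalancerMember "https://sh2.example.local:8000" route=sh2
    BalancerMember "https://sh3.example.local:8000" route=sh3
    ProxySet stickysession=ROUTEID
</Proxy>

ProxyPass        "/" "balancer://shc_web/"
ProxyPassReverse "/" "balancer://shc_web/"

The same configuration would sit on both LB nodes, with the Virtual IP deciding which one is active.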
Good idea, I tried it, but unfortunately it doesn't seem to work. I have this configured:

[md_host]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = \ _h=$1 $0
DEST_KEY = _raw

[md_subsecond_default]
SOURCE_KEY = _meta
REGEX = _subsecond=(\.\d+)
FORMAT = $1$0
DEST_KEY = _raw

[md_time_default]
SOURCE_KEY = _time
REGEX = (.*)
FORMAT = _ts=$1$0
DEST_KEY = _raw

And I get this:

0x0040: e073 339e e073 339e 3232 3738 205f 7473  .s3..s3.2278._ts
0x0050: 3d31 3733 3732 3739 3038 315c 205f 683d  =1737279081\._h=
0x0060: 7370 6c75 6e6b 2d68 6620 5f69 6478 3d5f  splunk-hf._idx=_

But I agree, this would have been the most elegant solution.
Well... apart from the obvious cheap shot at your "splint" (but I suppose it might have been auto-correct), there is an issue of "how would you do it better"? Remember that there are many factors at play here - amount of available space, retention time requirements, different types of storage. The current bucket management machinery does allow for quite a bit of flexibility but you can't just produce storage out of thin air.
Apart from @tscroggins's solution, you could try escaping your initial space. It should show the config parser that there is a non-space character, so your key-value pair in the config is split properly, but since the space doesn't normally need escaping, it shouldn't hurt.
OK. Let me add my three cents to what the guys already covered to some extent. There are two separate things here.

One is the "index and forward" setting. By default Splunk receives and processes data from inputs, indexes it and sends it to outputs (if any are defined). If you disable "index and forward", it will still process and send data but it will not save the events to local indexes. So you disable this setting on any Splunk component which is not supposed to store data locally (in a well-engineered environment only an all-in-one server or an indexer stores indexes; all other components should forward their data to the indexer tier). A Heavy Forwarder is just a fancy name for a Splunk Enterprise (not Universal Forwarder!) instance which does not do local indexing and doesn't have any other roles (actually, if you were to nitpick, any other component like a SH or DS could technically be called a HF as well, since it processes at least its own logs and forwards them).

Another thing is the type of data. With Splunk there are three distinct "stages" of data.

Firstly you have the raw data. That's the data you're receiving on simple TCP/UDP inputs, read from files, pull with modular inputs and so on. This is completely unprocessed data as it is returned by the source.

If raw data is processed at the UF, it's being "cooked" - the data stream is split into chunks (not single events yet!), each chunk is assigned some metadata (the default four - host, source, sourcetype, index) and that's it. This is the cooked data.

If raw data or cooked data is processed at the HF or indexer, it's getting parsed - Splunk applies all props and transforms applicable at index time (splits the stream into separate events, parses out the timestamp from events, does all the fancy index-time mangling...). After this stage you get your data as "cooked and parsed" (often called just "parsed" for short).

If the UF receives cooked or parsed data, it just forwards it. If a HF/indexer receives already parsed data it doesn't process it, just forwards/indexes it. So the data is cooked only once and parsed only once on its path to the destination index. There is one additional case - if you're using indexed extractions on a UF, it produces already cooked and parsed data.

Sending uncooked data is a very special case when you're sending data to an external non-splunk receiver. In this case you're actually "de-cooking" your data. But this is a fairly uncommon case.

So here you have it - a HF normally cooks and parses the data it receives (unless it's already parsed) and sends it to its outputs. So you don't need to do anything else by default to have your data cooked and parsed.
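To make the "index and forward" part concrete, here is a minimal outputs.conf sketch of what a heavy forwarder that only forwards might look like (the output group name and indexer addresses are placeholders, not anything from this thread):

# outputs.conf on the HF -- sketch only, group name and addresses are placeholders
[indexAndForward]
# do not keep a local copy of the events
index = false

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.local:9997, idx2.example.local:9997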
You could adjust your approach to list a time window instead of a specific number of events

<base search>
| eval match_time=if(<match_conditions>,_time,null())
| filldown match_time
| where _time-match_time<=<time_limit>
This is a problem I have been struggling with for years. I don’t understand why the Splunk platform can’t do this itself. It’s even more complicated because the TSIDX and the raw data both have compression ratios which are individual to each index, so to do this properly you not only need to know the number of days you wish to keep and the size of that data, but also the compression ratio for each of these indexes.
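As a rough sketch of the sizing arithmetic (my own starting point, not an official method): dbinspect can give you an approximate per-index on-disk/raw ratio, which you can then multiply by daily raw ingest and retention days. Note that sizeOnDiskMB covers the whole bucket, i.e. both the tsidx files and the compressed raw data.

| dbinspect index=*
| stats sum(rawSize) AS raw_bytes, sum(sizeOnDiskMB) AS disk_mb BY index
| eval compression_ratio = round((disk_mb * 1024 * 1024) / raw_bytes, 3)
| table index raw_bytes disk_mb compression_ratio

Estimated disk need per index is then roughly daily_raw × retention_days × compression_ratio, plus headroom for replication if you run an indexer cluster.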
Take a look at this example, where it sets the search property outside the initial constructor: https://dev.splunk.com/enterprise/docs/developapps/visualizedata/addsearches/searchproperties i.e.

// Update the search query
mysearch.settings.set("search", "index=_internal | head 2");
Hi @BrianLam, You can retrieve the search results using the search/v2/jobs/{search_id}/results endpoint. See https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearch_id.7D.2Fresults. The search_id value is specific to the instance of the search that generated the alert. It's a simple GET request. The default output mode is XML. If you want JSON output, pass the output_mode query parameter as part of the GET request: https://splunk:8089/services/search/v2/jobs/scheduler__user__app__xxx_at_xxx_xxx/results?output_mode=json  
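For example, a minimal curl sketch (the SID placeholders are kept from above; this assumes basic authentication with placeholder credentials, but an authentication token in an Authorization header works as well):

curl -k -u admin:changeme \
  "https://splunk:8089/services/search/v2/jobs/scheduler__user__app__xxx_at_xxx_xxx/results?output_mode=json"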
Hi @wowbaggerHU, You can use INGEST_EVAL as a workaround:

# transforms.conf
[md_host]
INGEST_EVAL = _raw:=" h=\"".host."\" "._raw