Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About jip31
jip31
Motivator
Member since:
03-22-2018
09-16-2024
Community Statistics
| Posts | 1728 |
| Solutions | 11 |
| Karma Given | 9 |
| Karma Received | 19 |
| Member Since | 03-22-2018 |
Activity Feed
- Posted help to connect splunk with servicenow on Dashboards & Visualizations. 09-13-2024 05:56 AM
- Posted Re: help on heat_map_visualization on Dashboards & Visualizations. 09-13-2024 03:49 AM
- Posted Re: help on heat_map_visualization on Dashboards & Visualizations. 09-13-2024 03:37 AM
- Posted Re: help on heat_map_visualization on Dashboards & Visualizations. 09-13-2024 02:15 AM
- Posted Re: help on heat_map_visualization on Dashboards & Visualizations. 09-13-2024 01:43 AM
- Posted Re: help on heat_map_visualization on Dashboards & Visualizations. 09-13-2024 01:41 AM
- Posted Re: help on heat_map_visualization on Dashboards & Visualizations. 09-13-2024 12:57 AM
- Posted help on heat_map_visualization on Dashboards & Visualizations. 09-12-2024 10:31 PM
- Posted How to measure applicative availability on Splunk Enterprise. 09-04-2024 08:47 AM
- Posted Re: Help to make my apps CIM compliant on Splunk Enterprise. 07-24-2024 02:11 AM
- Posted Help to make my apps CIM compliant on Splunk Enterprise. 07-23-2024 10:38 AM
- Posted Re: help to calculate _indextime on Splunk Dev. 07-17-2024 12:24 AM
- Posted Re: help to calculate _indextime on Splunk Dev. 07-16-2024 11:51 PM
- Posted help to calculate _indextime on Splunk Dev. 07-16-2024 11:16 PM
- Posted Re: help on under label token on Splunk Dev. 07-16-2024 08:40 AM
- Posted help on under label token on Splunk Dev. 07-16-2024 02:16 AM
- Posted Re: help on custom_table_icon_set_rangemap viz on Splunk Enterprise. 06-04-2024 02:41 AM
- Posted Re: help on tag on Splunk Enterprise. 02-16-2024 12:46 AM
- Posted Re: help on tag on Splunk Enterprise. 02-16-2024 12:30 AM
- Posted help on tag on Splunk Enterprise. 02-15-2024 10:19 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-11-2018
08:20 PM
HI
sorry the exact request is :
index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" | dedup host | stats count | rename count AS "Number of machines" | eventstats sum(count) as Total | eval percent=round((count/Total)*100,1) | eval host=host."(count: ".count.", percent: ".percent.")" | fields - count
... View more
04-02-2018
11:24 PM
index="wineventlog" (sourcetype="wineventlog:application" SourceName=*endpoint* SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by Type SourceName eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
... View more
04-02-2018
11:21 PM
hi
it doesnt works
this is my final code below and the error message :
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by Type SourceName eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
Error:
Error in 'stats' command: The argument 'SourceName=case(match(SourceName,^McAfee),McAfee, (Type==Avertissement AND match(sourcetype,WinEventLog:Microsoft-Windows-TaskScheduler\/Operational)),Task Scheduler Operational, (match(sourcetype,^WinEventLog:Microsoft-Windows-TaskScheduler\/Operational)),Task Scheduler Sysmon, (match(sourcetype,^WinEventLog:) AND Type==Critique), Winevents, true(),OTHERS)' is invalid
... View more
04-02-2018
10:03 AM
in fact i use this request:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by SourceName Type
i just have a problem for the sourcetype "wineventlog" because his sourcename is variable
so i would like to rename this sourcetype as "Windows Events"
i trie with rename but it dont works! syntax problem?
thanks
... View more
04-02-2018
09:53 AM
HI
i want to format my label charts but it dont works
do i have to add this code in a specific place??? beetween tags???hi
i put a css file in C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\static
and i added this code in my html file but it doesn t works
here is the css file content:
text-label{
font-size: 20px !important;
fill: black !important;
font-weight: bold!important;
}
what is the problem please???
thanks
... View more
- Tags:
- splunk-enterprise
04-02-2018
08:08 AM
thanks
BUT
what i need is static field
this my entire request :
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=) OR (sourcetype="wineventlog:" "Type=Critique" RecordNumber) | stats count by Type SourceName
for the first part of the request i want "McAfee" instead "McAfee Endpoint" for the second i want "Task Scheduler Operational" for the third "Task Scheduler Sysmon" and for the last "WinEvents"
so the idea is to rename sourcename or sourcetype or to add a new column with static fields
but i dont know how to do
could you help me please???
... View more
04-02-2018
06:11 AM
hi
i use this code on a count report
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) | stats count by Type
and i would like to add a column on the report for the 3 sourcename
for example, for index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") i would like to have a Dashboard like this :
SourceName Type Count
McAfee EndPoint Security Avertissement 225
Thanks for your help
... View more
- Tags:
- splunk-enterprise
04-01-2018
11:55 PM
Hello and thanks
i succeed to do my fits pie chart 🙂
but there is Something very stranhe
in my count report i have to 3 entrie :
RCAgentMgr 11
SMS Agent Host 288
Service de transfert intelligent en arrière-plan 1418
But in the chart i havent the entrie "RCAgentMgr" and for the entrie Service de transfert intelligent i have the same number of events!
do you have an idea please???
... View more
04-01-2018
12:41 AM
i just have to find Microsoft-Windows-WER-SystemErrorReporting and EMET events in W10
A idea???
Thanks
... View more
03-31-2018
03:48 AM
Hi
In a Dashboard i use this code for doing a data synthesis
index="wineventlog" sourcetype="wineventlog:*" "Type=Critique" OR "Type=Avertissement" | stats count by Type
i would like to do a pie chart which gives me the percentage of critique and the percentage of avertissement
could you help me please?
thanks
... View more
- Tags:
- splunk-enterprise
03-31-2018
01:09 AM
Hi
I would like To Snow What is The best Way To monitore crash application in Windows?
Registry? Eventviewer?
Thanks
... View more
- Tags:
- splunk-enterprise
03-30-2018
02:14 AM
hi
i use this code to monitore the hdd free space
index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="% Free Space" | eval Value = round(Value, 2). "%" |table _time host Value
but this code give me the free space and not the buzy space
i have 89% free so i would to have instead 11% busy
how can i do please??
... View more
- Tags:
- splunk-enterprise
03-28-2018
09:30 AM
hi
no not to ingest directly
i have to check the size file of CBS.log" in an SPL command on many machines
if i see that this file is > to 1 GO i have to receive an email
what do you thing about this code?
source="C:\Windows\Logs\CBS.log" | eval esize=len(_raw) | stats sum(esize) by sourcetype
or do i need File/Directory Information Input Add-on?
Thanks
... View more
03-28-2018
06:44 AM
Hi
I want to monitor a log file in "C:\Windows\Logs\CBS.log" in an SPL command
Is it possible with wineventlog or with anotherway please?
regards
... View more
- Tags:
- splunk-enterprise
03-26-2018
10:53 AM
oh thanks!
sorry i a m rouky and i didnt male any elearning so it s difficut for me
i have a last question
when we wrire an spl command how do we do to know the exact name of a field in the index
we are obliged to display fils like this :
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
thanks again
... View more
03-26-2018
10:29 AM
sorry i have forgotten "error"
so index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup"| "error" | table disabled time range 120 minute??
... View more
03-26-2018
10:04 AM
so index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled time range 120 minute??
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-16-2024
03:53 AM
|
Karma given to
