Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About ragedsparrow
ragedsparrow
Contributor
Member since:
10-27-2014
03-07-2023
Community Statistics
| Posts | 111 |
| Solutions | 26 |
| Karma Given | 35 |
| Karma Received | 36 |
| Member Since | 10-27-2014 |
Activity Feed
- Got Karma for Re: Splunk says bundle directory contains a large lookup file in .delta file but the .delta file does not contain a large lookup. 03-22-2023 08:23 PM
- Got Karma for Re: Which Sourcetype for NGIPS?. 04-12-2022 01:51 AM
- Posted Re: Which Sourcetype for NGIPS? on All Apps and Add-ons. 04-08-2022 02:05 PM
- Karma Re: Adding additional fields at the Universal Forwarder: Why are apps are fighting over the _meta field? for PickleRick. 04-08-2022 01:51 PM
- Posted Re: How to view host disk encryption status on Splunk Search. 04-08-2022 01:44 PM
- Posted Re: Splunk free - setting up a distributed environement (Search Head, 1 IDX, 1 UF, maybe a deployment server) on Deployment Architecture. 05-07-2021 10:19 AM
- Posted Re: Splunk free - setting up a distributed environement (Search Head, 1 IDX, 1 UF, maybe a deployment server) on Deployment Architecture. 05-07-2021 10:08 AM
- Posted Re: Drilldown options only include link to url on Dashboards & Visualizations. 05-04-2021 10:24 PM
- Karma Re: change event handler not working for token from within the same input for meleperuma. 05-04-2021 10:08 PM
- Got Karma for Re: change event handler not working for token from within the same input. 05-04-2021 10:02 PM
- Posted Re: change event handler not working for token from within the same input on Dashboards & Visualizations. 05-04-2021 09:57 PM
- Posted Re: Are there any automated scripts to back up the kvstore on each Splunk server as part of a basic back? Daily or weekl on Splunk Enterprise. 05-04-2021 09:33 PM
- Posted Re: filter on results of subsearch for the second search on Installation. 05-04-2021 09:21 PM
- Got Karma for Re: Splunk App Infrastructure end of life?. 05-04-2021 09:19 PM
- Posted Re: Splunk App Infrastructure end of life? on Splunk Enterprise. 05-04-2021 09:14 PM
- Posted change event handler not working for token from within the same input on Dashboards & Visualizations. 05-04-2021 09:11 PM
- Posted Re: getALERTS THROUGH WHATSAPP on Splunk Enterprise. 10-30-2020 02:09 PM
- Karma Re: What is the ideal DMC architecture for large environments? for richgalloway. 06-16-2020 08:29 AM
- Posted Re: What is the ideal DMC architecture for large environments? on Deployment Architecture. 06-09-2020 02:20 PM
- Posted Re: How to get data from F5 Bigip log on Getting Data In. 06-09-2020 02:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-09-2019
06:11 PM
You would extract the date from the file in a search and then set the token using the results of that search. Then reference your token in the title.
Setting a token using a search: https://answers.splunk.com/answers/442254/how-to-set-a-token-from-a-base-search-in-my-dashbo.html
Referencing a token in a title: https://answers.splunk.com/answers/639501/referencing-token-value-in-panel-title.html
... View more
04-03-2019
06:34 PM
So, the SplunkUniversalForwarder app holds the configurations that normally define default inputs and settings for a Universal Forwarder. It can be utilized like any other app, though, as you can see here. It doesn't mean that the UF was installed via an app, only that the app named SplunkUniversalForwarder is where the previous person stored their custom configurations. They may also have put their outputs.conf configuration in there as well, so to add the new indexer, you would just need to modify the outputs.conf to include it.
... View more
04-03-2019
12:14 PM
Awesome! Glad I could help!
... View more
04-03-2019
11:18 AM
Is there any way you could share the full output of the btool (with anything sensitive obfuscated)? It's not typical for Splunk to be forwarding a file input and it not show up in the btool output.
Something like the below example should work in Powershell:
./splunk btool inputs list --debug | Out-File -FilePath C:\temp\inputs.log
Usually there are 3 locations that Splunk monitors files:
$SPLUNK_HOME$/etc/system/local/inputs.conf
$SPLUNK_HOME$/etc/apps/APPNAME/default/inputs.conf
$SPLUNK_HOME$/etc/apps/APPNAME/local/inputs.conf
Depending on how well the previous admin followed best practice, they may have also modified: $SPLUNK_HOME$/etc/system/default/inputs.conf ... However, this scenario is not typical is is highly advised against. Using the btool is a way to find out, in an aggregated fashion, where the conf file is in the Splunk system that you may be looking for.
... View more
04-03-2019
10:27 AM
Try this:
./splunk btool inputs list --debug | findstr syslog
That might work a little better than Select-String
... View more
04-03-2019
09:14 AM
I think this would work:
| rex field=source "(?<logdir>\/[\W\w]+\/[\W\w]+\/)(?<date>[^\/]+)\/file_(?<filename>[^\d]+)\_(?<processid>\d+)\_(?<extension>.+)"
I tested it here:
| makeresults
| eval source="/default/folder/20190402/file_EMEA_IRE_DUB_8964_txt"
| rex field=source "(?<logdir>\/[\W\w]+\/[\W\w]+\/)(?<date>[^\/]+)\/file_(?<filename>[^\d]+)\_(?<processid>\d+)\_(?<extension>.+)"
... View more
04-03-2019
09:08 AM
The Server roles are typically central around your function as well as populating the monitoring console dashboards. Enterprise Splunk has the ability to function as any of these roles. If you take the server role off of one of the servers, that typically is only used for ensuring that the monitoring console places/removes that server from the relevant dashboard. You still have the ability to utilize all of the functions that Splunk Enterprise has to offer, you just typically don't utilize functions that you don't need for that server's role (i.e. Having search peers on indexers).
Does that clear anything up?
... View more
04-03-2019
08:10 AM
If you only want the filename, I think @FrankVI or @vnravikumar would be a good approach. If you want it all parsed out:
| rex field=source "(?<logdir>\/[\W\w]+\/[\W\w]+\/)(?<date>[^\/]+)\/file_(?<filename>[^\_]+)\_(?<processid>[^\_]+)\_(?<extension>.+)"
Here is what I used to test it:
| makeresults
| eval source = "/default/folder/20190403/file_PARADOX_7747_txt"
| rex field=source "(?<logdir>\/[\W\w]+\/[\W\w]+\/)(?<date>[^\/]+)\/file_(?<filename>[^\_]+)\_(?<processid>[^\_]+)\_(?<extension>.+)"
... View more
04-03-2019
07:15 AM
These are Splunk server roles for the Monitoring Console dashboard, so even if your server was a Staging server, it would still be a Search Head, Indexer, etc. These roles are defined so that the Monitoring Console knows that they need to be included in the proper dashboards. What you can do, in a distributed monitoring environment is set Custom Groups, where you could group it as a Staging Server, Prod SHC, Prod IDX Cluster, etc.
... View more
04-03-2019
07:07 AM
It does.
https://www.splunk.com/blog/2010/10/27/splunk-for-dst.html
... View more
04-03-2019
06:58 AM
You could do a search in Splunk to view the source of the logs. This should tell you where the log files are written.
| metadata type=sources index=<insert Index Here> | table source
You can also try this:
| tstats count where index=<insert index here> by index sourcetype source
Either of these should tell you how the data is coming in. If it is being written to a log file by your syslog server and then being picked up by a Splunk forwarder, you can use those btool commands to find out which configuration is being used to read the log files.
... View more
04-02-2019
03:44 PM
Hey @bobmc859 Bobm
$SPLUNK_HOME$ needs to be your base install path. In your case it would be:
C:\Program Files\SpunkUniversalForwarder\
Try that. If setting that doesn't work, just substitute it in the command:
C:\Program Files\SpunkUniversalForwarder\bin\splunk btool list inputs --debug
C:\Program Files\SpunkUniversalForwarder\bin\splunk btool list outputs --debug
... View more
04-02-2019
12:07 PM
Can you search the data from the 2nd indexer on the Search Head?
For the Monitoring Console, you will have to go to Settings -> General Setup and add the Indexer Server Role for the new indexer. Then it should start showing up in the dashboards.
... View more
04-02-2019
12:01 PM
1 Karma
Does something like this work?
index=abc slice_played slicer=Latency externalUserID="$ext$" assetID="806d682119ac46d18b9f4a5f3dc20b10"
| dedup time, sessionID
| stats sum(duration) as "x_seconds"
| appendcols
[ index=abc slice_played slicer=Latency externalUserID="$ext$" assetID!="806d682119ac46d18b9f4a5f3dc20b10" assetID!="5c117f3141244a3a9d6899395b5c65aa" assetID!="d4da85ca8a474316a958a1d164d51483"
| dedup time, sessionID
| stats sum(duration) as "y_seconds"]
| eval Result=(x_seconds/y_seconds)*100
| fields Result
That is how I would start.
... View more
04-02-2019
11:46 AM
I think this usually comes up in the splunkd.log:
02-15-2019 09:56:05.815 ERROR StatsProcessor - Reached limit max_mem_usage_mb (200 MB), results may be incomplete! Please increase the max_mem_usage_mb in limits.conf .
You may be able to build an alert using something like this as a base search:
index=_internal sourcetype=splunkd component=StatsProcessor log_level=ERROR max_mem_usage_mb
I haven't encountered this error, so this is just my best guess here.
... View more
04-02-2019
11:24 AM
Hey @bobmc859 !
One of the most useful tools you will have is btool. To find where a file is being monitored try using this:
$SPLUNK_HOME$/bin/splunk btool inputs list --debug
It will give you the location for your inputs locations for any file monitors you are using. You can also do this for outputs.conf:
$SPLUNK_HOME$/bin/splunk btool outputs list --debug
This is where I would start.
Here are some good links as well:
https://www.splunk.com/blog/2017/05/02/inheriting-a-splunk-enterprise-deployment.html
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations
... View more
02-27-2019
10:46 AM
1 Karma
If you aren't going to use it, you can remove eventgen.conf from the app (or rename it to something like eventgen.bak). The TA has no spec file for the eventgen.conf file and that may be what is causing this error. This error will not affect the function of the
... View more
02-26-2019
01:39 PM
1 Karma
So, one thing that you have to remember is that you need to have the data present in your output for the alert condition to pick it up. E.g. You have to have category in your final table or output.
For this, would you be able to modify your search to look like this?
sourcetype=abcd user=john ation=login
|eval Date=strftime(now(), "%m/%d/%Y")
|lookup mydates.csv Date OUTPUTNEW category
|search NOT category=holiday
|table category Date
|stats count(action)
and then your alert condition could be:
search count =0
I think the reason that you are not getting anything with your alert condition is since you are doing a stats, the category field is no longer present anymore in the final result, so I would think that you either need to make it available in your final result, or filter it out in your search.
... View more
02-14-2019
10:29 AM
I think I got what I was needing to happen here. Taking lakshman239, I took another look at the lookup and realized I wasn't able to match with wildcards on the MAC and hostname columns in the lookup. So, I modified the transforms.conf:
[dhcp_lookup]
match_type= CIDR(cidr_ip), WILDCARD(lookup_mac), WILDCARD(lookup_hostname)
After that, I reqorked the query and realized I could simplify it as well:
index=dhcp_index sourcetype="infoblox:dhcp" signature IN (DHCPACK, DHCPREQUEST)
| eval unified_mac=if(isnull(src_mac),dest_mac,src_mac)
| eval unified_ip=if(isnull(src_ip),dest,src_ip)
| eval unified_host=if(isnull(src_nt_host),if(isnull(dest_nt_host),"Unknown", dest_nt_host),src_nt_host)
| lookup dhcp_lookup cidr_ip AS unified_ip, lookup_mac AS unified_mac, lookup_hostname AS unified_host OUTPUT Notes
| where Notes!="OK" AND isnotnull(Notes)
| table _time action signature src_ip src_nt_host src_mac dest dest_nt_host dest_mac Notes
| sort -_time
This now gives me the Notes column that I was needing as well as filters down the base query results.
... View more
02-14-2019
10:24 AM
That makes sense. I had tried it in the past, but let me see what I can figure out.
... View more
02-14-2019
10:03 AM
Hey Vijeta, This does not work. I get 0 results returned.
... View more
02-14-2019
09:11 AM
1 Karma
I have a DHCP search that I filter based on a lookup:
index=DHCP_IDX sourcetype="infoblox:dhcp" signature IN (DHCPACK, DHCPREQUEST)
| eval unified_mac=if(isnull(src_mac),dest_mac,src_mac)
| eval unified_ip=if(isnull(src_ip),dest,src_ip)
| eval unified_host=if(isnull(src_nt_host),if(isnull(dest_nt_host),"Unknown", dest_nt_host),src_nt_host)
| search
[| inputlookup dhcp_lookup
| eval unified_mac=lookup_mac
| eval unified_ip=cidr_ip
| eval unified_host=lookup_hostname
| fields unified_mac, unified_ip, unified_host]
| table _time action signature src_ip src_nt_host src_mac dest dest_nt_host dest_mac
| sort -_time
Inside this lookup are 4 columns: cidr_ip, lookup_mac, lookup_hostname, and Notes
Right now, the outer search is being filtered by the first 3 fields. However, I need to find a way to add in the Notes column to the outer search for the results.
An example row for the dhcp_lookup would be:
cidr_ip | lookup_mac | lookup_hostname | Notes
0.0.0.0/0 | aa:22:33:44:11:55 | * | Bad Device by MAC
I need to be able to use Wildcards in the MAC and Hostname columns, but I need to somehow add the Notes column as a field into the outer search while still filtering using the lookup.
Any ideas?
... View more
12-17-2018
09:16 AM
We have downloaded and installed the Splunk DomainTools TA in our clustered environment. However, we are getting the following error:
[HTTP 403] Client is not authorized to perform requested action
We have the list_storage_passwords capability assigned (from here) to the groups that need to modify and manage the configurations, but we still keep getting the error.
What capabilities do we need to have assigned to those who need access to change configurations in the app? Admin can make changes, but not Power.
... View more
06-11-2018
08:25 AM
Hey @rmens,
Currently, the alert message is hard coded into the python script, so you would need to modify the python script to change the alert message:
You will want to change this specific line only in telegram.py inside the bin folder:
message = "<b>****SPLUNK ALERT MESSAGE***</b>\n<b>Splunk Search</b>: {0} \n<b>SEVERITY</b>: {1} \n<b>MESSAGE</b>: {2} \n<b>Results Link</b>: {3}".format(splunkSearch, severity, message, resultsLink)
To This:
message = "{0}".format(message)
That should only send the alert message. I have not tested this, but it should work.
I will work on making the alert more versatile as well for things like this and will hopefully have something to release in the next week or so.
... View more
03-30-2018
09:08 PM
Excellent! I had been playing around with something similar, but didn't have a way to test it. Thank you for sharing your solution!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-07-2023
02:14 PM
|
Karma from
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Karma given to
