Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About stephanefotso
stephanefotso
Motivator
Member since:
12-11-2014
4 weeks ago
Community Statistics
| Posts | 395 |
| Solutions | 56 |
| Karma Given | 0 |
| Karma Received | 148 |
| Member Since | 12-11-2014 |
Activity Feed
- Got Karma for Re: "bucket _time span=..." has no affect on search results. 09-27-2023 08:57 AM
- Got Karma for Re: Why am I getting this error? - "Error in 'outputlookup' command: The lookup table 'Permission denied for collection 'mycollection'' is invalid.". 09-21-2023 01:07 AM
- Got Karma for Re: How do I access my local Splunk enterprise instance from another local computer on my network?. 02-04-2023 10:55 PM
- Got Karma for Re: Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable. 01-19-2022 02:53 PM
- Got Karma for Re: how to sort() version values.. 12-17-2020 06:03 AM
- Posted Re: How do I access my local Splunk enterprise instance from another local computer on my network? on Security. 12-13-2020 12:42 PM
- Posted Re: how to sort() version values. on Splunk Search. 12-13-2020 11:55 AM
- Got Karma for Re: Is it possible to create an alert that depends on another alert to be triggered?. 09-18-2020 08:16 AM
- Got Karma for Re: How to combine two values from separate searches to get an average?. 06-05-2020 12:47 AM
- Got Karma for Re: Starting Splunk Enterprise. 06-05-2020 12:47 AM
- Got Karma for Re: I have created an alert and setup email for it but its not working. 06-05-2020 12:47 AM
- Got Karma for Re: No Visualisation although enough values. 06-05-2020 12:47 AM
- Got Karma for Re: Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable. 06-05-2020 12:47 AM
- Got Karma for Re: Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable. 06-05-2020 12:47 AM
- Got Karma for Re: How to display the average of the week as a straight line overlay in a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to display the average of the week as a straight line overlay in a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to display the average of the week as a straight line overlay in a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to calculate percentage and display this on a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to edit my search to output results to separate rows based on multiple values?. 06-05-2020 12:47 AM
- Got Karma for Re: how to generate error count report. 06-05-2020 12:47 AM
Topics I've Started
No posts to display.
04-15-2015
02:54 PM
5 Karma
Tere is an app wich can help you manage your alerts as you need: http://challengepost.com/software/alert-manager
Concerning my own researches here is what i was able to do.
First, notice that the _internal index let you manage your alerts. For example, you can get your alert thread_id which can be AlertNotifierWorker-0 AlertNotifierWorker-1,.......................
Each alert has a unique AlertNotifierWorker, which is increment each time the alert is triggered.
Now let suppose that you have two alerts.
Alert1 with thread_id=AlertNotifierWorker-0 and currentcount0 as the current count of alerts triggered,
Alert2 with thread_id=AlertNotifierWorker-2 and currentcount2 as the current count of alerts triggered.
suppositions:
1. We have schedulded Alert1 to triggered at 5 min window
2. We have scheduled Alert2 to triggered at 1 min window, only if Alert1 is triggered.
3. the started time is 6 am.
4. Alert1 is always triggered
Conditions:
Alert1 is triggered when the word "error" is seen for the last 5min in your events.
Alert2 if Alert1 is triggered, means, currentcount0>currentcount2.
initialisations:
if you
Algorithm
At 6H:5min am, Alert1 is triggered, AlertNotifierWorker-0 is increment, means AlertNotifierWorker-0==1
At 6H:6min am, Alert2 is triggered, because AlertNotifierWorker-0>AlertNotifierWorker-2. AlertNotifierWorker-2 is then increment, means AlertNotifierWorker-2==1.
From 6H:6min To 6H: 9min, Since AlertNotifierWorker-0==AlertNotifierWorker-2, no alert is triggered.
At 6H:10min, Alert1 is triggered, means AlertNotifierWorker-0==2
At 6H:11min am, Alert2 is triggered, because AlertNotifierWorker-0>AlertNotifierWorker-2. AlertNotifierWorker-2 is then increment, means AlertNotifierWorker-2==2.
From 6H:6min To 6H: 9min, Since AlertNotifierWorker-0==AlertNotifierWorker-2, no alert is triggered.
.........................
...............................and so on
implementation
Alert1:
search query: index=* OR index=_* "error"
Launch the search and save it as an alert, and set it as described above
Alert2:
Search qury:
index=_internal sourcetype=scheduler thread_id=AlertNotifier* NOT (alert_actions="summary_index" OR alert_actions="") thread_id="AlertNotifierWorker-0"|stats count(thread_id) as currentval|join [search index=_internal sourcetype=scheduler thread_id=AlertNotifier* NOT (alert_actions="summary_index" OR alert_actions="") thread_id="AlertNotifierWorker-2"|stats count(thread_id) as currentval2 ] |where currentval>currentval2 |stats values(currentval) values(currentval2)
Set it to triggered as said above, and let me know if any questions.
... View more
04-15-2015
02:43 PM
Thansks Markthompson. Also do not forget to take a look at the problem you asked at the address bellow.
http://answers.splunk.com/answers/227198/use-rangemap-to-change-color-of-whole-panel.html#answer-228158.
... View more
04-15-2015
06:22 AM
I'm sorry it is possible. I did it and it is working.
... View more
04-15-2015
02:13 AM
Here is my new solution also with regular expressions. Since you are using a csv file with headers, here is what you can do with i think.
sourcetype=csv index=myindex |rex "(?<fields_Name>pen)"|stats count by fields_Name
Now let suppose that you have a csv like this
state percentage
A1 10
B1 20
A3 10
A2 4
C1 1
B2 12
C2 15
Here is the search to write
source="wildcard.csv"|rex "(?<fields_Name>[^\d])"|stats sum(percentage) by fields_Name
Wich is giving the table bellow:
count
A 24
B 32
C 15
Thanks!
... View more
04-14-2015
06:46 PM
4 Karma
I propose that you use the map command.
index=a sourcetype=sta|stats count by sourcetype |map search="search index=b sourcetype=stb empID=$employeeID$"|table empAddress
Take this as a template:
index=_internal sourcetype=* user=*|stats count by user sourcetype|map search="search index=_audit user=$user$"|table action
... View more
04-14-2015
06:11 PM
First index report.csv
Second, with eng.csv follow this steps to create your lookup definition : http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchTutorial/Usefieldlookups
Third just type
source=report.csv|stats count by cat, Name
If you still have problems creating the lookup, let me know.
... View more
04-14-2015
05:51 PM
1 Karma
Hello!
First of all, i need you to follow the link bellow, to undertand how an ip address can be bigger than an other.
http://stackoverflow.com/questions/3664986/how-would-you-compare-two-ip-addresses-to-see-which-one-is-greater
Second let suppose that you want to trigger an alert when a single IP address exceeds the address for the proxy (let's say it's address is 10.1.1.50).
Third, i will use a regular expression to extract each octed of the ip address with the proxy address, before make my comparision.
Fourth, you just need to lauch the search, save it as an alert an configure it as you need. Tested, and it is working perfectly.
Here is the query:
index=websrv sourcetype=iis NOT "10.1.1.3" NOT "10.1.2.3" c_ip=*| rex "c_ip=(?<firstoct>\d+)\.(?<secondoct>\d+)\.(?<thirdoct>\d+)\.(?<fourthoct>\d+)\s" | eval exceed=if((firstoct)>10, 1,if( (firstoct==10) AND (secondoct>1) ,1,if((firstoct==10) AND (secondoct==1) AND (thirdoct>1),1,if((firstoct==10) AND (secondoct==1) AND (thirdoct==1) AND (fourthoct>1),1,0))))|where exceed==1|timechart values(exceed) by c_ip
Please let me know, if any issue
... View more
04-14-2015
04:56 PM
Where did you put your file? Make shure you have put it in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/local. And let me know again.
Thanks
... View more
04-14-2015
04:11 PM
Ubdate your props.conf like this and let me know if ok.
# props.conf
[unique_apache_custom]
REPORT-r1 = uniquel_apache_custom_fields
... View more
04-14-2015
09:50 AM
Let me know if your satisfy!!!
... View more
04-14-2015
09:27 AM
Yes of course! You can create your owne index via the settings tab through splunk web, and then choose it when indexing your data.
Or you can redirect your events into your new index with the collect command as follows:
your base search | collect index=newindzx
... View more
04-14-2015
09:01 AM
Try the collect command. something like this:
............ | collect index=newindex
For more informations, take a look here: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect
... View more
04-14-2015
08:54 AM
OK. Here you go:
your base search |rex "lable=(?<conter1>[^,]),(?<conter2>[^,]),(?<conter3>[^\s]+)"|rex "Event=(?<cont1>\d+),(?<cont2>\d+),(?<cont3>\d+)\s"|eventstats values(count1) as counter1 by conter1|eventstat values(count2) as counter2 by conter2|eventstat values(count3) as counter3 by conter3|table counter1 counter2 counter3
... View more
04-14-2015
06:13 AM
1 Karma
you don't need to test like this. My query suppose that you have a field named clientip, with IPV6 IP addresses in your events. To test with a value of clientip try this:
your base search | eval network=if(cidrmatch("2001:0000::/32","2001:0000:4136:e378:8000:63bf:3fff:fdd2"), "local", "other")
I think it will work
... View more
04-14-2015
05:57 AM
No, just to say you need to host your splunk instance before, Since you must be in the cloud to access to mail servers, which allow the email sending.
... View more
04-14-2015
05:26 AM
1 Karma
you can get raw events. Let suppose You create an alert that send an email when the word error is find for the last 1 hours and it would send an email when found.
Here is the query with the _internal index: index=_internal "error" . A search like this will provide events, that you can decide to get in your mail the same way you get it in splunk web when simply type the query, by silply include raw events when configuring your email action.
... View more
04-14-2015
04:55 AM
Yes : You can include Inline listing of results, as a table, raw events, or CSV file whent configuring your email actions.
For more informations, take a look here: http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions
... View more
04-14-2015
04:17 AM
I don't know how are your events but something like this may help. I hope
your base search |rex "lable=(?<conter1>[^,]),(?<conter2>[^,]),(?<conter3>.*+)"|rex "Event=(?<cont1>\d+),(?<cont2>\d+),(?<cont3>\d+)\s"|eventstats count(count1) as counter1 by conter1|eventstat count(count2) as counter2 by conter2|eventstat count(count3) as counter3 by conter3|table counter1 counter2 counter3
... View more
04-14-2015
02:03 AM
2 Karma
Hello! I Firs i suggest that you follow this doc: https://blog.icann.org/wp-content/uploads/2010/07/ipv6-address-types.pdf
Then, for example to use the cidrmatch() for 2001:0000:4136:e378:8000:63bf:3fff:fdd2 address, you can just do something like this:
........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")
which compare the IP addresses in the clientip field to a subnet range, and give the value local to the network if the value of clientip falls in the subnet range, Otherwise, network=other.
... View more
04-13-2015
11:58 PM
Is your splunk instance is installed in the cloud? or locally?
If locally, check the external exchange server that you use to send emails.
... View more
04-13-2015
05:36 PM
I propose that you simply use the map command: Try something like this:
index=search1 | stats count by address1 name station| map search="search index=search2 address2=$address1$ "
... View more
04-13-2015
05:22 PM
Why don't you try the map command?
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Map
... View more
04-13-2015
12:47 AM
Are you shure it is working? Replace the = < by <=, and let me know if this ok.
... View more
04-12-2015
02:41 PM
It depend on you. Here are some examples you can use!
srcMac=* time=*|stats first(time) by srcMac|head X
or
srcMac=* time=*|stats first(time) by srcMac |where like(srcMac, "f0:a2:%:82:b0:c%")
or
srcMac="*25:82*" time=*|stats first(time) by srcMac
........................................
... View more
04-11-2015
03:17 PM
Hello!
Since you need events , not a statistic table, i 'm going to propose a regular expression instead of the fieldsummary command wich is very interesting..
I don't know how are your events, but i think this will help :
sourcetype=csv index=myindex |rex "\s(?P<fields_Name>[^=]+)=pen"
How does it work?
The rex command will match all pen values of field1_name field2_name field3_name field4_name .... ..... .........................fieldn_name and will create a new field called fields_Name which values are only fields having pen as a value.
So you will have only events with pen as the value of , field1_name field2_name field3_name field4_name .... ..... .........................fieldn_name
If you have indexed the tutorialdata.zip,Take this as a template and see how it works:
source="tutorialdata.zip:*"|rex "\s(?P<field_Name>[^=]+)=7026"|stats count by field_Name
... View more
