Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About christianubeda
christianubeda
Path Finder
Member since:
07-24-2018
04-29-2021
Community Statistics
| Posts | 79 |
| Solutions | 0 |
| Karma Given | 20 |
| Karma Received | 4 |
| Member Since | 07-24-2018 |
Activity Feed
- Got Karma for How to compare the value of a field (search) with the value of a csv field when you have to adapt a field first. 11-26-2020 03:03 PM
- Posted How to compare the value of a field (search) with the value of a csv field when you have to adapt a field first on Splunk Search. 11-26-2020 02:15 PM
- Karma Re: Shuold I upgrade my universal forwarders when after I upgrade my HF? for gcusello. 06-05-2020 12:51 AM
- Karma Re: Splunk upgrade 6.5.2 to 7.3.4 for gcusello. 06-05-2020 12:51 AM
- Got Karma for Splunk upgrade 6.5.2 to 7.3.4. 06-05-2020 12:51 AM
- Karma Re: How do you install a search head? for dkeck. 06-05-2020 12:50 AM
- Karma Re: Eventtype 'wineventlog_security' does not exist or is disabled. for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: Can I ignore some words form a field? for mayurr98. 06-05-2020 12:50 AM
- Karma Re: How to build a dynamic dashboard for ad events? for woodcock. 06-05-2020 12:50 AM
- Karma Re: What I have to write in/opt/splunk/etc/system/local/server.conf? Indexer server + SH standalone for mayurr98. 06-05-2020 12:50 AM
- Karma Re: Could you give me step-by-step instructions on how to have an indexer and a search head? for kmorris_splunk. 06-05-2020 12:50 AM
- Karma Re: How many resources would I need to receive 150 GB per day? for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: How many resources would I need to receive 150 GB per day? for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: How many resources would I need to receive 150 GB per day? for mdessus_splunk. 06-05-2020 12:50 AM
- Karma Re: How do you delete old data from an index? for ManchitMalik. 06-05-2020 12:50 AM
- Karma Re: How do you delete old data from an index? for Vijeta. 06-05-2020 12:50 AM
- Karma Re: How do you delete old data from an index? for woodcock. 06-05-2020 12:50 AM
- Karma Re: How do you delete old data from an index? for ChrisG. 06-05-2020 12:50 AM
- Karma Re: How can I make my data go from warm to cold after 3 months? for snigdhasaxena. 06-05-2020 12:50 AM
- Got Karma for Re: How many resources would I need to receive 150 GB per day?. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
05-27-2019
09:38 AM
It would be possible to detect an increase in volume per server.
This is my current search that looks global but would need one per server without having to create 100 search one by src_Ip = ...
index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=allowed earliest=-1w
| timechart count span=1d perc95(avg)
| where strftime(_time, "%A") == strftime(now(),"%A")
| timewrap w
| rename "* ago" as * | eval avg=Total/3.0 | rename latest_week as Today 1week_before as Lastday _time as Date | eval ChangePercent = (Today - Lastday) / 100 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date) | where ChangePercent > 0.20
Thank you!
... View more
- Tags:
- splunk-enterprise
05-27-2019
09:30 AM
Hi team!
I need to detect a volume of daily traffic. I would like to be able to compare it with the same day of the week before.
If I exceed 20% that creates an alert.
This is my actual search but it is not working.
index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown src_ip=10.0.11.23 earliest=-4w | eval gb=bytes/1024/1024/1024
| timechart sum(gb) span=1h
| where strftime(_time, "%A") == strftime(now(),"%A")
| timewrap w
| rename "* ago" as * | addtotals "2w" "3w" "4w" | eval avg=Total/3.0 | rename latest_week as Today 1week_before as Lastday _time as Date | eval ChangePercent = (Today - Lastday) / 100 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date) | where ChangePercent > 0.2
Thank you!
... View more
05-12-2019
04:27 PM
Hi team!
I want to compare last week with avg last three months.
This is my code right now. I need some help pls.
sourcetype="sophos*" * severity=high earliest=-90d@d
| timechart span=1month count
| timewrap month series=short
| eval mean=(s1+s2)/2
| where s0 < mean | table s0 mean | rename s0 AS "Last Week" mean AS "Avg last 3 months"
Cuold you give me some advice pls?
Thank you a lot.
... View more
05-09-2019
03:43 PM
Hi team!
I dont get events from Sophos Central.
What can I check first?
Thank you
... View more
- Tags:
- splunk-enterprise
05-08-2019
09:30 AM
Hi koshyk,
I installed the app Windows Addon in the DHCP server, then I copy this in te inputs.conf
###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = main
But still it doesn't work.
I recibe event from CPU, network, windows events but no from dhcp.
... View more
05-08-2019
06:34 AM
1 Karma
Thank you! It works
... View more
05-08-2019
04:43 AM
Hi team!
I have this warning in every single dashboard.
It happends to you?
... View more
- Tags:
- splunk-enterprise
05-08-2019
04:07 AM
Hi team!
I want to detect Duplication detection of IPs detected by DHCP server.
I have no Idea what to check...
Have this
Windows EventID code = 13. Possible indication of IP Spoofing
Do You have done something similar?
... View more
- Tags:
- splunk-enterprise
05-08-2019
03:15 AM
Hi team!
I have this error:
But the Indexter is here. What appends?
... View more
- Tags:
- splunk-enterprise
05-07-2019
01:01 PM
First of all thank you for your response koshyk.
It did´t work. I always obtain the same number. I want to compare today events agaitns average last week events. If today event are >20 last week avg event I have to now.
_time WeeklyAverage_4weeks_before WeeklyAverage_3weeks_before WeeklyAverage_2weeks_before WeeklyAverage_1week_before WeeklyAverage_latest_week
2019-05-01 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-02 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-03 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-04 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-05 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-06 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-07 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
... View more
05-07-2019
08:33 AM
Hi team!
I want to create an alert. I will compare today events vs lastweek avg events. If today is > 20%avgweek I will recibe an alert
This is my search right now but I can not obtain weekly average for every week.
index=* EventCode=5140 eventtype=wineventlog_security | timechart span=1d count as A | eventstats avg(A) as WeeklyAverage
Any suggestion?
... View more
- Tags:
- splunk-enterprise
05-07-2019
03:20 AM
Hi team!
I need to do that:
Eventcode = 4624 and 4634 with Logon Type = 10. An event will be generated if an access volume above normal is detected. Deviation of 20% vs weekly average.
This is my search right now;
index=* index=* (EventCode=4624 OR EventCode=4634) eventtype=wineventlog_security
| stats values(host), values(EventCodeDescription), values(Changes), values(Account_Domain), values(action) by _time
| rename values(host) as Host, values(EventCodeDescription) as Description, values(Changes) as Changes, values(Account_Domain) as "Account Domain", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
But I dont know how to detected a Deviation of 20% vs weekly average. I mean, how can I do that?
Thank you a lot.
... View more
- Tags:
- splunk-enterprise
04-24-2019
09:48 AM
Hi team
With my admin user I can see all app logos.
I just create a new user. With read only role. He have apps but he cannot see logo apps.
I dont know why
Its about role problems?
Thank you!
... View more
- Tags:
- splunk-enterprise
03-27-2019
01:16 AM
Hi team!
I need to get information from some Windows DCs.
How can I install and configure the universal forwarder? There is some guide, I have not found too much information.
For DCs to send information to my collector, do I have to open a port?
Once the information in the collector how I send it to the indexer. Is there any configuration guide?
Thank you!
... View more
- Tags:
- splunk-enterprise
03-26-2019
03:11 AM
Hi team!
I installed my splunk in default path /opt/splunk...
But I only have 20 GB in / and 500GB free space in /home
What shuold I do? I can not give more space to /
Shuold I move my indexers to /home?
Help please...
Thank you!
... View more
- Tags:
- splunk-enterprise
03-05-2019
02:53 AM
Hi team!
What ports do I need to open and in what direction, I do not know if I leave any.
Is there any communications table?
Thank you a lot.
... View more
- Tags:
- splunk-enterprise
02-07-2019
09:09 AM
Hi Vijeta,
I only have matches if the IP from my csv is in the first 10000 lines. Actually I have 9000000 lines in my csv. So It didn`t work.
If I do that |inputlookup append=t ipsmalware2.csv I see al files. The problem is when I try to match them...
... View more
02-07-2019
08:56 AM
Hi,
Yes, I have 9000000 unique IP.
... View more
02-07-2019
08:32 AM
This is the query
index=cesa_paloalto sourcetype="pan:traffic" type=TRAFFIC vendor_action=allow | join src_ip [| inputlookup append=t ipsmalware2.csv | eval src_ip=Ip]
| stats values(src_ip)
I introduced 5 IP's in my csv
Line 1 OK
Line 9999 OK
Line 10004 Fail
Line 12000 FAIL
Line 222333(last one) FAIL
... View more
02-07-2019
07:33 AM
Hi team!
I have a problem.
I want to match two fields. The first one is an src_ip from an indexer(traffic events) the second one is an IP from a CSV.
My CSV has 9.000.000 lines and inputlookup only can read the first 10.000 lines...
how can I do it??
... View more
- Tags:
- csv
- splunk-enterprise
02-06-2019
08:14 AM
Hi sir!
It didn't work...
I introduced 5 IP's in my csv
Line 1 OK
Line 9999 OK
Line 10004 Fail
Line 12000 FAIL
Line 222333(last one) FAIL
It only read first 10000 lines I think...
I need a csv with 9 millions lines... what can I do now?
... View more
02-04-2019
03:13 AM
Hi team!
I import a CSV file via lookup and use this search.
index=cesa_paloalto sourcetype="pan:traffic" type=TRAFFIC vendor_action=allow | join src_ip [| inputlookup append=t ipsmalware2.csv | eval src_ip=Ip]
| stats values(src_ip)
It should match IPs, but if I write an IP in the end of the file, it never matches!
The file is 25MB and 222916 lines
Splunk has a limit? It can't read all lines, I think.
What should I do?
Thank you!
... View more
01-23-2019
08:07 AM
I actually installed my 10Gb licese in the indexer...
What can I do now?
... View more
01-23-2019
07:59 AM
It's okey.
Actually them connected!
... View more
01-23-2019
02:11 AM
Hi Sir!
I actually conected them but I have this error. In the SH
Waiting for requisite number of peers to join the cluster. - https://x.x.x.x:8089. Cluster has only 0 peers (waiting for 1 peers to join the cluster).
In the Indexer this one.
Waiting for requisite number of peers to join the cluster. - https://127.0.0.1:8089. Cluster has only 0 peers (waiting for 1 peers to join the cluster).
What can I do?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-29-2021
12:29 PM
|
