Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About soumyasaha25
soumyasaha25
Contributor
Member since:
09-16-2015
12-14-2022
Community Statistics
| Posts | 104 |
| Solutions | 5 |
| Karma Given | 0 |
| Karma Received | 14 |
| Member Since | 09-16-2015 |
Activity Feed
- Posted What is the capability needed to view Adaptive responses section in incident review page on ES? on Splunk Enterprise Security. 12-14-2022 03:00 AM
- Posted Re: large number of inputs maxing out HF on Knowledge Management. 07-01-2022 01:21 AM
- Posted How to stop large number of inputs maxing out HF? on Knowledge Management. 07-01-2022 12:46 AM
- Tagged How to stop large number of inputs maxing out HF? on Knowledge Management. 07-01-2022 12:46 AM
- Got Karma for Re: Phantom App for Splunk not respecting Global field mappings. 06-27-2022 09:44 AM
- Posted Re: Phantom App for Splunk not respecting Global field mappings on Splunk SOAR. 06-27-2022 01:47 AM
- Posted Phantom App for Splunk not respecting Global field mappings on Splunk SOAR. 02-03-2022 06:40 AM
- Posted delete top notable event from the "Top Notable Events" panel in ES Security Posture page on Splunk Enterprise Security. 11-29-2021 02:55 AM
- Posted Re: Search Scheduler Searches Skipped on Splunk Search. 11-11-2021 07:41 AM
- Posted Re: Splunk search query on Splunk Search. 11-11-2021 07:30 AM
- Got Karma for Re: Search Scheduler Searches Skipped. 11-10-2021 08:17 AM
- Posted Re: Search Scheduler Searches Skipped on Splunk Search. 11-10-2021 08:11 AM
- Posted Re: Table colouring by overall range on Dashboards & Visualizations. 11-10-2021 07:31 AM
- Posted Migrate ES correlation rules to a custom app on Splunk Enterprise Security. 09-15-2021 03:10 AM
- Posted REST API Modular Input add on stopped reading data on Getting Data In. 05-19-2021 12:58 AM
- Posted heavy forwarder of higher version than indexers on Splunk Enterprise. 03-18-2021 08:41 AM
- Got Karma for Re: No message was deserialized prior to calling the DispatchChannelSink. Parameter name: requestMsg. 01-08-2021 04:47 AM
- Posted Re: Splunk Indexers sending too much of data to search heads on Splunk Enterprise. 11-12-2020 12:31 AM
- Posted Splunk Indexers sending too much of data to search heads on Splunk Enterprise. 11-03-2020 04:34 AM
- Got Karma for Re: Email alert changes. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-01-2019
03:22 AM
the easiest way to achieve this without any major changes is to click on the "list" dropdown and change it to "raw" .
JSON data
Changed to Raw event data
... View more
01-15-2019
02:29 AM
to answer your questions:
1. do you meant I should copy "$Splunk_Home\etc\system*default*props.conf" file to "$Splunk
_Home\etc\system*local*props.conf" ? and modify the parameter "truncate = 0".
Ans: yes, you can do it
2. Does this method will influence "Search" App? - yes, the \etc\system\local directory takes precedence over \etc\system\default , check thispage for more information on splunk directories and their precedence
3. And how to create an empty APP in Splunk ? - look here
... View more
12-18-2018
04:13 AM
is there any particular reason why you want to merge 3 lines of raw data into 1 rather than breaking them into 3 separate events, as you get a significant boost to processing speed when you use LINE_BREAKER to delimit multi-line events as opposed to using SHOULD_LINEMERGE to reassemble individual lines into multi-line events.
... View more
12-17-2018
05:52 AM
actually, i am looking for a password reset of my splunk.com account. (when i try to login to www.splunk.com) from the login section.
... View more
12-17-2018
03:42 AM
how can i reset splunk.com login password, the email id in the account has a typo, so the reset password option is not working. i only remember my username.
... View more
10-18-2018
02:06 AM
yes you can use the outputlookup command for it. see more details about it here
... View more
10-09-2018
06:09 AM
index=opennms sourcetype=event | stats values(eval(strftime(_time,"%Y-%m-%dT%H:%M:%S"))) as time_new list(nodeid) as hostname count by eventuei
Note: The assumption here is that you have the hostnames in the field "nodeid"
index=opennms sourcetype=event | stats values(nodeid) as hostname count by eventuei | fields - eventuei
after running this search go to the visualization tab and select chart type as "clolumn chart" and then save it as a dashboard
index=opennms sourcetype=event | timechart span=1h distinct_count(nodeid) as hostcount - for "total no. of hosts in my company" save it as a dashboard panel
i will look into it again when i have some more time, meanwhile can you check if the above searches work/meet your requirements.
... View more
08-22-2018
07:24 AM
Thanks a lot for your response.
... View more
08-22-2018
02:12 AM
when i ran the commands as suggested by you, i got the below results, i was of the view that
2.6G ./apps
2.6G .
328K ./system
56K ./users
48K ./kvstore_s_SA-
is it safe to blacklist the apps directory entirely, we have a huge dependency on the TA and app for AWS. on further troubleshooting i found that the lookup aws_description.csv is taking up close to 2.3 GB. is it safe to blacklist the aws_description.csv lookup, since we would require aws description data for alerts and reports.
In case i need to blacklist, will the below setting work
[replicationBlacklist]
<name for lookup directories> = (.../lookups/...)
<name for bin and jardirectories> = (.../(bin|jars)/...)
... View more
08-21-2018
08:51 AM
currently half of my searchheads are shutdown (auto shutdown due to issues within Splunk) and the remaining are not able to query the indexers
The problem is caused by a large knowledge bundle.
when i checked the .bundle files on the SHs, it is a huge (~340 MB) file with what looks like a huge python code.
i have maxBundleSize set to 2048(which is the default)
i have a blacklist in distsearch.conf which is as below:
[replicationSettings]
maxBundleSize = 2048
[replicationBlacklist]
<name for bin directories> = (.../bin/*)
<name for InstallDirectories> = (.../install/*)
<name for AppServerDirectories> = (.../appserver/*)
<name for allAppUIDirectories> = (.../default/data/ui/*)
<name for allOldDefaultDirectories> = (.../default.old.*)
My questions is: is there any way to check what files/apps are included in this bundle that is causing issues and if those items are required or can be excluded.
... View more
08-09-2018
04:21 AM
can you post some sample events that you are getting, please mask any confidential data also the fields that you want to extract from the sample events.
also, you can consider installing Splunk App for Windows Infrastructure, that has inbuild parsing rules to extract these information.
... View more
08-09-2018
04:06 AM
1 Karma
refer this blog post
... View more
08-06-2018
01:58 AM
oh. yes..figured it out. this had completely slipped my mind. Thanks
... View more
08-05-2018
12:36 PM
Is there a way to check the field extraction regexes for a particular sourcetype (say a sourcetype from the TA for AWS - aws:cloudwatchlogs:vpcflow?
I have reasons to believe that a few of the extractions are not working properly and extracting junk/irrelevant data. Is there a way to modify the extractions for the sourcetype of the add on?
I really would prefer not to create a new sourcetype with custom extractions as much as possible.
... View more
08-02-2018
09:21 AM
try this
your search | rex field=_raw ".*?\<Header\sname\=\"\$(?P<header_name>.*?)\"\>\s+\<Value\>(?P<value>.*?)\<\/Value\>"
... View more
08-02-2018
08:16 AM
can you try defining it in props and transforms
props.conf
[yourSourceType]
NO_BINARY_CHECK = 1
TIME_FORMAT = %a %b %d %H:%M:%S %T %Y
pulldown_type = 1
REPORT-xmlkv = xmlkv-alternative
transforms.conf
[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2
... View more
08-01-2018
09:18 AM
1 Karma
are you sure splunk is not reindexing the log files, also is are these log files rotated into a zip file in the same directory.
... View more
07-16-2018
02:34 AM
yes, as @PowerPacker pointed out below, you can run a scheduled search and set "run script" in alert actions to delete the index.
... View more
07-12-2018
04:16 AM
Do you want the data to be deleted permanently from the index (disk) or just want it to be unsearchable while still retaining the data on the indexes (disks).
... View more
07-06-2018
03:37 AM
Hi, your requirement seems quite similar to one that i had last year.
My solution then was to save the list of error strings in a lookup file, then run the below query on it
index = abc sourcetype="xyz"
| rename _raw as rawText
| eval match_string=[|inputlookup search_string.csv |stats values(search_string) as query | eval query=mvjoin(query,",") | fields query | format "" "" "" "" "" ""]
| eval match_string=split(match_string,",")
| mvexpand match_string
| where like(rawText,"%"+match_string+"%")
| stats values(host) AS HostName count by match_string
mind you its a very heavy search query, but works fine with small data volumes. here the lookup file is saved as search_string.csv which has only one column named as "search_string".
Do let me know if this works for you. if so dont forget to hit the accept button.
... View more
06-19-2018
08:25 AM
can you post the query that you are running in Splunk (if required please mask sensitive data).
... View more
06-19-2018
07:40 AM
yes, sorry. we had disabled it later. can you try to put the stanza with disabled = 0
... View more
06-19-2018
06:38 AM
1 Karma
try this
<your base search> | rex field=_raw ".*\]\s*(?<some_field>[^\n\r]+)"
... View more
06-19-2018
03:05 AM
can you check if you have the input OperatingSystem enabled in your inputs.conf
sample stanza below
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows
i had a similar issue long time back enabling this input resolved it. Hope it works for you as well
... View more
06-19-2018
01:25 AM
Splunk suggests THP to be turned off, but certain applications , that are running on the servers on which the forwarders are installed, have an underlying dependency on THP. so do verify it before disabling it.
can you check which files are consuming the most of the disk space and post it here.
Also, are you getting a consistent high disk space utilization on the server, or it is just an occasional spike.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-14-2022
03:06 AM
|
