Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About hartfoml
hartfoml
Motivator
Member since:
10-05-2010
06-05-2020
Community Statistics
| Posts | 584 |
| Solutions | 20 |
| Karma Given | 37 |
| Karma Received | 122 |
| Member Since | 10-05-2010 |
Activity Feed
- Got Karma for Re: Multiple Where Claus in the same search. 01-14-2022 04:00 PM
- Karma Re: How to search and filter emails of the same subject where "Support@email.com" is the sender? for lguinn2. 06-05-2020 12:48 AM
- Karma Re: Who to split up $SPLUNK_DB and colddb for lycollicott. 06-05-2020 12:48 AM
- Karma Re: create summary index in transforms.conf for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Can I manualy create "_telemetry" index on older version indexer. 06-05-2020 12:48 AM
- Got Karma for Re: Can I manualy create "_telemetry" index on older version indexer. 06-05-2020 12:48 AM
- Got Karma for Re: How to get Linux OS logs off a Splunk server, where Splunk is started as a non root account, to index in an indexer cluster?. 06-05-2020 12:48 AM
- Got Karma for What permissions can I give a role that will allow users to share searches and dashboards?. 06-05-2020 12:48 AM
- Got Karma for how to convert dbquery search to dbxquery search. 06-05-2020 12:48 AM
- Got Karma for how to convert dbquery search to dbxquery search. 06-05-2020 12:48 AM
- Got Karma for Re: How to allow users to share their dashboard?. 06-05-2020 12:48 AM
- Got Karma for Why is Splunk Web limited to 50 users when using Scripted Authentication Input for RSA & TFTI?. 06-05-2020 12:48 AM
- Karma Re: How to convert a timestamp field to epoch format? for vasanthmss. 06-05-2020 12:47 AM
- Karma Re: How to write a search and set up an alert using the metadata command to find hosts that are not reporting in? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Why am I seeing repeated LMDirective warnings in the splunkd.log and how to troubleshoot this? for aaronkorn. 06-05-2020 12:47 AM
- Karma Re: Can VMware and DataOntap share the same DCN for Masa. 06-05-2020 12:47 AM
- Got Karma for Firewall indexing latency: How to track when syslog is read by file monitor when the log is seen in search GUI?. 06-05-2020 12:47 AM
- Got Karma for Re: Firewall indexing latency: How to track when syslog is read by file monitor when the log is seen in search GUI?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 1: How to enrich the dbquery output to show the database name that systems come from?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 1: How to enrich the dbquery output to show the database name that systems come from?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
01-26-2012
10:25 AM
I have an event field called `LastBootUpTime=20120119121719.125000-360'
I am trying to convert this to a more readable format by using this convert command
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(LastBootUpTime) AS BootTime
this is not working. What am I missing??
... View more
- Tags:
- convert
- timeformat
01-20-2012
12:08 PM
1 Karma
Used the SoS app
This app will show you
S.o.S - Splunk on Splunk > Metrics > Incoming Network Throughput
this shows the network data comeing into splunk on what ports
After checking with my lunix admin and looking in SoS I confrunted the firewall guy and they did not make the change requiered.
... View more
01-20-2012
12:02 PM
4 Karma
here is the short answer
Splunk> Manager » Apps » windows » Permissions
select "all apps" at the lower left corner of the GUI
MODERATOR EDIT: this issue is fixed in version 4.5.1 of the app, available now on Splunkbase.
... View more
01-20-2012
12:00 PM
1 Karma
Here is the long answer from support
it seems that the default.meta for the Windows app includes an entry for [props] being exported system wide. In other words the props configurations which refer to the lookup tables are made Global, thus reference-able by all apps, however the lookups are not.
The solution would be to either
make the Windows app Global under App permissions OR make all the lookup table files Global under Manager/Lookups OR edit local.meta under etc/apps/windows/metadata and enter:
[props]
export = none
... View more
01-20-2012
11:59 AM
here is the short answer
Splunk> Manager » Apps » windows » Permissions
select "all apps" at the lower left corner of the GUI
... View more
01-20-2012
11:55 AM
Thanks I really appreciate the help
Now I need to read up on how to implement forms
I got you code. I'll let you know if I can figure out how to implement it.
Mike H.
... View more
01-20-2012
07:40 AM
I am monitoring the CPU use of the Splunk UF using WMI on my windows systems
I have this search;
source="WMI:LocalProcesses" Name=splunkd host="SYS20"| bucket _time span=1h | stats avg(PercentProcessorTime) AS "Average % CPU" by _time
this lets me see the Splunk UF CPU use over time for "sys20"
I can make this a dashboard without a problem.
My question is how do I make a dashboard with a pull-down list of "system names" and "Search time" so that I can make the dashboard available for system owners so they can see how much of the CPU resource Splunk is using on there system.
I have been using Splunk for 1 1/2 years and am at version 4.3 but I am not a developer.
Any help would be great.
... View more
- Tags:
- dashboards
01-18-2012
02:43 PM
5 Karma
The lookup table 'wmi_version_range_lookup' does not exist. It is referenced by configuration 'WMI:Version'
The lookup table 'windows_vendor_info_lookup' does not exist. It is referenced by configuration 'source::*:System'
Any ideas what this means
... View more
01-18-2012
12:15 PM
I asked my Firewall admin to change the port for syslog to the Splunk indexer.
He changed it from 514 to 1514.
He said he made the change but I am not seeing the incoming log data.
I'm sure the indexer host firewall port is open.
Where would I go to see what data is coming in on what port?
Does splunk tag the data with the indexer connection information?
... View more
- Tags:
- syslog
01-12-2012
02:18 PM
This is the real answer. thanks this fixed the issue. you are a regex guru. thanks again
... View more
01-11-2012
02:58 PM
OK I think I understand well not relay
So if I want to use case to get a variable named siteName and I have three possible sites identified by three possible IP’s I would normally use this
'| eval siteName = case (Destination_IP == "199.47.”, dropbox.com, Destination_IP == “85.17.30.", megadownload.net, Destination_IP == "195.122.131.*", rapidshare.com)'
But this isn’t working and the multiple matches are not working. Do you have any other suggestions for CASE
... View more
01-11-2012
01:13 PM
Opps the match doesn't seem to work in case
'| eval siteName = case(match(Destination_IP, "^199.47..$"), "dropbox.com",match(Destination_IP, "^85.17.30.$"), "megadownload.net",match(Destination_IP, "^195.122.131.*$"), "rapidshare.com")'
... View more
01-11-2012
11:42 AM
Here is what I am using:
| eval siteName = case (Destination_IP == "199.47.*", dropbox.com)
I have tried everything and it is not working. Do you think it is because of the numbers "199.47.*"?
... View more
01-04-2012
09:04 AM
I am doing a monitor file input of a nessas scan data files.
Splunk reads the files in as one event per line.
The report on each system scaned is between the following to tags in the data file
<ReportHost name="xxx.xxx.xxx.xxx">
</ReportHost>
there can be as many as 3 or 4 hundred lines between these tags
I have two questions
1) What is the best way to put the data into splunk so that all the "ReportHost" info is together for searching reporting on each system?
2) how do I get the multi event information already in the splunk index together into one event for each ReportHost so that I can use the existing data to develop reports?
... View more
- Tags:
- nessus
12-27-2011
08:13 AM
1 Karma
I am using this search to get license use over 30 days
index="summary_indexers" | timechart partial=f span=1d sum(kb) as KB | eval gb=round(KB/1048576,1) | convert timeformat="%A - %m/%d" ctime(_time) AS DATE | table DATE gb
This gives ma b bar chart with one bar per day.
I would like to put a RED SLA line at the license limit so that the managers can clearly see where the License SLA will be violated and how close we are to that line.
... View more
12-21-2011
10:51 AM
I am using this rex command
| rex max_match=100 "(?i)<severity>(?P<Severity>[^<]+)"
When I add this to the props.conf like this
EXTRACT-Severity = max_match=100 (?i)<severity>(?P<Severity>[^<]+)
I get no return at all
If I use this in the props.conf
EXTRACT-Severity = (?i)<severity>(?P<Severity>[^<]+)
I only get the first return in the event not all the other possible returns in the event
Can anyone help with this rex conversion to props.conf
... View more
- Tags:
- rex
12-20-2011
10:15 AM
I have a dashboard with multiple graphs based on the WMI info from one system. I am putting the WMI info in a selected index and only the systems that I am monitoring with the specific WMI counters are in that index.
I would like to change all the searches in search graphs in the dashboard by selecting a host name from a pull down list.
I am on version 4.2.5 do I need to have a developer do this or do I have to wait till 4.3 comes out to get this kind of dashboard functions as a beginner.
... View more
- Tags:
- dashboards
12-15-2011
08:15 AM
Great this is exactly what I needed. If it's not too much trouble can you post the unzip code you used. Thanks ever so much. I am using Founstone too and want to get the scan data directly without the operator having to uncompress the reports.
... View more
12-14-2011
09:43 AM
As you can see by the sample
shows up three times in the same event
... View more
