Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About sc0tt
sc0tt
Builder
Member since:
12-17-2012
06-05-2020
Community Statistics
| Posts | 166 |
| Solutions | 8 |
| Karma Given | 42 |
| Karma Received | 33 |
| Member Since | 12-17-2012 |
Activity Feed
- Karma Re: Is it possible to use a DB lookup in DB Connect 2 like in version 1? for jcoates. 06-05-2020 12:49 AM
- Karma Re: API key required for Google Maps Add-on for pjpmccarthy. 06-05-2020 12:48 AM
- Karma Re: API key required for Google Maps Add-on for ragedsparrow. 06-05-2020 12:48 AM
- Got Karma for API key required for Google Maps Add-on. 06-05-2020 12:48 AM
- Got Karma for DB Connect v2 lookup ORA-00933: SQL command not properly ended. 06-05-2020 12:48 AM
- Got Karma for DB Connect v2 lookup ORA-00933: SQL command not properly ended. 06-05-2020 12:48 AM
- Karma Re: How to determine why Splunk 6.2.1 shut down unexpectedly? for thomrs. 06-05-2020 12:47 AM
- Karma Re: How to extract date from a field name in a csv file? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Is it possible to lock a Splunk user account on failed logins? for m4him7. 06-05-2020 12:47 AM
- Karma Re: Is there a best practice for counting distinct values over periods of time? for sideview. 06-05-2020 12:47 AM
- Karma Re: Is it possible to schedule a PDF delivery for forms in Splunk 6.2? for grundsch. 06-05-2020 12:47 AM
- Karma Re: Is it possible to schedule a PDF delivery for forms in Splunk 6.2? for grundsch. 06-05-2020 12:47 AM
- Karma Re: How to extract filename form Source field for gyarici. 06-05-2020 12:47 AM
- Got Karma for Is there a best practice for counting distinct values over periods of time?. 06-05-2020 12:47 AM
- Got Karma for Re: How to quit summary backfill script?. 06-05-2020 12:47 AM
- Got Karma for Re: Why Splunk for Excel Export does not export and show full list of logs in Excel sheet?. 06-05-2020 12:47 AM
- Got Karma for Is there any benefit of creating accelerated reports on top of other accelerated reports?. 06-05-2020 12:47 AM
- Got Karma for Using the REST API Modular Input to get weather data. 06-05-2020 12:47 AM
- Got Karma for Is it possible to schedule a PDF delivery for forms in Splunk 6.2?. 06-05-2020 12:47 AM
- Got Karma for Is it possible to schedule a PDF delivery for forms in Splunk 6.2?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
06-09-2015
01:13 AM
I created a user role that restricts search capabilities to certain sources, but there are fields I would like to hide from the user and exclude the _raw data. Is there a way to do this?
Edit: I've expanded this question and I may have found a partial solution, but I'm unable to restrict a user from searching data that I don't want them to.
Example event:
source=my_source user_id=123456 user_secret=99999999 login_status=successful
I restricted the search terms of the user role to source="my_source" user_id=123* . In addition, I created calculated fields for user_secret and _raw and set the eval expression to null() . This restricts the user to see only events in my_source where the user_id starts with 123 and hides the fields user_secret and _raw , but it doesn't prevent the user from being able search data that they are not privy to.
For example, this search
source=my_source 99999999 | table user_id login_status user_secret _raw
will return
user_id login_status user_secret _raw
123456 successful (null) (null)
Even though I've restricted the search and hide fields, a user would still be able to deduce that the secret for user 123456 is 99999999.
Am I missing something? Is there a way to limit which data/fields a user can search? Another possible solution is to create a separate index but that doesn't seem very efficient to me since data would be duplicated.
This is somewhat related to a separate question I asked Can users be restricted to only search data models?. I think this may be a viable solution as well.
... View more
06-03-2015
12:44 AM
2 Karma
As @davebrooking mentioned, streamstats should be able to do this your search | sort -field | streamstats count
... View more
06-02-2015
11:36 AM
This looks great! Definitely going to be trying this out. Marking this as the accepted answer since it seems to be the only possible way to accomplish this.
... View more
06-02-2015
06:16 AM
I'd like to give certain user roles the ability to search data models. However, I don't want them to be able to view the data in search. Is this possible?
... View more
06-01-2015
03:04 AM
Thanks. I lost track of this question but the need continues to arise. It would be great if you could send me a copy of your script.
... View more
06-01-2015
02:45 AM
Thanks, we don't have LDAP set up but it seems it may be the only way to accomplish this.
... View more
05-31-2015
01:51 AM
Is it possible to lock a Splunk user account if there are multiple failed login attempts? I've created an alert for such events, but was wondering if there was a way to lock an account as well.
... View more
04-12-2015
02:12 AM
Thanks for the detailed response. In the end, I've gone with the second search for now. This creates about 10% of the raw events. It's still more data than I would like to have, but I think it's sufficient for now. Maybe I'll set a short retention policy on this index to prevent it from increasing in size too much.
... View more
04-08-2015
07:14 AM
In an environment that provides reporting across many different time zones, should summary searches run under a user set to the default system time, GMT time, or doesn't it matter since Splunk will adjust the time based on the user's time zone?
... View more
04-05-2015
11:36 AM
1 Karma
I would like to count unique users by day, week, and month. I'm not really sure what's the preferred Splunk method to do this. I've been experimenting with different searches and summary indexes/accelerated reports. I'm struggling with determining the most efficient solution.
I believe populating a summary index with a daily search such as
search | sistats dc(user_id) BY field1, field2, field3
will work. However, my concern is that since there are many unique users the index can become quite large. Changing the search to something like
search | stats count BY user_id, field1, field2, field3
is another option but this would create many events which I don't think would be any more efficient than just searching the source events.
Are there any recommended solutions for counting distinct users over periods of time?
... View more
04-04-2015
08:07 AM
1 Karma
I ended up using pkill fill_summary_index and deleting the lock file in $SPLUNK_HOME/etc/apps/myapp/log/ . Things seem to be back to normal now.
... View more
04-04-2015
04:31 AM
I was running a backfill script and it seems to have got hung up. How can I quit the script?
Will pkill -f fill_summary_index work?
... View more
04-02-2015
02:55 PM
Thanks for the info. It seems that accelerated reports are the preferred method for summaries, but for similar searches maybe it's more efficient to use summary indexes.
... View more
I'm wondering if there is any benefit of creating accelerated reports on top of other accelerated reports?
For example:
Accelerated report 1
search | bin _time span=5m | stats c as count_5m by _time interesting_fields
Accelerated report 2
search | bin _time span=5m | stats c as count_5m by _time interesting_fields | bin _time span=1h | stats sum(count_5m) as count_1h by _time interesting_fields
Accelerated report 3
search | bin _time span=5m | stats c as count_5m by _time interesting_fields | bin _time span=1h | stats sum(count_5m) as count_1h by _time interesting_fields | bin _time span=1d | stats sum(count_1h) as count_1d by _time interesting_fields
The idea being that search #1 may be good for searches that are within the last day, search #2 being used for searches that are within the last 30 days, and search #3 being used for all time. Since they all use the same base summary, is there any benefit of doing something like this or would it be better to create 3 distinct searches so that 3 separate summaries are created (5m, 1h, 1d)?
... View more
- Tags:
- acceleration
- report
03-25-2015
07:09 AM
3 Karma
Is it possible to schedule a pdf delivery for forms in Splunk 6.2? If not, is there a way to create a variable that can be used throughout the dashboard so that the pdf delivery is possible?
... View more
03-08-2015
04:14 AM
I agree that having a date field with date value would be ideal, but this is how the file is currently provided. After further investigation, it seems that Splunk was moved to a new directory on the server because of space constraints and the path was set to the old directory. Thanks for your help anyways!
... View more
03-08-2015
03:38 AM
I have a lookup file that is recreated daily and the last field is the current date.
item id 2015-03-08
item1 1
item2 2
item3 3
When doing a lookup the date field name does not match the current date value in the csv. It is an older date.
Example :
| inputlookup my_lookup
item id 2015-02-28
item1 1
item2 2
item3 3
Previously, I would get whatever date field was in the csv. When I check the lookup definitions the supported fields are listed as item, id, 2015-02-28 . How can I have Splunk return the current date field name in the csv and not the old field name?
... View more
02-02-2015
07:12 AM
Thanks for all the suggestions. It seems that it may be a memory usage related to the fact that Splunk 6.2.1 ignores user time zone setting for cron scheduled searches and runs cron scheduled searches in relation to system time instead. We have many saved searches scheduled across multiple time zones but now they are all running at the same EST time which is using more resources.
... View more
02-01-2015
01:48 AM
Splunk (6.2.1) unexpectedly shut down and needed to be restarted. There were no issues with the server so the issue seems to be specific to Splunk. Is there a way to determine the root cause? Any specific log entries that should be checked?
... View more
01-26-2015
12:36 AM
Is there any update on this? We've just upgraded to version Splunk 6.2 and all of our jobs are executing off schedule.
... View more
09-16-2014
03:12 AM
1 Karma
As @martin_mueller mentioned, older Excel versions have a limit of ~65,000 rows; Excel 2007+ has a row limit of ~1,000,000.
... View more
07-28-2014
04:50 AM
Brilliant! Just what I needed.
... View more
07-28-2014
04:43 AM
It is the column header. For example:
Id, Status for 2014-28-07
01, active
02, inactive
... View more
07-28-2014
04:31 AM
1 Karma
I'm struggling with extracting a date value from a field name in a csv file. I have a field named "Status for 2014-28-07". I want to extract the date portion of the field name in order to determine if the file was generated for the current date. I know that having a separate date field would simplify things, but this is how the file is generated.
What's the best way to do this?
... View more
07-13-2014
02:46 AM
Thanks for the info. I'll look into those options.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
