About stwong

stwong · ‎05-21-2019

Hi, we've a simple web application in PHP that queries user's status from different sources (e.g. LDAP, Oracle DB, etc.). Possible to search Splunk by passing arguments like username, time selector, etc. to a predefined report, and gives result in html ? Sorry for the newbie question. Thanks. /stwong

stwong · ‎12-20-2018

Thanks. Found that it's done by a transform in the CIM add-on $SPLUNKE_HOME/etc/apps/Splunk_SA_CIM/default/props.conf. Thanks a lot.

stwong · ‎12-20-2018

Thanks and agree. But when expanding the event fields on web interfrace, we can see that the "action" attribute is set to "success", not "login attempt".

stwong · ‎12-20-2018

Hi, thanks for your help. I'm just interest to know which configuration makes Splunk changed value of "action" into something different to that stated in the events...

stwong · ‎12-20-2018

Hi, We're looking for web GUI log in attempts from index=_audit. Note that for event like following: Audit: [timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a] the "action" field is set to "success" instead of "login attempt". Was it set somewhere? Sorry for the newbie question. Thanks a lot. Regards EDIT: removed the ip address

stwong · ‎11-05-2018

thanks a lot.

stwong · ‎11-04-2018

Hi all, We have a simple dashboard containing 3 panels with some charts and tables. When we use the PDF schedule, the labels in the x-axis of the charts are overlapped. We tried to change the paper size to A3 and the paper layout to Landscape, but it didn't help — the chart doesn't aware of change its paper size/orientation. We're using Splunk v7.0. Would anyone please help? Thanks and rgds /st wong

stwong · ‎06-22-2018

Noted and thanks. Will try it out.

stwong · ‎06-21-2018

It should be on heavy forwarder or indexer Got it. Will this overrides host part for all data with sourcetype=syslog? Chances are we hope to use host_segments for syslog data on some UF, while keep using host in log content for some other UF. Sorry to bother again. Thanks a lot.

stwong · ‎06-21-2018

stupid me. sorry for the newbie mistake... Just put following in props.conf but seems no effect. [source::/ssd///cyrus.log] TRANSFORMS = TRANSFORMS-host = splunk btools props list shows the setting is correct. Would you help? Thanks again.

stwong · ‎06-21-2018

tried but seems not working - still gets hostname from log content. My inputs.conf looks like following: [monitor:///ssd///cyrus.log] ignoreOlderThan=1d disabled = false TRANSFORMS = TRANSFORMS-host = host_segment = 3 index = test sourcetype = cyrus Did I miss anything? Thanks and rgds

stwong · ‎06-21-2018

Got it. Thanks a lot.

stwong · ‎06-20-2018

Hi all, Seems we have to override the sourcetype to sourcetype other than 'recognized' ones (e.g. syslog) in order to make host_segment work. e.g. [monitor:///ssd/*/*/cyrus.log] disabled = false host_segment = 3 index = test sourcetype = cyrus However, for some cases, we hope to make use of sourcetype from Splunk (e.g. syslog) but use host_segment instead of host parsed in the log content for that particular sourcetype. Possible to do that at inputs.conf without touching other config files like props.conf or transform.conf? Sorry for the newbie question. Thanks and regards

stwong · ‎05-08-2018

Hi, we want to block malicious IP address in firewall as alert action. We run python script to block such IP address through REST api. It seems okay. However, we're requested to unblock such blocked IP address automatically after blocking for 15 minutes. Is it possible to do so through Splunk? Besides, shall we use webhook instead of running external scripts ? We're using Splunk 7.0. Thanks a lot. Regards, /ST Wong

stwong · ‎03-28-2018

Hi, it works perfectly. Thanks a lot.

stwong · ‎03-27-2018

Thanks, but can appendcols do something like following? ..| stats values(field3) as field3, values(field4) as field4, values(field5) as field5 by "either field1 or field2" ? and also hope to avoid subsearches. Thanks and rgds

stwong · ‎03-27-2018

Hi, I got data that have some fields missing in some events, e.g. field1 field2 field3 field4 field5 A val1 B val2 A B val3 C val5 D val4 C D val6 and want to group by either field1 or field2 to make output like this: field1 field2 field3 field4 field5 A B val2 val1 val3 C D val4 val5 val6 I tried to avoid join, subsearch, or transaction. Is it possible? Sorry for newbie question. Thanks and rgds /st wong

stwong · ‎02-20-2018

Hi, thanks for your help. The first part of the output table (start, end connId, clientIP) gives 9 lines from Search 1. The second part of the output table (start1, end1, Acct_Session_Id, NAS_IP_Address, User_Name) returns identical rows, i.e. the same set of values repeated 9 times. I wonder if the usetime option works for transactions in the 2 searches. I tried using map and seems it works as expected. Thanks again. Rgds

stwong · ‎02-14-2018

Hi all, We're trying to combine 2 searches: Search 1: application transaction log ...| transaction connId | eval start=_time | eval end=_time+duration | table start, end, connId, clientIP Search 2: VPN log ...| transaction Acct_Session_Id | eval start1=_time | eval end1=_time+duration | table start1, end1, Acct_Session_Id, NAS_IP_Address, UserName We hope to combine the search by: start<=start1 end>=end1 clientIP=NAS_IP_Address Giving a table of: start, end, connid, start1, end1, clientIP, start1, end1, Acct_Session_id, NAS_IP_Address, UserName Tried with left join like "search1 | eval NAS_IP_Address = clientIP | join type=left usetime=true earlier=false NAS_IP_Address [search 2]" but failed. Would anyone please advise? Thanks and rgds. /ST Wong

stwong · ‎10-20-2017

Hi Giuseppe, Thanks. Will try it out. /STwong

stwong · ‎10-20-2017

Thanks, We've to use indexAndForward=true for forwarding to third party, correct? Thanks again.

stwong · ‎10-20-2017

Thanks, but we hope to forward to-be-fronzen data to external server (e.g. a syslog server) for archiving.

stwong · ‎10-17-2017

Hi all, Our Splunk server is getting data through several channels, e.g. universal forwarders, TCP input (e.g. OPSEC LEA of Checkpoint data), SNMP, DB connection, etc.). We hope to make a copy of these data (either raw or indexed) to external server (e.g. syslog) for long term archiving. We're looking for any recommended solution. Would anyone please help? Thanks a lot. Rgds

stwong · ‎09-30-2017

Hi, we added timepicker to a simple dashboard consists of base search as following, but it's not working. Using full search in panels the timepicker works properly. Would anyone please help? We're using 6.5.4. Thanks a lot. <form> <label>Dashboard 1</label> <search id="baseSearch"> <query>sourcetype=syslog </query> <earliest>$time_tok1.earliest$</earliest> <latest>$time_tok1.latest$</latest> </search> <fieldset submitButton="false"> <input type="time" token="time_tok1" searchWhenChanged="true"> <label></label> <default> <earliest>-1mon@mon</earliest> <latest>@mon</latest> </default> </input> </fieldset> <search base="baseSearch"> <query> stats count by Type </query> <earliest>$time_tok1.earliest$</earliest> <latest>$time_tok1.latest$</latest> </search>

stwong · ‎09-29-2017

Thanks for all your replies. We're doing query to correlate some windows event, and keep all fields in all 3 related events. some of the fields in different events have the same field name. event a: field1 -> find event b field2 -> find event c field3 field 20... event b: field 1 field 10 field 11 field 20 event c: field 2 field 15 field 16 field 20 Seems using join repeatedly + rename works. Thanks again. /st

Posts	139
Solutions	0
Karma Given	28
Karma Received	8
Member Since	‎05-02-2012

Online Status	Offline
Date Last Visited	‎05-08-2024 06:29 AM

Error in Observability Cloud Service Jump Start Gu...

Palo Alto Networks Add-on PANOS compatibility

co-relate random events

Help with Regex in transaction endswith

Splunk Add-on for Microsoft Office 365 - failed to...

JSON timestamp parsing- When events are being fed ...

Macro definition = ()

Tell setup wizard to use python2.7 on Splunk 8.1.1...

Join by time range

How to display time in panel?

How to search Splunk from external web application...

Re: Can you help us find web GUI log in attempts f...

Re: Can you help us find web GUI log in attempts f...

Re: Can you help us find web GUI log in attempts f...

Can you help us find web GUI log in attempts from ...

Re: Can you help us format the dashboard PDF sched...

Can you help us format the dashboard PDF schedule ...

Re: Can you override sourcetype at inputs.conf wit...

Re: Can you override sourcetype at inputs.conf wit...

Re: Can you override sourcetype at inputs.conf wit...

Re: Can you override sourcetype at inputs.conf wit...

Re: Can you override sourcetype at inputs.conf wit...

Can you override sourcetype at inputs.conf without...

"Automate" alert actions

Re: correlate data without subsearch or transactio...

Re: correlate data without subsearch or transactio...

correlate data without subsearch or transaction

Re: How to join 2 searches using time range?

How to join 2 searches using time range?

Re: Archive raw and/or indexed data to external sy...

Re: Archive raw and/or indexed data to external sy...

Re: Archive raw and/or indexed data to external sy...

Archive raw and/or indexed data to external syslog...

timepicker not working for base search in dashboar...

Re: Help with a join command