Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About dpanych
dpanych
Communicator
Member since:
01-06-2016
06-05-2020
Community Statistics
| Posts | 64 |
| Solutions | 5 |
| Karma Given | 9 |
| Karma Received | 14 |
| Member Since | 01-06-2016 |
Activity Feed
- Karma Re: Why isn't this field transform working? for harsmarvania57. 06-05-2020 12:50 AM
- Karma Re: Why am I unable to configure Microsoft OMS Modular Inputs TA? for jkat54. 06-05-2020 12:49 AM
- Karma Re: Why am I unable to configure Microsoft OMS Modular Inputs TA? for jkat54. 06-05-2020 12:49 AM
- Karma Re: Log Analytics (OMS) API updated - NEW working code in here. for jkat54. 06-05-2020 12:49 AM
- Karma Re: How can I make a copy of the App and replace microsoft_trace_url to use MailDetailMalware API? for jconger. 06-05-2020 12:49 AM
- Karma Re: How to index the message trace report with local timestamp for wstarowicz. 06-05-2020 12:49 AM
- Got Karma for Why am I unable to configure Microsoft OMS Modular Inputs TA?. 06-05-2020 12:49 AM
- Got Karma for Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?. 06-05-2020 12:49 AM
- Got Karma for Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?. 06-05-2020 12:49 AM
- Got Karma for Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?. 06-05-2020 12:49 AM
- Got Karma for Log Analytics (OMS) API updated - NEW working code in here.. 06-05-2020 12:49 AM
- Got Karma for Log Analytics (OMS) API updated - NEW working code in here.. 06-05-2020 12:49 AM
- Got Karma for Re: Log Analytics (OMS) API updated - NEW working code in here.. 06-05-2020 12:49 AM
- Got Karma for Re: Log Analytics (OMS) API updated - NEW working code in here.. 06-05-2020 12:49 AM
- Got Karma for Re: Log Analytics (OMS) API updated - NEW working code in here.. 06-05-2020 12:49 AM
- Got Karma for Re: Issue in Microsoft Log Analytics Add-on(Formerly Know as OMS). 06-05-2020 12:49 AM
- Karma Re: Join two searches together and create a table for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How can I build a Dashboard/Search to use optional Text inputs? for gokadroid. 06-05-2020 12:48 AM
- Got Karma for How to set up an alert to trigger if EventB from IndexB happens within 1 minute after EventA from IndexA?. 06-05-2020 12:48 AM
- Got Karma for How do I join on fields from two different sources with the two events being no more than 1 minute apart?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
12-28-2016
11:29 AM
I do not see anything at that location, but I found some crash logs dated beginning of 2016 (crash-2016-xxxx) in %splunk_home%/var/log/splunk; I think those are irrelevant. Is that behavior normal as the indexer processes and indexes data?
... View more
12-28-2016
11:16 AM
One of the six indexers we have were unresponsive today. I couldn't login through the web interface and ssh'ing to the server was very slow. I figured it's an OS problem, rebooted the server, and things seem to be clear. While looking at the logs, I noticed a number of splunkd dying. Is that normal? The server OS is RHEL 7x.
Dec 28 10:56:21 PRDSRV01 systemd[1]: systemd-journald.service: got WATCHDOG=1
Dec 28 10:56:23 PRDSRV01 systemd[1]: Received SIGCHLD from PID 120270 (splunkd).
Dec 28 10:56:23 PRDSRV01 systemd[1]: Child 120270 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:25 PRDSRV01 systemd[1]: Received SIGCHLD from PID 120277 (splunkd).
Dec 28 10:56:25 PRDSRV01 systemd[1]: Child 120277 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:27 PRDSRV01 systemd[1]: Received SIGCHLD from PID 121218 (splunkd).
Dec 28 10:56:27 PRDSRV01 systemd[1]: Child 121218 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:29 PRDSRV01 systemd[1]: Received SIGCHLD from PID 121211 (splunkd).
Dec 28 10:56:29 PRDSRV01 systemd[1]: Child 121211 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:31 PRDSRV01 systemd[1]: Received SIGCHLD from PID 121697 (splunkd).
Dec 28 10:56:31 PRDSRV01 systemd[1]: Child 121697 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:32 PRDSRV01 systemd[1]: Received SIGCHLD from PID 121431 (splunkd).
Dec 28 10:56:32 PRDSRV01 systemd[1]: Child 121431 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:34 PRDSRV01 systemd[1]: Received SIGCHLD from PID 121228 (splunkd).
Dec 28 10:56:34 PRDSRV01 systemd[1]: Child 121228 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:36 PRDSRV01 systemd[1]: Received SIGCHLD from PID 122819 (splunkd).
Dec 28 10:56:36 PRDSRV01 systemd[1]: Child 122819 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:38 PRDSRV01 systemd[1]: Received SIGCHLD from PID 121324 (splunkd).
Dec 28 10:56:38 PRDSRV01 systemd[1]: Child 121324 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:40 PRDSRV01 systemd[1]: Received SIGCHLD from PID 120159 (splunkd).
Dec 28 10:56:40 PRDSRV01 systemd[1]: Child 120159 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:42 PRDSRV01 systemd[1]: Received SIGCHLD from PID 120296 (splunkd).
Dec 28 10:56:42 PRDSRV01 systemd[1]: Child 120296 (splunkd) died (code=exited, status=255/n/a)
Dec 28 10:56:44 PRDSRV01 systemd[1]: Received SIGCHLD from PID 123182 (splunkd).
Dec 28 10:56:44 PRDSRV01 systemd[1]: Child 123182 (splunkd) died (code=exited, status=255/n/a)
... View more
12-06-2016
01:25 PM
That would work, but I have some events that contain only three of the four fields (UserID PID IP) - some events do not have SPID and/or IP. So if I input data into the UserID and PID text boxes, leaving SPID and IP as "*" ( UserID=Larry PID=1 SPID=* IP=* ), that does not work because the event contains fields UserID PID and does not have SPID and IP. Having "*" for SPID and IP implies that the event contains the two fields.
... View more
12-06-2016
10:56 AM
I am trying to build a dashboard with multiple Text inputs that are optional. Say I have 4 Text input boxes: UserID, PID, SPID, and IP, with Default/Load values being "*". The initial search will return all results. But say I want to just search a UserID and want to bring back all data when UserID = "This_is_a_user". If I'm searching only on UserID, I don't want the other fields being searched on. How can I do this?
(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UsreID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time
... View more
12-02-2016
01:24 PM
Figured out the cause. I guess having (1) Splunk_TA_nix - version 5.1.2 and (2) config_analytics - version 1.8 installed on Splunk 6.5.x causes the file-write issue. We removed the config_analytics app and things are working smoothly again.
... View more
11-09-2016
01:42 PM
We upgraded to 6.5.0 from 6.4.x, and now every time we attempt to save a change made to an alert, we get the following error:
In handler 'savedsearch': Could not flush changes to disk: /nobody/search/savedsearches/Test/search: ConfPathMapper: C:\Program Files\Splunk\etc\apps\search\local
On 6.4.x, saving changes worked 100% and now on 6.5.0 it does not. We didn't do anything unusual with the upgrade. What could this be? I checked both Splunk and Windows file system permissions and they both seem fine.
... View more
09-26-2016
02:59 PM
For one of our syslog devices, some events that come through only contain the syslog datetime format, while there are others that contain the syslog datetime AND a "timestamp=" field at the end of the event. What would be the best to setup timestamp recognition where it first reads the "timestamp=" field and if the event does not contain that field, then for it to look at the syslog datatime at the beginning of the event. The timestamp field and the syslog datetime are two different formats too. See below for an example.
Sep 23 23:59:57 2016 aa_wlc_01 wms[1234]: <123456> <WARN> <aa_wlc_01 192.168.000.000> |ids| AP(aa:aa:aa:aa:aa:aa@aa-aa-aa): Wireless Bridge: An AP detected a wireless bridge between transmitter aa:aa:aa:aa:aa:aa and receiver aa:aa:aa:aa:00:00. SNR value is 25. Additional Info: BSSID:aa:aa:aa:aa:aa:aa; Channel:1.
Sep 23 23:59:44 2016-09-23 23: 59:44,5 192.168.111.111 CPPM_RADIUS_Accounting_Detail aaa 1 0 id=aaa,session_id=aaa-01-aaa,acct_session_id=aaa\\aaa-aaa,type=aaa,attr_name=aaa-Location-Id,attr_value=aaa.6-aaa-aaa,timestamp=2016-09-23 23:58:35-07
... View more
09-06-2016
04:08 PM
Your solution did not seem to work. Any other suggestions?
... View more
09-06-2016
02:46 PM
I have the following syslog data and I need help extracting the timestamp field at the end of the event:
Sep 6 06:07:20 2016-09-06 06: 07:20,165 192.168.0.0 CPPM_Dashboard_Summary 17000 1 0 session_id=A00001234-01-56bcde1f,req_source=RADIUS,user_name=XXXXXXXXXX,service_name=ABC802.1X,alerts_present=0,nas_ip=192.168.1.1,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=12a3123456n2,timestamp=2016-09-06 06:05:48-07,write_timestamp=2016-09-06 06:05:50.133529-07
Sep 6 14:24:18 2016-09-06 14: 24:18,179 192.168.109.102 CPPM_System_Stat 11115 1 0 id=11112,swap_size_used=65757,slash_size_used=11166596,swap_memory_avail=6079780,system_memory_avail=3737736,cpu_raw_user=1,cpu_raw_nice=0,cpu_raw_system=13,cpu_raw_idle=87,mgmt_inf_status=up,data_inf_status=down,uptime=8291850,timestamp=2016-09-06 14:24:07.156076-07
I'm using the following props on the indexers and heavy forwarder, but the timestamp is still not parsing out:
TIME_PREFIX = ,timestamp
TIME_FORMAT = %Y-%d-%m %H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 350
... View more
08-26-2016
12:51 PM
We are running 6.4.1
... View more
08-26-2016
09:04 AM
1 Karma
Is there a workaround for deleting files and making sure they're gone?
... View more
08-25-2016
03:44 PM
1 Karma
We're having issues when we delete some data (with |delete) and after an indexer restarts in the clustered environment, some of the data replicated again. I did some research and found that this was a previous bug (SPL-100516). Has it been fixed?
... View more
08-04-2016
04:27 PM
I have an alert that runs every hour at the half hour mark. So at 1:30, 2:30, etc... When I run the timechart command, "| timechart count span=1h", it brings back the count of events for each hour, but I want the count of event from 1:30 to 2:30. How can I accomplish this?
(index=ABC Page="go.aspx" Refer="*signup_pro.aspx" UserName=*)
OR (index=ABC Page="signup_pro.aspx" (SID3Type=A1 OR SID3Type=A2) UserName=* SID1=* SID3=*)
OR (index=ABC Page="Registration.aspx" UserName=*)
| transaction UserName, SessionSID maxspan=60m
| table _time, UserName, SID3, SID3Type, SID1, FName1, LName1, Email, Page
| sort - _time
| search UserName=* SID1=* SID3=* SID3Type=* FName1=* LName1=* Email=* Page=go.aspx
| rename UserName AS UserSID, SID1 AS "SID1 (SSN)", FName1 AS FirstName, LName1 AS LastName
| fields - Page
... View more
07-01-2016
09:19 AM
Thank you guys, this worked!
... View more
07-01-2016
09:11 AM
I'm no regex guru, but how do I make the regex above work with the |;| delims? ---- "aaa"|;|"OIM"|;|"DELETE"|;|"29-06-2016_01-53-16"
... View more
07-01-2016
08:41 AM
So I updated the time prefix to include the delims before the sed, TIME_PREFIX = ".+"|;|".+"|;|".+"|;|"
and still no luck.
... View more
07-01-2016
08:27 AM
Here's what the logs looks like after the sed:
"host1","MON","LOGOFF","30-06-2016_11-15-01","","0"
"host2","ODS","UPDATE","30-06-2016_12-51-05","UPDATE DS_ATTRSTORE SET ATTRVAL = :B1 WHERE ENTRY = :B2 AND ATTRNAME = 'modname'","0"
"host3","ODS","UPDATE","30-06-2016_08-28-43","UPDATE DS_ATTRSTORE SET ATTRVER = :B4 || CHR(94) || :B5 || CHR(94) || :B6 , ATTRVAL = :B3 , ATTRKIND = :B2 , ATTRSTYPE = :B1 WHERE ENTRY = :B8 AND ATTRNAME = :B7","0"
... View more
06-30-2016
02:06 PM
I have logs that contain the following datetime format:
29-06-2016_00-08-17
The props contain:
[odb]
TIME_PREFIX = ".+",".+","
TIME_FORMAT = %d-%m-%Y_%H-%M-%S
MAX_TIMESTAMP_LOOKAHEAD = 50
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldown_type = true
SEDCMD-01_change_delims_in_oracle_logs = s/\|;\|/,/g
SEDCMD-02_remove_the_end = s/"\|\|\?--END---\?\|\|//g
REPORT-set_delimiters_oracle_logs = REPORT-delims_odb_logs
What could be the problem?
... View more
06-30-2016
02:03 PM
So it looks like that role had access to the index, but not to the actual app itself.
... View more
06-28-2016
11:33 AM
I had them try verbose and smart mode. I found a similar thread but I don't follow: https://answers.splunk.com/answers/149742/field-parsing-works-for-admin-not-for-general-user.html
... View more
06-28-2016
10:49 AM
As the question states. We have the Splunk Add-on for Cisco ASA and just noticed that a non-admin user is not getting parsed fields for this sourcetype. I'm betting it's a permission issue, but can't pinpoint the exact cause.
... View more
05-25-2016
08:15 AM
The ldapsearch query is pulling back all the hosts for a certain OU, and then I want to search the list of hosts to see if they're "talking"/reporting to Splunk. As @somesoni2 mentioned, having a scheduled search keep the host list updated would be a great alternative.
... View more
05-24-2016
04:30 PM
My search is not returning any results..
index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
[|inputlookup Servers.csv | return 9999 $name]
| dedup sourceHost
| table hostname, sourceHost
| search [| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | table name | sort name | outputlookup Servers.csv]
Here was my logic which doesn't work (brain is fried for the day):
ldapsearch queries ldap for the list of host names and creates a lookup
The lookup is then used in the beginning of the search to find all hosts that are reporting to Splunk.
Does that seem correct?
... View more
05-23-2016
02:58 PM
I haven't built LDAP queries before, what would the syntax look like for the question? I'm assuming it would be in search=?
... View more
05-23-2016
02:55 PM
Got it to work! Firstly, I had to create a field alias on the UsrID field (as user).
(index=ABC Screen="1" Function="2" Action="3" FileName="BLAH" UsrID=*) OR (sourcetype=WinPrintMon type=PrintJob user=* document="getContent.pdf")
| transaction user startswith=(FileName="BLAH") endswith=(*"getContent.pdf"*) maxspan=1m
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
