Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About packet_hunter
packet_hunter
Contributor
Member since:
01-08-2016
06-05-2020
Community Statistics
| Posts | 328 |
| Solutions | 6 |
| Karma Given | 2 |
| Karma Received | 12 |
| Member Since | 01-08-2016 |
Activity Feed
- Got Karma for is there a way to search who has access to an index?. 03-30-2021 04:37 PM
- Karma Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? for gjanders. 06-05-2020 12:49 AM
- Got Karma for Re: What is the most efficient way to correlate fields from different sourcetypes in the same index by an asset_id key. 06-05-2020 12:49 AM
- Got Karma for Re: Best way to send Windows event logs from a Windows 12 server to indexers?. 06-05-2020 12:49 AM
- Got Karma for What index should sysmon data go into and how /where to change the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Universal Forwarders are phoning home but the indexes are not populating. 06-05-2020 12:49 AM
- Karma Re: keep receiving error on two scheduled alerts? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for what is the best addon / app to use with [iplocation] for a geographical visual dashboard?. 06-05-2020 12:48 AM
- Got Karma for How to rename column and row labels after using transpose?. 06-05-2020 12:48 AM
- Got Karma for How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local ?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to set conditions for an alert to "sendmail" custom messages based on different values of certain fields?. 06-05-2020 12:48 AM
- Got Karma for Re: How to stitch together a session by userid with dissimilar formats. 06-05-2020 12:48 AM
- Got Karma for Re: How to send JSON data (sent via HTTP POST) to a heavy forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Best way to check email logs for recipients that are on a list. 06-05-2020 12:47 AM
- Posted Re: How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 09:26 AM
- Posted Re: How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 07:59 AM
- Posted How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 07:28 AM
- Posted Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? on Getting Data In. 10-24-2017 07:17 AM
- Posted Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? on Getting Data In. 10-24-2017 07:17 AM
- Posted Re: What index should sysmon data go into and how /where to change the index? on All Apps and Add-ons. 10-23-2017 12:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-08-2017
11:29 AM
ok I am tracking now, thank you.
... View more
04-10-2017
07:12 AM
Thank you for the instructions. When I checked we had that already setup outputs.conf like that.
I am currently trying to find out where we went wrong but as I move thru the flow I will find it and post the resolution.
Currently the security appliance acts as a server to the heavy fwder, and we don't need inputs.conf because the appliance sends host, sourcetype, index, time. I think we just mis-configured where we assigned the index to... but still looking
... View more
04-26-2017
03:23 AM
We have done the following things after doing R & D.
1.Changed date range from real time to today.
2.Set dashboard refresh time to every 5 minutes.
3.Summary indexing
4.Report acceleration
5.Scheduled this search every 5 minutes so it will save in the cache.
6.Search query optimization.
7.Auto restart splunk daily at 2:00 AM UTC so that memory will be released.
8.Set high priority to this dashboard.
7.Set high priority to this scheduled search.
8.Run stats tables first then start charts.
9.Changed the delimer of raw data from text files method to new way which will reduce the time while converting raw data to fields of delimiting proccess.
10.Reduce the number of indexes and source type
After all this my dashboards loading time reduced from 3 minutes to less than 10 seconds.
Super fast
... View more
03-09-2017
12:49 PM
thanks very helpful
... View more
02-20-2017
03:00 PM
Its gotta be correct per your logic, its just hard to verify because I have so many fwdrs.
... View more
11-19-2019
12:34 AM
Wow thats a clever search, thank you
... View more
02-20-2017
12:55 PM
Not sure if you are still looking at this... but in my splunk DMC instance, under settings>monitor console> Forwarders: Instance, I can see the KB/s data rate per universal forwarder, however I cannot see a GB/day volume anywhere.
Do you have some search syntax to convert KB/S to GB/day volume? Or is there another report somewhere?
Thank you
... View more
02-04-2017
01:02 PM
As an alternative, may I suggest sendresults ? I've used this to send different results to different people within the same alert, it also works by using eval's as above...
... View more
01-26-2017
02:41 PM
1 Karma
You need to specify the indexes else, it only shows data from the index set as your "indexes searched by default" in your user/role.
|tstats values(sourcetype) WHERE index=* by index
... View more
01-26-2017
03:00 PM
It works Thank you
... View more
01-09-2017
01:35 PM
fyi, I found the problem, when I kick off the security app, a bunch of real-time searches occurred when the dashboard load.... |grep id=rt revealed the issue. Thanks again.
... View more
12-27-2016
10:32 AM
perhaps, most of the time the 101 results worked, ultimately I need the original example to rule out any possible error.
Thanks
... View more
01-05-2017
07:55 AM
The data loss (loss of historical logs) is still TBD. I created a new question regarding the errors if anyone has any pointers. Thank you everyone for your replies.
... View more
12-22-2016
09:41 AM
Thank you very much I will give it a shot and let you know how it goes.
... View more
12-23-2016
06:46 AM
Thank you, this should help a lot.
... View more
12-11-2016
08:34 AM
Thank you for suggestion, it is very good and I am making a note of it for future use.
... View more
12-07-2016
09:40 AM
I am not suggesting having each source in a separate index. If that makes sense for you then go ahead.
Having a high number of indexes can cause a problem. Having many indexes and many buckets within those indexes could lead to Splunk running out of file handles.
... View more
11-22-2016
06:18 PM
I must be blind, but I can count on you. Thank you again.
... View more
10-18-2016
11:06 AM
Thx, I got it to work!
Is there a way to increase the zoom to a street level with this map?
... View more
09-21-2016
11:12 AM
have not tested it yet, waiting for something to roll in and trigger it, but I think you are right (as usual), thank you.
... View more
08-24-2016
07:53 AM
Thank you!!!
Lately I have been using online regex tester to test my rex code but apparently what works in the online tester doesn't always work... any other testing suggestions other than the obvious- "RTFM again" (which I am going to do)?
... View more
08-24-2016
08:05 AM
Thank you for the reply and interesting observation.
My problem is that I often need to search a number of internet src IPs that are unrelated but I will try ordering them and see it that does anything. My primary effort is too speed up the search process without summary indexing b/c the IPs of concern change frequently.
Thank you again for your reply, I will let you know the results of my testing if there is anything identifiable.
... View more
08-23-2016
06:22 AM
David Thank you for the reply.
Please advise regarding how I can "chat offline" with you.
I agree that Core / ES could do this as well, but I was wondering if UBA had a better pattern / decision engine.
Can you provide a brief description of the requirements for ES and Core to do this? I imagine you need smtp headers and proxy logs?
Thank you
... View more
