Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gcusello
gcusello
Legend
Member since:
02-01-2019
Online
Community Statistics
| Posts | 7762 |
| Solutions | 1278 |
| Karma Given | 125 |
| Karma Received | 1982 |
| Member Since | 01-02-2019 |
Activity Feed
- Posted Re: lifespan of new extracted fields on Splunk Search. 29m ago
- Posted Re: Issue with Universal Forwarder forwarding logs to index on Getting Data In. 3 hours ago
- Posted Re: How to append string to timechart data labels? on Splunk Search. 3 hours ago
- Posted Re: How can I get splunk data in my dot net core application. I need to read the logs either via db call, or api calls. on All Apps and Add-ons. yesterday
- Posted Re: Nullqueue not working on Getting Data In. yesterday
- Got Karma for Re: Average of values of duplicate entries. yesterday
- Posted Re: Help with alert set up on Alerting. yesterday
- Got Karma for Re: How to find a solution to not have duplicated logs?. yesterday
- Posted Re: Help with alert set up on Alerting. yesterday
- Posted Re: How to extract N digits based on field lenght on Splunk Cloud Platform. yesterday
- Posted Re: Changing CSV file header on Getting Data In. Saturday
- Posted Re: Help getting count by letter grade based on score range on Splunk Search. Friday
- Posted Re: What are the risks of running a deployment server managing clustered indexers? on Deployment Architecture. Friday
- Posted Re: How to extract N digits based on field lenght on Splunk Cloud Platform. Friday
- Posted Re: How to find a solution to not have duplicated logs? on Getting Data In. Friday
- Got Karma for Re: Run scripted input on search peer (IDX). Friday
- Got Karma for Re: How to find historical index volumes?. Friday
- Posted Re: How to create a search check on a single day which a user had done transactions for more than 3 different vendors? on Splunk Search. Friday
- Posted Re: is there a way to pass field value from search to write kind of an event in the same search using eval command ? on Splunk Search. Friday
- Posted Re: is there a way to pass field value from search to write kind of an event in the same search using eval command ? on Splunk Search. Friday
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Friday
1 Karma
Hi @Poojitha, in Summary indexes you can use only the output of streaming commands and fields isn't one of them, use table. In addition I hint to always record in Summary also "_time" to have the timestamp of the events to use in timechart command. Maybe (I'm not sure but it's difficoult to check) the problem of your missing data is related to this. Ciao. Giuseppe
... View more
Friday
Hi @asdinesh, to use earliest or latest is a your decision that doens't move the approach. If you haven't any result check the conditions, you can debug all searches deleting, one by one, rows from the end and understanding which is the one that block results. Ciao. Giuseppe
... View more
Friday
1 Karma
Hi @nicolass, you can use the OR option in the if confition of your eval command, something like this: source="test.csv" sourcetype="csv"
| stats values("MFA Factor") as MFA, values("Last Enrolled_ISO8601") as "Last Enrolled", values( "Last Used_ISO8601") as "Last Used" by User, Login
| eval MFA=if(like(MFA,"Okta%") OR like(MFA,"%FIDO%") OR like(MFA,"Google%") OR like(MFA,"Voice%"),null, MFA)
| where isnotnull(MFA) or use case instead if: source="test.csv" sourcetype="csv"
| stats values("MFA Factor") as MFA, values("Last Enrolled_ISO8601") as "Last Enrolled", values( "Last Used_ISO8601") as "Last Used" by User, Login
| eval MFA= case(like(MFA,"Okta%"),null, like(MFA,"%FIDO%"),null, like(MFA,"Google%"),null, like(MFA,"Voice%"),null)
| where isnotnull(MFA) Ciao. Giuseppe
... View more
Thursday
1 Karma
Hi @jessieb_83, as you can see at http://splunk-sizing.appspot.com/#sf=1 you should plan a capacity plan that needs as inputs the following data: average of daily data ingestion (usually I take the license value to be more sure), retention of hot and warm data (usually on month but it depends on the most frequent searches), full retention of your data, Number of Indexers, if you have an Indexer Cluster: Replication Factor. For your calculation, think that usually the real occupation of your data is: row data: 15% of the original data, indexes data: 35% of the original data. In this way you can calculate without Cluster: Hot + Warm Data: License * 0.5 * Hot_Warm_Retention / Indexers, Cold Data: License * 0.5 * Cold_Retention / Indexers. If you have a Cluster you have to moltiplicate for the Replication Factior. In addition, if you have DataModels, you have to add to the Hot_Warm Data: License * 3.4 for the Data Model Data of one year. Anyway, the best approach is to involve in the Architecture Design at least a Splunk Architect, or a Splunk Professional Services People. Ciao. Giuseppe
... View more
Thursday
Hi @nalagito, if the values of mn are always: my_mn1, my_mn2. in this case you can make operations using my_mn1 and my_mn2 as column name. Ciao. Giuseppe
... View more
Thursday
Hi @kpavan, you should explore the dc option in stats, something like this: (index=index1) OR (index=index2)
| eval ip=if(index=index1,ip_1,ip_2)
| stats dc(index) AS dc_index values(index) AS index BY ip
| eval status=case(dc_index=2,"both indexes",dc_index=1 AND index=index1,"only index1",dc_index=1 AND index=index2,"only index2")
| stats dc(ip) AS count BY status In this way you can know if an Ip is present in both the indexes or only in one of them and you can make all the operations you want. Ciao. Giuseppe
... View more
Thursday
Hi @nalagito, if the values of ColumnA and ColumnB are fixed, you can use the eval command to make the calculation you need. If instead they aren't fixed, is much more complicated. Ciao. Giuseppe
... View more
Thursday
Hi @rvk_sp_user, No, when an event with the sourcetype you defined in props.conf (mysourcetype) arrives to the Indexer or (if present) to the Heavy Forwarder, it's checked if the event contains the regex that you defined in transforms.conf: if the regex matches, the value for index that you fixed in inputs.conf is overwritten with the new value that you defined in transforms.conf (your_new_index), if it doesn't matches, original index value remains. This means that in inputs.conf you have to put the default value for index and in transforms.conf you have to put the new index value associated to a regex. If you have to assign more index values, you have to create more stanzas in props.conf and transforms.conf with different regexes. Ciao. Giuseppe
... View more
Wednesday
Hi @JoeHubner, you should see the addinfo command (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/SearchReference/Addinfo). It gives you the informations you need. Ciao. Giuseppe
... View more
Wednesday
Hi @ajdyer2000 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉
... View more
Wednesday
Hi @debjit_k, if you're speaking of the hardware reference of a Splunk Server to use as Syslog server, you are speaking of an Heavy Forwarder and you can take the values for a Stand Alore server at https://docs.splunk.com/Documentation/Splunk/8.2.6/Capacity/Referencehardware In few words: 12 CPUs, 12 GB RAM, Disk 50 GB, virtual (also physical but it isn't mandatory). In my experience this is the standard Splunk requirements, but as HF I usually use less resources: 4/8 CPUs, 8 GB RAM, Disk 50 GB, virtual . Monitoring it the load to understand if it is sufficient to manage the peaks periods. Remember the duplication of HFs and the Load Balancer, this i really important! If you haven't a Physical Load Balancer, you can use DNS to balance the traffic. Ciao. Giuseppe
... View more
Wednesday
Hi @ankurborah, good for you, see next time Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉
... View more
Wednesday
Hi @Esky73, the action you are describing is called normalization and it's usually done to normalize logs to CIM compliance. At first I hint to see if there's an Add-on that already made normalization for your logs, if there isn't I hint to use calculated fields, e.g. something like this: | eval action=case(action="Block","blocked",action="block","blocked",action="not sent","blocked",action="tagged","delivered", action="delivered","delivered", action="logged","delivered") About the multivalue, see if it's possible to extract fields in a different way or use "like" in the above condition. Ciao. Giuseppe
... View more
Wednesday
Hi @vaishnab, how did you create this report, using outputcsv command? the location I described is for this command. Ciao. Giuseppe
... View more
Wednesday
1 Karma
Hi @crucifier_0, supposing that the field names in the table are "type" and "value", you should run a search using the stats command, something like this: your_search
| stats avg(value) AS avg_value BY type Anyway, I hint to follow the Splunk Search Tutorial at https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchTutorial/WelcometotheSearchTutorial or follow some video tutorial on YouTube. Ciao. Giuseppe
... View more
Wednesday
Hi @ankurborah, it's the same thing: Search Heads cannot be managed by Deployment Server but only by Deployer. Are you sure that the Search isn't in the list of the hosts managed by the Deployment Server? Splunk Clusters (SHs or IDXs) have their own management machine (Deployer or Master Node) and Deployment Server cannot be used for this. Ciao. Giuseppe
... View more
Wednesday
Hi @ankurborah, the message you shared says that the Deployment Server cannot send a bundle to a search peer, maybe, for an error, one Indexers is in the list of the servers managed by the Deployment Server and this isn't correct because Indexers must be managed by the Master Node (or Cluster Master). Ciao. Giuseppe.
... View more
Wednesday
Hi @Aqawelska, you should calculate Finish_time-Start_time not the contrary: index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied
| where host="AUDIINSA4919" OR host="AUDIINSA4304"
| stats
earliest(_time) AS Start_time
latest(_time) AS Finished_time
by host
| eval Latency=tostring(Finished_time-Start_time, "duration")
| table Start_time , Finished_time , Latency , host
| fieldformat Finished_time=strftime(Finished_time,"%c")
| fieldformat Start_time=strftime(Start_time,"%c") Ciao. Giuseppe
... View more
Wednesday
Hi @ankurborah, the message says that there's a replication issue from the Deployment Server to an Indexer, but what's your architecture? how many Indexers are in you architecture? why are you managing them by Deployment Server? Ciao. Giuseppe
... View more
Wednesday
Hi @super_saiyan, as hinted by @PickleRick, you have to use the SEDCMD command or use props and transforms associated to the sourcetype you're using. In few words, you have to find the regex to identify the column to exclude, e.g. if you have 100 columns divided by comma ",", you could use a regex like this: in props.conf [your_sourcetype]
TRANSFORMS-delete_column_80 = delete_column_80 in transforms.conf [delete_column_80]
REGEX = ^(([^,]+,){80})[^,]+,(([^,]+,){19})
FORMAT = $1$2
DEST_KEY = _raw For more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Anonymizedata Ciao. Giuseppe
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
24m ago
|
