Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gcusello
gcusello
Legend
Member since:
02-01-2019
Online
Community Statistics
| Posts | 7749 |
| Solutions | 1276 |
| Karma Given | 125 |
| Karma Received | 1980 |
| Member Since | 01-02-2019 |
Activity Feed
- Got Karma for Re: Run scripted input on search peer (IDX). 4 hours ago
- Got Karma for Re: How to find historical index volumes?. 6 hours ago
- Posted Re: How to create a search check on a single day which a user had done transactions for more than 3 different vendors? on Splunk Search. 9 hours ago
- Posted Re: is there a way to pass field value from search to write kind of an event in the same search using eval command ? on Splunk Search. 9 hours ago
- Posted Re: is there a way to pass field value from search to write kind of an event in the same search using eval command ? on Splunk Search. 10 hours ago
- Posted Re: Run scripted input on search peer (IDX) on Getting Data In. 10 hours ago
- Posted Re: Extracting a field from a path on All Apps and Add-ons. 10 hours ago
- Got Karma for Re: How to condense eval search query?. 10 hours ago
- Got Karma for Re: Summary Index - table command and random data removal. 13 hours ago
- Posted Re: AIX Splunk universal forwarder installation hangs after input username on Deployment Architecture. 13 hours ago
- Posted Re: Issue while installing version 8.2.6. on Installation. 13 hours ago
- Got Karma for Re: IO wait time on standalone Splunk enterprise server is very high. 13 hours ago
- Posted Re: Summary Index - table command and random data removal on Knowledge Management. 15 hours ago
- Posted Re: Find users who have done an event A, but not done an event B display as timechart span of 1 month on Splunk Search. 15 hours ago
- Karma Re: How to condense eval search query? for ITWhisperer. 15 hours ago
- Posted Re: How to condense eval search query? on Splunk Search. 17 hours ago
- Posted Re: How to find historical index volumes? on Monitoring Splunk. yesterday
- Posted Re: Make operations between two columns on Splunk Search. yesterday
- Got Karma for Re: Is is possible to have bulleted description in the Splunk Dashboard?. yesterday
- Got Karma for Re: Is is possible to have bulleted description in the Splunk Dashboard?. yesterday
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Monday
Hi @jip31, please try something like this: your_search
| rex "^(https|http):(?<url>\/\/\w+\/\w+\/)" that you can test at https://regex101.com/r/4kTIF3/1 Ciao. Giuseppe
... View more
Monday
1 Karma
Hi @alexspunkshell, if you could share a sample of your logs I could be more detailed in my answer, anyway, you have two choices: if you want to maintain separates IPs you have to find two different regexes, identifying something as difference, if you're not interested to have different field names for the two IPs, you could use the same regex. in the first case, try something like this: your_search
| rex "IP\s+addresses:\s+(?<IP1>\d+\.\d+\.\d+\.\d+).*(?<IP2>\d+\.\d+\.\d+\.\d+)" if you want also the country associated to each IP, you could use something like this (similar to @etoombs solution) : your_search
| rex "IP\s+addresses:\s+(?<Country1>[^\(]+)\((?<IP1>\d+\.\d+\.\d+\.\d+).*(?<Country2>[^\(]+)\((?<IP2>\d+\.\d+\.\d+\.\d+)" I prefer the following solution: your_search
| rex "(?<Country>[^\(]+)\((?<IP>\d+\.\d+\.\d+\.\d+)" Ciao. Giuseppe
... View more
Monday
Hi @rvk_sp_user, in this case, you need a regex to identify the logs to send to an index different than the default then you have to override index value based on that regex. in few words, on your Indexers or (if present) or your Heavy Forwarders, not on Universal Forwarders, you have to put in props.conf #props.conf
[mysourcetype]
TRANSFORMS-index = overrideindex transforms.conf # transforms.conf
[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = <your_regex>
FORMAT = your_new_index Ciao. Giuseppe
... View more
Monday
Hi @rvk_sp_user, in each stanza of your inputs.conf, you can add an option to say which is the index that has to receive data from that input. in each stanza you have to insert [monitor://var/log]
index=index_for_that_input
sourcetype=sourcetype_for_that_input you could follow the instruction about getting data in at https://www.google.com/search?q=splunk+getting+data+in&rlz=1C1SQJL_itIT832IT832&oq=splunk+getting+data+in&aqs=chrome.0.69i19i59j69i60l3.4496j0j7&sourceid=chrome&ie=UTF-8 There are videos and documentation. Ciao. Giuseppe
... View more
Monday
Hi @schres1, try the XML that you can find in my first answer, it's taken from that App, Anyway, I hint to ask to install this App on a development environment because it's very useful! Ciao. Giuseppe
... View more
Monday
Hi at all,
I'm trying to implement some Use Cases from Security Essentials App, using AWS data.
I found the following problem:
I'd like to use a Use case called "Multiple Account Deletion by an Administrator" but the App tells me that there isn't the accelerated "Change" Data Model, that instead is present and accelerated.
The strange thing is that the message doesn't say that there isn't data, but that there isn't an accelerated DataModel.
Where could I search the problem?
Thank you in advance.
Ciao.
Giuseppe
... View more
Labels
- Labels:
-
other
Monday
Hi @ashidhingra, sorry there isn't a feature or tool to do this. The only approach is to create a script that uses Splunk REST API to execute a search and put the result in an Excel sheet, or schedule a search that make an outputcsv command and saves results in a csv, but there isn't something like SQL query. there is also an app (not Splunk supported) to send results to excel but I didn't use it: https://splunkbase.splunk.com/app/4369/ You could ask this to Splunk Ideas https://ideas.splunk.com/ Ciao. Giuseppe
... View more
Monday
1 Karma
Hi @elomotanpru, it's the second time that I have this message in few minutes, very strange! Anyway, go at https://splunkbase.splunk.com/app/1603/ or go in apps.splunk.com and search "Dashboard", you'll find the Dashboard Examples App. Ciao. Giuseppe
... View more
Monday
Hi @schres1, it's very strange because it runs for me! https://splunkbase.splunk.com/app/1603/ Anyway, go in apps.splunk.com and search "Dashboard Examples" you'll find the App that probably will solve your need. Ciao. Giuseppe
... View more
Monday
Hi @schres1, you should put in your dropdown as value (not as label) the value of the source to insert in the search and then pass it as a token, to better understand how to do this, I hint to install the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) where you can find an example how to do it. In other words, something like this: <form>
<label>Dropdown Form Input Element</label>
<description>Set search terms by populating a form with one or more dropdown options.</description>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="source" searchWhenChanged="true">
<label>Select a Source:</label>
<prefix>source="</prefix>
<suffix>"</suffix>
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>index=_internal | stats count by source</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<table>
<title>Table of Events for $source$</title>
<search>
<query>index=idx source="*$source$" | table _time, user, sourcetype, _raw</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">5</option>
</table>
</row>
</form> Ciao. Giuseppe
... View more
Monday
1 Karma
Hi @cecilia_cheng1, please try this: in your inputs.conf stanza [monitor://D:\*\SMT\*]
host_regex = ^\w+:(\\[^\\]+){2}\\([^\\]+) Otherwise, you could override the host value on Indexers or Heavy Forwarders in this way: props.conf #props.conf
[your_sourcetype]
TRANSFORMS-hostFromSource=hostFromSource transforms.conf #transforms.conf
[hostFromSource]
SOURCE_KEY = MetaData:Source
REGEX=^\w+:(\\[^\\]+){2}\\([^\\]+)
FORMAT = $1
DEST_KEY= MetaData:Host for more infos see at https://docs.splunk.com/Documentation/Splunk/latest/Data/Setadefaulthostforaninput Ciao. Giuseppe
... View more
Monday
1 Karma
Hi @cecilia_cheng1, you could use the host_segment=3 but anyway, the regex to take the value is ^\w+:(\\[^\\]+){2}\\(?<host>[^\\]+) that you can test at https://regex101.com/r/hPopwS/1 Ciao. Giuseppe
... View more
Monday
Hi @jakeoftrades, let me understand: you want to exclude results where kafka_datatype="PRODUCED", is this correct? if this is your need, you could filter results in the main search of after the stats command, something like this: index="hcg_ph_t2_bigdataservices_prod" sourcetype="be:streaming-services" earliest=-3h@h latest=@h stream_type IN (Datascore_Compress, Datascore_Decompress, Eservices_Eload, Eservices_Ebills) kafka_datatype!="PRODUCED"
| eval service_details=stream_type." - ".kafka_datatype
| bucket span=90m _time
| stats sum(kafka_count) as count by _time service_details
| stats latest(count) as current_count earliest(count) as past_count by service_details in addition, you don't need to use the search command after the main search, in this way you have a slower search. Ciao. Giuseppe
... View more
Monday
1 Karma
Hi @asdinesh, after a stats command you have only the fields that you used in the stats, so you don't have _time so you cannot use timechart after the stats command. To do this, you have to add the _time field to the stats command, taking e.g. the latest value, something like this: index="x" (event="A" OR event="B")
| stats count(eval(event="A")) AS ACount count(eval(event="B")) AS Bcount latest(_time) AS _time BY userId
| where ACount >= 1 AND BCount < 1
| timechart span=1mon count AS result Ciao. Giuseppe
... View more
Sunday
1 Karma
Hi @PickleRick, I already implemented a multitenency ES installation but it was a very hard work and required the support of Splunk Professional Services. You could segregate data using different indexes for each tenant, the problem is that you have also to manually modify all Correlations Searches, all DataModels and all Threat Intelligence components to manage multitenancy, and it isn't a very easy work, especially Threat Intelligence. In conclusion: it's possible but you need an help of an ES expert Splunk Architect and maybe also of Splunk PS, and anyway consider many days to make this job (we worked for around 90 days without take in consideration the time of the customer paople). Make your considerations if it's less expensive ho manage two ES infrastructures or one multitenancy. Ciao. Giuseppe
... View more
Sunday
Hi @igor04653, as @PickleRick said, Splunk doesn't index a content twice even if the file has a different name, but the same content. If you want to index all files, also duplicating logs, you should use crcSal = <SOURCE> in this way Splunk index all files with a different filename even if they have the same content. Ciao. Giuseppe
... View more
Saturday
Hi @utk123, you should explore the Horizon Chart Viz, that you can find in the Horizon Chart App(https://splunkbase.splunk.com/app/3117/ ) or in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/). Ciao. Giuseppe
... View more
Saturday
Hi @Santosh2, maybe the timestamp isn't correctly parsed, try to search something special of your logs in a very large time period. Then, if you're searching logs in the first 11 days of the month, try to search the 1st of may (01/05/2022) at the 5th of january (05/01/2022). Then, are you sure about index? then, try to add an asterisk at the beginning of the source, maybe there's the full path and/ot an asterisk at the end of host, maybe there's the FQDN name instead of the hostname. Ciao. Giuseppe
... View more
Friday
2 Karma
Hi @elomotanpru, you can use in your dashboard an html panel that you can format as you like (bullets, underline, bold, etc...) using the normal html tags. For more infos you can see the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) in which you can find an example about how to do this. Ciao. Giuseppe
... View more
Friday
Hi @ang3loliveira, what do you mean with transaction: the "transaction" Splunk command or in ageneral a transaction log? then what do you mean with "to sample resulting", maybe to have some few events to use as a sample? if this is your need you could run your search and add t the end the "head 10" command (or a different number) to have a sample of your logs, for more infos see at https://docs.splunk.com/Documentation/SCS/current/SearchReference/HeadCommandOverview. Ciao. Giuseppe
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
14 hours ago
|
