Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About sonicZ
sonicZ
Contributor
Member since:
12-16-2010
03-23-2024
Community Statistics
| Posts | 117 |
| Solutions | 3 |
| Karma Given | 54 |
| Karma Received | 20 |
| Member Since | 12-16-2010 |
Activity Feed
- Posted Re: Verifying TLS 1.2 Cipher suites disabled? on Security. 06-07-2022 11:00 AM
- Posted Verifying TLS 1.2 Cipher suites disabled? on Security. 06-04-2022 07:19 AM
- Posted Re: Tracking indexing per source - without _internal index access on Getting Data In. 03-24-2022 10:04 AM
- Karma Re: Tracking indexing per source - without _internal index access for richgalloway. 03-24-2022 09:58 AM
- Posted Re: Tracking indexing per source - without _internal index access on Getting Data In. 03-24-2022 09:52 AM
- Posted Tracking indexing per source - without _internal index access on Getting Data In. 03-24-2022 09:43 AM
- Got Karma for Using stats instead of transaction. 12-29-2021 08:18 PM
- Posted Re: Using stats instead of transaction on Splunk Search. 12-29-2021 02:40 PM
- Posted Re: Using stats instead of transaction on Splunk Search. 12-29-2021 02:30 PM
- Posted Using stats instead of transaction on Splunk Search. 12-28-2021 01:55 PM
- Posted Re: Rest api error on get _raw events on Splunk Dev. 09-20-2021 06:23 AM
- Posted Rest api error on get _raw events on Splunk Dev. 09-19-2021 07:02 PM
- Karma Re: enabling search head on a single clustered indexer for nickhills. 06-05-2020 12:50 AM
- Karma Re: enabling search head on a single index in a index cluster for adonio. 06-05-2020 12:50 AM
- Karma Re: Can someone explain the Splunk 6 clustered bucket directory structure/naming conventions? for dxu_splunk. 06-05-2020 12:47 AM
- Karma Re: Can someone explain the Splunk 6 clustered bucket directory structure/naming conventions? for sowings. 06-05-2020 12:47 AM
- Karma Re: How to write a search for a multikv timechart? for lguinn2. 06-05-2020 12:47 AM
- Karma Re: Has anyone worked on alternatives or have a number of saved searches to replace or modify the current Splunk App for Unix and Linux? for araitz. 06-05-2020 12:47 AM
- Karma Re: Is it possible to migrate summary indexes from Splunk 4 to Splunk 6? for srioux. 06-05-2020 12:47 AM
- Got Karma for Is it possible to migrate summary indexes from Splunk 4 to Splunk 6?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 |
09-19-2012
05:16 PM
2 Karma
Currently i am populating my summary index with a list of malware listed ips with
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup
| rename watch_ip as clientip | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
the inputlookup watchlist_ip_lookup.csv file has two columns, the watch_type is optional as sometimes it's blank
watch_ip, watch_type
2.187.19.0, C2
49.244.116.184,
46.63.167.216, C2
.... etc
How would i include the watch_type field in all the results for my summary index?
... View more
09-07-2012
03:34 PM
Thanks Ayn, i changed domain to my "watch_list" header in the csv and that works for me 🙂
Edit:
actually i removed the NOT too, this and it seems to work
index=someindex NOT uri="/dot_clear.gif" earliest=-1h [|inputlookup watchlist_string_lookup | eval query="uri=".watch_string."" | fields query] | lookup ga ip as clientip | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
... View more
09-07-2012
10:18 AM
I am currently matching a list of "bad ips" with a search such as this
index=someindex NOT uri="/dot_clear.gif" [| inputlookup watchlist_ip_lookup.csv | rename watch_ip as clientip | fields + clientip] | dedup clientip | lookup ga ip as clientip | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
how can i do a similar search with a partial text match in say the URI, say from sourcetype access_combined searching on a partial domain match like .*somedomain.com.* ?
I would like to use these domain strings in a inputlookup table like the ip list i attached above
possibly with a rex match on the uri? i am just not getting the format right.
Thanks.
... View more
08-08-2012
10:46 AM
Kristian, our IT guys were using older pre-universal forwarder clients for a while. I was looking for the updated strings to use for the universal forwarder. Thanks for the link to the docs didnt catch that.
... View more
08-07-2012
05:24 PM
Our old msi install string does not seem to work for our manual installs with newer splunk 4.3.x agents
we used the following string on older installs, any ideas why this does not work with the automated msi installer?
msiexec.exe /i splunk-4.1.6-89596-x64-release.msi WINEVENTLOGAPPCHECK=1 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 WMICHECK_CPUTIME=1 WMICHECK_LOCALDISK=1 WMICHECK_FREEDISK=1 WMICHECK_MEMORY=1 AUTOSTARTSERVICE_SPLUNKD=1 AUTOSTARTSERVICE_SPLUNKWEB=0 SPLUNK_APP=SplunkLightForwarder FORWARD_SERVER="spfd.shared-bo.ilg1.vrsn.com:9997" LAUNCHSPLUNK=0
... View more
08-07-2012
10:02 AM
I didnt realize but looks like we can filter and forward from indexer to indexer now using forwardedindex whitelist blacklist
http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad#Filter_data_by_target_index
So something like this might work?
[tcpout]
defaultGroup = indexer_external
disabled = false
[tcpout:indexer_external]
indexAndForward = true
disabled = false
server = indexer_ip:9997
forwardedindex.filter.disable = false
forwardedindex.2.whitelist = externalIndexName
... View more
08-06-2012
03:11 PM
Hello,
We have a requirement that certain indexes(SSO and SSO_Summary for this example) in our index cluster send to another external offsite network's splunk forwarder/indexer environment. Can we forward just the "SSO and SSO_Summary" from our index cluster level to this other offsite splunk environment?
We have specific silos that each Splunk agent / intermediate forwarder
cannot talk to other silos intermediate forwarder tiers or end points agents. Because we have these restricted silos, we cannot forward data as easily as some of the standard Splunk examples.
(like the data cloning examples)
So an example silo has Splunk data routing as follows
Front end silo: end points(many) -> Intermediate forwarder(pair) ->
Back end silo: end points(many) -> Intermediate forwarder(pair) ->
Shared silo -> index cluster(4 indexers all Front end, back end data forwards to here)
The only examples i see is forwarding ALL index content or data routing based on events content using regular expressions, how would i just forward specific indexes?
We would have a VPN in place to do this, just checking if this is possible
We are trying to avoid forwarding from the end point agents to the external Splunk environment due to security considerations.
Thanks
... View more
- Tags:
- forwarding
- vpn
07-25-2012
03:36 PM
Thanks for the reply Dwaddle, it's lower risk data for us a not so critical index(in terms of needing data for audits etc)
I'll compare space savings before / after.
... View more
07-25-2012
01:25 PM
We have a NFS mount on a EMC NS 480 and about enable dedup to see if we can reduce the size of a cold storage mount point. Any ramifications enabling dedup?
even though splunk's data is compressed, will it help restore some disk space?
... View more
07-18-2012
08:19 PM
1 Karma
It's probably not best practice but, is there a way to have the summary index results clickable drilldown link to the raw events(by host for example)
I saw some examples here on answers using convertoIntentions XML or somesuch but the answers seemed bit old.
Any examples appreciated.
... View more
07-16-2012
03:38 PM
Hey d would the internal regex macro be constructed with the answer i posted in ? http://splunk-base.splunk.com/answers/49995/looking-to-replace-a-custom-python-syslog-filter
... View more
07-16-2012
01:03 PM
Hey Gerald, how ya been??
I'll give macro's a try, I had to read up on them as not really used them before.
It seems like this will work, after testing the search with the following syntax, using a macro definition as so
regex _raw!="(\[sysd\.NOTICE\]\: WDOG\: Strobing the watchdog)|(\[sysd\.NOTICE\]\: WDOG\: Uptime" "System memory)|(ACE-4-313004\: Denied ICMP)|(.*list [a-zA-Z0-9\-]+ denied)|(ras\d+.*Connected to \S+ port \d+)"
and using a search string to call the macro should work
index=net sourcetype=syslog source="/logs/syslog/central_netlog_repository.log" | `net_macro`
I plan to maintain the regex's to filter out certain events going forward.
Basically i am trying to replace a python script that filtered out log events with all these matching regex's, from our "net" index. This was a previously asked question.
http://splunk-base.splunk.com/answers/49995/looking-to-replace-a-custom-python-syslog-filter
... View more
07-13-2012
04:03 PM
Also i read Lowell's answer and specified sourcetype and index in the log as well as putting all new eventtypes created in a specific application, hopefully this helps performance.
http://splunk-base.splunk.com/answers/4217/performance-considerations-for-eventtypes
... View more
07-13-2012
03:47 PM
I am in the process of making individual event types for about 175 types of log events from routers/firewall devices.
can we include regex's in the event type search syntax? Some sample log events that would each be their own eventType
.*list [0-9]+ denied
SEC-6-IPACCESSLOG
ras\d+.*Connected to \S+ port \d+
ras\d+.*Closed connection to \S+ port \d+
\d+\.\d+\.\d+\.\d+\s+.*?(?:start|stop).*?service=shell
Finally when i get all the 170 event types created i'll include them into a single event type which will include all of them in the search
sourcetype=syslog index=net eventtype=someEventType1 AND eventtype=someEventType2 AND eventtype=someEventType3
etc etc...Will this be pretty inefficient if i go this route?
Any alternate ways i should do this would be appreciated.
... View more
- Tags:
- eventtypes
- regex
- sear
07-13-2012
10:59 AM
I think the regex's could definitely be improved, i do like the idea of summary indexing and using shorter period searches.
I am thinking of creating an eventtype with all the various log events, and then having the dashboard show events NOT
Not sure how well that will perform but it would at least be relying on the splunk search commands rather then a external python script scraping millions of events.
... View more
07-07-2012
08:22 AM
1 Karma
Hey Drainy, yeah i was hoping something might have changed with the | delete command to reclaim space, that's my main goal is getting back precious disk blocks 🙂
Our current retention policy is good, (manager wants to keep 1-2 yrs worth of cold storage data) it's that these older buckets were around before my time. Splunks retention policy cant delete a bucket if it's newest event does not fall into the retirement policy date range so some of those buckets i show above span db_Sep2011_Jun2006 so this is a pain.
... View more
07-06-2012
02:36 PM
Looking to expire some really old 2005-2006 data in some of our older buckets with wide bucket spans, some stretch from earliest date-2011 to oldest 2006.
This index is taking up a few terrabytes of cold storage and i would like to reduce it
In the past i recall we cannot expire buckets if the earliest events are within the frozenTimePeriodInSecs value, is there a way to just delete the old events?
here's the bucket examples
drwx--x--x 4 root root 2048 Oct 5 2011 db_1316171253_1151333680_1591
drwx--x--x 4 root root 2048 Oct 5 2011 db_1316186570_1148764640_1593
drwx--x--x 4 root root 1024 Oct 5 2011 db_1316187080_1163161371_1585
drwx--x--x 4 root root 1024 Oct 5 2011 db_1316215973_1146088931_1595
drwx--x--x 4 root root 1024 Oct 5 2011 db_1316217599_1149873438_1587
drwx--x--x 4 root root 1024 Oct 5 2011 db_1316261550_1143637536_1597
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316262900_1147121232_1596
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316275823_1144749944_1594
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316283607_1143766728_1598
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316303999_1143409080_1592
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316317510_1143947712_1599
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316351098_1143646976_1600
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316370771_1144292776_1601
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316423496_1143689504_1603
drwx--x--x 4 root root 1024 Oct 6 2011 db_1316437356_1144262888_1604
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316512974_1146488376_1609
drwx--x--x 3 root root 1024 Oct 7 2011 db_1314489599_1272192960_1719
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316523360_1144554816_1608
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316563199_1143628240_1602
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316563199_1144056216_1605
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316563199_1146463960_1606
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316563199_1145669992_1607
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316581963_1144563144_1613
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316600608_1144622992_1614
drwx--x--x 4 root root 2048 Oct 7 2011 db_1316614176_1146094296_1615
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316627896_1145345824_1616
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316649599_1144204064_1610
drwx--x--x 4 root root 1024 Oct 7 2011 db_1316649599_1150239440_1611
drwx--x--x 4 root root 1024 Oct 8 2011 db_1316649599_1143870472_1612
drwx--x--x 4 root root 1024 Oct 8 2011 db_1316676544_1143990200_1618
drwx--x--x 4 root root 1024 Oct 8 2011 db_1316696944_1144613920_1619
drwx--x--x 4 root root 1024 Oct 8 2011 db_1316707239_1146104336_1620
... View more
06-15-2012
10:23 AM
1 Karma
I've got the GeoASN application installed in our distributed environment(4 indexers so far 1 search head) running the script seems to be generating the generic red error bar saying "results may be incorrect"
Search used:
index=www sourcetype=access_combined splunk_server="splunk*-d*" | lookup ga ip AS clientip | stats count by country, org
error is as follows
Script for lookup table 'ga' returned error code 1. Results may be incorrect
How do we go about troubleshooting this and resolving the error? I am checking python.log web_access and web_service so far nothing pops out as to what the problem is.
basically want to either resolve or in the meantime squelsh the error until we can resolve it.
... View more
06-07-2012
04:06 PM
Hello Currently we have a Network operations dashboard that displays charted logs from routers/switches/firewalls syslog messages, we use this as our primary network alert dashboard.
We are using a python script with a few hundred lines of regex strings to basically scrape over all incoming log alerts from our "net" index and only display log events NOT matching these filters.
So one of our searches is as follows, the "netcritical" is our python script that is streaming log events to filter out from Splunk results.
index=net | netcritical | search netcritical=true | timechart limit=0 useother=f c by host | rename c as "Alert Count"
In this way we see any legitimate alerts and new alerts from various devices that we were not looking for but filter out logs that are noisy/we dont care about.
It's worked well in our environment so far but it's not scaling well as we increase the amount of network devices writing to syslog. Our dashboard is taking a long time to load as it's parsing far too many logs.
Can anyone offer some suggestions on the best way to replace this filter?
We want to keep everything in the same "net" for log consistency but looking for alternate solutions within Splunk.
... View more
05-14-2012
12:29 PM
yep that was it lookup was looking for "ip" field while access_combined defaults to clientip
... View more
05-14-2012
12:25 PM
hey Ayn, yeah i did a | rename clientip as ip and it seems to work.
... View more
05-11-2012
04:25 PM
Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn
I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work
[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown
However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip
Lookup file and app permissions are all set to global read/write but no change with the new fields populating.
... View more
05-07-2012
05:40 PM
We just upgraded our environment to 4.3.2 from 4.2.3 and see this message spamming our splunkd.logs on both hot/warm and cold data partitions
05-08-2012 00:33:30.407 +0000 INFO timeinvertedIndex - Unable to read raw size file="/data/splunk/var/lib/splunk/transient/db/db_1335815136_1335613695_110/.rawSize": No such file or directory
05-08-2012 00:33:30.407 +0000 INFO timeinvertedIndex - Unable to read raw size file="/data/splunk/var/lib/splunk/transient/db/db_1335957976_1335815156_111/.rawSize": No such file or directory
05-08-2012 00:33:30.407 +0000 INFO timeinvertedIndex - Unable to read raw size file="/data/splunk/var/lib/splunk/transient/db/db_1336089130_1335957977_112/.rawSize": No such file or directory
05-08-2012 00:33:58.700 +0000 INFO timeinvertedIndex - Unable to read raw size file="/data2/colddb/os/db_1323061363_1323023831_1192/.rawSize": No such file or directory
05-08-2012 00:33:58.714 +0000 INFO timeinvertedIndex - Unable to read raw size file="/data2/colddb/os/db_1322956802_1317593989_1193/.rawSize": No such file or directory
05-08-2012 00:33:58.767 +0000 INFO timeinvertedIndex - Unable to read raw size file="/data2/colddb/os/db_1313294562_1311652962_1195/.rawSize": No such file or directory
What does this mean and is there a way to resolve it?
... View more
04-10-2012
02:25 PM
Our populating search was this btw:
index="vip" sourcetype=vipservices
| transaction TR startswith="Operation Start" endswith="Operation End"
| eval elapsed_wait=elapsed_operation-elapsed_request
| sistats count, avg(elapsed_operation) as total-avg, perc80(elapsed_operation) as total-80, perc90(elapsed_operation) as total-90,
perc95(elapsed_operation) as total-95, perc98(elapsed_operation) as total-98, perc99(elapsed_operation) as total-99,max(elapsed_operation) as total-max,
avg(elapsed_responder) as resp-avg, max(elapsed_responder) as resp-max,
avg(elapsed_request) as req-avg, max(elapsed_request) as req-max,
avg(elapsed_wait) as wait-avg, max(elapsed_wait) as wait-max
by host, JURHASH, OP
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-23-2024
12:02 AM
|
