Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About maciep
maciep
Champion
Member since:
09-18-2013
10-22-2024
Community Statistics
| Posts | 826 |
| Solutions | 118 |
| Karma Given | 98 |
| Karma Received | 251 |
| Member Since | 09-18-2013 |
Activity Feed
- Got Karma for Re: How do I stop datamodel accelerations from turning themselves back on?. 08-19-2024 09:33 AM
- Got Karma for Re: What is the correct way to edit conf files and propagate changes in a search head cluster ?. 06-12-2024 09:48 AM
- Got Karma for Re: How do I stop datamodel accelerations from turning themselves back on?. 12-06-2023 11:53 AM
- Posted Re: Join query with condition and comparison on Splunk Search. 01-20-2023 06:43 AM
- Got Karma for Re: How can I return specific results using head and tail commands?. 01-20-2023 04:22 AM
- Posted Re: Join 3 sources without join on Splunk Search. 11-28-2022 10:03 AM
- Got Karma for Re: Join 3 sources without join. 11-28-2022 06:33 AM
- Got Karma for Re: Join 3 sources without join. 11-25-2022 04:30 PM
- Posted Re: Join 3 sources without join on Splunk Search. 11-25-2022 08:12 AM
- Got Karma for Re: How to join search based on multiple values?. 11-16-2022 01:48 AM
- Got Karma for Re: How do I stop datamodel accelerations from turning themselves back on?. 10-26-2022 12:56 AM
- Got Karma for Re: Unable to distribute to peer from search head. 10-10-2022 09:14 AM
- Posted Re: Error in 'eval' command: The expression is malformed on Dashboards & Visualizations. 09-29-2022 04:58 AM
- Got Karma for Re: Heavy Forwarder data loss prevention. 09-22-2022 08:05 AM
- Posted Re: Heavy Forwarder data loss prevention on Splunk Cloud Platform. 09-22-2022 05:42 AM
- Posted Re: How to event break on multiple dashes? on Splunk Enterprise. 09-22-2022 05:23 AM
- Posted Re: How to join search based on multiple values? on Splunk Search. 09-16-2022 12:26 PM
- Posted Re: How to compare 2 Search's percentage results? on Splunk Search. 09-16-2022 11:43 AM
- Got Karma for Re: [udp://:portnumber] Event Blacklist. 09-14-2022 05:45 AM
- Posted Re: [udp://:portnumber] Event Blacklist on Getting Data In. 09-14-2022 04:10 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 7 | |||
| 0 | |||
| 0 | |||
| 1 |
03-13-2015
04:11 PM
I'm not sure what else you have you tried, but maybe put pipe to fillnull before your stats. Also in your example, isn't the field called list(upcCode) not upcCode after your stats? Meaning, the upcCode field in the where clause doesn't exist anymore at that point?
... View more
03-12-2015
07:54 PM
Yes, you can use rex. Here is one example. I'm sure there are better regular expressions to use, but this should give you an idea (not sure if all of your fields will be formatted just like your example)
origfield would be the original field you want to pull the data out of, and newfield would be the result you want.
....| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"
... View more
03-11-2015
07:33 PM
Maybe you want to use eventstats instead of streamstats?
http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/
... View more
03-11-2015
06:40 PM
2 Karma
I'm not positive but it looks like you're applying the setnull transform first. And since the regex for that stanza is "." then it will match everything...so everything is getting sent to the nullQueue (i.e. getting trashed). Maybe try putting it last in the list? Or possibly in another setting below the first. Maybe something like this?
[apache_log]
TRANSFORMS-set1=setparsing1, setparsing
TRANSFORMS-set2=setnull
Also, you may still need to escape the slashes (/) in the regex for your other stanzas with a backslash. For example:
about\/history\/company_at_a_glance
I recommend going to a site like regex101 to verify that your regex matches your data first.
Hope that helps a little.
... View more
03-05-2015
06:44 AM
If it helps, we were able to find our issue with the following search:
index=_internal configuration_check rest sourcetype=python_modular_input
In our case, we had a correlation search that was created but something happened - maybe during creation or replication (sh cluster) that kind of hung. Someone tried to delete the search in Slunk Web which looked like it worked. But in fact, it was still there on the back end. Once found, we deleted it and restarted splunk. That resolved it for us.
Thanks,
... View more
02-20-2015
05:29 AM
Were you able to figure out what was causing that to continually fire? We just noticed it in our environment this morning as well - same message showing up on the hour. We're still in the middle of our implementation and will reach out to our PS resource as well.
... View more
10-14-2014
10:27 AM
Yes, probably has to do with your account.
I think your role needs write perms at the app level in order to share the macro with the app. And you need to be an admin to share it across all apps.
... View more
10-14-2014
04:42 AM
A coworker of mine dug up this answer from 2012. I'm guessing not a whole lot has changed in this respect since then.
Splunk as a SCOM substitute
... View more
10-10-2014
08:46 AM
Hi Seema,
Are you referring to netcool omnibus? We currently run a script after an alert is triggered to send traps over to netcool. The script we used is based on a template that I think is available on Splunk's site.
Our searches that fire alerts are formatted in a consistent way so we know which ticketing group the alert goes to, what the priority should be, the message, etc.
See the reply from aaronkorn on the following answer thread.
Traps from Splunk
... View more
10-09-2014
06:26 AM
Thanks for the feedback, Jeremiah. We currently use splunk in a similar way, alerting on errors in log files as requested by various app/support teams for example. And I agree that having the OS metric data would be nice for event correlation.
... View more
10-09-2014
04:57 AM
We already have Splunk installed and are using it pretty heavily. The use cases consist mainly of various log files or databases, and we have provided multiple teams with dashboards for the apps/systems.
Now my management would like us to evaluate Splunk as an enterprise monitoring tool. In other words, as a replacement for something like SCOM, ITM, Up.Time, etc. For us, that would mean monitoring/alerting for about 10k servers (Windows, Linux, Unix) for memory, disk, processors, services, processes, sql, exchange, web sites etc.
Is anyone trying to use Splunk in that capacity and on that scale? I know the data is on the servers and there are apps out there to collect most of it. But I'm a little leery of bringing all of that data back to the infrastructure and searching on it there. As opposed to most other monitoring tools, that have an agent that receives some sort of policy and only sends alerts/status back to the infrastructure.
And then there's the management of it all. Different servers with different alerting needs, thresholds, polling intervals and recurrence. Not to mention the requirement to be able to take action against a server depending on an issue, e.g. restarting service or cleaning up disk space.
As is usually the case, I'm sure it can be done. But I feel like we would be shoehorning Splunk into that type of solution, and it may be more trouble than it's worth.
If anyone out there has any relevant experience and could share some advice/guidance, that would be great.
Thanks!
... View more
04-01-2014
10:04 AM
antlefebvre, it may be Splunk's only solution. But my scripts (powershell, vbscript, kix, etc) can all bring back more than 1000 objects per search. So speaking of Active Directory in general, it's not the only solution.
... View more
04-01-2014
09:55 AM
Exactly, we don't really have that option to increase the limit in AD. I wish Splunk worked like most other apps I've dealt with in the past (still need to open enhancement request). In a nutshell:
Just check AD when a user tries to log in. If the user should have access, check to see if their account exists. If they should but not created in Splunk yet, create it then. If it does exist, verify roles/etc based on current membership and update splunk account accordingly.
There's no need query AD for every user at once...especially if you're unwilling to modify the page size.
... View more
03-19-2014
04:19 AM
1 Karma
I understand that is a solution, but it's not going to happen in our environment. And if that is Splunk's only solution, then I need to open an ehancement request, because they need to improve the way they do ldap integration.
... View more
03-06-2014
05:16 AM
3 Karma
Hi all,
I know this has been covered before here, but I'm still struggling with it. How do we tell Splunk to return more than 1000 users per LDAP strategy. I've tried increasing the size limit and the max number of precache users, but that hasn't helped.
For example, I have a strategy right now that's filtering for 4 groups with a total number of users (nested) at about 1200. My size limit for the strategy is 5,000 and precahce users is 10,000. But I'm still receiving the Size Limit warning in my logs for that strategy.
And I know the size limit configuration mentions "The number actually returned is subject to the limit imposed by the LDAP server." But that just doesn't make sense to me. Every other technology that queries AD can get around those limits. I feel like Splunk should be able to as well.
Is there something I'm missing or just not understanding? It's frustrating because we just have to keep creating more and more strategies. If that's the only way, then that's what we'll do (assuming every group has less than 1000 members). But I hope there's another way now or will be in the future.
We are currently on Splunk 6.0
Thanks for any insight!
... View more
02-05-2014
11:35 AM
Thanks for the info. After talking with BB guy here, it sounds like we might be able to use the TA for bes 5 and then the Exchange client access logs for bes 10.
... View more
02-05-2014
05:07 AM
1 Karma
I was hoping somebody could clarify something for me. With the "Splunk for Exchange" app, is Blackberry Enterprise Server supported?
For version 2.0, 2.1 and 2.1.1 the release notes all say that support for BES was depreciated. But they also all include BES in the About section of the documentation as Optional. It is not mentioned at all in the release notes for 2.1.2, but is included the About section for this latest release too.
Does anyone know if it supported in version 2.1.2. I did install the app in our test environment, and I'm not sure which TA I would deploy to a BES server. I do know there is a separate add-on available BES 5.03, which I don't think is related to the Exchange app.
Thanks!
... View more
- Tags:
- blackberry
- exchange
01-31-2014
05:33 AM
That's an interesting idea but I would run it by our Splunk contacts before trying it, because it seems a little too "easy". I have a feeling if you have a true test environment like we do, they'll probably want you to pay for the licenses.
... View more
01-31-2014
05:21 AM
That makes sense. It's too bad that we don't have a test master to test this stuff.
So it sounds like our internal question now will be whether the risk is higher for our test env to affect prod or for prod to run out if we give too many licenses to test.
... View more
01-31-2014
04:59 AM
Oh ok, I must have misread that. When I went to create a new pool as a test (to see the options, etc), all of the indexers were available to add to it. But I didn't actually try to finish creating it though, so maybe it wouldn't have let me continue?
They are all in the auto generated pool right now which is configured for any indexer that connects.
... View more
01-31-2014
04:43 AM
We currently have one license pool that all of our indexers draw from. With a new initiative to get more people involved/introduced to Splunk using our test environment, we are thinking of creating a new test pool for that environment. The idea being that we protect our prod indexers from any accidental mishaps in the test environment - that test indexer will only be able to draw from the new test pool.
At the same time, though, we don't have a lot of licenses all together. So we might want to give our prod indexers the ability to draw from the test pool as well, if they need it.
I think I read that one indexer can draw from multiple pools. If that's the case, how is it decided which pool it will draw from? Essentially, I'd like the prod indexers to draw from the prod pool until it's empty, and only then start drawing from the test pool.
Would it work like that? Or maybe there's a better way? If not, we'll probably just keep the two pools completely separate.
Thanks!
... View more
01-09-2014
09:46 AM
Thanks! I haven't found the search I'm looking for yet, but tbh, I'm not 100% sure which search I'm looking for - still need to get some info from the user.
But I did find a bunch of savedsearches.conf files and looks like that's where the info will be.
... View more
01-09-2014
08:07 AM
Hi all,
Is there any way to see/modify the email setting for an advanced dashboard in 6.0. We're trying to troubleshoot an issue that we think is related to a dashboard that was built in 5.0 with advanced xml and scheduled to send a pdf on schedule. In 6.0, we don't can't see those email settings on the dashboard, but it still does send the pdf on its schedule.
We'd like to find out who that dashboard is getting emailed to and possibly modify the target list. Is there anyway we can find that info on the server?
Thanks!
... View more
12-12-2013
11:58 AM
It didn't work for me either but got me down the right path. Unless I was doing something wrong, I had to rename user to title to join it to the rest data. I also added the timestamp and limited it to the role I'm interested in. The results look accurate. Using Splunk 6 by the way (didn't mention it earlier)
index=_audit action="login attempt" | eval last=max(timestamp) | dedup user | rename user as title | join title [| rest /services/authentication/users] | search roles=cerner | table title roles last | sort title
Thanks for your help!!
... View more
12-12-2013
07:38 AM
Is there anyway to list users who have logged into Splunk along with the Splunk roles they are mapped to? I can get the first part with the search below, but I don't know how to tie their roles to the results.
index=_audit action="login attempt" | dedup user | sort user | table user
... View more
- Tags:
- logon
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-22-2024
07:27 AM
|
Karma from
Karma given to
