Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About paulbannister
paulbannister
Communicator
Member since:
09-30-2016
03-30-2021
Community Statistics
| Posts | 76 |
| Solutions | 8 |
| Karma Given | 22 |
| Karma Received | 16 |
| Member Since | 09-30-2016 |
Activity Feed
- Got Karma for Re: DB Connect 3.1.4 Data Duplication & Rising Col Issue. 12-19-2023 06:27 AM
- Posted Re: Crowdstrike Stream Stops Woking on Getting Data In. 03-30-2021 09:50 AM
- Posted Re: Syndication Input (RSS/ATOM/RDF) Add-On on All Apps and Add-ons. 03-17-2021 03:32 AM
- Posted Crowdstrike Stream Stops Woking on Getting Data In. 03-17-2021 03:31 AM
- Posted Re: Configuring Splunk TA for microsoft teams on All Apps and Add-ons. 02-10-2021 05:20 AM
- Posted Re: Syndication Input (RSS/ATOM/RDF) Add-On on All Apps and Add-ons. 01-18-2021 07:41 AM
- Posted Re: Dropped events with Splunk Add-on for ServiceNow on Getting Data In. 01-18-2021 03:57 AM
- Posted Syndication Input (RSS/ATOM/RDF) Add-On on All Apps and Add-ons. 01-18-2021 03:54 AM
- Tagged Syndication Input (RSS/ATOM/RDF) Add-On on All Apps and Add-ons. 01-18-2021 03:54 AM
- Tagged Syndication Input (RSS/ATOM/RDF) Add-On on All Apps and Add-ons. 01-18-2021 03:54 AM
- Posted Re: Microsoft Teams Add-on for Splunk on a Cloud IDM on All Apps and Add-ons. 11-25-2020 12:39 AM
- Posted Re: Dropped events with Splunk Add-on for ServiceNow on Getting Data In. 11-24-2020 07:40 AM
- Posted Microsoft Teams Add-on for Splunk on a Cloud IDM on All Apps and Add-ons. 11-24-2020 07:37 AM
- Tagged Microsoft Teams Add-on for Splunk on a Cloud IDM on All Apps and Add-ons. 11-24-2020 07:37 AM
- Tagged Microsoft Teams Add-on for Splunk on a Cloud IDM on All Apps and Add-ons. 11-24-2020 07:37 AM
- Tagged Microsoft Teams Add-on for Splunk on a Cloud IDM on All Apps and Add-ons. 11-24-2020 07:37 AM
- Tagged Microsoft Teams Add-on for Splunk on a Cloud IDM on All Apps and Add-ons. 11-24-2020 07:37 AM
- Posted Re: Hi team, i need to extract the locale field in BOLD , can you help me with it on Splunk Search. 11-17-2020 07:58 AM
- Posted Re: Hi team, i need to extract the locale field in BOLD , can you help me with it on Splunk Search. 11-12-2020 06:10 AM
- Posted Dropped events with Splunk Add-on for ServiceNow on Getting Data In. 11-12-2020 03:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-31-2019
06:10 AM
1 Karma
Unsure if this is still required or unanswered by try this as it worked for us, patience may be need if the directory is large and a full restart of the UF if you're using one:
[fschange:\servername\E$\Monitor]
index=sservice
sourcetype=MonitorDir
fullEvent=true
pollPeriod=60
recurse=true
sendEventMaxSize=100000
signedaudit=false
disabled=0
... View more
11-15-2018
02:39 AM
We managed to resolve this issue on our instance and from memory it turned out to be a conflict with Java and the folder structure, in our case we had a scripted input that was causing the issue as it was using a conflicting naming convention, once this script was amended the issue was resolved
Apologies for the vagueness in the description but it might help you look in the right direction for another potential solution
... View more
10-05-2018
06:47 AM
Hi There,
I'm assuming that you have already created the field "Response_time" prior to the case statement? What isse are you running into with the search?
... View more
10-05-2018
06:10 AM
Hi There,
Might need a few more details on this, are you look to join fields together to making the 4 columns into 2 or omit 2 columns completely?
... View more
10-05-2018
06:07 AM
Apologies, try this:
|eval Response_time=
case(Response_time>3000, "gt3SEC", Response_time>1000 AND Response_time<3000, "bet1-3Sec", Response_time<1000, "lt1Sec")
... View more
10-05-2018
06:00 AM
Hi There,
You may want to try a case statement for this, unless there are any other variables you need to create:
|eval FIELDNAME=case(Response_time>3000, Response_time="gt3SEC", Response_time>1000 AND Response_time<3000, Response_time="bet1-3Sec", Response_time<1000, Response_time="lt1Sec")
... View more
09-21-2018
03:32 AM
Hi There,
Would the below documentation be of use to you:
http://dev.splunk.com/restapi
http://docs.splunk.com/Documentation/Splunk/7.1.3/RESTTUT/RESTbasicexamples
... View more
09-21-2018
03:29 AM
Hi There,
It may be worth putting the index=windowseventlogs & index=linuxauditlogs within the inputs.conf on the Heavy Forwarder as well for the relevant inputs, ensure you restart the service after making the amendment
... View more
06-26-2018
04:03 AM
Hi There,
Can you expand on the problem a little more, such as what the data looks like and your expected outcome? At first glance from the above data my thoughts would be to use the CHART command by the field in question
... View more
06-26-2018
04:01 AM
Hi There,
That seems a tad bit more than a medium size csv you have there, how many records have you got within it? Have you looked into utilising a KV store instead?
... View more
06-04-2018
12:24 PM
Hi There,
Unless I'm missing something you can simply input whatever you like into the "Message" section when you edit your alert, apologies if I've misunderstood what you're asking for
... View more
06-04-2018
12:20 PM
Hi There,
Have you tried creating the query without the join, if you searched both sourcetypes and played around with transactions by the shower_id you might be able to get the result you are looking for. Might require a few evals to sort out the required fields but should be an option to get around the limitations of the join command
... View more
05-15-2018
05:02 AM
Might be unrelated, I had a similar issue with a large JSON input doing this even with Truncate set to 0
It was resolved by setting the "Response Handler" in the input to "JSONArrayHandler", this was an API input however so unsure if it relates to yours... but I thought I'd share just in case
... View more
03-29-2018
06:59 AM
"Mozilla\/(?P<FIELD_NAME>[^"]+)
As above with the REGEX being greedy, the attached regex will also generate the name for your new field.... just replace "FIELD_NAME" with the desired name of your new field
As a side note https://regex101.com/ is a fantastic place to experiment with/hone your REGEX skills
... View more
03-20-2018
08:02 AM
Hi There,
You could quite possibly be looking for the inputlookup and outputlookup commands, if you were to write a search using the index that has your csv data in then you could use the above commands to essentially create a new lookup file to be used elsewhere as an automatic lookup
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Outputlookup
... View more
03-07-2018
06:29 AM
Indeed, you'd have to table all the presidents afterwards and fillnull to get those zeroes, that could get tedious, are we also assuming that both pocket and wrist have been classified under the watch field?
... View more
03-07-2018
06:13 AM
Hi There,
Short answer would be... both
Slightly longer answer depends of whether you want any historical data to work with/how long it will take to run the search over a months worth of data, or if you're happy to just populate with data from the time you click go
I'm assuming you've done everything you can to optimise the search you have, if that's the case then summary index is definitely the way to go
... View more
01-16-2018
02:40 AM
1 Karma
Hi There,
We had the same issue with updating our credentials on our cloud instance and to get Splunk Support to assist, apparently it is a know issue but what we did was exactly what you did.... delete the passwords.conf to allow the new credentials to take, an absolute pain as it left us without data for a few days
... View more
12-04-2017
01:13 AM
Thanks for the nudge to re-visit the datetime.xml method, after stripping right back to basics and building from the ground up I managed to get it to parse the timestamp correctly with a custom config and stress level has now been greatly reduced
... View more
12-04-2017
12:52 AM
The source doesn't remove all 0's from the data, merely the initial 0 from the time field ( so 07:04 would be displayed as 704 in the csv) so this is most likely how the source system has the export field formatted. We have looked into pre-formatting the csv but this involves a manual step using excel which I am trying to avoid (although we may try and setup an idiot proof macro if needed, but again I'd rather avoid a manual step) and unfortunately the source system doesn't allow much in the form of customization of exports
... View more
12-04-2017
12:47 AM
The data will index just fine in the above case, as I'm using old data as it is anyway to test, the only issue occurs when it the time is before midday and the first 0 is omitted from the time field, in which case Splunk defaults to the event time of the previous event
... View more
12-01-2017
07:53 AM
I'm currently monitoring a directory of CSV files with a universal forwarder (UF) that has the timestamp split across 2 fields, which isn't a problem if the time is after midday:
14-Nov-17,SOME_RANDOM_DATA,1525
Which gives me the following correct timestamp (11/14/17 3:25:00.000 PM)
However before midday the time appears in a 3 digit format:
14-Nov-17,SOME_RANDOM_DATA,740
Which should give me (11/14/17 7:40:00.000 AM), but Splunk just won't recognize the 3 digit format.
I've tried every combination of Date\Time format variables I can think of and even made an attempt at a custom datetime config but all to no avail.
I hoping I'm overlooking a simple solution but any insight anyone can offer will be greatly appreciated.
... View more
11-28-2017
12:32 AM
Do have bit more detail about how you are calling the lookup and what your report looks like? i.e is this an automatic lookup or are you calling in within the report
... View more
10-23-2017
07:18 AM
No worries, sometimes we all look so hard for the complicated issues that we miss the obvious ones, happy splunking!
... View more
10-20-2017
06:43 AM
1 Karma
Do your users have write permissions for the app the lookup's are situated in?
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-30-2021
01:11 PM
|
Karma given to
