Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About adamsaul
adamsaul
Communicator
Member since:
10-10-2016
06-05-2020
Community Statistics
| Posts | 60 |
| Solutions | 5 |
| Karma Given | 6 |
| Karma Received | 7 |
| Member Since | 10-10-2016 |
Activity Feed
- Karma Re: How to route to an Index based on SourceType AND Host combination in inputs.conf? for gjanders. 06-05-2020 12:48 AM
- Karma Re: Why has support been removed in 6.5.0 for universal forwarders on Windows 7, and is there a workaround? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Why can't I download the Splunk Add-on for Check Point OPSEC LEA from Splunkbase? for TStrauch. 06-05-2020 12:48 AM
- Karma Re: How to edit inputs.conf to restrict data collected from a monitored TCP input to specific hosts? for lguinn2. 06-05-2020 12:48 AM
- Karma Re: How to blacklist two different hosts in inputs.conf? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: How to import CPU load from Check Point logs? for richgalloway. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a function to get the Count of the week in an year ?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a function to get the Count of the week in an year ?. 06-05-2020 12:48 AM
- Got Karma for Re: TA-Microsoft-AD default indexes - are they needed?. 06-05-2020 12:48 AM
- Got Karma for Re: How to edit my search to extract numeric values with rex and create a line chart?. 06-05-2020 12:48 AM
- Got Karma for Re: Need advice on a complex field extraction. 06-05-2020 12:48 AM
- Got Karma for Re: Need advice on a complex field extraction. 06-05-2020 12:48 AM
- Got Karma for Re: Need advice on a complex field extraction. 06-05-2020 12:48 AM
- Posted Re: How to replace a dynamic string in an event? on Splunk Search. 02-25-2020 10:25 AM
- Posted Re: systemctl start SplunkForwarder fails error=203 on Splunk Dev. 02-25-2020 10:10 AM
- Posted Re: Splunk forwarders on clustered nodes monitoring the same files on Getting Data In. 06-30-2017 10:03 AM
- Posted Re: Why is the deployment server unable to push apps to search head clusters? on Deployment Architecture. 06-30-2017 09:44 AM
- Posted Re: How to make a line chart that shows the up time of a forwarder? on Getting Data In. 12-12-2016 07:53 AM
- Posted Re: Splunk Add-on for Box: Why am I receiving "Failed to Grant access" error when trying to set up the add-on in our production environment? on All Apps and Add-ons. 12-08-2016 09:58 AM
- Posted Re: How to edit inputs.conf to restrict data collected from a monitored TCP input to specific hosts? on Getting Data In. 12-07-2016 12:05 PM
Topics I've Started
No posts to display.
12-05-2016
11:06 AM
1 Karma
Sankarms,
Here is an example you can paste directly into your Splunk search bar, to extract the length found and label it as 'length':
| makeresults | eval example="[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM Content-length: 0" | rex field=example "Content-length:\s*(?<length>\d+)"
If the content above looks good, your search should be as follows:
"Content-length: " | rex field=_raw "Content-length:\s*(?<length>\d+)" | stats count(length)
... View more
10-20-2016
12:14 PM
Hi Jawid,
I don't believe there is due to the license agreement imposed by Splunk and that their apps are hosted on CDN's at unique ID'd URL's
... View more
10-20-2016
12:11 PM
Hi Jawid,
Try editing the following file and see if that helps. Also, check your '/etc/resolv.conf' to be sure it is pointing at the DNS you intended
::$SPLUNKHOME/etc/splunk-launch.conf
#Add proxy settings as needed, then restart the splunk server
#This one is for a proxy with no authentication
http_proxy=proxy.local:80
#Use the one below for a proxy with authentication
http_proxy=a_user:a_password@proxy.local:80
... View more
10-20-2016
08:01 AM
Try opening a command prompt using "Run as Administrator", 'cd' to the location of the installer and attempt that way
... View more
10-20-2016
07:46 AM
Windows 2008 R2 is still currently supported
... View more
10-19-2016
11:56 AM
Thank you for accepting! I'm glad I could help.
Some index names are queried by 'apps' but for the most part, most apps play it safe by querying across all accessible indexes and looking for a specific 'sourcetype' instead.
... View more
10-19-2016
11:41 AM
Almost looks as if the field is a 'multi-value' field.
Try this:
nomv statement | rex field=statement "(?<field1>[^\s]+)
... View more
10-19-2016
11:06 AM
I think it is giving you the match and sub-match or the match array, which is why it appears twice.
Does appending max_match=1 to the end of your 'rex' search help?
... View more
10-19-2016
10:49 AM
Sorry about that. I left off the named group.
I'm not sure why that is not matching, @sundareshr appears to working. I just added a bit for the beginning of the line.
... View more
10-19-2016
10:34 AM
rex field=statement "(^\w+)"
... View more
10-19-2016
10:01 AM
Jason,
Your deployment server handles clients, if 'siem2' is an indexer, it accepts data inputs. Therefore, on your indexer, you simply need to add a input for /opt/logs/tmcm/ like below.
::$SPLUNKHOME/etc/system/local/inputs.conf
[monitor:///opt/logs/tmcm]
index=<index of your choice>
#You do not need the whitelist (this is an example below and is commented out)
#If you want to include certain file names from the 'tmcm' directory
#whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
disabled = 0
... View more
10-19-2016
09:29 AM
Dharanesha,
Windows 2008 is not listed as supported for 6.4.3. Support shows up to 6.3.7
... View more
10-19-2016
08:59 AM
1 Karma
kungfu,
The indexes are only needed if you do not plan to change the default location that some of the inputs are configured to send data to.
I would also like to say that I would recommend keeping the windows and unix separate, in case down the road you decide to limit the access to specific data (be it Windows or *Nix).
Therefore, maybe make indexes as such to make searching easier but still separates operating system.
#Windows Security Events
index = win_security
#*Nix Security Events
index = nix_security
#Therefore when you execute a search, do the below to access both sets of data
index = *_security
... View more
10-19-2016
08:18 AM
Can you provide some sample data and the data you want extracted?
Be sure to use the code sample format when you post
... View more
10-19-2016
07:47 AM
Delly,
Adding the app to the indexers will then allow you to configure the data inputs. From there, you will choose which index the data goes to. I've included some screenshots of what you should see on your indexers after the add-on is added.
... View more
10-18-2016
02:27 PM
The queries to SC should be done via REST, either HTTP(TCP:80) or HTTPS(TCP:443)
Indexes will be needed to be created. You can expedite this process by installing the add-on to your Indexers or creating a Search Head bundle and deploying it as such to your Indexers.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Updatepeerconfigurations
... View more
10-18-2016
02:20 PM
1 Karma
Technically you have capturing groups as well, but I also used non-capturing groups so that Splunk doesn't interpret any other data (not that it should).
Glad it worked for you!
... View more
10-18-2016
02:11 PM
How about using a quantifier? This will restrict it to the first match
rex field=statement "(?[^\s]{1})"
Your use of the "+" (plus sign) indicates to 'regex', one or more matches
... View more
10-18-2016
01:03 PM
Jack,
Sorry for the misunderstanding.
When you say remote Azure server, you mean the instance in which you have deployed the Azure Add-On?
If you are talking about the Add-On, then the files I mentioned above are configuration files you would find on the Splunk Universal Forwarder
... View more
10-18-2016
12:50 PM
::$SPLUNKHOME/etc/system/local/inputs.conf
[default]
host = <hostname>
::$SPLUNKHOME/etc/system/local/server.conf
[general]
serverName = <hostname>
pass4SymmKey = $1$foobar
Check the above files and make sure they have the hostname you would like. If you are running on a NIX platform, also check the /etc/hostname file.
... View more
10-18-2016
12:41 PM
You're welcome!
... View more
10-18-2016
12:30 PM
The above is assuming you do not want to keep the surrounding " 's
... View more
10-18-2016
12:27 PM
2 Karma
arkadyz1,
Try this reg-ex:
(?:CommonPrefix\.1\.name=\")(\w*)(?:\")(?:.*)(?:CommonPrefix\.1\.status=\")(\w*)(?:\")
... View more
10-18-2016
12:12 PM
2 Karma
prakashbhanu407,
index=foo_bar | eval WeekOfYear= strftime(_time, "%V")
The above will format the time to the 'WeekOfYear'. From there, you can perform a modulus against the week like below.
index=foo_bar | eval WeekOfYear = strftime(_time, "%V") | eval ret_val = WeekOfYear % 2
Therefore, if ret_val == 0, it's EVEN. ret_val == 1, it's ODD.
... View more
10-17-2016
10:53 AM
Glad to hear that! I'm glad I could help!
Have a good day.
Adam
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
