Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About lmyrefelt
lmyrefelt
Builder
Member since:
09-06-2011
06-05-2020
Community Statistics
| Posts | 191 |
| Solutions | 13 |
| Karma Given | 41 |
| Karma Received | 55 |
| Member Since | 09-06-2011 |
Activity Feed
- Got Karma for Re: How to disable scheduled searches via command line interface?. 06-13-2025 08:00 PM
- Got Karma for Re: Adding a navigation menu. 12-13-2021 09:53 AM
- Karma How is the removal of IT data block signing, Audit signing, and Event hashing features in Splunk 6.2 going to affect the Splunk for PCI Compliance App? for gfuente. 06-05-2020 12:47 AM
- Karma Error in 'databasePartitionPolicy': Max Raw Size Limit Exceeded for jjozwik702. 06-05-2020 12:47 AM
- Karma TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd for joshuamcqueen. 06-05-2020 12:47 AM
- Karma Re: How do I disable Transparent Huge Pages (THP) and confirm that it is disabled? for jwelch_splunk. 06-05-2020 12:47 AM
- Karma Are Key/Value Store data counted as Splunk license? for sunrise. 06-05-2020 12:47 AM
- Karma Re: Are Key/Value Store data counted as Splunk license ? for mgroves_splunk. 06-05-2020 12:47 AM
- Karma Re: Universal Forwarder not able to read all logs for frmaasdam. 06-05-2020 12:47 AM
- Karma Re: Is it possible to control where to write replicated data (hot/warm/cold) in cluster (single/multi) for Splunk 6.x? for luhadia_aditya. 06-05-2020 12:47 AM
- Karma Re: Has anybody been successful with configuring the Splunk Support for Active Directory app on Splunk 6.1.1? for m4him7. 06-05-2020 12:47 AM
- Karma Re: Hiding navigation bar - invisible in dashboards, briefly visible while switching between them for arkadyz1. 06-05-2020 12:47 AM
- Karma Re: Restricting index access from apps for kml_uvce. 06-05-2020 12:47 AM
- Got Karma for Re: How to apply a custom TIME_FORMAT specific to source with a wildcard in Props.conf?. 06-05-2020 12:47 AM
- Got Karma for Re: How to find when splunk is not indexing?. 06-05-2020 12:47 AM
- Got Karma for Re: How to stop the eventgen and how to get the number of events generated by eventgen?. 06-05-2020 12:47 AM
- Got Karma for Re: Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?. 06-05-2020 12:47 AM
- Got Karma for Re: Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?. 06-05-2020 12:47 AM
- Got Karma for Re: Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?. 06-05-2020 12:47 AM
- Got Karma for Re: Monitoring Indexers from Search head. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
06-17-2014
03:58 AM
1 Karma
In Splunk 5 using advanced xml, you get what you want using the / editing the following module
<module name="EventsViewer" layoutPanel="resultsAreaLeft"> <param name="segmentation">full</param> <param name="reportFieldLink">report_builder_format_report</param> <!-- Override display # of lines to 1000 --> <param name="maxLines">0</param> <param name="maxLinesConstraint">1000</param>
You seem to have the same possibilites in splunk 6;
http://docs.splunk.com/Documentation/Splunk/6.1/AdvancedDev/ModuleReference
Hope it helps! 🙂
... View more
1.No
2. No, not really
3. No
I found dshpritz answer here helpfull;
http://answers.splunk.com/answers/49525/splunkdlog-error-message
Running; find /path/to/splunk/apps -iname *.meta -exec grep -il "nobody" {} ; gives me all objects owned by nobody and thus i can easily change it to an more appropriate context / user .
Hope it helps 🙂
... View more
06-17-2014
02:41 AM
No
No, not really
No
I found dshpritz answer here helpfull;
http://answers.splunk.com/answers/49525/splunkdlog-error-message
Running; find /path/to/splunk/apps -iname *.meta -exec grep -il "nobody" {} \; gives me all objects owned by nobody and thus i can easily change it to an more appropriate context / user .
Hope it helps 🙂
... View more
06-12-2014
05:33 AM
sorry ... Your problem is that you dont want splunk to do extractions on the whole multiline event ? Your regex seems to hit and extract all the fields ? So for each event you get multiple values for one field ? And this is not what you want ?
If this is not what you want, perhaps you should add more captures groups to your regex and name the fields with field_1/field_2 etc etc ?
... View more
06-12-2014
04:40 AM
I dont think m = multiline is enough you need a g as in global as well to for the regex to hit and extract multiple fields from this event if it is to span over multiple lines / events
... View more
05-05-2014
03:17 PM
They are not in the internal indexes ( or so i believe 😉 ) , but rather they are in the $SPLUNK_HOME/var/run/splunk/dispatch/your_search_with_"cryptic"_name_dir/ in one of the logs, or csv there ( search.log ? )
You should be able to download this from the job-inspector .
... View more
05-05-2014
02:49 PM
Hi, did you check on apps.splunk.com ?
More so on this app here ; http://apps.splunk.com/app/1340/ ?
... View more
05-05-2014
02:45 PM
I am interested in the same thing, i have not yet started on it, but i think a good start could be hidden here; http://docs.splunk.com/Documentation/Splunk/6.0.3/AdvancedDev/EventRendering
But that i guess is another discussion / question 🙂
... View more
05-05-2014
02:41 PM
You are right and it seems pretty official ... good thing we will have the option to choose at a later stage ...
http://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command
... View more
05-05-2014
02:28 PM
This is somewhat supposed to be back in 6.0.2 but now in the UI. If you go into your app in forwarder-management and choose edit, but do nothing and choose save, it will do a reload.
... View more
05-05-2014
01:52 PM
Take a look at the following answer and see if it is not applicable for you as well ?
http://answers.splunk.com/answers/131703/indexing-epoch-times-in-db-connect
... View more
05-05-2014
01:43 PM
1 Karma
In addition to MarioM:s answer you should be able to get "forwarder Management" to be activated as well after the first Splunk forwarder "calls home" .
... View more
05-05-2014
01:40 PM
Did you add the --Y and --m into the event example as an clarification ?
otherwise you could try;
TIME_PREFIX = \d{numberOfDigits}\s++
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y%m%d
TIME_FORMAT = --Y%Y--m%m--d%d
... View more
05-05-2014
01:32 PM
as backup, the data should be generated when you first run /using the data models in the pivot if i don't remember wrong, so there should not be any point in making backups of them. If you create your own data models for your data, you should take a backup of the data model configuration.
... View more
05-05-2014
01:29 PM
indexes.conf - tstatsHomePath for datamodels
indexes.conf - tsidxStatsHomePath for accelerations
indexes.conf - summaryHomePath for summary data
... View more
05-05-2014
01:25 PM
The summary directory you see are for summary databases , this one seems to be generated by the deployment monitor app.
Your tsdix files should go in the data model_summary dir if you do not tell them otherwise (in / via indexes.conf , look for tsidx_homepath or similar)
By default summary data should go to $SPLUNK_HOME/var/lib/splunk/database/summary
... View more
04-28-2014
05:51 AM
you will, but you will not be able to utilize any distributed map(reduce) function on geoip / geostats part,that will be on the search head
... View more
04-15-2014
02:08 AM
I am generating the lookup table basicly as per Your "example" .. and i dont think that really matters ... what i want to know if any combination (where they are 2 or more, like A+b, B+C, C+A, D+F , etc etc OR users C+A+H ) of these users have recieved the same email.
... View more
04-14-2014
07:24 AM
update with small log example
... View more
04-14-2014
07:03 AM
I have already as per somesoni2:s suggestion a search that generates a lookup file that i in turn can use to check "todays" results.
However i belive i need to do a field join on all the possible combinations of recipients and check that agains a similar field join with "todays" multiple reciepients. Some kind of for loop over the recipients ?
... View more
04-14-2014
07:00 AM
we dont have a sourcetype for "spam / evil emails" but we have other kind of indicators , except from the fact that it is multiple target emails for / to a set of users
... View more
04-14-2014
06:51 AM
HI and thanks for such a quick answer, from the top of my head i dont think it i will give what i am looking for.
I am not really intressted to know if the same users has recieved "yet another spam / evil mail" but rather that if any combination of the same users / recipient that "yesterday" recieved "evil email" also today, together recieved another "evil email" .
... View more
04-14-2014
06:13 AM
Hi,
Lets say that I have 10 users that are getting the same "spam" email sent to them. I would now like to be able to save these 10 email address and do a search over the last hour / 4 hours / 24 hours / whatever and see if any kombination of those same 10 users (or so) have recieved the same kind of message even in the future.
Lets say my users are named
A,B,C,D,E,F,G,H,I,J
and they all recieved the same kind of "spam" email yesterday.
I would now like to know if either of them, in combination recieved the "same email" again / together.
IE. did user A and B recieved the same email from "unkown source" OR did for exemple user E and G recieve the same email today ?
If so i would like to have an alert.
I was thinking to use some kind of lookup table for this ? However it is not really clear to me how i can go about to check if any combination of my users (in the lookup) received the same email ( as recipients together ) .
Is the question clear enough ?
Thanks!
I have already as per somesoni2:s suggestion a search that generates a lookup file that i in turn can use to check "todays" results.
However i belive i need to do a field join on all the possible combinations of recipients and check that agains a similar field join with "todays" multiple reciepients. Some kind of for loop over the recipients ? I am pretty sure i need to group together the possible combination of recipients and do a search for any of these kombinations ?
small log example;
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 From: evil@badmuthefcker.com
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 RID 0 To: A@mail.com
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 RID 1 To: B@mail.com
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 RID 2 To: C@mail.com
<22>Apr 14 16:16:10 Maillogs_syslog: Info: MID 92013738 Subject '=?utf-7?B?U09TUEVDSEE6IEFDVFVBTElaQUNJK0FOTS1OIERFIENVRU5UQQ==?='
... View more
03-18-2014
07:17 AM
It is my impression that FSchange was not working too good and stable on Windows, and that could be the reason for its deprecation.
However i agree With you and it will be intressting to see how they choose to solve this for the ESS and PCI apps.
... View more
02-14-2014
04:39 AM
you could try the New setting in web.conf;
splunkdConnectionTimeout =
* Number of seconds to wait before timing out when communicating with splunkd
* Must be at least 30
* Values smaller than 30 will be ignored, resulting in the use of the default value
* Defaults to 30
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
