×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
MuS
SplunkTrust
Member since: ‎02-05-2011
Tuesday
Community Statistics
Posts 4458
Solutions 814
Karma Given 2144
Karma Received 3944
Member Since ‎05-02-2011
Activity Feed
Topics I've Started
View All

Re: How to match match IP addresses with a lookup ...

by SplunkTrust in Splunk Search
‎08-04-2016 02:59 PM
1 Karma
‎08-04-2016 02:59 PM
1 Karma
Hi phudinhha, you're lookup for the match_type = CIDR() http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration in transforms.conf . See this example https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html Hope this helps ... cheers, MuS ... View more

Re: Looking at the job inspector, why is startup.h...

by SplunkTrust in Splunk Search
‎08-04-2016 02:22 PM
‎08-04-2016 02:22 PM
Hi cegoes, looking at the docs http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/ViewsearchjobpropertieswiththeJobInspector you can find this about the search.handoff : The time elapsed between the forking of a separate search process and the beginning of useful work of the forked search processes. In other words it is the approximate time it takes to build the search apparatus. This is cumulative across all involved peers. If this takes a long time, it could be indicative of I/O issues with .conf files or the dispatch directory. So, this value is cumulative and this means that if you have a large environment, you will see much higher numbers than with a single-instance splunk. As stated in the docs a high number in the search.handoff can indicate some problem in your environment. Some hints can be find here in this answers https://answers.splunk.com/answers/247024/how-to-troubleshoot-why-startuphandoff-in-the-sear.html Hope this helps ... cheers, MuS ... View more

Re: splunkbase colored background

by SplunkTrust in All Apps and Add-ons
‎08-04-2016 01:26 PM
‎08-04-2016 01:26 PM
@Kukkadapu, there is no special app for that it is based on Markdown as mentioned in the link of gkanapathy ... View more

Re: How do I use results from a search in my custo...

by SplunkTrust in Splunk Search
‎08-04-2016 01:25 PM
‎08-04-2016 01:25 PM
Take a look at the docs, as usual everything you need is in there 😉 This http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Customsearchcommandshape will show an excellent example of a custom command which will use the previous search results, do stuff with it and return something to Splunk. cheers, MuS ... View more

Re: Should I use a heavy forwarder or indexer for ...

by SplunkTrust in Getting Data In
‎08-03-2016 07:08 PM
‎08-03-2016 07:08 PM
Firewall logs are the primary reason for possibly using a heavy forwarder. If those logs are coming in over syslog I suggest to read this excellent post http://www.georgestarcher.com/splunk-success-with-syslog/ cheers, MuS ... View more

Re: How do I use results from a search in my custo...

by SplunkTrust in Splunk Search
‎08-03-2016 01:49 PM
1 Karma
‎08-03-2016 01:49 PM
1 Karma
Hi sjoerdcopier, the important thing is to import the splunk.Intersplunk module in your script: import splunk.Intersplunk and read the results from the search into your script: myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() # getting search results form Splunk for r in myresults: # loop the results This way your script can pick up fields from the previous search results and it should work as expected if your search results contain a field called url (just rename uri to url ) or change your script to use uri instead of url . The link posted by @somesoni2 provides useful information as well. Hope this helps ... cheers, MuS ... View more

Re: How to change syslog host to a specific source...

by SplunkTrust in Getting Data In
‎08-02-2016 09:01 PM
‎08-02-2016 09:01 PM
I second the above approach, but if this is not possible for you to do; here is an example how to re-write the sourcetype based on the hostname https://answers.splunk.com/answers/369375/how-do-i-set-different-source-types-on-one-data-in-1.html this example uses a TCP input but applies to syslog over UDP as well 😉 cheers, MuS ... View more

Re: How do you show events on a timeline?

by SplunkTrust in Splunk Search
‎08-02-2016 07:59 PM
‎08-02-2016 07:59 PM
little update ping with a new idea ... View more

Re: How do you show events on a timeline?

by SplunkTrust in Splunk Search
‎08-02-2016 06:40 PM
1 Karma
‎08-02-2016 06:40 PM
1 Karma
Hi chustar, you can combine both searches and simply use: your base search here | timechart count(sign_ins) AS sign_ins first(promo_email) AS promo_email by date_hour But be aware that you should not use the date_* fields; see this answer to learn more on that https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html Hope this helps ... cheers, MuS Update: The problem is that you want to show numbers and strings on a timechart, therefore this is tricky. But there is an eval trick where you can use values and make them field names 😉 Take a look at this run everywhere command which will count kbps and use the first source of each hour as the filed name: index=_internal source=* | bin _time span=1h | streamstats first(source) AS first_source_by_hour by _time | fields first_source_by_hour kbps | eval {first_source_by_hour}=kbps | timechart span=1h sum(*) AS * | fields - kbps The result in a bar chart will look like this: So, you could use your email promo instead of source and show it this way. ... View more

Re: Regex help!

by SplunkTrust in Splunk Search
‎08-02-2016 02:34 PM
1 Karma
‎08-02-2016 02:34 PM
1 Karma
Hi kranthi851, try this regex: your base search here | rex max_match=0 "cn=(?<myNewField>[^,]+)" | do more here .... The new field will be called myNewField just change it to what fits your use case. Hope this helps ... cheers, MuS ... View more

Re: How to highlight the lowest value in a statist...

by SplunkTrust in Splunk Search
‎08-02-2016 02:08 PM
‎08-02-2016 02:08 PM
Hi dbcase, install the dashboard example app https://splunkbase.splunk.com/app/1603/ and have a look at the Table Element with Data Overlay examples found here: http://yoursplunkserver:8000/en-US/app/simple_xml_examples/simple_table_data_overlay?earliest=0&latest= Hope this helps ... cheers, MuS ... View more

Re: Why am I missing fields in search results runn...

by SplunkTrust in All Apps and Add-ons
‎08-01-2016 08:43 PM
2 Karma
‎08-01-2016 08:43 PM
2 Karma
Hi ccsfdave, I'm using the sentiment app on Splunk 6.4.2 and it works. I index twitter feeds and use base search here | sentiment twitter text | more Splunk-Fu here to get the sentiment analysis done on the event field text using the twitter dataset. The result will have a new field called sentiment , but it looks like you got confused by the commands the app includes and the returned fields. The App will include these commands: This app includes: two trained datasets (twitter and imdv) three search commands: sentiment to predict user sentiment language to predict what language an event is written in tokens to make it easier to tokenize terms and phrases for analyzing text heat to measure how emotionally charged a text is Hope this helps ... cheers, MuS ... View more

Re: How to get a deleted dashboard to stop sending...

by SplunkTrust in Dashboards & Visualizations
‎08-01-2016 01:48 PM
3 Karma
‎08-01-2016 01:48 PM
3 Karma
Hi stoelpin, this sounds like some report rather than a dashboard. To find this saved search you can run this rest search on your search head (if you have only one SH) or on your SH's (if you have multiple) or on your SHC captain (if you have a SHC): | rest /servicesNS/-/-/saved/searches/ | where is_scheduled=1 AND 'action.email'=1 | table eai:acl.app title This will return all saved searches that are scheduled and are setup to send an email. If you still cannot find the saved search, check the scheduler log for the name or SID and also check the splunk logs to find the sender of this email. Hope this helps ... ... View more

Re: How to merge two field values into one?

by SplunkTrust in Splunk Search
‎08-01-2016 01:32 PM
1 Karma
‎08-01-2016 01:32 PM
1 Karma
Hi jenniferleenyc, take this run everywhere search : | gentimes start=-1 | eval foo1="Oct 7 12:58:21 2016", foo2="08/01/16" | eval boo1=strptime(foo1, "%b %e %H:%M:%S %Y"), boo2=strptime(foo2, "%m/%d/%y") | table foo1 foo2 boo1 boo2 This will create some dummy fields and using strptime you will parse the values of foo1 and foo2 into epoch values which later can be compared. See the docs on strptime http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Date_and_Time_functions This function takes a time represented by a string, X, and parses it into a timestamp using the format specified by Y. For more information on the time format option see http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Commontimeformatvariables Hope this helps ... cheers, MuS ... View more

Re: Splunk as a syslog server

by SplunkTrust in Getting Data In
‎08-01-2016 01:23 PM
‎08-01-2016 01:23 PM
updated 😉 ... View more

Re: How to use custom tiles in Splunk maps offline...

by SplunkTrust in Dashboards & Visualizations
‎07-08-2016 04:39 PM
‎07-08-2016 04:39 PM
@RBosch, Splunk supports map zoom level between 0-9 not 10-19 see docs http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Geostats I have in my custom map directory 349526 png files and can access them by calling this URL http[s]://yoursplunkservername:yourport/en-GB/static/app/appname/mapdirectory/9/1/1.png Please verify this, also check the Splunk web logs for any hint. cheers, MuS ... View more

Re: Null Question

by SplunkTrust in Splunk Search
‎07-07-2016 01:13 PM
‎07-07-2016 01:13 PM
something very similar will probably not work, because everyone will used the provided sample and if you use it on your real data....well, don't expect it to work. Only real events will provide real solutions. ... View more

Re: Should a summary index be created on both Sear...

by SplunkTrust in Getting Data In
‎07-06-2016 05:40 PM
‎07-06-2016 05:40 PM
Please accept this answer if it solved your problem - thanks 🙂 ... View more

Re: Should a summary index be created on both Sear...

by SplunkTrust in Getting Data In
‎07-06-2016 03:32 PM
‎07-06-2016 03:32 PM
No, summary index events do not count against the license usage - from the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configuresummaryindexes : Summary indexing volume is not counted against your license, even if you have several summary indexes. In the event of a license violation, summary indexing will halt like any other non-internal search behavior. ... View more

Re: Should a summary index be created on both Sear...

by SplunkTrust in Getting Data In
‎07-06-2016 02:43 PM
‎07-06-2016 02:43 PM
As I said, it will not create anything on the search head in the summary index - all events are forwarded to the indexers. ... View more

Re: Should a summary index be created on both Sear...

by SplunkTrust in Getting Data In
‎07-06-2016 02:37 PM
‎07-06-2016 02:37 PM
You will get the internal and summary from the moment you enable the forwarding on the search heads. What are your concerns? It will not effect your license usage, since internal logs and summary event do not count against your license usage. ... View more

Re: Should a summary index be created on both Sear...

by SplunkTrust in Getting Data In
‎07-06-2016 02:24 PM
‎07-06-2016 02:24 PM
If you only want to forward events for the summary index, you need to apply some route and filtering http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad but why would you do that? Forward everything, specially the _internal events you will need them in case of troubleshooting 😉 ... View more

Re: DNS Resolution: How to convert a hostname ente...

by SplunkTrust in Dashboards & Visualizations
‎07-06-2016 02:13 PM
1 Karma
‎07-06-2016 02:13 PM
1 Karma
Hi peters1901, this is not really a DNS resolution, but it will show you how it can be done using a lookup table containing host name and ip's: ip,host 192.168.56.10,master 192.168.56.11,node1 192.168.56.12,node2 192.168.56.13,node3 Using this dash board you will be able to search in index=_internal for an IP based on the select host name in the drop down: <form> <label>Host name to ip search</label> <fieldset submitButton="true"> <input type="dropdown" token="host" searchWhenChanged="true"> <label>Host</label> <search> <query>index=_internal host=* | dedup host | table host</query> </search> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> </input> </fieldset> <row> <panel> <chart> <search> <query>index=_internal [ search index=_* host=$host$ | lookup ip2hosts host | dedup host | rename ip AS clientip | return clientip ] | timechart span=1d count by clientip</query> <earliest>0</earliest> <latest></latest> </search> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="count">10</option> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> </chart> </panel> </row> </form> Of course you need to adapt it to your needs and don't nail me on performance, since I never tested this in larger environments 😉 Based on the docs about external lookups http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configureexternallookups#External_lookup_example you can replace the text file based lookup with a script based lookup. Hope this helps to get you started ... cheers, MuS ... View more

Re: Should a summary index be created on both Sear...

by SplunkTrust in Getting Data In
‎07-06-2016 01:38 PM
4 Karma
‎07-06-2016 01:38 PM
4 Karma
Hi jagadeeshm, It might sound strange, but yes you need to add the index to the search head as well. Don't worry about storing data on the search head, because if you setup data forwarding on your search head and tell Splunk just to forward the local event and not to store it you will have no local summary data on the search head. See the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/Forwardsearchheaddata about the best practice to forward logs from search heads to the indexers. The option indexAndForward = false is the one which prevents Splunk from keeping a local copy of your events. Hope this helps ... cheers, MuS ... View more

Re: Trouble ignoring events

by SplunkTrust in Getting Data In
‎07-05-2016 09:00 PM
‎07-05-2016 09:00 PM
or a Heavy weight forwarder - don't forget to restart the Splunk instance after you added the config files. ... View more
Contact Me
Online Status
Offline
Date Last Visited
Tuesday
Karma from
Karma given to