About MuS

MuS · ‎01-25-2016

Hi matthewjohnson, you can use something like this in your inputs.conf : [monitor://D:\syslog\...\*.syslog] which will recurses through the directories in side of syslog . Hope this helps ... cheers, MuS

MuS · ‎01-25-2016

On the UF you did set a sourcetype for the log in inputs.conf - did you? Use this sourcetype in your props.conf on the indexer and reference a stanza from transforms.conf , as well on the indexer. Restart Splunk after the changes to the conf files and any new data flowing in should be filtered and routed. If not provide all conf files please. Hope this helps ... cheers, MuS

MuS · ‎01-25-2016

Hi chaseto, could you please explain a bit more what is not clear to you? Because the docs you linked include examples and detailed steps how to configure parsing, filtering ( http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad#Filter_and_route_event_data_to_target_groups ) and routing ( http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad#Configure_routing )

MuS · ‎01-21-2016

Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs

MuS · ‎01-21-2016

updated the answer ...

MuS · ‎01-21-2016

hmm, maybe I did misunderstood your question.... do you have a tag::uncool or only a tag for tag::cool ?

MuS · ‎01-21-2016

Hi Phil219, you can do something like this: tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total to get a count of cool things, uncool things and a total count of both events. Update Just in case there is no tag::uncool you can use this search: tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total Hope this helps ... cheers, MuS

MuS · ‎01-21-2016

Thanks for this feedback! I'm currently not able to test it, but I will do it at some later stage.

MuS · ‎01-20-2016

Hi okakizaki [Splunk], take a look at the docs of times.conf http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Timesconf and get details how to set a custom timerange. you could use something like this -y@y+3mon@mon as earliest (will be last year 1st of April) and -y@y+6mon@mon as latest - adopt as needed. Hope this helps ... cheers, MuS

MuS · ‎01-20-2016

This is the port Splunk will open for your input and it's just an example, instead of foo I used 800 .

MuS · ‎01-20-2016

Hi michael_lee, this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you. If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800: /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800 Your Sysadmin can do this for you. Hope this helps ... cheers, MuS

MuS · ‎01-20-2016

Hi michael_lee, take a look at the DB connect App https://splunkbase.splunk.com/app/2686/ which enables Splunk to connect to various DB's and poll all kind of information from the DB. Hope this helps ... cheers, MuS

MuS · ‎01-20-2016

Okay, since you want to get data from Splunk into Qlikview you should start on their side and ask there https://community.qlik.com/search.jspa?q=splunk or take a look at this answer https://answers.splunk.com/answers/89583/extracting-data-from-splunk-for-reporting-in-an-external-system.html

MuS · ‎01-20-2016

Hi _dave_b, those are the Splunk internal icons and you can find a complete list of them here http[s]://YourSplunkServer:[Yourport]/en-GB/static/docs/style/style-guide.html#icons . If you want to use your own icon, add it into $SPLUNK_HOME/etc/apps/YourApp/appserver/static and you can call it like this http[s]://YourSplunkServer:[Yourport]/en-GB/static/app/YourApp/youricon.png form the js or any other HTML code. Don't forget to either restart Splunkweb or use the _bump command after the changes http://docs.splunk.com/Documentation/Splunk/6.3.2/AdvancedDev/CustomizationOptions#Clear_client_and_server_assets_caches_after_customization Hope this helps ... cheers, MuS

MuS · ‎01-20-2016

Hi mbowman6241, run this search every 15min as planed, but have the results written to a lookup file by using the outputlookup command in the search http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Outputlookup Create a second search or Alert which facilitates the lookup using inputlookup http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Inputlookup to get the last status and compare it with the current, if they differ create an alert. Hope this makes sense ... cheers, MuS

MuS · ‎01-20-2016

Those are the default .cfg files, you have to check if either the btool log channel is set to debug or if for what ever reason Splunk is started in debug mode - see the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Enabledebuglogging

MuS · ‎01-19-2016

Nice answer @rich7177, but isn't this question the other way around - Getting data from Splunk into the Qlikview thingy? I'm still not sure even after reading the question multiple times now 😉

MuS · ‎01-19-2016

understood and agreed 😉

MuS · ‎01-19-2016

Why not create a modular input http://docs.splunk.com/Documentation/Splunk/6.3.2/AdvancedDev/ModInputsScripts from this script? This way it will be controlled and managed from within Splunk, also it can log any errors or additional infos into splunkd.log or its own log. Yes, modular inputs do work on UF as long as you have a Python available from the OS and don't need any fancy/strange libraries for it to run. Running the rest_ta for example on an UF 😉

MuS · ‎01-19-2016

It's maybe worth reading this docs http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/HowSplunkextractstimestamps and also check the users time zone setting in the UI settings » Access controls » Users

MuS · ‎01-19-2016

Much simpler 😉 try this search in your Splunk App: | rest /services/saved/searches | search qualifiedSearch=*lookup* | table title This will list all saved searches which contain lookup . Run this command to get back all dashboards containing lookup : | rest /servicesNS/-/-/data/ui/views | search eai:data=*lookup* | table title Hope this helps ...

MuS · ‎01-19-2016

Hi pepper_seattle, This is hard to tell, because what if your lookup is setup as automatic lookup on a sourcetype? Then you would have to check all searches and see if they use the lookup by searching for events for this sourcetype. For example, of these searches which one makes use of a user-to-location lookup on sourcetype=bar? sourcetype=b* | table * sourcetype=foo | stats count by location index=baz | stats count by location Search 1 may return events matching the stanza, but there's no indication that it returns the location field Search 2 obviously uses the location field but can't return events matching the sourcetype Search 3 may or may not even have matching events in that index One other thing would be if all search uses inputlookup or lookup which will be much easier to tell by looking at the searches. Hope this helps ... cheers, MuS

MuS · ‎01-19-2016

And following this link http://blogs.splunk.com/?s=phishing you can find even more examples

MuS · ‎01-19-2016

Hi pandeyashish, here http://blogs.splunk.com/2015/07/01/phishing-what-does-it-look-like-in-machine-data/ you can find a good example on How can I use Splunk to determine Phishing emails Hope this helps ... cheers, MuS

MuS · ‎01-19-2016

You can identify Splunk employees by the [Splunk] after their username - therefore @somesoni2 is no splunkr, but he once was 😉

Posts	4458
Solutions	814
Karma Given	2144
Karma Received	3944
Member Since	‎05-02-2011

Online Status	Offline
Date Last Visited	a week ago

Report Capture app for Splunk: Exception capturing...

How to use eval if there is no result from the bas...

How to compare fields over multiple sourcetypes wi...

Splunkbase Apps update bug?

docs.splunk.com wrong link to answers

splunkbase feature request

splunkbase colored background

Captain Picard's Star fleet messages

the pony command

max throughputs of forwarders

Re: Matching Windows path in props.conf

Re: Can someone explain splunk overview for data f...

Re: Can someone explain splunk overview for data f...

Re: How should I configure a Splunk instance to ru...

Re: How can I count both events that are tagged an...

Re: How can I count both events that are tagged an...

Re: How can I count both events that are tagged an...

Re: License Master - Is there an internal query or...

Re: How to define the starting month of the year a...

Re: How should I configure a Splunk instance to ru...

Re: How should I configure a Splunk instance to ru...

Re: How to monitor a database table that is contin...

Re: How to extract Splunk data from Qlikview?

Re: Simple XML Dashboard Examples: How to add a ne...

Re: How to compare 2 searches and alert on the dif...

Re: Any reason why Btool might be continuously log...

Re: How to extract Splunk data from Qlikview?

Re: Is it possible to have rangemap's range change...

Re: Can we run a scripted input on demand?

Re: How do I edit configurations to correct the ti...

Re: Is there a way to tell if a lookup file is in ...

Re: Is there a way to tell if a lookup file is in ...

Re: How can I use Splunk to determine Phishing ema...

Re: How can I use Splunk to determine Phishing ema...

Re: How to specify source type for virtual indexes...

Join the Conversation