Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About _smp_
_smp_
Builder
Member since:
03-10-2015
Community Statistics
| Posts | 222 |
| Solutions | 3 |
| Karma Given | 94 |
| Karma Received | 31 |
| Member Since | 03-10-2015 |
Activity Feed
- Got Karma for How do you use an eval command to calculate 'latest' for use in a search?. 12-21-2023 01:29 PM
- Posted Re: ScriptRunner - "Couldn't start child process" error when trying to execute a custom alert action script? on All Apps and Add-ons. 09-18-2023 10:30 AM
- Karma Re: Is There a Way to Enforce Visualization in a Drilldown Search? for martin_mueller. 09-15-2023 07:21 AM
- Got Karma for Re: How to create email line break for an alert. 06-26-2023 09:28 AM
- Got Karma for Re: Why is KV Store initialization failing on one of our add-on to receive logs?. 03-03-2023 09:24 AM
- Posted Re: Overlay multiple fields in Dashboard Studio Column Chart on Dashboards & Visualizations. 02-15-2023 11:02 AM
- Posted How can I overlay multiple fields in Dashboard Studio Column Chart? on Dashboards & Visualizations. 02-15-2023 09:49 AM
- Karma Re: "constant login time" for scelikok. 01-11-2023 09:41 AM
- Karma What is "constant login time" setting and what is it for? for templets. 01-11-2023 09:40 AM
- Karma Re: Why is KV Store initialization failing on one of our add-on to receive logs? for khusain_splunk. 09-01-2022 07:35 AM
- Posted Has anyone developed 'Proofpoint TAP Modular Input' sourcetype eventtypes/tags? on All Apps and Add-ons. 06-21-2022 07:29 AM
- Posted Re: Splunk DB Connect - pad block corrupted on Other Usage. 01-13-2022 05:59 AM
- Karma Re: How to add two query results in xml dashboard? for kamlesh_vaghela. 01-03-2022 12:05 PM
- Posted Re: TypeError: mvc.createService is not a function on All Apps and Add-ons. 09-08-2021 06:27 AM
- Karma Re: scripted input python variables for gkanapathy. 05-21-2021 09:30 AM
- Posted Windows UF ignores CSV header until restart on Getting Data In. 05-11-2021 08:59 AM
- Karma Re: Cisco eStreamer eNcore 4.0.9 Add-on for Splunk 8.1.0.1 for gurlest. 04-30-2021 08:44 AM
- Karma Re: Cisco eStreamer eNcore 4.0.9 Add-on for Splunk 8.1.0.1 for gurlest. 04-30-2021 08:44 AM
- Karma Re: Cisco eStreamer eNcore 4.0.9 Add-on for Splunk 8.1.0.1 for gurlest. 04-30-2021 08:44 AM
- Posted Re: Find the Distance Between Two or More Geolocation Coordinates on Reporting. 04-27-2021 11:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 |
06-14-2016
12:53 PM
Thank you for the response. That seems to calculate the values correctly, but is there a way to display the results in the format I noted?
... View more
06-14-2016
06:18 AM
As I continue to scan Answers, I came across this which is pretty much what I'm after:
index=main | stats count by host severity
Pretty simple. However, is there a way to group them by host, instead of separate lines for each unique combination of values?
... View more
06-14-2016
05:57 AM
Thanks for the reply. This is close, but not quite. There are two problems with this output:
1) There is a "NULL" value for every group of severities, and the count is 0.
2) Aside from the Count of Null values (0), there is only one other Count, instead of counting each Severity.
The output looks like this:
XXX.XX.XXX.XXX NULL 0
critical 901
high
informational
low
medium
... View more
06-13-2016
08:22 PM
I know this is probably very trivial to most, but I am a pretty new user. I am struggling quite a bit with a simple task: to group events by host, then severity, and include the count of each severity. I have gotten the closest with this:
| stats values(severity) as Severity, count(severity) by severity, host
This comes close, but there are two things I need to change:
1) The output includes an duplicate column of the severities
2) The output contains the host in each row of output.
Is it possible to group by host, then severity, and include a count for each severity? Like this?
serverA Low 20
Medium 15
High 11
serverB Medium 6
High 15
... View more
06-03-2016
05:50 AM
Me too, comment above.
... View more
06-03-2016
05:47 AM
1 Karma
I have the same experience with Splunk 6.3.3 and Cisco Enterprise Security 3.1.1. Logging in with non-admin user works fine. When I try with a user in an admin role, I am prompted to the app setup page. When I click the button, there is a delay of ~30s and then I get these errors (I intentionally obfuscated the username in the path):
Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/username/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)
There was an error retrieving the configuration, can not process this page.
... View more
06-03-2016
05:44 AM
I wanted to chime in that disabling the eventtype also fixed my warnings. As a new Splunk user, I wasn't aware that you could disable eventtypes. Thanks for posting.
... View more
05-31-2016
06:20 AM
Thanks for your reply, but I'm not sure I understand what you are suggesting I do. The event comes in with a sourcetype of syslog, which is what I thought the requirement was. Can you advise on what additional config I need to do?
... View more
05-27-2016
01:16 PM
Hi, thanks very much for this app. Can you confirm if this event from a Nexus 7K be sourcetyped to cisco:ios?
May 27 15:08:26 mydevice.mydomain.com : 2016 May 27 20:18:35.777 UTC: May 27 20:18:35 %KERN-6-SYSTEM_MSG: [36173794.518668] sd 1:0:0:0: [sdc] ASC=0x0 ASCQ=0x0 - kernel
... View more
05-05-2016
06:35 AM
Hi,
Relative newbie here. I have a host that is splitting large messages into multiple syslog messages. The beginning of the message contains two timestamps, but the trailing messages only contain one. The messages arrive like this:
May 5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]
May 5 08:12:16 myhost.company.com [part2]
May 5 08:12:16 myhost.company.com [part3]
Miraculously, I somehow managed to get the messages combined into a single by editing the props.conf:
NO_BINARY_CHECK = true
MAX_EVENTS=50000
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s+\d+:\d+:\d+\s+\w+\.\w+\.\w+\.\w+\s\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+
And this seems to work fine, but what I noticed is that the timestamps from the two trailing messages are also included in the combined event, kind of like this:
May 5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]May 5 08:12:16 myhost.company.com [part2]May 5 08:12:16 myhost.company.com [part3]
Is there a way to break the events based on the second timestamp in the first message, but strip out the timestamps from the following two messages?
... View more
04-21-2016
03:26 PM
Ah, great point. I'm sorry I didn't include that obvious detail. I want to use the timestamp at the beginning of the message. I'll fix my original post.
... View more
04-21-2016
02:45 PM
Thanks for the response, but the second timestamp begins at byte #56. Shouldn't Splunk ignore it?
... View more
04-21-2016
07:38 AM
1 Karma
I'm getting "DateParserVerbose - Failed to parse timestamp" from a syslog source. I'm a pretty inexperienced Splunk user, but the TIME_FORMAT value is %b %d %H:%M:%S , which looks right to me??? I want to parse the timestamp at the beginning of the message.
Here's a sample message:
Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: #NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)
Here's the warning:
04-21-2016 15:38:31.587 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 21 15:38:31 2016). Context: source::udp:3514|host::10.144.15.220|syslog|
And here's the sourcetype definition:
[syslog]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG =
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
TRANSFORMS = syslog-host
TRUNCATE = 10000
category = Operating System
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF
detect_trailing_nulls = false
disabled = false
maxDist = 3
priority =
pulldown_type = true
sourcetype =
... View more
04-13-2016
11:12 AM
Thank you for your clarification.
... View more
04-12-2016
10:54 AM
The admin role was the problem. On my SH that was working, the admin role was restricted to internal and non-internal indexes. The SH which was broke, there were no selected indexes. After I added both internal and non-internal indexes to the admin role, I get the search results I was expecting.
Thank you.
This dialog box is confusing to me though. What is the default for the admin role - internal/non-internal, or nothing? The description for the dialog box explicitly states "Restrict", so my assumption is that if no indexes are selected, then there no restrictions. Am I wrong about this?
... View more
04-12-2016
09:58 AM
As a pretty new user, I recently installed the Universal Forwarder on a Linux server, created a file input, and forwarded to an indexer. This was working fine. Then as a result of a support case, I had to change the role from a UF to a Search Head in Distributed Search. After doing this and configuring the SH to forward its logs to the indexer, I am unable to return any results with a simple index=_internal search. Yet I can get results from all the non-internal indexes just fine. I have another SH (non-clustered) that works, and I have closely compared the Roles, but found no differences.
After searching the forum, I found a number of references to outputs.conf - here's mine:
[indexAndForward]
index = false
[tcpout]
defaultGroup = indexer
forwardedindex.filter.disable = true
indexAndForward = false
Not sure what else to look for?
... View more
04-11-2016
05:55 AM
Yep, you were right. Sorry for the newbie question, I'm still getting familiar with the product.
Only four panels?
... View more
04-06-2016
03:11 PM
Whoa, sorry about the long title there.
Thanks for the response. You were right, I enabled visibility...but that was because I can't figure how to view the data. The doc claims to create include "prebuilt dashboard panels", but I'm not seeing any. What am I supposed to do after installing the add-on?
... View more
04-06-2016
01:24 PM
I recently installed the Splunk Add-on for InfoBlox as a fairly new Splunk user, and there seems to be a conflict between that and the Cisco ISE add-on. When I click on the Infoblox app in the search interface, I see all the ISE menus and search data. The data appears to be indexed correctly, as the search sourcetype=infoblox* pulls back events. Here's a screenshot of how the menu looks - not sure how to troubleshoot this?
... View more
03-18-2016
09:06 AM
1 Karma
This was so easy. I already had distributed search set up, so all I had to do was create the indexes.conf, remove the outputs.conf, and restart.
This makes so much more sense given our global network architecture. Thanks so much!!!
... View more
03-18-2016
08:55 AM
Thank you very much, it is nice to hear a definitive response. I have read the manual, but I don't think I was at the point in my deployment where it made much sense to me. Now that I'm a little farther down the road, the doc sinks in a little deeper each time I read it.
Thanks again.
... View more
03-18-2016
08:00 AM
Hello. I'm a new Splunk user, and I'm quite uncertain about how to index some distributed data. I have one SH and multiple Indexers located around the globe. Each of these Indexers has a local log file that I want to be able search through with SH. Today I have configured a file input on each Indexer and I Forward this data to one Indexer that has the actual index.
I did it this way because it was intuitive and easy for me to understand - and it works. But I started wondering if this is the "right" or "best" (or only?) way to do this. Instead of Forwarding to a single Indexer, is it possible (preferable?) to create local indexes on each Indexer, index it locally, and configure the SH to spread the query across all the Indexers? If it's possible, what are the factors that go into this decision? I assume the local indexes just need to be the same name?
Thanks.
... View more
03-17-2016
06:07 AM
No problem, I appreciate your willingness to try and help. I realize this thread has gone beyond where it should, so I opened a support case yesterday. I'll post an update when I have one.
... View more
03-16-2016
02:08 PM
Only because that's the string somesoni2 asked me to use. It seemed odd to me, but I'm a newbie. The value of user that I see in the top ten is a set of five asterisks.
... View more
03-16-2016
01:45 PM
Thank you. Yes, that fooled me once but somesoni2 straightened me in one of his earlier replies.
... View more
- « Previous
- Next »
Contact Me
Karma from
Karma given to
