Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tmarlette
tmarlette
Motivator
Member since:
09-12-2011
06-24-2022
Community Statistics
| Posts | 297 |
| Solutions | 36 |
| Karma Given | 33 |
| Karma Received | 48 |
| Member Since | 09-12-2011 |
Activity Feed
- Got Karma for Re: Migrating deployment server - check my work please :). 02-06-2025 07:44 AM
- Got Karma for Re: How to get multiple lookups to work in a single search?. 05-04-2024 09:36 AM
- Posted uptime / downtime pct over 30 days on All Apps and Add-ons. 12-28-2021 09:02 AM
- Posted When alert triggers, add detail to inline table on Splunk Search. 09-29-2021 12:47 PM
- Karma Re: Conditional field alias / rename for mayurr98. 06-05-2020 12:49 AM
- Got Karma for Re: How can I monitor root-owned logs while running Splunk as a non-root user?. 06-05-2020 12:49 AM
- Got Karma for Re: SSO mode permissive but 401 Unauthorized when accessing with an unknown user. 06-05-2020 12:49 AM
- Got Karma for Re: How do I tell if we are using Splunk Web?. 06-05-2020 12:49 AM
- Got Karma for Re: How do I tell if we are using Splunk Web?. 06-05-2020 12:49 AM
- Got Karma for Re: Why is the CPU usage showing 80-100% (falsely)? -- Search help. 06-05-2020 12:49 AM
- Got Karma for Re: What is meant by Splunk integration?. 06-05-2020 12:49 AM
- Got Karma for Re: How does version change/upgrade affect Splunk Apps And Add-on configuration file in distributed Environment. ?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How to filter Windows Event 4663 at indexing time?. 06-05-2020 12:49 AM
- Karma Re: Why am unable to uninstall Splunk universal forwarder? for nmohammed. 06-05-2020 12:48 AM
- Karma Re: How to edit my eval replace / trim statement to format domain information? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Regex - DNS formatting for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to remove "missing" forwarders from the Distributed Management Console? for hexx. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-09-2013
12:42 PM
I'm probably not be explaining it properly.
Basically I just want to plug in an IP address, and look up say something like the the geo-ip information.
Let's say I get a phone call and somebody gives me their IP address. I would like to plug that IP into splunk, and have it return say the city, state and zip. does that make sense?
In this use case, i'm just looking to use this for it's look up feature.
... View more
08-07-2013
08:00 AM
I am attempting to use splunk to look up IP addresses that users punch in to our system. The reason for this is to find out what network they are on in correlation to our security policies. I am currently doing this in a look up table, but I am looking to be able to set the ip address value, and just look up the CIDR match in the lookup table.
I have that transform already written, and the transform is working successfully.
Basically, i am looking to have my users be able to type in "ip_addr= < set by user > | lookup ip__lookup" into a query bar, and have it use the lookup table to do the CIDR match, and turn out the network name as the value.
I know there are very talented people on here, so i'm looking for any suggestions you have!
Thank you!
... View more
06-17-2013
08:32 AM
This should be easy, I honestly just don't remember how I did this in the past. In the "Searches & Reports" menu, there is a way to group saved searches, but I have forgotten how. Could someone please refresh my memory?
I am using Splunk 5.0.1.2
... View more
- Tags:
- savedsearch
- search
06-06-2013
07:40 AM
bucketing is exactly what I was looking for as far as the count for the time span! Thank you!
This gives the most recent offenders/instances, though I am looking for information on only the top ten offenders.
It's almost like I would need to run a search first to find the top ten offenders, then break out each user into a '_time" bucket and show their stats per hour individually? I'm guessing here 😃
... View more
06-06-2013
06:30 AM
Almost! The result set I get now is the ten (limit=10) most recent offenders.
I thought the 'top' command was the way to go, but I can't seem to get the search to roll it's results to the top command and have it output the data.
... View more
06-05-2013
02:49 PM
It looks like I'm getting the latest 20 users, which are not the top offenders I am looking for.
... View more
06-05-2013
02:28 PM
So i'm attempting to count a specific event type, per user, per hour. I only want the tope ten users, and I thought the 'top' command would do it, but I'm hitting a snag. The top command doesn't output any data at all.
I'm looking for this data to output in a table format with the fields time,user,count.
I attempted to use the following search query:
host=< myhost > eventtype=< my event type > | timechart span=1h count by user useother=false
Thank you!!
... View more
05-13-2013
06:13 AM
That's OK... I just used the regex statements to filter out all of the unwanted events in the search itself. It doesn't seem like there is a way to do it in props / transforms.conf
Thank you !
... View more
05-13-2013
06:11 AM
I was using DB Connect 1.0.8, so I just upgraded and followed your instructions here. Worked perfectly. Thank you!
... View more
05-10-2013
07:03 AM
I just installed DB Connect on my system, and it is working fine when I am logged in as an administrator, but when I log in as a regular user Splunk throws an error:
error message that I get:
PARSER: Applying intentions failed Unknown search command 'dbinfo'.
I am assuming that this is a permissions based issue, and I was just looking for what Splunk permission would allow users to use DB Connect?
Thank You!
... View more
- Tags:
- Splunk DB Connect 1
05-01-2013
11:33 AM
I've tried to use your suggestion of
field!=value however it is not taking. I assume my syntax is wrong. this ONLY returns the results that I don't want to see.
This is my search string:
sourcetype=www source=< mysource > hck!=health hck!=Health
... View more
05-01-2013
09:13 AM
In this case i'm looking in web logs. Some of the fields periodically (such as useragent) end up with a null value because of internal machine queries. this throws off some our analytics.
I have to keep the events, simply because they are web events, and the values change. not everything that connects to our web environment has a null value for the useragent field.
I'm looking to see if there is a way that I can simply exclude the 'null' results on the back end, as opposed to doing it in the search query?
... View more
04-30-2013
02:50 PM
is it possible to exclude specific results in a field from the search in the props.conf? I suppose more specifically on the backend?
Currently I am using a series of regex statements to exclude some values such as:
< mysearch > | regex < field1 >!= < value > | regex < field1 >!= < value >
is there a better way to do this?
... View more
- Tags:
- props.conf
- regex
04-26-2013
02:21 PM
Also, there is a parameter for 'auto run' in the pulldown module. If you change this to 'false' it may help you as well. by default I believe it's set to yes.
if you're using the sideview editor just 'edit' all parameters on that module in your specific view. You will see it when you scroll to the bottom.
... View more
04-26-2013
02:15 PM
I have had success in this using scripting languages.
We use perl / bash or if you have windows you can use batch files to copy the UI files mentioned above to a new location.
Also... keep in mind that if you don't share your UI views globally, they may also be in the
/opt/splunk/etc/users/< user name >/ folder
... View more
04-26-2013
02:01 PM
I keep getting a message on top of my search app, that says:
"The running job "rt_1367002880.1350" was canceled or remotely expired"
I assume that this is because there was a realtime search that kept running after I left the page. I was wondering if anyone knew how to stop this, or at least see how many RT searches there are running and how I can stop them?
... View more
04-23-2013
08:17 AM
Then it is quite realistic that I don't know what i'm looking at. I'm more of a network guy, so please forgive me.
... View more
04-22-2013
02:30 PM
So I am extracting fields using the standard field transforms, and many of my uri results and user agents are returning the value: "-"
There is useful data there, so I am attempting to figure out why this is happening if i'm using the standard field extraction / transforms.
Please see examples of config below:
Log String:
2013-04-22 17:05:48 W3SVC195900357 POST - 443 - HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5466) - - 200 0 0 1278 700 10
Results for field URI="-"
PROPS.CONF
[iis]
[REPORT-iis = iis_logging_combined]
TRANSFORMS.CONF:
[iis_logging_combined]
DELIMS = " "
FIELDS = date,time,sitename,computername,ip,method,uri-stem,uri-query,port,username,ip,version,(User-Agent),(Cookie),(Referer),host,status,substatus,win32-status,bytes,bytes,time-taken
Somehow i'm still showing my results in (User-Agent) and "uri-query" as a value of "-". Does anyone know why or how this could be occurring?
Thank you!
... View more
- Tags:
- extraction
- field
- iis
04-17-2013
07:38 AM
1 Karma
I have some old iis logging going on in our web logs, and I am looking to rename some of the fields that I'm pulling out via transforms.conf.
The fields that I'm looking to rename in props look like this.
I would like to change "ip" to "clientip"
I would like to change "uri-query" to "uri"
and a few more.
Can this be done in the props.conf?
Travis
... View more
- Tags:
- props.conf
- rename
04-17-2013
07:33 AM
1 Karma
At long last, I have found my issue, and to make a long story short, it wasn't this question at all, it was an SSL certificate error.
I needed to turn on the SSL encryption on the indexer before any forwarder would begin talking to it.
The above commands work wonderfully to scrub the clients that are speaking to the deployment server after it's setup.
... View more
12-13-2012
11:29 AM
2 Karma
I am attempting to search a field, for multiple values.
this is the syntax I am using:
< mysearch > field=value1,value2 | table _time,field
The ',' doesn't work, but I assume there is an easy way to do this, I just can't find it the documentation.
Does anyone have any ideas?
... View more
- Tags:
- search
11-29-2012
07:08 AM
It does happen automagically, but you can make any sourcetype extract the same fields with the transform. start taking a look at props.conf, and transforms.conf for general iis field extractions.
... View more
- « Previous
- Next »
