Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tmarlette
tmarlette
Motivator
Member since:
09-12-2011
06-24-2022
Community Statistics
| Posts | 297 |
| Solutions | 36 |
| Karma Given | 33 |
| Karma Received | 48 |
| Member Since | 09-12-2011 |
Activity Feed
- Got Karma for Re: Migrating deployment server - check my work please :). 02-06-2025 07:44 AM
- Got Karma for Re: How to get multiple lookups to work in a single search?. 05-04-2024 09:36 AM
- Posted uptime / downtime pct over 30 days on All Apps and Add-ons. 12-28-2021 09:02 AM
- Posted When alert triggers, add detail to inline table on Splunk Search. 09-29-2021 12:47 PM
- Karma Re: Conditional field alias / rename for mayurr98. 06-05-2020 12:49 AM
- Got Karma for Re: How can I monitor root-owned logs while running Splunk as a non-root user?. 06-05-2020 12:49 AM
- Got Karma for Re: SSO mode permissive but 401 Unauthorized when accessing with an unknown user. 06-05-2020 12:49 AM
- Got Karma for Re: How do I tell if we are using Splunk Web?. 06-05-2020 12:49 AM
- Got Karma for Re: How do I tell if we are using Splunk Web?. 06-05-2020 12:49 AM
- Got Karma for Re: Why is the CPU usage showing 80-100% (falsely)? -- Search help. 06-05-2020 12:49 AM
- Got Karma for Re: What is meant by Splunk integration?. 06-05-2020 12:49 AM
- Got Karma for Re: How does version change/upgrade affect Splunk Apps And Add-on configuration file in distributed Environment. ?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How to filter Windows Event 4663 at indexing time?. 06-05-2020 12:49 AM
- Karma Re: Why am unable to uninstall Splunk universal forwarder? for nmohammed. 06-05-2020 12:48 AM
- Karma Re: How to edit my eval replace / trim statement to format domain information? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Regex - DNS formatting for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to remove "missing" forwarders from the Distributed Management Console? for hexx. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-18-2017
08:48 AM
try a | stats command at the end to count the times it occurs.
index=dhcp "Renew"| join SrcIP [search index=firepower AccessControlRuleName="Block Bittorrent" | rename SrcIP as ip] | stats count by ip, nt_host
... View more
08-18-2017
08:29 AM
1 Karma
do you mean, deploymentclient.conf? I'm not familiar with the other file.
assuming you mean deploymentlcient.conf here:
so... if you are using an IP address in your deploymentclient.conf, the app your using will be useless, because as soon as you change the IP address on your DS, your forwarders lose connection. UNLESS you're going to use the same IP address, which can sometimes prove tricky.
The workaround:
use a DNS address like 'splunkds.mydoman.com' and stick that in the /etc/system/local folder of all of your forwarders. That way you can change the DNS mapping to a different IP it's basically a hot cut.
... View more
08-18-2017
08:19 AM
I gotcha, you're trying to filter the token itself. I believe that might need to be static, but don't quote me.
... View more
08-17-2017
03:03 PM
try the | join command. You can do something like
index=firepower AccessControlRuleName="Block Bittorrent" | join SrcIp [ search index=dhcp ...]
Check out docs:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Join
... View more
08-17-2017
03:01 PM
I'm a little fuzzy on what you're trying to do, however you may what to use the |timechart command
| timechart span=1h will give you hourly buckets of things
so maybe
<my_root_search>
| rex field=DURATION "(?<Mins>.{2}+):(?<Sec>.{2}+)"
| fillnull value=0
| eval secs=Mins*60+Sec
| eval duration = secs * 1000
| timechart span=1h max(duration) AS duration by JOBNAME
... View more
08-17-2017
02:53 PM
regex very well may be a better option here, but I can't see enough of your search to tell you how effective it would be
can you copy your whole search query and anonymize whatever is necessary?
for instance
index=myIndex sourcetype=mySourcetype host=myHost | stats count by host username logingId
... View more
08-17-2017
02:45 PM
So people will probably need a bit more information in order to answer this question.
This means adding details like:
1. windows or Linux or manufacture / appliance name
2. a pasted login event from your logs
3. your full search query syntax from start to finish
I'm not sure which OS or Log Type your looking at to know if your seeing login events, or connection events, or file copy events or what. There's a whole slew of login types that we're just gonna overlook here to see if I can help get you something that can work.
Assuming you have a perfect log that clarly says 'host=blah user=blah action=Login' and all of those fields are extracted properly, or something of the sort, you could try this:
<my_root_search_here> action=Login | stats count by UserName MachineName | sort - count
That should give you a table output.
... View more
08-17-2017
02:37 PM
Do both volumes need to be the same bucket type? say both volumes are hot (homePath) or both volumes are cold (coldPath)
... View more
08-17-2017
01:08 PM
Worst case scenario, add the default field date_day, then remove the field at the end of your search with |fields - date_day
https://answers.splunk.com/answers/564747/if-then-and-in-search.html
... View more
08-17-2017
01:03 PM
Gotcha.
So it's always better to use epoch time to do any comparison / matching, because it's what splunk uses on the backend.
that being the case, in your search, it looks like you're converting the values in your lookup to a new format anyway. I'm not sure what format it's in, but you may want to set your static data to epoch time, and then use that against earliest / latest. at that point your filter is just doing numbers, and you convert everything at the end to human readable:
| where DayofMth > <someEpochInteger> AND DayofMth < <someEpochInteger>
|convert is a good command to use for messing with anything in _time
... View more
08-17-2017
12:29 PM
Just so i'm understanding, let me repeat what I'm understanding.
You want a distinct count of terminals, by user INSTEAD of the values of the Terminal?
IF that's the case, try this:
|stats count(Terminal) as "Logon Attempts",values(User) as User,dc(Terminal) as Terminal, values(Action) as Action by Logon Day
IF you want an ADDITIONAL field with this data, try this:
|stats count(Terminal) as "Logon Attempts",values(User) as User,values(Terminal) as Terminal, values(Action) as Action by Logon Day
|streamstats dc(Terminal) as totLogons by User
then add the totLogons field to your table.
... View more
08-17-2017
11:56 AM
1 Karma
Check out this doc:
Router and Filter Data
Do a ctrl+f on your browser and search for setnull
... View more
08-17-2017
11:52 AM
welp.... if you have a network appliance sending syslog on port 514 to a universal forwarder, there may an issue right there. While a UF can listen for data, it can't do anything to redirect it to indexers cooked properly.
I'd check a couple of things.
is rsyslog on this machine running, and receiving this data as well and dumping it into /var/log/messages?
install a HF on this machine instead, and then use inputs/props/transforms to redirect all data from that specific IP address to a different index / sourcetype.
... View more
08-17-2017
11:48 AM
So in this search, are you trying to do a | dc(Terminal) by user ? or something? I'm not quite clear on what you are counting here
you can always use |streamstats which you can use inline with |stats .
... View more
08-17-2017
11:45 AM
still got the same result set. =(
... View more
08-17-2017
11:42 AM
Going to need some more information on this one.
are you extracting the field at search time or index time?
what does your query look like right now?
what does the result set look like right now, and how are you trying to display it?
... View more
08-17-2017
11:39 AM
There's no good cron expression for this, as Splunk only allows a single schedule.
the only way I've done safe work times before is using a lookup table, and referencing the date_day / date_hour default fields in it with a | where filter.
... View more
08-17-2017
11:37 AM
I believe you're looking for the 'between' function of the time range picker module. Have a look.
If you're trying to have the timerange picker use your lookup file's timestamp as opposed to the Splunk time, I don't know of a way to do this. Closes I have is to index your data (instead of in a lookup table) and in a single field, enter your timestamps in a splunk fiendly format, so it can plot it appropriately in time, then use the timerange picker as normal.
... View more
08-17-2017
11:29 AM
1 Karma
whatever user that is running splunk needs r/w access to $SPLUNK_HOME, and read to whatever root owned logs.
best guess here is to create a group that has read access to those logs, but retains root ownership, and add the splunk user to that group in linux.
... View more
08-17-2017
11:16 AM
So this is my filter now, I hope this explains what I'm trying to better:
index=nix sourcetype=df host=myHost10 * OR host=myHost20* | stats first(PercentUsedSpace) as pctUsed latest(Avail) as Avail by host, Filesystem, filesystem_type, Size, Used, MountedOn | where (like(MountedOn,"%") AND pctUsed > 50 AND MountedOn!="/home/work*") OR (like(MountedOn,"home/work%") AND pctUsed > 95) | sort - pctUsed
I'm looking for all mounts above 50%, and then any /home/work mounts that are above 95%, but I need them all displayed in a single table. The above query is still returning results with the /home/work below 95%.
here is an image
... View more
08-17-2017
10:51 AM
This would work, if I only had to check the /boot mount, but I need to show the results of all other mounts on the system as well. =(
... View more
08-17-2017
10:50 AM
This seems so close. I just have to choose a mount on my linux systems, otherwise the data is pointless. This is what I have
index=nix sourcetype=df host=myHost10 * OR host=myHost20*
| stats first(PercentUsedSpace) as pctUsed latest(Avail) as Avail by host, Filesystem, filesystem_type, Size, Used, MountedOn
| where (like(MountedOn,"%") AND pctUsed > 90) OR (like(MountedOn,"home/work%") AND pctUsed > 95)
| sort - pctUsed
it's showing me weird results though. It's only showing me the machines that have 'home/work' mount ABOVE 90%.
Update, the last statement was my own stupidity, please ignore that. 🙂 It's just not filtering out the >95%.
I think my filter is too vauge.
... View more
08-17-2017
10:19 AM
So migrating a DS can be a bit tricky sometimes, but ill give you some steps I've used in the past.
on the old DS
1. make a full backup of /opt/splunk/etc/* on the old DS
2. tar up the following things independantly
a. deployment apps > deployment_apps.tgz
b. system / local > local.tgz
c. apps (I use sym links from /deployment-apps to /apps on the DS to maintain up-to-date apps in a single repo. If not, you won't
need apps)
This 'should' give you the base config of your old DS. Should being operative due to editing default directories anywhere.
install Splunk on the new machine.
shut down splunk
delete /deployment apps from new server
delete /system/local from new server
un tar deployment_apps.tgz to /opt/splunk/etc
un tar local.tgz to /opt/splunk/etc/system
start splunk
before doing this make sure you have that full backup, because if there's ever anything you need for config, it's going to be in /opt/splunk/etc
... View more
08-17-2017
10:10 AM
Need some help understand which app you installed, and for what reason.
I'm not sure what you're trying to do, but anything targeting port 8000 on a splunk machine will get the UI. If you want API access, or KV store access, or a number of anything else, it's a different port all together.
... View more
08-17-2017
10:03 AM
I'm trying to create some logic within my search, and it requires some IF THEN AND logic, which I know Splunk has the capability to do, but I don't know how to make it work the way I'm needing it.
I have 2 different types of machines I'm searching, and I'm trying to alert on two distinct values.
example: if machines named host10* have a mount with mount=/boot, AND have drive space over 90% then alert, AND if machines named host20* have a mount with mount=/boot AND drive space over 95% alert.
Working Query:
index=nix sourcetype=df host=myHost10 * OR host=myHost20*
| stats first(PercentUsedSpace) as pctUsed latest(Avail) as Avail by host, Filesystem, filesystem_type, Size, Used, MountedOn
| where pctUsed > 90
| sort - pctUsed
I thought about using |eval field=if(coalesce...) but I don't think it fits my needs here, as both host types will have a value, it's just that the value needs to be filtered differently based upon the system type. maybe a subsearch?
Any help would be appreciated.
... View more
