Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tmarlette
tmarlette
Motivator
Member since:
09-12-2011
06-24-2022
Community Statistics
| Posts | 297 |
| Solutions | 36 |
| Karma Given | 33 |
| Karma Received | 48 |
| Member Since | 09-12-2011 |
Activity Feed
- Got Karma for Re: Migrating deployment server - check my work please :). 02-06-2025 07:44 AM
- Got Karma for Re: How to get multiple lookups to work in a single search?. 05-04-2024 09:36 AM
- Posted uptime / downtime pct over 30 days on All Apps and Add-ons. 12-28-2021 09:02 AM
- Posted When alert triggers, add detail to inline table on Splunk Search. 09-29-2021 12:47 PM
- Karma Re: Conditional field alias / rename for mayurr98. 06-05-2020 12:49 AM
- Got Karma for Re: How can I monitor root-owned logs while running Splunk as a non-root user?. 06-05-2020 12:49 AM
- Got Karma for Re: SSO mode permissive but 401 Unauthorized when accessing with an unknown user. 06-05-2020 12:49 AM
- Got Karma for Re: How do I tell if we are using Splunk Web?. 06-05-2020 12:49 AM
- Got Karma for Re: How do I tell if we are using Splunk Web?. 06-05-2020 12:49 AM
- Got Karma for Re: Why is the CPU usage showing 80-100% (falsely)? -- Search help. 06-05-2020 12:49 AM
- Got Karma for Re: What is meant by Splunk integration?. 06-05-2020 12:49 AM
- Got Karma for Re: How does version change/upgrade affect Splunk Apps And Add-on configuration file in distributed Environment. ?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I write a search to find hosts that are not sending logs to Splunk or show the last time a host sent logs to Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: How to filter Windows Event 4663 at indexing time?. 06-05-2020 12:49 AM
- Karma Re: Why am unable to uninstall Splunk universal forwarder? for nmohammed. 06-05-2020 12:48 AM
- Karma Re: How to edit my eval replace / trim statement to format domain information? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Regex - DNS formatting for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to remove "missing" forwarders from the Distributed Management Console? for hexx. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-20-2017
09:41 AM
I'm working with the latest version of the Splunk Add-on for Salesforce, and I have multiple instances of Salesforce to connect to. There doesn't seem to be a way to adjust the URL in the version 1.0.0.
https://splunkbase.splunk.com/app/3549/
Is there a way to do this that I'm unaware of?
... View more
07-14-2017
08:51 AM
With the help of my Splunk engineering team I have figured this out. These are the final settings I have used on my HF to send data to my indexers on different indexes.
props.conf
[source::udp:514]
TRANSFORMS-esx_handling = esx_index,esx_syslog_sourcetype
transforms.conf
[esx_index]
REGEX = myHostName
FORMAT = main
DEST_KEY = _MetaData:Index
[esx_syslog_sourcetype]
REGEX = myHostName
FORMAT = vmw-syslog
DEST_KEY = MetaData:Sourcetype
... View more
07-12-2017
09:32 AM
I have a heavy forwarder that I am receiving an array of data on from port 514. In this case, I would like to break out esxi syslog data, and I can this via REGEX quite easily, however when I make the configurations in the HF, it doesn't seperate the data before sending to the indexers. I would like to keep the 'parsing' load off of my indexers if at all possible.
Here is my config on my HF:
props.conf
[syslog_pool]
TRANSFORMS-index_assign = esx_index
TRANSFORMS-sourcetype_assign = esx_syslog_sourcetype
Transforms.conf
[esx_index]
REGEX = myesxhost01
DEST_KEY = _MetaData:Index
FORMAT = main
[esx_syslog_sourcetype]
REGEX = myesxhost01
DEST_KEY = _MetaData:Sourcetype
FORMAT = vmw-syslog
Is there something I'm doing wrong, or am I just not understanding how the parsing works?
... View more
07-12-2017
09:21 AM
The answer I was looking for was to use an automatic lookup and force case sensitive matching. I'm sure I worded the question poorly, and this is what the working config looks like:
props.conf
[mysourcetype]
LOOKUP-SFDC-USER_NAME1 = lookup_usernames USER_ID AS USER_ID
transforms.conf
[lookup_usernames]
filename = lookup_usernames.csv
case_sensitive_match=true
The way to search a table for a specific username is accepted above.
... View more
07-07-2017
09:30 AM
This works for an individual user id, but how would I make an automatic lookup case sensitive? Is there a way?
... View more
07-05-2017
11:12 AM
I have a lookup table, with an ID field that has case specific alphanumeric values in it.
I'm attempting to search for a single user id, however when I put one in, I see at least two results for each, due to splunk seeing the values as case insensitive.
Here is an image.
You'll notice the last letter's being of different case, yet even when using " around the field values, I still get this result set. Is there something that I am missing?
... View more
06-07-2017
11:23 AM
So I'm attempint to use the REST API modular input to authenticate and pull down data from a custom Express API. I can connect and pull data via cURL, though the authentication is via JWT auth token.
the cURL command looks like this:
`curl https://my/URL-demo/api/splunkexport/ -H "Authorization: JWT <JWT auth token here>"
in the REST API Modular input, there is no selection for the JWT authentication.
Does anyone have any experience with this?
... View more
01-13-2017
12:47 PM
This extracts some, but 4 out of 104 is less than tolerance.
the trouble I'm having is how to capture the field null values, because they are printed as "" when no value exists. In the next event, the value could be there. it looks like you're hitting the same thing.
... View more
01-13-2017
11:24 AM
agreed, however no load balancer is available.
... View more
01-13-2017
11:22 AM
There is no way to do this in Splunk. The only way I've found is to use an external BIND based DNS cacheing solution and have all of the Splunk CORE infrastructure leverage that.
Link to How-To:
http://www.tecmint.com/install-configure-cache-only-dns-server-in-rhel-centos-7/
... View more
01-13-2017
10:36 AM
I have a syslog event, in which it's format remains constant, however i'm having some trouble leveraging transforms.conf (DELIMS) to pull this out
Here is an example of the data:
Jan 13 13:05:11 10.95.219.69 2017-01-13T13: 05:11.564-0500 "domain\myUser" "AGSID:oTNLYjm4OTBkZWUx" "" "10.10.10.10" "Login" "failed" "" "" "CitrixReceiver/com.enterprise.beta iOS/1.6.0 (build 1.6.0.21) CitrixReceiver-iPhone CFNetwork Darwin VpnCapable X1Class AuthManager/4.6.1.32" "NSG SSO login failed"
These are the settings in my transforms.conf:
[mySourcetype]
DELIMS = " "
FIELDS = user,field2,field3,field4,field5,type,field7,field8,field9,field10,field11,field12,field13,field14
I'm not sure if there is a delimiter setting that will help me here, but i'm open to suggestions.
I was thinking that I could use REGEX to set these fields, however the null values ("") are prohibiting me as there are no characters in between them.
Any suggestions are welcome, and appreciated.
Thank you !!
... View more
11-17-2016
08:49 AM
Is there a way to enable DNS caching in Splunk in order to not overwhelm a DNS server with repetitive lookups?
... View more
11-01-2016
09:18 AM
1 Karma
I have two ways to connect to a search head, and 1 is secured with SSL, while the other is not.
1: https://ip:port
2: https://dns.name.com:port
Is there a way I can disable option 1, and force everyone to use the DNS name?
... View more
09-13-2016
11:29 AM
1 Karma
Try using regex to peel out the first 12 digits of your time. something like this:
| rex field=_time "(?<_time>\d{12})"
... View more
08-19-2016
08:25 AM
My search head is Linux, and that works just fine. The add-on needs to be on the search head to parse the data, but it has nothing to do with the powershell function of this. You can actually deploy to your search head and delete the inputs.conf on your search head in the app as it's unnecessary.
as a suggestion to resolve:
1. try running the powershell script with the parameters in the .conf file manually via powershell on the machine.
if it works, it's not the script, it's permissions or something else. If it doesn't, then the script could be busted.
... View more
08-01-2016
12:22 PM
So i'm looking at the Splunk app for Windows infrastrucutre and data is populating great. Now I'm looking to set up some alerts for the results that I see, and I'm having trouble finding the actual query used to populate these dashboards.
There is no 'Edit Source' selection so that I can look through the XML, though when I dig through the HTML on the back end I get lost in java scripts and I see no actual query.
Is there a way to find these queries?
I'm looking at 'Group Changes' Dashboard within the App for Windows infrastructure.
... View more
07-27-2016
10:09 AM
this will give me the results, I agree, though it's not just the results i'm looking for, it's the 3 hour timespan it takes to get results from 180 days I'm attempting to effect.
... View more
07-27-2016
09:53 AM
match address will be a series of IP address in the lookup file.
The lookup file looks like this:
match_address
10.10.10.1
10.43.56.22
157.46.8.2
etc..
... View more
07-27-2016
09:15 AM
So here's my workflow.
I have a request from an outside source that wants me to scrub my data for certain IP addresses.
I get this data, and I scrub it to turn into a .csv for a lookup
I put this lookup in Splunk, and run a search against.
My problem is that I'm searching dense data over 180 days, and it takes a few hours to run a search, AND the values in the .csv change weekly.
Currently I'm attempting to use a data model, though data model's don't allow | where filters.
The search I have is pretty easy:
index=network sourcetype=fgt_traffic
| where dest_ip==match_address
| stats count by match_address
All I'm looking for is the number of hits, and the address that is matching, but I need to be able to be able to get results much faster than a few hours.
I mentioned I'm trying to use a data model, but I was wondering if tstats/tscollect would be a better way to summarize this information, or maybe a KV Store store somehow?
i'm thinking I need a summary index of just dest_ip's per event within my index, so that I can quickly do a comparison to a lookup file that will change weekly. Any thoughts would be helpful.
Thank you!
... View more
07-06-2016
10:34 AM
The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.
... View more
06-08-2016
02:21 PM
I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?
For example:
I have a series of data
ANSWER SECTION:
Offset = 0x0016, RR count = 0
Name ".T[C00E].co."
TYPE A .
CLASS 1
TTL 1
DLEN 4
DATA 10.10.10.2
Offset = 0x0028, RR count = 1
Name "[C016].T[C00E].co."
TYPE A .
CLASS 1
TTL 1
DLEN 4
DATA 10.10.10.1
Which is called 'answer_section'. Is there some way to make this happen?
In fields.conf
[answer]
TOKENIZER = Name\s+\"(?<answer>[^\']+\' in answer
Similar to the way you can in props.conf?
EXTRACT-myField = <myRegex> in source
... View more
06-08-2016
12:33 PM
I took part of this and I think it works well enough.
here are my settings
in props.conf
[myDns]
REPORT-mv = answer_section_MV
EXTRACT-ans_sec = ANSWER\sSECTION:(?[^*]+)AUTHORITY
in transforms.conf
[answer_section_MV]
SOURCE_KEY = answer_section
REGEX = (Name)\s+\"([^\"]+)\"
FORMAT = $1::$2
MV_ADD = true
When I attempted to extract the 'answer_section' field in transforms.conf, it wouldn't pull out the 'Name' field.
... View more
06-03-2016
12:39 PM
Alrighty, this is what I have now for this.
props.conf
[myDNS]
EXTRACT-ans_sec = ANSWER\sSECTION:(?<answer_section>[^*]+)AUTHORITY
REPORT-fields = answer_section_mv
transforms.conf
[answer_section_mv]
REGEX = Name\s+\"(?<answer>[^\"]+)\"
MV_ADD = true
SOURCE_KEY = field:answer_section
Naturally, the 'answer' field is not being extracted. I'm not sure how to combine the REGEX for the answer_section and the answer fields.
... View more
