Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About saravanan90
saravanan90
Contributor
Member since:
02-01-2017
02-01-2023
Community Statistics
| Posts | 96 |
| Solutions | 21 |
| Karma Given | 10 |
| Karma Received | 33 |
| Member Since | 02-01-2017 |
Activity Feed
- Got Karma for Re: how to get a value for now and 7 days ago. 08-27-2024 04:08 AM
- Got Karma for Re: Is it possible to use IP white listing to restrict user access to Splunk Cloud from only within a corporate network?. 10-31-2023 06:30 AM
- Got Karma for Re: How to deploy HEC and token to indexers in a cluster?. 09-20-2023 06:57 AM
- Got Karma for Re: sourcetype cron, cron-2 or syslog. 08-02-2022 07:03 AM
- Posted Re: HEC Input on a existing and used Heavy Forwarder? on Deployment Architecture. 03-31-2022 06:40 AM
- Got Karma for Re: Upgrade UF forwarder plan from 6.5.1 to 8.0. 03-31-2022 03:46 AM
- Posted Re: Upgrade UF forwarder plan from 6.5.1 to 8.0 on Splunk Enterprise Security. 03-31-2022 03:42 AM
- Got Karma for TsidxStats errors. 12-16-2021 07:13 AM
- Posted Re: Extract Field with Backslash and Quotes on Splunk Search. 02-22-2021 09:49 PM
- Got Karma for Re: Routing and filtering is not working as expected. 02-21-2021 08:42 PM
- Karma Re: Cataloging Report Notification Actions for tscroggins. 02-20-2021 09:20 PM
- Posted Re: Combine 3 queries into tabular form for export to .csv on Splunk Search. 02-19-2021 01:15 PM
- Posted Re: Routing and filtering is not working as expected on Deployment Architecture. 02-19-2021 12:25 PM
- Posted Re: splunk on Splunk Search. 02-19-2021 05:16 AM
- Posted Re: DB Connect invalid character error on Getting Data In. 02-18-2021 02:52 PM
- Posted Re: Combine 3 queries into tabular form for export to .csv on Splunk Search. 02-18-2021 02:42 PM
- Posted Re: Extract Field with Backslash and Quotes on Splunk Search. 02-18-2021 02:35 PM
- Posted Re: Decode Logs coming from Syslog (SSL) on Getting Data In. 02-15-2021 09:34 PM
- Karma Re: Decode Logs coming from Syslog (SSL) for esix_splunk. 02-15-2021 09:34 PM
- Posted Re: Decode Logs coming from Syslog (SSL) on Getting Data In. 02-15-2021 09:23 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
12-30-2020
08:43 AM
Below may help. For Linux : [monitor:///opt/splunk/var/log/splunk/temp.csv] index = main sourcetype = csv disabled = 0 crcSalt = <SOURCE> For Windows [monitor://C:\splunk\var\log\splunk\temp.csv] index = main sourcetype = csv disabled = 0 crcSalt = <SOURCE>
... View more
12-25-2020
08:50 AM
1 Karma
This can help.. <<my query>> | timechart span=1h count(path) | streamstats sum(count) as cumulative_data
... View more
12-25-2020
01:32 AM
1 Karma
Please check if this helps .
... View more
12-24-2020
11:45 PM
1 Karma
Below may help | timechart span=1w count by Customer | eval week=strftime(_time, "%U")
... View more
12-22-2020
04:41 AM
Check if the below works. | makeresults count=10| streamstats count| eval TrustedLocation="Zscaler Miami III"| eval TrustedLocation=if(count%2=0,TrustedLocation,"otherdata") | search TrustedLocation!="Zscaler Miami III" ----------------------------------------- An upvote would be appreciated if the above reply is useful to you.
... View more
12-21-2020
05:35 AM
We can create a scheduled search & save the results to separate index by using collect command in Splunk. https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Collect ----------------- An upvote would be appreciated if the above comment helps.
... View more
12-21-2020
05:25 AM
1 Karma
Below can help.. index=_internal | convert timeformat="%d-%m-%y(%A)" ctime(_time) AS c_time | stats count by c_time sourcetype |xyseries sourcetype c_time count | addtotals row=true | sort - "Total" ---------------------- An upvote would be appreciated if the above reply is useful to you.
... View more
12-19-2020
11:19 AM
This may help... Below will search in the lookup and pull the results when the ip is not available in lookup. | makeresults | eval field3="192.168.1.6", field4="hostname" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup ip_whitelist IPAddresses AS Source_IP | eval InWhitelist=if(isnull(SubnetMasks),"Yes","No") | table Source_IP field4 InWhitelist SubnetMasks | where InWhitelist="Yes"
... View more
12-19-2020
08:56 AM
It seems the actual sourcetype is not WinEventLog. The original sourcetype is "WinEventLog:Application". It is being renamed as wineventlog during the search time. Please find below the props.conf for renaming from the TA. [WinEventLog:Application] rename = wineventlog
... View more
12-19-2020
08:52 AM
Mostly this could be firewall issue. Check the host firewall by connecting to destination server. From forwarder we can telnet to destination to confirm the same telnet indexer 9997
... View more
12-18-2020
09:50 AM
1 Karma
1. Query to get the license usage per day for index(idx), source(s), sourcetype(st) , host(h) can be pulled from license_usage file. Use the values mentioned in brackets in the timechart. For each index: index=_internal host=licenseserver source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | eval st_idx = idx | timechart span=1d sum(MB) by idx limit=0 2. To further drilldown. We can use the below query but this will calculate by going through each events. index=* | eval esize=len(_raw) | stats sum(esize) as size by index host source sourcetype | eval size_in_GB=(size/1024/1024/1024)
... View more
12-17-2020
11:04 PM
We can mount the NAS storage to the OS. Please find below the url. https://cloud.ibm.com/docs/network-attached-storage?topic=network-attached-storage-mountNASLinux
... View more
12-17-2020
12:44 PM
Use frozenTimePeriodInSecs parameter in index stanza. https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Setaretirementandarchivingpolicy
... View more
12-17-2020
09:07 AM
This may help.. https://docs.splunk.com/Documentation/DBX/3.0.2/DeployDBX/Commands#procedure -------------------- An upvote would be appreciated if the above reply is useful to you.
... View more
12-16-2020
09:08 PM
1 Karma
We can use stats with last. index=main source=xyz dv_state=* dv_opened_by=pox OR dv_opened_by=IOP | stats last(dv_state) last(otherfields) by number
... View more
12-16-2020
09:33 AM
Yes it will. The precedence order will be of the below. source host sourcetype https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Attributeprecedencewithinafile#Precedence_for_events_with_multiple_attribute_assignments --- An upvote would be appreciated if the above comment is helpful.
... View more
12-16-2020
09:03 AM
1 Karma
I presume this is coming from the learned app in Splunk. Splunk automatically stores the sourcetype in props.conf if it is not mentioned by default. Please check if the sourcetype is available in the learned app in both UF & indexer. $SPLUNK_HOME\etc\apps\learned\local\
... View more
12-16-2020
04:51 AM
It might be configured in some other apps. Please check the value through btool. ./splunk btool indexes list _audit --debug | grep frozenTimePeriodInSecs
... View more
12-16-2020
12:34 AM
Run the script directly in the server and check whether we are getting the output properly. If you are getting an output save to a temp file and check how it is appearing. Each line needs to have separate process details. sh ps.sh > temp.txt cat -n temp.txt
... View more
12-15-2020
09:01 PM
1 Karma
Yes, it is possible in UF that you can enable a UDP/TCP port and start receiving logs from network appliance. Check the firewall communication between network devices -- > UF --> Indexers.
... View more
12-15-2020
09:33 AM
1 Karma
If we are migrating standalone instance then above will surely work. Once it is moved, need to update the host in /opt/splunk/etc/system/local/inputs.conf. Check the index files /opt/splunk/var/lib/splunk/$indexname$/db/ are present before & after restarting in new instance.
... View more
12-15-2020
09:12 AM
1 Karma
Installation might have been done in root & service is running under splunk user which could have created the splunk file. Changing it to splunk user will not have any impact if service is running under splunk. chown splunk:splunk /opt/splunkforwarder
... View more
12-15-2020
08:44 AM
1 Karma
This small sample script may help you. #!/usr/bin/bash mkdir /home/splunk/scripts/ cd /home/splunk/scripts/ echo "Please enter the start date of the required events in (mm/dd/yyyy hh:mi:ss)?" read Startdate #Startdate="02/13/2020 00:00:00" st_epoch=$(date -d "${Startdate}" +"%s") echo "Please enter the end date of the required events in (mm/dd/yyyy hh:mi:ss)?" read enddate #enddate="02/13/2020 18:00:00" ed_epoch=$(date -d "${enddate}" +"%s") echo "Please enter the Index Name?" read index ed_epoch=$(date -d "${enddate}" +"%s") #enter your frozen bucket path below find /opt/splunk/$index/frozendb/db_* -maxdepth 0 -type d > idx.txt while read line do #set the delimeter as per the frozen path file_st=$(echo $line | cut -d'/' -f6 | cut -d'_' -f3) file_ed=$(echo $line | cut -d'/' -f6 | cut -d'_' -f2) if [ $file_ed -lt $ed_epoch -a $file_ed -gt $st_epoch ] || [ $file_st -lt $ed_epoch -a $file_st -gt $st_epoch ] then echo "$line" >> /home/splunk/scripts/backup_temp.txt else if [ $file_st -le $st_epoch -a $ed_epoch -le $file_ed ] then echo "$line" >> /home/splunk/scripts/backup_temp.txt fi fi done < idx.txt
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-01-2023
12:10 AM
|
Karma given to
