Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About pfabrizi
pfabrizi
Path Finder
Member since:
02-15-2017
06-05-2020
Community Statistics
| Posts | 208 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 9 |
| Member Since | 02-15-2017 |
Activity Feed
- Got Karma for How does DUO authentication for SPLUNK work?. 01-06-2026 08:03 AM
- Got Karma for How do I configure email settings on a search head (SH) cluster?. 06-18-2025 10:46 AM
- Got Karma for Re: How to create an If Statement in Props.conf?. 06-05-2020 12:49 AM
- Got Karma for Re: Universal forwarder deprecated for Windows 2008 on Splunk 7.0.0?. 06-05-2020 12:49 AM
- Got Karma for What is considered a full back up of Search Head?. 06-05-2020 12:49 AM
- Got Karma for LookUp Functionalility. 06-05-2020 12:49 AM
- Got Karma for Re: Universal forwarder is listening to the wrong port for the splunkd process. 06-05-2020 12:49 AM
- Got Karma for SSL certificate for Splunk Web process -- can you verify these steps I'm taking?. 06-05-2020 12:49 AM
- Got Karma for How would you use an internal signed certificate with a Search Head (SH) cluster?. 06-05-2020 12:49 AM
- Posted Why is our alarm not launching all tasks? on Reporting. 12-13-2018 09:33 AM
- Posted Can I tab delimit a report file on Splunk Search. 12-03-2018 11:56 AM
- Posted SPLUNK will Not Start on All Apps and Add-ons. 11-28-2018 02:33 PM
- Posted Can you help me with the following query using the coalesce command? on Splunk Search. 11-26-2018 12:53 PM
- Posted Re: Lookup File Lookup in props\transform on All Apps and Add-ons. 11-19-2018 08:23 AM
- Posted Lookup File Lookup in props\transform on All Apps and Add-ons. 11-15-2018 05:48 AM
- Posted How does a LOOKUP and Report command work in a PROPS.CONF ? on Getting Data In. 10-19-2018 09:19 AM
- Posted Why aren't lookups replicating on search head (SH) cluster? on Deployment Architecture. 10-04-2018 09:28 AM
- Posted Re: How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:55 AM
- Posted How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:17 AM
- Tagged How do I configure email settings on a search head (SH) cluster? on Reporting. 10-04-2018 03:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
03-23-2018
08:14 AM
Thank You, I have it working. appreciate your help.
... View more
03-23-2018
06:35 AM
I am building a DB to manage newly installed UF devices as well as the de-installed UF devices. I was wondering I was wondering how to convert the lastphonehome value to a readable time?
Thanks!
I am using the REST API in C#
... View more
03-21-2018
05:07 AM
Thank You, I added that to the ES and it works great.
... View more
03-20-2018
03:16 AM
we use a deployment server and created a folder called travlers_all_app_props. This doesn't follow what you recommend as best practice. Does this cause an issue?
I did check the permissions on those extractions, evals and alias and they are set to global.
Thanks!
... View more
03-19-2018
10:24 AM
I have the following field alias and extractions in my props.conf, however they only see to work when searching from core splunk and NOT ES even though same SH device.
FIELDALIAS-severity_as_id = severity as severity_id
FIELDALIAS-dst_as_dest = dst as dest
EVAL-app = netwitness
EVAL-analysis_session = split(analysis_session, ",")
EVAL-analysis_service = split(analysis_service, ",")
EVAL-analysis_file = split(analysis_file, ",")
EVAL-action = split(action, ",")
EVAL-content = split(content, ",")
EVAL-extension = split(extension, ",")
EVAL-filetypee = split(filetype, ",")
EVAL-fname = split(fname, ",")
Do I have to add them to Props.conf in ES?
Thanks!
... View more
- Tags:
- splunk-enterprise
03-12-2018
07:38 AM
I am using EVAL in my props.conf to create a multi-value field.
EVAL-test = split(test,",")
test = this,that,xyz
If I use an existing field and that field is not a multivalued field will become multivalues with the eval and split command or does it remain as is?
Thanks!
... View more
03-07-2018
09:56 AM
i had to have been missing something in my original attempt. my second attempt was what you have in there and it wasn't working. I fo have issue from time to time where a change requires me to restart splunk and not just deploy-server.
... View more
03-07-2018
08:48 AM
so this is the event:
Mar 7 11:43:30 xxxxxcxxxx.xxxx.net [07/03/2018: 16:43:29 GMT]
stanza:
TIME_PREFIX = net\s[
TIME_FORMAT %d/%m/%Y: %H:%m:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
this was stopping index of these events. when I removed these from my stanza it would start again. I was not sure if '[' was causing an issue,
Thanks!
... View more
03-07-2018
07:25 AM
I am trying to format the time that is in this format: [dd/mmyyyy HH:MM:SS GMT] when I set the time_prefi to a regex that contains [ it seems to stop the data from being indexed. When remove the settings it start collecting.
I am guessing this is because a [ is regex command? Is another way to do this?
Thanks!
... View more
03-07-2018
03:30 AM
We had a discussion with a SPLUNK ES engineer and we installed the Splunk_TA_bluecoat app and using the stanza's in that app.
We are trying to get cs_categories moved to a multivalue field call category and we found that the props.conf and tranforms.conf have this code but we are not having any luck.
our source type is bluecoat:proxysg:access:kv
source =tcp:bluecoat
I am also guessing that REPORT keyword is only used when searching?
props.conf:
[bluecoat:proxysg:access:kv]
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = auto
SHOULD_LINEMERGE = false
MAX_DAYS_AGO = 10951
EVENT_BREAKER_ENABLE = true
TRUNCATE = 64000
TRANSFORMS-TrashHeaders = TrashHeaders
SEDCMD-empty=s/ [a-zA-z0-9-]+=-//g
REPORT-categories = bluecoatkv_categories
transforms.conf:
[bluecoatkv_categories]
SOURCE_KEY = cs_categories
REGEX = (?[^;]+)
MV_ADD = true
... View more
- Tags:
- splunk-enterprise
03-05-2018
05:55 AM
Thanks!
Dio you recommend the trouble shooting class? Will that help with this stuff?
... View more
03-02-2018
12:30 PM
this is not working.
I am still seeing the time off,
occurred_on="March 2, 2018 3:22:10 PM"
is showing as 3:22:16 000 PM
so there is a 6+ second difference.
the text occurred_on starts at position 1165 and ends around 1204. Does this create an issue?
... View more
03-02-2018
11:36 AM
can you explain what the %Y:%M:%S is?
I thought %M and %S where minutes and seconds?
What about the hour?
Thanks!
... View more
03-02-2018
04:21 AM
I am trying to set the time format from our Symantec events to the value of 'occurred_on' in my props.conf.
here is the event string:
",occurred_on="March 2, 2018 6:50:14 AM",
here is how time is displayed:
3/2/18
6:50:27.000 AM
Here is my props.conf:
[symantec]
TIME_PREFIX = occurred_on=\"([A-Za-z]+\s\d{1,2},\s\d{4}\s\d{1,2}:\d{1,2}:\d{1,2})
TIME_FORMAT = %B %d, %Y %H:%M:%S
I changed the time_prefix last night to what it was. I did have it earlier as [A-Za-z\s,0-9:]+
each of these expressions worked in regex101, I changed to what it is now because I only wanted to grab the time minus the am\pm.
I have deployed and also restarted splunk on my devices.
any thought on what I am doing wrong or even how to debug these.
Thanks!
... View more
03-02-2018
04:06 AM
We are using ES and I was wondering if all the data models\lookups and enriched data available when searching from a non ES search head?
our deployment has a ES search head and then 2 clustered search heads.
I have an alert that uses a value populated by ES which in our DEV space works great but this is a single search head with ES.
I just had a thought yesterday at everything we doing for our Prod space will on be available if those alerts are run from our ES search head and that clustered search head would not be able to use those?
Thanks!
... View more
02-28-2018
03:34 AM
We are bringing in symatec DLP events and we want _time to have the value of occurred_on.
occurred_on comes in like this:
February 27, 2018 2:39pm
Can I do this as a TIME_FORMAT in props.conf or can I use a field-alias in props.conf?
Thanks!
... View more
02-08-2018
11:34 AM
We currently use rsyslog on our Linux forwarder with a file monitor input with filtering, but we would like to use syslogNG as we believe we can filter as the syslog streams in to the forwarder, reducing the size of the file and what gets indexed.
can anyone provide some assistance?
Thank You!
... View more
- Tags:
- splunk-enterprise
02-08-2018
11:21 AM
So it is the mgmt. port that is in conflict. I used the out of the box 8089 to communicate with deployment server, changed it to 8090 and now that is conflicting with our VM center.
What I want to change the UF management port to 80899 and just wasn't sure if I can do this.
Thanks!
... View more
02-08-2018
03:07 AM
We are in the middle of deploying our UF to windows servers and we are running into port conflicts with other applications.
First we ran into a conflict with 8089 and now 8090. Can I change our port to something like 80899?
Thanks!
... View more
- Tags:
- splunk-enterprise
01-31-2018
09:18 AM
Thanks, I found the drivers I needed and then we had to configure the sql connection string like we did in 2.x although the documents didn't indicate those settings.
... View more
01-31-2018
04:32 AM
I have SPLUNK DB Connect installed and trying to configure it for SQL using Windows Auth. We get an error and it looks like it needs a driver, I have the JDK installed but is there a MS SQL driver needed?
Thanks!
... View more
- Tags:
- splunk-enterprise
01-26-2018
06:47 AM
can I use a transform to include the 722051?
so have a transforms:
[cisco-send722051]
REGEX = %ASA-[0-9]-(722051)
also my filtering out transform:
[cisco-setnull]
REGEX = %ASA-[0-9]-(304|303)\d{1,4}
DEST_KEY= queue
FORMAT = nullQueue
and then in props:
transforms-null = cisco-send722051,cisco-setnull
... View more
01-26-2018
06:32 AM
I just checked and it appears it just took sometime. It does appear to be working, sorry I jumped the gun.
I am being asked to filter all the 7220* except the 722051, so I am guessing I need to add more to the transform?
... View more
01-26-2018
06:18 AM
I made the change then waited a bit and then checked 15 minutes, however we are noticing that there is a backlog on the indexers (which is why we are trying to filter) so it is possible that is why I am seeing what I am seeing.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
