Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About smurf
smurf
Communicator
Member since:
02-28-2021
Thursday
Community Statistics
| Posts | 52 |
| Solutions | 11 |
| Karma Given | 6 |
| Karma Received | 19 |
| Member Since | 02-28-2021 |
Activity Feed
- Posted Re: How to filter fields in my logs before to index in splunk enterprise using ingest actions? on Splunk Enterprise. 09-26-2023 05:05 AM
- Posted Re: Plot graph using lookup file on Splunk Search. 09-26-2023 04:55 AM
- Posted Re: I'm having trouble importing sysmon logs to Splunk. on Getting Data In. 09-04-2023 02:06 AM
- Posted Re: Splunk Infrastructure Monitoring on prem? on Splunk Enterprise Security. 08-22-2023 07:13 AM
- Posted Re: Schedule window vs scheduling mode on Other Usage. 08-19-2023 01:19 PM
- Posted Re: Schedule window vs scheduling mode on Other Usage. 08-18-2023 02:52 PM
- Karma Security Newsletter | August 2023 for melissap. 08-18-2023 02:15 PM
- Got Karma for Re: How to deploy Splunk Connect for Syslog 部署?. 08-17-2023 07:59 AM
- Got Karma for Re: How to fetch the values from raw logs. 08-10-2023 12:07 AM
- Got Karma for Re: How to fetch the values from raw logs. 08-09-2023 04:51 AM
- Got Karma for Re: How to fetch the values from raw logs. 08-08-2023 04:46 PM
- Posted Re: How to fetch the values from raw logs on Dashboards & Visualizations. 08-08-2023 03:34 PM
- Posted Re: Creating alert on if log message does not appear on Splunk Search. 08-08-2023 03:23 PM
- Got Karma for Re: SPL Query for the configured storage path. 08-03-2023 09:13 AM
- Got Karma for Re: tag as datamodel attribute. 08-01-2023 01:30 AM
- Got Karma for Re: Phantom license page. 03-27-2023 10:19 PM
- Posted Re: Does anyone know if the script soar-install can be passed an option not to check disk space? on Splunk SOAR. 03-27-2023 06:38 AM
- Posted Re: Prompting the user who runs the playbook on Splunk SOAR. 03-27-2023 06:02 AM
- Posted Re: How to deploy Splunk Connect for Syslog 部署? on Splunk On-Call. 03-27-2023 05:56 AM
- Posted Re: Phantom license page on All Apps and Add-ons. 03-27-2023 05:03 AM
Topics I've Started
No posts to display.
07-01-2022
01:42 PM
Hi, this is not really the answer to your question but based on the docs it says that you cannot change your experience. "Splunk assigns your deployment to an appropriate Splunk Cloud Platform Experience for you. You cannot independently change your current Experience. For further details, contact your Splunk Cloud Platform representative."
... View more
07-01-2022
01:39 PM
Hi, I don't know if this is feasible for you but you should be able to rename a sourcetype based on regex (as described here https://community.splunk.com/t5/Splunk-Search/Changing-sourcetype-with-regex/m-p/155058#M43613). With this you could use the default xml sourcetype and the original sourcetype with the rest of your data. I am not sure about the long xml thought.
... View more
07-01-2022
01:28 PM
1 Karma
Hi, it is possible to send directly to Splunk. You can set up input in Splunk (it would need to be either some kind of forwarder or indexer) to listen on a port. You can define it in GUI or in inputs.conf and it would look something like this. You can ommit the host and have it listen for any connection on a port. [tcp://syslog.corp.example.net:514]
sourcetype = cisco:ise
index = cisco On the network device, you would enter the IP address of the Splunk instance and whatever port you specified and you start receiving the data. Keep in mind that it would be better to use a syslog server for this. Because when you restart the ingesting Splunk instance, you could start losing data. If you have multiple devices that you want to set up like this I would look at the SC4S project: https://splunk.github.io/splunk-connect-for-syslog/main/
... View more
07-01-2022
06:57 AM
2 Karma
Try checking datamodels.conf for tags_whitelist. According to docs: * Only the tag fields identified in this allow list (and the event types tagged
by them) are loaded when you perform searches with this data model. They are defined as default in CIM's DMs but maybe you are rewriting it in you local conf?
... View more
06-29-2022
10:58 AM
I tried it today with the latest CIM version and I had it populated. Just as OP had in the query dc(Authentication.tag) worked fine.
... View more
06-29-2022
05:34 AM
Hi, I think the issue is that you are renaming the filed and using the original field again. When you rename it, the original field does not exist anymore, so in the next macro call you need to use the new field name.
... View more
06-29-2022
05:31 AM
1 Karma
Hi, when searching through accelerated data models with tstats you need to specify FROM. This should work with your query: | tstats summariesonly=t dc(Authentication.tag) as tag from datamodel=Authentication where nodename=Authentication.Failed_Authentication by Authentication.app Authentication.src
... View more
06-29-2022
05:26 AM
Hi, what time frame do you have defined for the search? I don't mean the one in SPL, but the one that is to the right of where you right your queries. smurf
... View more
06-28-2022
12:18 PM
Hi, | eval date_hour = strftime(_time, "%k"), date_wday = strftime(_time, "%A") | search date_wday IN ("saturday", "sunday") OR (date_hour > 18 AND date_hour < 7) change the times to your likings. usually the date_* fields are included, so you might not need the eval at all.
... View more
05-05-2022
12:12 AM
Hi, you can add a blacklist. I am not sure if all your files could be easily matched with regex, but it is a possibility. blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
specified regex.
* Takes precedence over the deprecated '_blacklist' setting, which functions
the same way.
* If a file matches the regexes in both the deny list and allow list settings,
the file is NOT monitored. Deny lists take precedence over allow lists.
* No default.
... View more
05-04-2022
11:36 PM
1 Karma
Hello, Yes, it is possible to send logs from UFs to HFs, since you can setup HFs to act as receivers. On HF you need to setup receiving as described here: Enable a receiver - Splunk Documentation in inputs.conf (HF) - setup listening port, 9997 is default [splunktcp://9997]
disabled = 0 On UF you need to setup forwarding to the HF as described here: Configure forwarders with outputs.conf - Splunk Documentation in outputs.conf (UF) - setup to send events to HF. You can name the groups whatever you want. You also need to change the server name / IP. [tcpout]
defaultGroup=my_HFs
[tcpout:my_HFs]
server=mysplunk_heavy:9997
[tcpout-server://mysplunk_heavy:9997] Hope this helps.
... View more
04-29-2022
02:50 AM
1 Karma
Hi, you can find list of stanzas with sourcetypes and indexes using rest command to all conf-inputs. You can define a certain server, or use * to query all. Basically everything you have in inputs.conf is available like this. | rest splunk_server=* /services/configs/conf-inputs | fillnull value="n/a" | stats values(index) values(sourcetype) by eai:acl.app splunk_server title Here you can see list of all apps per server: | rest splunk_server=* /services/apps/local | search disabled=0 | stats values(label) by splunk_server
... View more
04-28-2022
11:52 AM
Hi, it could be permissions issue. If you need to use the command in different apps, it should have Global permissions.
... View more
04-28-2022
09:47 AM
Hi, You have to take current time and deduct 15 minutes from it, after that you can compare _time from the event with your variable. `tutu` sourcetype="session" | bin _time span=15m | stats dc(s) as count by _time | eval current_time = relative_time(now(), "-15m") | where _time >= current_time
... View more
04-28-2022
08:09 AM
2 Karma
Hi, if the key is not present in the spec for alert_actions.conf, you are safe to remove it.
... View more
04-28-2022
07:52 AM
Hi, I think you might be hitting some of the user search limits like the amount of memory it can consume. I would try to switch from Verbose to Fast or specify the _raw field before your eval. index="hcg_oapi_prod" | fields _raw | eval size = len(_raw) ... This should substantially speed the search up as it would not try to extract all the fields.
... View more
04-21-2022
02:22 AM
"The asterisk wildcard matches anything in that specific folder path segment. Unlike ..., * does not recurse through subfolders.". You can read more about it in the docs: Specify input paths with wildcards - Splunk Documentation I think your stanza should be working without that typo, but if it doesn't I would try (...). I also noticed that you have disabled = true. If you want it active, it should be false.
... View more
04-21-2022
01:56 AM
1 Karma
Hi, if you know that you can find it based on a host, you can use it in the data model too. | tstats count from datamodel=Web where host=not_a_proxy
... View more
04-21-2022
01:51 AM
1 Karma
Hi, When any Urgency is selected when editing a Notable (even if it is the same as the original Urgency) can be found like this: index=_audit source=notable_update_rest_handler urgency=* Originally, I thought you were looking for a Notable that has a different Urgency than what you defined in Severity in the correlation search. That could be found like this: `notable` | where severity != urgency
... View more
04-21-2022
01:26 AM
Hi, I haven't tried something like this yet. But I think creating a persistent storage with the index config could help. Data Storage ## | docker-splunk
... View more
04-21-2022
01:16 AM
Hi, I think your stanza should work with a small change - removing the double backslash [monitor://D:\Logs\*\*\*.txt] I personally would use ... like this: [monitor://D:\Logs\...\*.txt]
... View more
04-06-2022
07:30 AM
Hi, fields in the by clause cannot be empty. If it is empty, it does not show up in the results. Try using fillnull before running the stats command like this: | fillnull tutu value="n/a"
... View more
04-06-2022
07:18 AM
Hi, not sure if this is the most elegant solution, but I would use replace. | replace <*> with * in src
... View more
04-05-2022
05:00 AM
I find Monitoring Console good place for debugging Indexes. Try Monitoring Console -> Indexing -> Indexes and Volumes -> Indexes and Volumes: Instance. There you have a nice overview of all indexes with their sizes, data age, etc.
... View more
04-05-2022
03:16 AM
Hi, maxDataSize tells Splunk how large each bucket can be. If you are losing old data, you could look for one of these settings: maxTotalDataSizeMB frozenTimePeriodInSecs coldPath.maxDataSizeMB / homePath.maxDataSizeMB Having any of these would limit the amout of data that is stored in the index. If you are losing everything that is older than 3 months, I would especially look for the attribute frozenTimePeriodInSecs (The number of seconds after which indexed data rolls to frozen.).
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Karma from
