Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About MHibbin
MHibbin
Influencer
Member since:
11-03-2011
01-31-2025
Community Statistics
| Posts | 562 |
| Solutions | 87 |
| Karma Given | 241 |
| Karma Received | 363 |
| Member Since | 11-03-2011 |
Activity Feed
- Got Karma for Re: Running external script from search. 10-14-2025 03:56 AM
- Got Karma for Re: How to Manipulate Multiple Lookup Results. 08-28-2024 10:37 AM
- Got Karma for Re: How to Manipulate Multiple Lookup Results. 08-28-2024 10:36 AM
- Got Karma for Re: Table Column Headings. 10-25-2023 12:03 PM
- Got Karma for Re: REST API: Why am I hitting a limit of 100 exported results?. 05-11-2023 01:01 PM
- Got Karma for Re: Changing table column header names. 06-15-2022 08:25 AM
- Got Karma for Re: Scripted input stream mode. 11-23-2021 02:34 PM
- Got Karma for Re: How to export logs to Excel or text file. 07-14-2021 08:58 AM
- Got Karma for Re: Getting rid of "other" in pie chart. 08-07-2020 09:34 AM
- Got Karma for How do you migrate historic data from on-prem Splunk Enterprise to Splunk Cloud?. 06-05-2020 12:50 AM
- Karma Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"? for ekost. 06-05-2020 12:47 AM
- Got Karma for Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?. 06-05-2020 12:47 AM
- Karma Updated Splunk Visio Stencil or Deployment Icons for Drainy. 06-05-2020 12:46 AM
- Karma Re: Updated Splunk Visio Stencil or Deployment Icons for ChrisG. 06-05-2020 12:46 AM
- Karma Re: Does Splunk support Redhat chkconfig? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Reasonable Search performance? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Gaps in graphs for dwaddle. 06-05-2020 12:46 AM
- Karma Re: mastering splunk for MarioM. 06-05-2020 12:46 AM
- Karma Re: mastering splunk for araitz. 06-05-2020 12:46 AM
- Karma Re: SplunkWeb Certificates Issue for araitz. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
12-13-2011
06:59 AM
Have you restarted your Splunk services after making the changes to the props/transforms.conf files?
... View more
12-13-2011
06:53 AM
Can you include an example of you props.conf and transforms.conf.
I think possibly you are sending the events to a nullqueue (as shown in the Windows example of the link above, but not another queue, as shown i other examples.
... View more
12-13-2011
06:49 AM
You should edit a file called transforms.conf via a shell/command line session. The file should be located in one of the following locations (you may need to create this if it does not exist.
$SPLUNK_HOME/etc/apps/ /local/transforms.conf (preferable)
$SPLUNK_HOME/etc/apps/ /default/transforms.conf
$SPLUNK_HOME/etc/system/local/transforms.conf
... View more
12-13-2011
05:07 AM
urtho,
This is an interesting topic, and the following Splunk Blog maybe able to assist you on you choices...
http://blogs.splunk.com/2011/11/04/splunk-and-multitenancy/
Hope this helps answer your question.
If it does answer your question, please mark the answer as accepted to assist the community.
Regards,
MHibbin
... View more
12-13-2011
05:03 AM
2 Karma
lantuin,
The following Splunk documentation should be able to assist you with this setup... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_WMI_events.
The following splunk base question may also be of use, as it has a working solution... http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs.
I believe this should answer you question.
If this does answer you question, please mark this question as answered to help the community.
Regards,
Matt
... View more
12-13-2011
01:05 AM
That's great... It was a type on my behalf (re: license_audit.log) I will edit my answer to be more reflective of this!
If this answered your question, would you mind marking the question as answered, which will help other splunkers (both those trying to answer and those looking for answers), thanks!
... View more
12-12-2011
01:23 PM
3 Karma
How did you create you field extraction?
If you used the IFX (Interactive Field eXtractor), you can do this in...
"Manager">>"Fields">>"Field Extractions">> Choose field for modifying/deleting.
If you did this in props.conf (you can also remove those created in IFX) this way too... you can find the props.conf files containing the extractions and modify/hash/remove the extraction and restart the Splunk services. The props.conf file will be in one of the following locations...
$SPLUNK_HOME/etc/system/default/props.conf
$SPLUNK_HOME/etc/system/local/props.conf
$SPLUNK_HOME/etc/system/apps/<appName>/props.conf
$SPLUNK_HOME/etc/system/apps/<appName>/props.conf
Regards,
Matt
... View more
Hi,
On in the Splunk log files, you should look at "license_audit.log" , which can be found in "$SPLUNK_HOME/var/log/splunk/" . Here you will see information regarding licenses violations.
So you could search on
index=_internal licensemanager
If you have access to the internal index, the fields should be extracted for you.
Regards,
Matt
... View more
12-05-2011
04:38 AM
Thanks for getting back to me. I'll give this a try.
Thanks for the suggestion about stdout, I have already set up info/error codes for this though. 🙂
... View more
12-05-2011
03:31 AM
Hi SplunkBase,
How do I make Splunk start a script (not as an input)? -the script generates log files which I can then monitor in Splunk. Or, is there a way of making the script run as an input continuously (i.e. not running on intervals)?
Basically, I want the script to run when ever Splunk is, and would rather not add an entry to cron (making it safer when distributing in an environment).
Any advice welcome on best practices.
Regards,
MHibbin
... View more
12-03-2011
01:31 AM
Awesome, can you make the answer as accepted please? Thanks.
... View more
12-03-2011
01:31 AM
Awesome, can you make the answer as accepted please? Thanks.
... View more
12-02-2011
12:55 AM
Possibly a simple solution, but it has helped me with some things...
Have you tried cleaning the browsers cache/history?
... View more
12-01-2011
10:26 AM
Can you not use...
| where isnotnull(<traffic_field>)
... View more
12-01-2011
09:46 AM
ianformanek,
Building on your answer, would it not be better to a be a little more explicit and use
To check just splunkweb...
... $SPLUNK_HOME/bin/splunk status splunkweb | grep 'is not running' | ...
To check just splunkd (not including helpers)
... $SPLUNK_HOME/bin/splunk status splunkd | grep splunkd| grep 'is not running' | ...
You could also check helpers are running (used for running scripts, etc.)
... $SPLUNK_HOME/bin/splunk status splunkd | grep 'splunk helpers' | grep 'are running'...
Doing this could prove more reliable. As one service could crash without stopping the other (or someone could kill one process but not the other).
... View more
12-01-2011
09:15 AM
I'm not sure if there is an issue with the site, I too can not download any Linux installs from it (I already have it, just testing it for you 🙂 )
The wget command may not be working, as you may need to login anyway(you need to be logged to download from the site).
... View more
12-01-2011
08:49 AM
2 Karma
Right I know it is not at index time, but this is the what I think realistically you are best off doing... using a csv file as a lookup. So your first step should be to extract the product family members... you could do something like...
source="<your_source_type>" | rex field=N_vuln "(?P<N_group>\w+[^\d\:\-\s])" | where isnotnull(N_group) | stats count by N_group
This will show you a list of the N_group members....
N_group count
Adobe 2
Firefox 1
MS 1
Microsoft 1
Then you should have a manually (or it can be scripted if you like) created and maintained csv (this example I use family.csv and put it in $SPLUNK_HOME/etc/apps/search/lookups) which has the family and members, something like...
group,family
MS,Microsoft
Microsoft,Microsoft
Adobe,Adobe
Firefox,Firefox
Then modify the command to include the lookup... such as...
source="/var/tmp/test1.log" | rex field=N_vuln "(?P<N_group>\w+[^\d\:\-])" | where isnotnull(N_group) | stats count by N_group | lookup family.csv group as N_group OUTPUT family as N_family
And then you should have the N_family field you desire.
Regards,
P.S Please note, that you don't need to keep the "stats" command as this is just for demo to show your values are working.
P.P.S... I think this is better, as it is not a static format, such as IP addresses. So you are not committing any changes which could end being faulty to the index, which could require cleaning the index. You could probably save this as saved search to call on, so you don't have to have the whole string.
... View more
12-01-2011
05:39 AM
You could try
*|sort -_time
Or do you have a unique date value. If its already extracted you could do something like
*|sort -<date_field>
you may need to convert it to epoch time, if you are having issues.
... View more
11-30-2011
04:57 PM
Have you checked what else is running on the machine? Does the "top" command work on HP-UX?
... View more
11-30-2011
02:40 PM
Do you mean, there are blank values when visualising data (i.e. in a line-chart)?
... View more
