Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About _JP
_JP
Contributor
Member since:
10-05-2023
08-26-2024
Community Statistics
| Posts | 108 |
| Solutions | 11 |
| Karma Given | 48 |
| Karma Received | 27 |
| Member Since | 10-05-2023 |
Activity Feed
- Got Karma for Re: Is it possible to automate the entity creation in Splunk ITSI from CMDB.. 01-21-2025 11:24 PM
- Got Karma for Re: Stats dc command on the total row?. 08-28-2024 07:41 AM
- Posted Re: Stats dc command on the total row? on Dashboards & Visualizations. 08-26-2024 02:44 PM
- Got Karma for Re: Stats dc command on the total row?. 08-26-2024 02:12 PM
- Posted Re: Stats dc command on the total row? on Dashboards & Visualizations. 08-26-2024 02:10 PM
- Posted Re: View Splunk Dashboard in Digital Signage display on Splunk Enterprise. 01-10-2024 11:08 AM
- Posted Re: Create dynamic alert link on Alerting. 01-04-2024 09:45 AM
- Karma Re: Expand multivalue field into individual fields WITHOUT mvexpand for ITWhisperer. 12-13-2023 08:37 AM
- Got Karma for Re: Splunk user password restore. 12-09-2023 01:27 AM
- Got Karma for Re: Accepting Webhook. 12-09-2023 01:08 AM
- Posted Re: Accepting Webhook on Security. 12-08-2023 03:05 PM
- Posted Re: Any good Viz for process correlation on Dashboards & Visualizations. 12-08-2023 02:45 PM
- Tagged Re: Any good Viz for process correlation on Dashboards & Visualizations. 12-08-2023 02:45 PM
- Posted Re: Slack Notifications Doesn't Notify Linked User on All Apps and Add-ons. 12-08-2023 02:44 PM
- Posted Re: Splunk user password restore on Getting Data In. 12-08-2023 02:40 PM
- Got Karma for Re: Splunk Cloud License question. 12-05-2023 05:45 AM
- Tagged ChatGPT on Splunk Enterprise. 12-04-2023 04:58 PM
- Posted Re: ChatGPT on Splunk Enterprise. 12-04-2023 04:49 PM
- Posted Re: Drop XML event data via transforms.conf on Splunk Search. 12-04-2023 04:39 PM
- Posted Re: Splunk Cloud License question on Splunk Cloud Platform. 12-04-2023 04:22 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
11-14-2023
08:10 AM
I don't have your answer...but it might be helpful to cross-post your question here: Alert Manager Enterprise - Splunk Community That is the "place" where questions about the Alert Manager Enterprise app on Splunkbase would go now, but I don't think there is any way to link this post with app right now. Also, the folks at Datapunctum AG might have their eyes on that area for there app, and not here, for answering any questions. I'm going to tag one person I know at Datapunctum that I think worked on this app: @my2ndhead
... View more
11-14-2023
08:03 AM
...That's quite an out of date version that is way out of support. Also, I'm not sure what your ru.js file is doing, since the typical localization process involves creating the po/mo files within the mrsparkle library localization folders. The localization stuff in Splunk is based on gettext. For your version of Splunk these are the localization instructions here and here Have you tried editing the portable object files for your formatting?
... View more
11-14-2023
07:32 AM
1 Karma
Thanks for the tip! Non-streaming type pushes like this are often a challenge, and this is one way to manage the coupling of something that likes to be working in the real-time space (Splunk) versus more of a batch space (the DB).
... View more
11-10-2023
09:45 AM
1 Karma
Have you tried sorting your data after doing the append? Per the transaction command docs the data needs to be in descending time-order for the command to work correctly: | sort 0 -_time When you do an append, you might be tacking on "earlier" timestamps that are not seen as the transaction command works on the stream of data.
... View more
11-06-2023
02:28 PM
Within the change tag have you tried to reference the $label$ or $value$ from the dynamic search using these tokens? <set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set> Here's a basic SimpleXML page with a dynamic dropdown and a couple HTML panels to show the value of the tokens being set: <form version="1.1">
<label>Dropdown Test</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>source_dc</fieldForValue>
<search>
<query>index=_internal earliest=-6h | stats dc(source) as source_dc by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<html>$show_another_panel$</html>
</panel>
<panel>
<html>$another_result$</html>
</panel>
</row>
</form> Per change (form input)
... View more
10-31-2023
02:34 PM
While not the most efficient command in the book, perhaps the transaction command could be helpful because you can define the start/end events and it will calculate stuff like duration for you of the overall transaction. Also, this discussion seemed to be similar to yours: How to calculate uptime percentage based on my dat... - Splunk Community
... View more
10-31-2023
01:15 PM
Are you collecting events from a lot of different sourcetypes? If you just have one sourcetype per alert can you pass it into the macro like you would other parameters? I configured a macro like the following: And then was able to use it like this: index=_internal earliest=-15m | stats count by component | `collect_macro(the_index=summary,the_sourcetype=special_sourcetype)` And then in my summary index I saw stuff appear with the special_sourcetype instead of stash:
... View more
10-31-2023
12:24 PM
This solved question seems to be what you're looking for: Solved: How to get the Audit for Lookup files modification... - Splunk Community If you don't want any changes at all, and you're on a *nix system, can you deploy your lookup with read-only permissions on the file within the app?
... View more
10-31-2023
12:14 PM
The collect command does allow you to define a sourcetype. Note that the stash sourcetype is special as it doesn't hit your license volume. When you use collect with a different sourcetype Splunk considers it "new" data since you may not be generating summarizing statistics on data already indexed. Also, since this is tied to an alert, would using the Log Event Alert Action be sufficient?
... View more
10-31-2023
12:02 PM
It sounds like you will have to build an SPL query using the eventstats command, or possibly the streamstats command. Since I can't see your data I'm not sure what would be the best approach, but there is a slight difference between these two commands. Eventstats is like the stats command where it looks at all of your events matching found by your query, but it does not transform the stream, it just adds additional fields to every event. For example, you could count your up and bad events using eventstats by host. Then, each event for that host would have the total counts on every event. So if there were six up events, and seven bad events for a host, then each of those 13 events would have an up value of six and bad value of seven. Alternatively, streamstats only looks at events in the stream up to and including the point where you are in the stream - it doesn't know about "future" events in the result set. This is good for stuff like running average, but has other uses. So in your case, the first up event would have a count of 1, the second up event a count of two, the first bad event a count of 1, and so on...the last up would have a count of six and the last bad a count of seven. I know you mentioned duration...you can also add-up the time differences using these commands, too, by doing math on _time.
... View more
10-31-2023
11:54 AM
Based on your description it sounds like you are looking to utilize the drilldown actions for a visualization to change something on the existing page. While not exactly what you're doing, here's some posts around here Solved: How to create a drill down from one panel to anoth... - Splunk Community Solved: Single value drilldown click to display and click ... - Splunk Community Also a couple of external resources discussing how the tokens work: The Beginner’s Guide to Splunk Drilldowns With Conditions – Kinney Group Define Your Drilldown in Splunk: $click.value$ vs $click.value2$ – Kinney Group
... View more
10-30-2023
12:20 PM
Is this a one-time thing, or will you have an on-going need to replicate data like this? Are you trying to isolate data for some org to search without being able to see other data? If it is a one-time thing, can you add an indexer to your existing cluster and get the data replicated/balanced to it. Then, remove that from the cluster and reconfigure it to be on its own, and make the necessary retention settings for this new environment in your indexes.conf? You could also remove any data you didn't need. Overall, moving just a single sourcetype from one environment to another when the data has already been at rest means you're probably going to need to do a manual export from Index Cluster A over to Index (cluster) B. If it's not the only sourcetype in a single index, then that means you're going to have a bunch of interleaved data within your index buckets on the filesystem. If you have on-going requirements to have data forked like this, then you should look towards using some sort of stream-management product like Splunk Edge or Cribl.
... View more
10-27-2023
10:43 AM
The default sourcetype for data that is generated for a summary index is stash. So the fact that it has a different sourcetype (specific_st) and you found a configuration stanza for it seems to imply it is not summary-index data. Keep in mind that the Splunk docs refer a lot to a "summary index" - but you can have real-time event data and summary index data in the same index. BUT - it is a best practice to keep them separate because raw data typically has a pattern of ingestion/search that is wildly different from summary data, so long term you tune those indexes differently. Thus why the docs often refer to it as a separate index. But based on what you've provided so far it sounds like someone configured that sourcetype to go into what others think is a "summary data only" index. What's the source values for those events? Are they Splunk servers, or are they part of an application/webserver/database pool of servers?
... View more
10-27-2023
10:27 AM
In the configuration of your HTTP Event Collector (HEC) token you can set how it handles the connection host. I don't think this is in the GUI, so you might have to edit your inputs.conf file containing your HEC-related stanzas to set the connection_host property to get your desired behavior: connection_host = [ip|dns|proxied_ip|none]
* Specifies the host if an event doesn't have a host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
that sends the data. For this to work correctly, set the forward DNS lookup
to match the reverse DNS lookup in your DNS configuration.
* "proxied_ip" checks whether an X-Forwarded-For header was sent
(presumably by a proxy server) and if so, sets the host to that value.
Otherwise, the IP address of the system sending the data is used.
* "none" leaves the host as specified in the HTTP header.
* No default.
... View more
10-27-2023
10:15 AM
There's several older posts that seem to be related to a default setting not being correct in their case in an etc/system/local/inputs.conf. I would check through your Splunk configs to see if there's a server name not set correctly, or if an override is in place that is causing it to use a non-existent hardcoded value instead of relying on what the OS thinks the server name is (i.e. look through our .conf files): Solved: Inputs.conf $decideonstartup - Splunk Community Why is host=$decideOnStartup for Splunk Stream, bu... - Splunk Community How to Configure host = $decideOnStartup correctl... - Splunk Community Solved: $decideOnStartup Remote Perfmon - Splunk Community
... View more
10-26-2023
10:05 AM
Are you interest in this user info in context of the users for your Splunk environment, or are you looking at some other data to analyze the users? For Splunk, you can start with SPL that will query the REST interface, like this: | rest /services/authentication/users If you want information on a particular user (e.g. fred), you can specify that name in the REST call like this: | rest /services/authentication/users/fred You can get a lot of info on what capabilities they have and other metadata about that user. More info here.
... View more
10-25-2023
03:35 PM
UBA isn't a Splunk Enterprise instance, but it does include a Splunk Universal Forwarder (UF) as part of its install (see Directories created or modified on the disk section of docs). So, you should have a UF living at /opt/splunk for your UBA instance, and that's what you'll want to make sure is hooked up to the rest of your Splunk deployment. Also note the Splunk platform port requirements section on that page for more info about that UF instance running alongside the UBA install.
... View more
10-25-2023
03:03 PM
Have you taken a look in your Monitoring Console within the Splunk UI? E.g. $Your Splunk Instance$/app/splunk_monitoring_console/scheduler_activity_instance You can also open up the searches for those various panels to see what data they are looking at (a lot of them are hitting REST endpoints) (on edit: I am now realizing that you might be referring to specific SVC usage from a cloud perspective and not just "what are my scheduled searches doing? But if this sort of metric doesn't exist for the cloud admin dashboards, maybe they should...)
... View more
10-24-2023
05:56 PM
1 Karma
This isn't a question, rather just a place to drop a PDF I put together that I titled "Bare Bones Splunk" I've seen a lot of people try and get started with Splunk, but then get stuck right after getting Splunk Enterprise installed on their local machine. It can be daunting to log into Splunk for the first time and know what the heck you should do. A person can get through the install to the What Happens Next page, and be pretty overwhelmed with what to do next: Learn SPL and search? What should they search? How should they start getting their data in? What sort of data should I start getting in? What dashboard should I build? They've started...but need that ah-ha example to see how this tool will fit into their existing environment and workflow. The attached Bare_Bones_Splunk.pdf file guides the reader from the point of install to using the data already being indexed in index=_internal to replicate a few common use cases of Splunk: Monitor a web server Monitor an application server Monitor security incidents The examples are really simple, and the resulting dashboard created in the tutorial is a poor example of something your boss might want (or not...how observant is your boss - do they just want a few graphs with nice colors?). But, this will give someone a really quick intro to Splunk without having to do anything other than install (and then maybe they will be ready to tackle a broader introduction, like the Search Tutorial)
... View more
Labels
- Labels:
-
search head
10-24-2023
08:58 AM
A couple of things: - What user are you running this command as, and what user is Splunk installed as? - Are you in a bash? If you don't quote your credentials correctly then they won't get expanded: Solved: Getting error "Could not look up HOME variable. Au... - Splunk Community
... View more
10-24-2023
08:40 AM
You should be able to, although it isn't called out in the docs for serverclass.conf directly. There are a couple of other configuration parameters you can set to get a bit of logic in the matching, too, if that is helpful: whitelist.where_field whitelist.where_equals blacklist.where_field blacklist.where_equals If you think the docs are unclear and should include a multiple wildcard example, then I suggest submitting feedback via the form at the bottom of every Splunk docs page. That team has always been responsive for improving the documentation.
... View more
10-23-2023
10:31 AM
Are you interested in leaving out dest_domain values that don't have high counts? A real simple way to approach it is to "pre-count" the dest_domain using eventstats, and limit just those that had more than a particular threshold (in this case 100) with the where command: index= <Splunk query>
| eventstats count by sourcetype
| where count>100
| timechart span=15m count by dest_domain usenull=f useother=f | head 15 Also, when you think about how Splunk is running these commands, you might visualize it running these commands over and over your data...like several for-loops one right after another. That's what it does. That's what it is optimized for...it's a bit counterintuitive compared to databases where you are trying to limit full-scans of things. The distributed architecture of Splunk is built for this.
... View more
10-23-2023
10:13 AM
The old way of just running a python script as an alert action was deprecated a while back. It was a really simple, "run script and here's the search data." That way is old and busted...so it is not around anymore. The new hotness is Custom Alert Actions. You can create one that runs your python. There's some more setup/configuration so it is registered with the system and more effort goes into packaging it up as an official configuration in Splunk (official as in you made it for your environment...). Here is a previous discussion on this topic, too.
... View more
10-20-2023
09:44 AM
You can create a Custom Alert Action that is backed by your python script: Using custom alert actions - Splunk Documentation And here's the developer details on how you need to set things up: https://dev.splunk.com/enterprise/docs/devtools/customalertactions/
... View more
10-20-2023
09:02 AM
Can you work with Support to get the older version? Also, what type of Splunk instance are you doing this on? Is it a UF, HF, Search Head, Indexer, etc? I think that might help you approach this. Based on the docs it sounds like losing some index configurations are part of the breaking changes. For example, if this was an Indexer you're upgrading and relying on the indexes.conf in the Windows app to define that index, then you'll need to move those configurations into another indexes.conf within your deployment. A similar situation exists for configurations included within authorize.conf for that older version. BUT, if this is just a UF, then some of this might be a moot point because UF's don't care about the indexes.conf configurations. You would probably have less concerns about doing this on a UF versus a Splunk instance that is part of the core infrastructure versus an edge agent.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-26-2024
06:06 PM
|
Karma given to
