Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rune_hellem
rune_hellem
Contributor
Member since:
11-18-2013
11-20-2023
Community Statistics
| Posts | 98 |
| Solutions | 11 |
| Karma Given | 19 |
| Karma Received | 21 |
| Member Since | 11-18-2013 |
Activity Feed
- Posted How to get the target Account Name from WinEventLog:Security on Splunk Search. 11-20-2023 07:30 AM
- Karma Re: When searching for IP, how to only show the subnet, not the whole IP for ITWhisperer. 08-17-2023 12:57 AM
- Posted When searching for IP, how to only show the subnet, not the whole IP on Splunk Search. 08-16-2023 08:16 AM
- Got Karma for Re: HTTP Event collector won't work - only http 404 when trying to post. 05-04-2022 06:09 AM
- Posted How to return stats from subsearch if first search returns no events on Splunk Search. 01-23-2022 10:56 PM
- Posted Re: How to find all events not having a prior event on Getting Data In. 09-09-2020 06:51 AM
- Posted How to find all events not having a prior event on Getting Data In. 09-08-2020 10:04 AM
- Posted Re: HTTP Event collector won't work - only http 404 when trying to post on Getting Data In. 08-27-2020 06:31 AM
- Posted Re: HTTP Event collector won't work - only http 404 when trying to post on Getting Data In. 08-27-2020 06:24 AM
- Posted Re: HTTP Event collector won't work - only http 404 when trying to post on Getting Data In. 08-26-2020 01:28 PM
- Posted Re: HTTP Event collector won't work - only http 404 when trying to post on Getting Data In. 08-26-2020 01:06 PM
- Posted HTTP Event collector won't work - only http 404 when trying to post on Getting Data In. 08-26-2020 12:46 PM
- Posted Re: HF - How to configure an additonal forwarder for a given sourcetype (Data cloning) on Getting Data In. 06-19-2020 02:18 PM
- Posted HF - How to configure an additonal forwarder for a given sourcetype (Data cloning) on Getting Data In. 06-19-2020 12:28 PM
- Posted Re: How to configure the Heavy Forwarder to recieve syslog events and forward them to indexer on Getting Data In. 06-19-2020 12:19 PM
- Posted How to configure the Heavy Forwarder to recieve syslog events and forward them to indexer on Getting Data In. 06-19-2020 06:38 AM
- Posted Re: Best practice for Splunk to index syslog events with correct time? on Getting Data In. 06-11-2020 05:57 AM
- Posted Best practice for Splunk to index syslog events with correct time? on Getting Data In. 06-11-2020 05:16 AM
- Got Karma for How do I group per N minutes and remove duplicates within those?. 06-10-2020 12:26 PM
- Got Karma for Can't get value of job.resultCount when using Custom Alert Action. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-16-2019
04:57 AM
The events indexed via Syslog and stripped for the prefixed date/time using SEDCMD is finally indexed by Splunk like this
192.777.77.77 95.66.66.66 - - [16/Aug/2019:11:34:50.962 +0000] "GET /favicon.ico HTTP/1.1" 404 6144
Ok, it is a slight diff from what I see here https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Listofpretrainedsourcetypes, the example does not have the X-forward-for address
10.1.1.140 - - [16/May/2005:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 304
Question is how do I extend access_common to support source ip and x-forward-for and also indexing the other fields as well?
... View more
05-31-2019
12:30 AM
Well, it provides all details about the stanzas that the forwarder is configured to use, but still it won't explain why the one stanza is not part of the output, but the three others are.
It is worth mentioning that there are other inputs.conf for other indexes on the same server which are identical and are to be found in the config. So it should not be anything wrong with the missing stanza, they are identical.
... View more
05-30-2019
01:21 PM
On the forwarder...
... View more
05-30-2019
12:29 PM
Using command splunk btool --app=operations_inputs_prod inputs list the following is listed
[monitor://D:\logs\powershell\*.log]
index = klpoperations
sourcetype = log4net
whitelist = .*\.log
But if I try the command without the --app to list all configuraitons, the one above is missing, but not the three others in the file, and I'm not able to figure out why. I have tried a lot of different things, reloading the deploy-server a lot of times.
splunk btool inputs list
... View more
04-04-2019
10:02 AM
Whow!! I'm impressed, thanks a bunch! Totally accepted, Worked just fine with bigger dataset as well
... View more
04-03-2019
07:18 AM
First start with what I have today. We use a tool to deploy applications on to our WebSphere Deployment Server. A scheduled script will list every fourth hour applications, version number and enviroment, like this
2019/04/03 08:06:10 Application=useradmin-dar Version=2018.9.0.3 Environment=Environments/PROD
2019/04/03 08:06:10 Application=platform-forsikring Version=2085 Environment=Environments/PROD
2019/04/03 08:02:10 Application=useradmin-dar Version=2018.9.0.3 Environment=Environments/QA
2019/04/03 08:02:10 Application=nettpensjon-dar Version=4.9.12 Environment=Environments/QA
Then by using the search string below I will get a table showing all applications where the version number is not identical in all enviroments
index=xebialabs source="e:\\logs\\environments\\*\\deployedApplications.log" | stats dc(Version) AS numVersions list(Version) AS versions list(Environment) AS indices BY Application | where numVersions > 1
That's just fine, but there is one issue with this. It won't show applications not installed in one of the environments.
So what I mean by the question
How to solve this: Count unique unique number of field X, expect to find the same number of field Y
is: Based on this very simple example
2019/04/03 08:06:10 Application=useradmin-dar Version=2018.9.0.3 Environment=Environments/PROD
2019/04/03 08:06:10 Application=platform-forsikring Version=2085 Environment=Environments/PROD
2019/04/03 08:02:10 Application=useradmin-dar Version=2018.9.0.3 Environment=Environments/QA
I would need a search that returns
Application=platform-forsikring Environment=Environments/PROD
Telling me that the application platform-forsikring is only found in Prod, and even better would be
Application=platform-forsikring Environment=Environments/QA
Telling me that is is NOT found in QA, but not sure if that is possible.
... View more
10-30-2018
03:19 AM
Since normal users by default do not have the right to create alerts, I guess there is a good reason for it. Could it create unnecessary load on the server if the end users create whatever they want?
So, is the best option for normal users to ask for the alert to be created by administrator/power users?
... View more
10-22-2018
05:51 AM
1 Karma
The inital search is this:
index=myindex myapplication UID=* IDX=* IDOK=* | dedup IDX | table _time,UID,IDX,IDOK
I have been asked to create a report that shows the same for lets say the last 24 hours — but not removing all duplicates, only duplicates within each 5 minutes time slot. I guess time slot is created using span, but not sure how to ensure that I do not get duplicate IDX'es.
... View more
03-14-2018
11:54 PM
As I remember it I got an answer from support saying that it actually is not possible using Powershell. If I'm not totally wrong it is a bug in how Splunk implements Powershell. Therefore I switched to Python, as a starter because of this, but also to make the move to running Splunk on Linux easier. As a result of the work my company does related to GDPR we will index a lot more data/logs, and I really expect this to force us to cluster Splunk due to performance. So anyhow it was not a big deal moving to Python.
... View more
12-07-2017
11:43 PM
Ref. my comment from the 13'th of November I did create a support ticket. The ticket is now closed with the following conclusion
Thank you for the update. I understand that you got this working with python and are going to use this instead of Powershell. If you are moving to a clustered environment then we would definitely recommend going with a Linux solution.
I will close down this matter but will follow up with our engineering team with regards to using powershell.
(Blockquote is very bold these days...)
So for now I will leave the scripted alerts as they are using Powershell and sometime in the not so distant future I will convert to using Custom Alerts with Python instead. This will make the move from Windows to Linux less painfull as well if we are to cluster our Splunk deployment.
... View more
11-27-2017
02:09 AM
Now working with Support. First lesson learned that I did discover by chance right now is that I did not need to install Python for Windows since Splunk uses its own Python.exe, which is pre Python 3.7 which I did install.
From the _internal-index I found 11-27-2017 10:35:05.767 +0100 ERROR sendmodalert - action=nimsoft_python STDERR - File "D:\splunk\etc\apps\klp_nimsoft_custom_alerts\bin\nimsoft_python.py", line 22 caused by print (msg, file=$filename . Splunk Python wants it the old way print >> f, str(datetime.datetime.now().isoformat()), msg
And when I got that working I found
"result_count":"13"
So that was how to get Python working. Still not solved Powershell, working on that now
... View more
11-13-2017
10:46 PM
Did create the support ticket at the end of last week. Confirmed recieved and investigation started, waiting for feedback.
... View more
11-08-2017
06:59 AM
File Received
Thanks for your file upload. Your request has been sent to support.
So, by referring to what is described here and the diag file, hopefully that will help. Crossing fingers for a complex fix required and not a simple typo that we have missed 🙂
... View more
11-07-2017
10:41 PM
Should I create a support ticket and upload a diag-file?
I check the alerts using generic_single_line action.logevent = 1
action.logevent.param.event = alarm=$name$ antall=$job.resultCount$ Rune
action.logevent.param.host = splunksearch
action.logevent.param.index = filenetprod
... View more
11-07-2017
01:31 PM
Took a while, sorry for that, but I did update the alert as described, but ... doh, no help.
Have verified that the script can be called from command line, just a minor change and then it worked
fileName = open(os.path.join("d:/", "temp", "test_modalert.log"), "a")
d:/, then I could run the script by just typing nimsoft_python.py and it would log from the bin-folder. But still not triggered by the alert. Tried to move the file to bin\scripts, did always restart Splunk, but no. Still won't work .... tough nut to crack this one
... View more
10-30-2017
08:24 AM
What I've done is to install latest Python on the server. In apps\klp_nimsoft_custom_alerts\bin I have added python.path containing no more than D:\Python\Python37\python.exe
Then in alerts_actions.conf added
[nimsoft_python]
is_custom = 1
label = Nimsoft Python Custom Alert Action
icon_path = action.png
payload_format = json
disabled = 0
alert.execute.cmd = python.path
alert.execute.cmd.arg.0 = $SPLUNK_HOME\etc\apps\klp_nimsoft_custom_alerts\bin\scripts\testArguments.py
param.result_count = $job.resultCount$
param.search_query = $job.search$
The script is (for now) very simple
import sys, os, datetime
def log(msg):
fileName = open(os.path.join("d:", "temp", "test_modalert.log"), "a")
msg = str(datetime.datetime.now().isoformat()) + msg
print (msg,file=fileName)
fileName.close()
#endDef
log(" got arguments %s" % sys.argv)
#print ("If executed from command line and not from Spunk, you must break with keyboard")
#log(" got payload: %s" % sys.stdin.read())
#log(sys.stderr)
It does print to the file if executed from command line, but I cannot get it to be triggered by Splunk...and the alert is executed (confirmed by single line event)...thought I had this part under control, same thing I did with Powershell.path...
... View more
10-27-2017
07:39 AM
...and another thing I see is that from at random times, the payload is not being logged either.
[10/27/2017 4:33 PM]: Arg 2: $job.search$
[10/27/2017 4:33 PM]: Settings are:
[10/27/2017 4:33 PM]: All done
I can try out using a Python script instead, just have to eat the humble pie and install it first. I do not expect that to help me out either, but without giving it a try I won't know...
... View more
10-27-2017
07:15 AM
Added
alert.execute.cmd.arg.4 = $job.resultCount$
alert.execute.cmd.arg.5 =$job.search$
But, unfortunately
[10/27/2017 4:12 PM]: Arg 1: $job.resultCount$
[10/27/2017 4:12 PM]: Arg 2: $job.search$
Does not seem that the variables are accessible in neither scope on Windows other than when logging a generic_single_line
action.logevent = 1
action.logevent.param.event = nimsoftCustomAlert=true antall=$result.count$ antallJob=$job.resultCount$
action.logevent.param.host = splunksearch
action.logevent.param.index = filenetprod
... View more
10-27-2017
04:16 AM
Folder structure with files
apps\klp_nimsoft_custom_alerts\appserver
apps\klp_nimsoft_custom_alerts\appserver\static
apps\klp_nimsoft_custom_alerts\appserver\static\action.png
apps\klp_nimsoft_custom_alerts\bin
apps\klp_nimsoft_custom_alerts\bin\powershell.path
apps\klp_nimsoft_custom_alerts\bin\README
apps\klp_nimsoft_custom_alerts\bin\scripts
apps\klp_nimsoft_custom_alerts\bin\scripts\testArguments.ps1
apps\klp_nimsoft_custom_alerts\default
apps\klp_nimsoft_custom_alerts\default\alert_actions.conf
apps\klp_nimsoft_custom_alerts\default\app.conf
apps\klp_nimsoft_custom_alerts\default\data
apps\klp_nimsoft_custom_alerts\default\data\ui
apps\klp_nimsoft_custom_alerts\default\data\ui\nav
apps\klp_nimsoft_custom_alerts\default\data\ui\views
apps\klp_nimsoft_custom_alerts\default\data\ui\nav\default.xml
apps\klp_nimsoft_custom_alerts\default\data\ui\views\README
apps\klp_nimsoft_custom_alerts\local
apps\klp_nimsoft_custom_alerts\local\app.conf
apps\klp_nimsoft_custom_alerts\local\savedsearches.conf
apps\klp_nimsoft_custom_alerts\metadata
apps\klp_nimsoft_custom_alerts\metadata\default.meta
apps\klp_nimsoft_custom_alerts\metadata\local.meta
apps\klp_nimsoft_custom_alerts\README
apps\klp_nimsoft_custom_alerts\README\alert_actions.conf.spec
I do not have the savedsearches.conf.spec.
I do not have Python installed on the server so I would prefer to continue using Powershell. When you say it works for you, is that on a Linux install as well? Could it be that the Windows/Powershell combo never has been working?
... View more
10-26-2017
06:58 AM
Did clean up the alert, now it is defined like this
[TestAlarm]
action.email.useNSSubject = 1
action.nimsoft = 1
action.nimsoft.param.result_count = $job.resultCount$
action.nimsoft.param.search_query = $job.search$
alert.digest_mode = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -2m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = klp_nimsoft_custom_alerts
request.ui_dispatch_view = search
search = index=filenetprod error
Restarted the server to be all sure, but still no help. Nothing in configuration yet.
Splunk btool check
does not show any issuew with the app.
... View more
10-26-2017
05:56 AM
Hmm, hard nail this one...
Did add to savesearches.conf
action.nimsoft.param.result_count = $job.resultCount$
action.nimsoft.param.search_query = $job.search$
Restarted Splunk, still same
...search_name=TestAlarm; configuration=; result=}
Checking internal log, only info messages
10-26-2017 14:49:29.685 +0200 INFO SavedSplunker - savedsearch_id="nobody;klp_nimsoft_custom_alerts;TestAlarm", search_type="scheduled", user="admin", app="klp_nimsoft_custom_alerts", savedsearch_name="TestAlarm", priority=default, status=success, digest_mode=0, scheduled_time=1509022140, window_time=0, dispatch_time=1509022141, run_time=0.875, result_count=23, alert_actions="logevent,nimsoft", sid="scheduler__admin_a2xwX25pbXNvZnRfY3VzdG9tX2FsZXJ0cw__TestAlarm_at_1509022140_14", suppressed=0, fired=23, skipped=0, action_time_ms=26641, thread_id="AlertNotifierWorker-0", message=""
and
index=_internal component=ScriptRunner
actually does return
10-26-2017 14:45:54.463 +0200 ERROR ScriptRunner - Couldn't start child process. script="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -f D:\splunk\etc\apps\klp_nimsoft_custom_alerts\bin\testArguments.ps1 --execute"
But it seems to be a false positive, since the log file is being updated.
... View more
10-26-2017
04:53 AM
[TestAlarm]
action.email.useNSSubject = 1
action.logevent = 1
action.logevent.param.event = nimsoftCustomAlert=true antall=$result.count$ antallJob=$job.resultCount$
action.logevent.param.host = splunksearch
action.logevent.param.index = filenetprod
action.nimsoft = 1
action.nimsoft_100_filenet_error = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -2m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = klp_nimsoft_custom_alerts
request.ui_dispatch_view = search
search = index=filenetprod error
The action logevent creates an event of type generic_single_line which is logged like this
nimsoftCustomAlert=true antall= antallJob=44
... View more
10-26-2017
02:39 AM
Did just now try
param.result_count = 67
param.search_query = | stats count
First /debug/refresh, then restart. Still
search_name=TestAlarm; configuration=; result=}
To be all sure, did search for result_count in all files in folder
D:\splunk\var\run\splunk\dispatch\scheduler__admin_a2xwX25pbXNvZnRfY3VzdG9tX2FsZXJ0cw__TestAlarm_at_1509009960_21
Found nothing. Did also check the results.csv.gz and it does have results.
... View more
10-26-2017
02:14 AM
index=*prod error
It would have been nice to be able to say that the above search string does not return results...but...it does 🙂
... View more
10-26-2017
12:56 AM
I did create file D:\splunk\etc\apps\klp_nimsoft_custom_alerts\README\alert_actions.conf.spec with content
[nimsoft]
# Runtime value of result count.
param.result_count = <integer>
# Runtime splunk search query.
param.search_query = <string>
Then first attempt, just did a refresh http://.../debug/refresh, did not help. Then restarted, still same, output is still
...search_name=TestAlarm; configuration=; result=}
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-20-2023
09:57 AM
|
Karma given to
