Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About snowmizer
snowmizer
Communicator
Member since:
05-07-2010
4 weeks ago
Community Statistics
| Posts | 67 |
| Solutions | 7 |
| Karma Given | 136 |
| Karma Received | 75 |
| Member Since | 05-07-2010 |
Activity Feed
- Got Karma for Re: How to monitor all windows event logs?. 06-18-2020 05:58 PM
- Got Karma for Re: CSV File Issues. 06-18-2020 05:58 PM
- Got Karma for Re: Is there a comprehensive list of configuration options for the Donut - Custom Visualization app?. 06-18-2020 05:58 PM
- Got Karma for Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?. 06-18-2020 05:57 PM
- Got Karma for Re: How do I return values that match column in Lookup table?. 06-18-2020 05:57 PM
- Got Karma for Re: How to replace a field value with a value from another field?. 06-18-2020 05:57 PM
- Got Karma for Re: Need to present a use case for applications. 06-18-2020 05:57 PM
- Got Karma for Re: Splunk Python Script error - ImportError: No module named azure.keyvault. 06-18-2020 05:57 PM
- Got Karma for Re: How do I configure and enforce a 6 month data retention policy?. 06-18-2020 05:57 PM
- Got Karma for Re: Splunk Alerting. 06-18-2020 05:56 PM
- Posted Re: Splunk Alerting on Alerting. 06-10-2020 12:27 PM
- Posted Re: Splunk Alerting on Alerting. 06-10-2020 11:54 AM
- Karma Re: Indexer hosts with shared storage for Richfez. 06-05-2020 12:49 AM
- Karma Re: Indexer hosts with shared storage for dwaddle. 06-05-2020 12:49 AM
- Got Karma for Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?. 06-05-2020 12:49 AM
- Got Karma for Re: How do I return values that match column in Lookup table?. 06-05-2020 12:49 AM
- Karma Re: How can i split a json array in mutiple events? for alacercogitatus. 06-05-2020 12:48 AM
- Karma Re: Get top pages per time period for alacercogitatus. 06-05-2020 12:48 AM
- Karma Re: datamodel_summary directory in _internaldb - can we delete? for dshpritz. 06-05-2020 12:48 AM
- Karma Re: Why all indexes are not available to select from "Available search indexes" during role creation? for dshpritz. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 4 | |||
| 3 | |||
| 1 | |||
| 4 | |||
| 5 | |||
| 0 | |||
| 4 | |||
| 10 | |||
| 3 | |||
| 2 |
10-09-2013
01:11 PM
1 Karma
I am trying to set up the Splunk DB Connect app to connect to my Avamar database using the PostgreSQL database option. When I try to save the connection it tells me that the password is bad for the user I'm using. I know the user can connect because if I connect to the database using this same user on the Avamar utility node it works fine.
Anyone else have this issue?
Thanks.
... View more
01-04-2013
02:13 PM
1 Karma
Just installed version 2.2.10 and this isn't fixed. Was this supposed to be fixed in 2.2.10?
... View more
02-25-2011
03:02 PM
1 Karma
Thanks for the explanation and help hexx.
... View more
02-24-2011
08:17 PM
4 Karma
I'm trying to load one of my logs from my phone server into Splunk. Splunk will read the log file and break the events correctly.
My problem is with the date that Splunk places on the event. The event in my log has a time but no date however the date is in the filename. When I look at the loaded events in Splunk the time is extracted properly however the date is the next day (which is because of the modified date on the file).
I've copied the existing datetime.xml into /etc/system/local and added an extraction for my date from my filename. How can I pull the date from the filename into Splunk as the date on my event?
File name: d:...\VMail-110212-000000.Log
Raw event looks like from (d:...\VMail-110212-000000.Log but shows date as 2/13/11 because of file modified date):
23:59:57.334 ( 4172: 5540) [MS] Entering Process MWI loop
23:59:57.334 ( 4172: 5540) [MS] Process MWI loop return, no more entries left
Datetime.xml:
<datetime>
<define name="_masheddate3" extract="year, month, day">
<text><![CDATA[source::.*?\\Vmail-\d{2}\d{2}\d{2}.*\.Log]]></text>
</define>
...
<datepatterns>
...
<use name="_masheddate3"/>
</datepatterns>
</datetime>
Props.conf
[ShoreTel_VMail]
SHOULD_LINEMERGE = FALSE
DATETIME_CONFIG = \etc\system\local\datetime.xml
TRANSFORMS-shoretel-comment = shoretel_comment
Inputs.conf
[monitor://D:\Sample Logs\Shoretel_Current]
disabled=false
host=Shoretel
sourcetype=ShoreTel_VMail
crcSalt=<SOURCE>
index=shoretel
... View more
02-18-2011
04:33 PM
I thought this was working but I've gone through these steps for another dashboard and my timerangepicker is stuck on the last value I selected yesterday. Also, will this work for the "results per page" lists?
... View more
02-07-2011
07:45 PM
Not really sure where you're looking. I have the xml code for my dashboard and the application itself has a few css files (application.css, and then I have a couple of css files that I specifically created for specific dashboards. When I look at the application.css I don't see anything dealing with "View Results".
I'm obviously missing something.
... View more
02-07-2011
06:56 PM
5 Karma
How can I control where the "results per page" dropdown is displayed on my dashboard/view? I would like it to always display in the upper right corner.
Thanks
... View more
01-27-2011
08:25 PM
Turns out that someone else pointed me to the fact that "transaction" returns two fields duration and eventcount. The eventcount gives me what I want.
... View more
01-27-2011
08:14 PM
I would like to be able to generate an alert whenever there is a failed login using the same account from the same IP where the number of events in a 1 minute period is greater than 2. I tried grouping them by using the "bucket" search command but that doesn't give me the desired results. I also looked at the transaction command but that doesn't seem to do what I want either. If I can get the grouping to work the way I want (group all login failures in a 1m period for the same account and client ip)
Here's a sample of the search I did with the "bucket" command (the table command is just there to see the results generated):
eventtype="windows-security-4771"
| lookup Service_Account_Lookup sAMAccountName as Account_Name OUTPUT sAMAccountName AS User_Account, AdminAccount
| where AdminAccount="true"
| bucket _time span=1m
| stats count by User_Account
| rename count AS Login_Attempts
| table _time, User_Account, Login_Attempts
What's the best way to do this?
... View more
12-14-2010
03:36 PM
Following this worked for what I needed. Thanks.
... View more
12-09-2010
08:37 PM
Code didn't post properly:
true
true
true
Last 4 Hours
...
... View more
12-09-2010
08:35 PM
4 Karma
How can I get the TimeRangePicker to always default to the value specified in my dashboard? I've read two different posts on this website and they both recommend using "isSticky=false" in the tag on the dashboard. I have tried this and it will not work. I've got the default set to "Last 4 hours" but it always shows "Last 24 hours" since that's what I used for a previous dashboard search (different dashboard). Here's the code I have:
<view template="dashboard.html" stylesheet="three_panel_custom_width.css" isSticky="false">
<label>Cisco IPS Overview</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchBar" layoutPanel="mainSearchControls">
<param name="useAssistant">true</param>
<param name="useTypeahead">true</param>
<module name="TimeRangePicker">
<param name="searchWhenChanged">true</param>
<param name="default">Last 4 Hours</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</view>
Thanks.
... View more
12-08-2010
03:45 PM
After some work I figured this out. Your suggestion to use hidden intentions worked great. To figure out the rest I needed to figure out how to do a group-by in a plot intention. Here's a link to the answers post that explains what I did.
http://answers.splunk.com/questions/9481/how-can-i-describe-a-splitby-group-by-component-to-a-plot-intention-in-the-xml
Thanks again for all of the help!!!!
... View more
12-01-2010
10:30 PM
10 Karma
Figured this out...
Turns out that when you read the comments in the transform.py module for "plot" there's a description on different arguments and parameters. Here's the code from my second view that made this work. Enjoy!!!!!
<module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
<param name="intention">
<param name="name">plot</param>
<param name="arg">
<param name="mode">top limit=10 dest_ip showperc=f</param>
<param name="fields">
<list>
<list>count</list>
<list>dest_ip</list>
</list>
</param>
<param name="splitby">dest_ip</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">bar</param>
<param name="legend.placement">none</param>
<param name="primaryAxisTitle.text">Malware Site</param>
<param name="secondaryAxisTitle.text">Number of Connections</param>
<param name="charting.seriesColors">[0xFF6600]</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
... View more
12-01-2010
08:14 PM
10 Karma
I have a view that is displaying cumulative port information. One of the charts on the view is a pie chart with the port breakdown. I have set up the code to convert the port the user clicks on to an intention to be passed to a second view.
Code snippet from first view:
<module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
<param name="default">Last 7 days</param>
<param name="searchWhenChanged">true</param>
<module name="ServerSideInclude" layoutPanel="panel_row2_col1" group="BotNet Port Breakdown">
<param name="src">botnetsummaryports.html</param>
<module name="ConvertToIntention">
<param name="settingToConvert">port_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="group">$target$</param>
</param>
</param>
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col1">
<param name="search">eventtype="BotNet_Traffic" | eval proto_port=protocol." ".dest_port | fields dest_port, protocol, proto_port, dest_ip, botnet_list_type | chart count by dest_port </param>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="popup">True</param>
<param name="viewTarget">botnet_dashboard_individual_port_breakdown</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
I have the second view set to use a plot intention to create searches that will populate various pie charts and graphs based on the port selected. One graph is a bar graph that will display the destination IPs associated with the port selected on the first view and the count by dest_ip. I have set up the plot intention as followed in the code snippet below. Problem is that I want to do "stats count by dest_ip" not "stats count(dest_ip)".
How can I configure the plot intention so that it does a splitby (or group by)?
<module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
<param name="default">Last 7 days</param>
<param name="searchWhenChanged">true</param>
<module name="StaticContentSample" layoutPanel="panel_row1_col1">
<param name="text"><h1>Botnet Traffic Summary</h1>
<p>
You may click on any value to drill down into the detail of the results. If you press Ctrl-Click the detailed search will open in a new window.
</p>
</param>
</module>
<module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
<param name="intention">
<param name="name">plot</param>
<param name="arg">
<param name="mode">stats</param>
<param name="fields">
<list>
<list>count</list>
<list>dest_ip</list>
</list>
</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">bar</param>
<param name="legend.placement">none</param>
<param name="primaryAxisTitle.text">Malware Site</param>
<param name="secondaryAxisTitle.text">Number of Connections</param>
<param name="charting.seriesColors">[0xFF6600]</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
... View more
12-01-2010
07:22 PM
I think I figured out part of my problem. I changed "timechart" to "stats" with fields count and dest_ip. Unfortunately it's doing a stats count(dest_ip) instead of the stats count by dest_ip that I want. Is there a way to do a group-by in the plot intention?
... View more
12-01-2010
04:18 PM
I guess what I'm after is the user clicks on a port value from the pie chart on the first view and gets redirected to the second view where different stats are displayed (bar graph of top 10 sites hit, and various other pie charts).
... View more
12-01-2010
03:17 PM
I've looked at the "UI Examples" and found the views that are using the HiddenIntention. So I need to add a "ConvertToIntention" module to my first view and replace the "HiddenSearch" in my second view with the "HiddenIntention". Is this correct?
How do I implement the "| top limit=10 dest_ip" when I replace the search in the second view with the intention. I can't limit the number of results in my search on the first view.
I want a chart since this isn't really a timechart. Can I replace "timechart" with "chart"? Do you know where I can find docs on plot?
Thanks.
... View more
11-23-2010
04:00 PM
3 Karma
I've got a dashboard with a pie chart that breaks down port information. When the user clicks on a specific port I want to redirect the user to a new view that will break down the port information (site accessed, etc...). I'm having some problems getting the second dashboard to display properly.
If I redirect to flashtimeline I see that the query sent to Splunk is the query from my original dashboard + the port the user clicked on. So I'm getting the correct subset of data. I have even traced the query getting set to my second dashboard via Firebug and the query looks the same as the one sent to flashtimeline.
How can I use the data from the query getting sent to my second dashboard and create my charts? The first snippet of code in this is from my first dashboard and the second is from my second dashboard.
Thanks for any guidance.
<module name="ServerSideInclude" layoutPanel="panel_row2_col3" group="BotNet Port Breakdown">
<param name="src">botnetsummaryports.html</param>
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col3">
<param name="search">eventtype="BotNet_Traffic" | eval proto_port=protocol." ".dest_port | fields dest_port, protocol, proto_port | stats count by dest_port </param>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">HLC_botnet_dashboard_individual_port_breakdown</param>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
<param name="search"> | top limit=10 dest_ip | fields dest_ip, count | sort -count</param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">bar</param>
<param name="legend.placement">none</param>
<param name="primaryAxisTitle.text">Malware Site</param>
<param name="secondaryAxisTitle.text">Number of Connections</param>
<param name="charting.seriesColors">[0xFF6600]</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
... View more
11-19-2010
02:30 PM
Thanks. This worked great.
... View more
11-17-2010
09:36 PM
2 Karma
I would like to create a dashboard (using advanced xml) that has more than two panels (singlevalue charts and pie charts) per row. I have added this to my application.css file on my app:
.panel_row2_col .layoutCell {
width: 33% !important;
}
This works but that will mean that every dashboard in the app will use this layout and I don't want that. Is there a way to specify the panel layout at the dashboard level? I've played with the "width" parameter inside "Flashchart" but that changes the size of the pie chart or singlevalue not the panel itself.
Thanks.
... View more
11-03-2010
08:16 PM
1 Karma
I've got a dashboard I'm building that has a column flashchart displaying port counts for a time range. I need to have the ability to click on a time range and then populate a new chart on the same dashboard with the breakdown of port information for the time range clicked.
Can I use HiddenPostProcess to achieve this behavior or is there a better way?
Thanks.
... View more
- Tags:
- post-process
10-27-2010
05:36 PM
1 Karma
I have a summary index that contains the following information for my Windows event logs: host, sourcetype, and count. I want to group the records so that when they are displayed they show like this:
datetime hostname sourcetype count
-------- -------- ------------------------- -----
10/27/10 9:00 am hostname WinEventLog:Application 9
WinEventLog:Security 17034
WinEventLog:System 3
My search looks like:
index="winos_event_summary" | transaction orig_host maxpause=59m | table _time,orig_host,orig_sourcetype,count
This shows the following table
10/27/10 9:00 am hostname WinEventLog:Application 17034
WinEventLog:Security 3
WinEventLog:System 9
The count field isn't being put with the proper host/sourcetype combination. When I take out the transaction statement I get:
10/27/10 9:00 am hostname WinEventLog:Application 9
10/27/10 9:00 am hostname WinEventLog:Security 17034
10/27/10 9:00 am hostname WinEventLog:System 3
Why does the transaction statement move the count and associate it with the wrong host/sourcetype? The count field is part of the summary record.
Thanks.
... View more
- Tags:
- transactions
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
4 weeks ago
|
Karma from
