Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About wuming79
wuming79
Path Finder
Member since:
05-15-2017
06-05-2020
Community Statistics
| Posts | 125 |
| Solutions | 1 |
| Karma Given | 5 |
| Karma Received | 6 |
| Member Since | 05-15-2017 |
Activity Feed
- Got Karma for Re: timestamp extraction not showing milliseconds. 04-04-2023 01:02 PM
- Karma Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file? for rechteklebe. 06-05-2020 12:49 AM
- Karma Re: How to Bold "Titlle" of all reports in a dashboard? for niketn. 06-05-2020 12:48 AM
- Karma Re: How to get this feature into chart from snort statistics dashboard? for niketn. 06-05-2020 12:48 AM
- Karma Re: How to add button to change data history? for woodcock. 06-05-2020 12:48 AM
- Karma Re: strftime() showing different time for gcusello. 06-05-2020 12:48 AM
- Got Karma for Is it possible to plot wave waves?. 06-05-2020 12:48 AM
- Got Karma for How to index exported .evt and .evtx files?. 06-05-2020 12:48 AM
- Got Karma for How can we use the search from Ransomware Extensions to stop ransomware?. 06-05-2020 12:48 AM
- Got Karma for How to change colour of graphs?. 06-05-2020 12:48 AM
- Got Karma for Re: How to change colour of graphs?. 06-05-2020 12:48 AM
- Posted Re: Splunk unable to search auth.log after free trial expired? on Installation. 01-02-2018 05:48 PM
- Posted Re: Splunk unable to search auth.log after free trial expired? on Installation. 01-01-2018 11:40 PM
- Posted Re: Splunk unable to search auth.log after free trial expired? on Installation. 01-01-2018 11:00 PM
- Posted Splunk unable to search auth.log after free trial expired? on Installation. 01-01-2018 10:49 PM
- Posted Re: Free disk space (5000MB) reached solved but storage did not reduce on Getting Data In. 10-22-2017 06:33 PM
- Posted Re: Splunk upgraded 7.0.0, Message still show new version available. on Installation. 10-22-2017 06:24 PM
- Posted Re: Splunk upgraded 7.0.0, Message still show new version available. on Installation. 10-20-2017 12:24 AM
- Posted Re: Splunk upgraded 7.0.0, Message still show new version available. on Installation. 10-20-2017 12:23 AM
- Posted Re: Splunk upgraded 7.0.0, Message still show new version available. on Installation. 10-20-2017 12:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-19-2017
06:21 PM
I found this. http://dev.splunk.com/view/webframework-developapps/SP-CAAAEM2
So...to go to html dashboard, I need to select edit from the dashboard I want to edit and select convert HTML?
... View more
07-19-2017
06:20 PM
Hi,
Is it possible to make the column chart area as not shaded so that it will look like a line chart?
... View more
07-19-2017
06:17 PM
Hi somsoni2,
Today I search my snort stream, I can find new formats. Priority 3 has 2 different events and there are also priority 0 and 2 but I could not find priority 1. If priority 1 is currently not available, can we still extract it as priority in advance?
Below is my regex for priority: 0
^(?:[^]\n]*]){3}\s+[(?P \w+:\s+\d+)
Here's a screenshot of how it looks when I add sample to extraction.
... View more
07-19-2017
08:06 AM
Hi,
I'm trying to extract a field call Priority and I have highlighted a sample of it. Upon validate, I realized there are some rows that did not hightlight "Priority: 3" and these rows has a red cross on the left (see picture below). I'm not sure what it means. Can someone please help to explain? i can't find examples from documentation on this.
... View more
- Tags:
- splunk-enterprise
07-19-2017
07:53 AM
Hi,
I think I need to extract multiple values as field "Priority" but I am encountering the error below. Not sure what to do next..
... View more
07-19-2017
07:15 AM
Hi,
I mean I wanted my field to be in Fields » Field extractions so that when I search sourcetype, I can see it as a field and straight away know how many priority 1,2,3,4 as a quick preview. Not by SPL.
... View more
07-19-2017
02:15 AM
Hi,
I have some snort logs with prior 0,1,2,3. I used the extract new fields feature to extract the priority value as a priority field and did a pie chart by searching snort | top priority but my chart will end up show just values 0,1,2 or 3.
I noticed that if I used the default fields that were non values like ip addresses, the chart actually could display by field names. Then I tried to extract another new field but selecting the string "Priority : 3" as newPriority but the field summary only shows newPriority cound as 1 x "Priority 3".
How do I extract a field like the IP field where it treat 192.168.1.1 and 192.168.1.2 as 2 different value in IP field?
... View more
- Tags:
- splunk-enterprise
07-19-2017
01:50 AM
Hi, how do I actually instantiate a Chart element wrapper in an HTML dashboard? How do I get into html dashboard mode?
... View more
07-19-2017
01:46 AM
May I know how to I access the .css which is within my dashboard? Sorry, I'm very confused on this.
I did read something about this at https://answers.splunk.com/answers/330361/how-to-apply-custom-css-to-a-dashboard.html .
I have created a "my_sytle.css" in "%SPLUNK_HOME%/etc/apps/search/appserver/static/" with the above example, added stylesheet="my_style.css" after form which looks like below,
<form stylesheet="my_style.css">
Then I did a splunk restart from "%SPLUNK_HOME%\bin", waited for my dashboard to refresh, but the title did not bold. Did I do correctly?
... View more
07-19-2017
12:01 AM
Hi,
May I know what does the circled field call? How can I add this to my report in dashboard?
... View more
07-18-2017
11:03 PM
Hi,
I have a few reports in a dashboard. How do I change the title font to Bold in the UI source code?
... View more
07-18-2017
10:53 PM
Hi,
sorry to hijack, I'm looking for ways to adjust the width too. So we can't do 250 right? UI will show "Unknown option name="width" for node="chart". i.e dynamic meaning there is no way to adjust it? Example if I have 5 reports, and when all display in dashboard, 4 will appear as in a row and the 5th will stretch across all 4??
... View more
07-18-2017
09:38 PM
I tried the cmd "splunk list forward-server" in SplunkUniversalForwarder/bin to check the connection, after entering my userId and password, it just came back to DOS and shows nothing. I have another VMWare using vmnet8 adapter and I was able to forward my sysmon out. The cmd "splunk list forward-server" was able to see active connections. What could possibility be the issue? Virtualbox incompatible issue??
... View more
07-18-2017
06:19 PM
Hi, is there no way to change column chart attributes?
... View more
07-18-2017
08:31 AM
I saw the following msg in splunkd.log on guest1.
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-Sysmon/Operational'
Does this mean guest2 has forworded something over to guest1 but still can't find event log?
... View more
07-17-2017
11:00 PM
Hi, I tried enable inbound traffic on guest 1 for port 9997 TCP and UDP and outbound traffic on guest 2 to 9997 TCP and UDP but still no data..
... View more
07-17-2017
07:24 PM
Do I just need to set allow TCP port 9997 (local and remote) in outbound rule in guest 1 and set allow TCP port 9997 (local and remote) in outbound rule in guest 2?
Do I actually need to set allow IP 10.0.2.4 (local and remote) in outbound rule in Guest 1 and set allow IP 10.0.2.15 (local and remote) in outbound rule in Guest 2?
... View more
07-17-2017
08:09 AM
I have uninstall and reinstall universal forwarder without indicating deployment server and receiving information.
I then tried to follow the instructions at https://answers.splunk.com/answers/126122/no-available-server-list-on-opt-splunkforwarder-bin-splunk-list-forward-server.html
I went to check my Guest 1, and still nothing from Guest B... I reboot Guest B and it seems that I have also lost the initial event that I saw previously (in first post).
I went to check C:\Program Files\SplunkUniversalForwarder\etc\system\local
my input.conf and output.conf are as below:
input.conf
[default]
host = IE8Win7
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
output.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.2.4:9997
... View more
07-17-2017
12:54 AM
1 Karma
Hi, does it work on 1495427378314000 without the decimal? My log timestamp was displayed without the decimal and I keep getting the time being converted as "12/31/99 23:59:59"
... View more
07-17-2017
12:53 AM
Hi harishalipaka,
using the simple syntax, I keep getting "12/31/99 23:59:59"
... View more
07-14-2017
08:51 AM
Hi, making the field color to be the same as background will not show the chart out. The chart just blended into the background.
... View more
07-14-2017
12:55 AM
Hi hardikJsheth,
My guest 1 was configured to listen on port 9997. Do I need to do anything on "Configure Forwarding"?
My guest 2 universal forwarder output.conf default with the following:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.2.4:9997
[tcpout-server://10.0.2.4:9997]
I just appended the following below:
[tcpout:eis_clustered_indexers]
[tcpout-server://10.0.2.4:9998]
Results: No results.
... View more
07-14-2017
12:26 AM
Hi,
I managed to make the time format from Epoch to human readable but I can't really get the millisecond out. Example timeStamp":1495447178314 From Splunk it converted to "5/22/17 5:59:38.000 PM" but from https://www.epochconverter.com/, it is showing May 22, 2017 5:59:38.314 PM
Reference document: http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configuretimestamprecognition, .%3N should show the milliseconds.
... View more
07-13-2017
08:18 PM
Hi,
I'm trying to study the activities of some Malware thus I created the following environment using virtualbox. But I could not get the forwarder to work correctly. I could only get 1 event when I reboot guest 2. Did I miss out some other configurations?
**
Host
**
Disable VirtualBox Host-Only Network so that Guest and Host could not ping each other but Guest can guest to guest.
**
Guest 1:
**
IE8WIN7, SP1, IE Version 8.0.7601.17514
Network: Nat Network
IP: 10.0.2.15
Installed Splunk Enterprise
Open port 9998 to receive events (set up at http://localhost:8000/en-US/manager/search/data/inputs/tcp/cooked)
Set Firewall to allow inbound and outbound 10.0.2.4 and port 9998.
**
Guest 2:
**
IE8WIN7, SP1, IE Version 8.0.7601.17514
IP: 10.0.2.4
Installed Splunk Universal Forwarder
Install sysmon via CLI "sysmon -i -n -accepteula"
Added the following into universal forwarder input.conf
"[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true"
Set Firewall to allow inbound and outbound 10.0.2.15 and port 9998.
I only got 1 event after Guest 2 reboots. After that, no matter what programs I open in Guest 2, there is no events seens from Guest 1.
... View more
07-13-2017
07:41 PM
Hi,
Most of my dashboard charts are line charts and there is this one that shows only 1 and 0 and I wanted the chart to look like square wave so chose column chart then it's like odd one out vs all line chart without the bottom being shaded. I like to know if we can do something in the xml to remove the filling and show the square wave as line chart.
... View more
