Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About sarwshai
sarwshai
Communicator
Member since:
08-04-2017
07-06-2023
Community Statistics
| Posts | 57 |
| Solutions | 4 |
| Karma Given | 16 |
| Karma Received | 4 |
| Member Since | 08-04-2017 |
Activity Feed
- Posted How to Trigger Time is different than Notable time? on Getting Data In. 07-06-2023 06:26 AM
- Tagged How to Trigger Time is different than Notable time? on Getting Data In. 07-06-2023 06:26 AM
- Posted Re: Exclude Source IP and Destination IP from results if they belong to same private ip range on Splunk Search. 06-29-2021 06:54 AM
- Posted Re: Exclude Source IP and Destination IP from results if they belong to same private ip range on Splunk Search. 06-29-2021 06:46 AM
- Posted Re: Exclude Source IP and Destination IP from results if they belong to same private ip range on Splunk Search. 06-29-2021 06:26 AM
- Posted Exclude Source IP and Destination IP from results if they belong to same private ip range on Splunk Search. 06-29-2021 06:03 AM
- Karma Re: Splunk Upgrade sequence 8.0 for gcusello. 06-05-2020 12:51 AM
- Karma Re: Splunk Upgrade sequence 8.0 for richgalloway. 06-05-2020 12:51 AM
- Karma Re: Splunk Query for user accessing assets for gcusello. 06-05-2020 12:51 AM
- Karma Re: Splunk Query for user accessing assets for gcusello. 06-05-2020 12:51 AM
- Karma Re: Chronology of Splunk Deployment for gcusello. 06-05-2020 12:51 AM
- Karma Re: Chronology of Splunk Deployment for gcusello. 06-05-2020 12:51 AM
- Karma Re: Chronology of Splunk Deployment for gcusello. 06-05-2020 12:51 AM
- Karma Re: Splunk Indexes question for woodcock. 06-05-2020 12:51 AM
- Karma Re: How to filter the log using REGEX? for woodcock. 06-05-2020 12:50 AM
- Karma Re: How to filter the log using REGEX? for jeffland. 06-05-2020 12:50 AM
- Karma Re: Best practice for Shutting entire Splunk Distributed Environmen. for broberg. 06-05-2020 12:50 AM
- Karma Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible? for JDukeSplunk. 06-05-2020 12:49 AM
- Got Karma for Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?. 06-05-2020 12:49 AM
- Got Karma for Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-27-2019
10:21 AM
Below are the logs which contains both 'LogonType=Owner' & 'InternalLogonType=Owner'
1. **LogonType="Owner"** MailboxOwnerUPN="" MailboxOwnerSid="" DestMailboxOwnerUPN="" DestMailboxOwnerSid="" DestMailboxGuid="" CrossMailboxOperation="" LogonUserDisplayName="" LogonUserSid="" SourceItems="" SourceFolders="" SourceItemIdsList="" SourceItemSubjectsList="" SourceItemAttachmentsList="" SourceItemFolderPathNamesList="Inbox" SourceFolderPathNamesList="" ItemId="" ItemSubject="" ItemAttachments="" DirtyProperties="" OriginatingServer="" MailboxGuid="" MailboxResolvedOwnerName="" LastAccessed="" Identity="=" IsValid="True" ObjectState="New"
2. 2019-04-01T00:14:59+02:00 Operation="" OperationResult="" LogonType="Admin" ExternalAccess="False" DestFolderId="" DestFolderPathName="" FolderId="" FolderPathName="" ClientInfoString="Client=POP3/IMAP4;Protocol=IMAP4" ClientIPAddress="" ClientMachineName="" ClientProcessName="" ClientVersion="" **InternalLogonType="Owner"** MailboxOwnerUPN="" MailboxOwnerSid="" DestMailboxOwnerUPN="" DestMailboxOwnerSid="" DestMailboxGuid="" CrossMailboxOperation="" LogonUserDisplayName="" LogonUserSid="" SourceItems="" SourceFolders="" SourceItemIdsList=" SourceItemSubjectsList="" SourceItemAttachmentsList="" SourceItemFolderPathNamesList="Inbox" SourceFolderPathNamesList="" ItemId="" ItemSubject="" ItemAttachments="" DirtyProperties="" OriginatingServer="" MailboxGuid="" MailboxResolvedOwnerName="" LastAccessed="" Identity="" IsValid="True" ObjectState="New"
i want the first log to be discarded but not the second one.
... View more
04-25-2019
05:13 AM
I have logs which contains 'LogonType=Owner' and some logs which contains 'InternalLogonType=Owner'.
I want to send 'LogonType=Owner' to nullqueue while the latter not, so how can i write regex for it?
As writing regex for 'LogonType=Owner' would also capture 'InternalLogonType=Owner' and send it to nullqueue i assume.
Note: logs are big 'LogonType=Owner' & 'InternalLogonType=Owner' are just one string in it.
... View more
03-07-2019
12:30 AM
I have installed EMC Isilon add-on on my Heavy Forwarder and tried setting it up, but it always ends up throwing error 'Encountered the following error while trying to update: Error while posting to url=/servicesNS/nobody/TA_EMC-Isilon/isiloncustom/isilonendpoint/setupentity'.
Upon checking the logs from /opt/splunk/var/log/isilon , i am getting several errors as below,
'EMC Isilon Error: HTTP Request error for endpoint : No JSON object could be decoded'
'EMC Isilon INFO: Password Entity Not found for given host and given user in splunk, so creating new entity'
'EMC Isilon Error: [HTTP 401] Client is not authenticated'
'EMC Isilon Error: HTTP Request error for endpoint : HTTPSConnectionPool(host='x.x.x.x', port=8080): Max retries exceeded with url: /session/1/session (Caused by : [Errno 111] Connection refused)'
'EMC Isilon Error: index isilon does not exist' : (For this i did workaround as suugested in this answer "https://answers.splunk.com/answers/507932/emc-isilon-app-and-add-on-for-splunk-enterprise-ho.html")
I have even tried the ultimate root user to authenticate but still getting the above errors.
Also one thing i noticed is there are 2 compulsory ways that isilon logs are to be taken, 1 via the syslog(isilon to splunk) and 2 the API calls(splunk to isilon) is this right?
Any help would be appreciated
... View more
10-10-2018
12:40 AM
Did you get anywhere with this? Because i am also facing this issue.
... View more
09-20-2018
10:00 AM
No, that doesn't work, an error comes for this,
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '375' of search query 'search index=myindex url=myurl | search [ | i...{snipped} {errorcontext = Action | [lookup "DH}'.
However i found a way for this and successfully displayed all fields from lookup while matching only one, below is the query,
index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip]
| stats values(field1) values(field2) by src_ip
|join [| inputlookup mylookup.csv ]
... View more
09-19-2018
02:28 PM
I have a lookup which has 6-7 fields. One of them is src_ip, which I'm trying to use in a search as follows:
index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip] | stats values(field1) values(field2) by src_ip
Here it matches src_ip in "myindex" and brings out 3 fields i.e src_ip, field1, field2. However i want all the fields from the lookup in the results to compare only the src_ip with fields in "myindex" .
Is this possible?
... View more
06-12-2018
11:23 AM
Hi Splunkers! Is there any solutions for this right now?
Splunk < 7.0.1 - Information Disclosure - CVE: CVE-2018-11409
link: https://nvd.nist.gov/vuln/detail/CVE-2018-11409
Thanks!
... View more
05-10-2018
04:56 AM
Ughh, My bad! i copied the search from the earlier dashboard's source XML and pasted into search box, this '>' sign was and is present as ';' in the dashboard xml , that is why it was giving error. Otherwise the eval statement is correct.
... View more
05-05-2018
10:46 AM
Do you have logs from nessus? If so , can you kindly share the results?, don't know why i am getting that error?
... View more
05-05-2018
10:37 AM
'useother'=true
That's it.
... View more
05-05-2018
10:21 AM
@xpac, No i checked for all brackets, all is perfect.
Here is the full query,
index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother= useother first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)
I am getting error for all the eval statements here @woodcock
... View more
05-05-2018
04:54 AM
This is the eval statement i am using along with case but getting error.
eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
... View more
02-10-2018
05:51 AM
I have created more than 10 alerts for different trigger conditions which send a unique CSV through mail, For e.g. there is field 'Country' in which many countries come and I have set different alerts just to segregate countries but the core search is exactly same of all alerts and each Country CSV file comes in different email
And of course, I can set in one single alert, the question is can I have multiple CSVs emailed to me through that single alert?
... View more
02-10-2018
02:59 AM
Yes tried finding to send monitoring console overview as a pdf but there isn't any options, yes we have different email alerts created for our cluster but just wanted the PDF, anyways thanks.
... View more
02-10-2018
02:50 AM
1 Karma
After rigorously finding any help, created separate alert where if there is violation of license send me an alert along with top 10 consumers of license.
If anybody wants to know let me know about it.
... View more
02-10-2018
02:44 AM
I have created a query related to account lockouts, but my criteria is if user is continuously coming over last 3 days and has between 5 to 10 lockouts per day, then only should results come up.
For e.g.
if user A has 6, 7, 8 lockouts and user B has 1, 2, 9 lockouts and user C has 8, 8, 8 lockouts on 1-Feb , 2-Feb , 3-Feb respectively.
Then only user A and C should come up in the result.
Currently when i specify earliest and latest in the search it brings up all the users over last 3 days with 5-10 lockouts even if user has locked out for 1 day in between the range specified.
I am a splunk noob here any help might be appreciated.
... View more
01-09-2018
11:54 PM
Thanks it's very helpful, but i want usage by hosts too, i'll see that try to do it on my own.
But precisely wanted an alert where for e.g. my license of 100 GB exceeds and i get an violation alert along with top 10-15 consumers by host.
Thanks any way!
... View more
01-09-2018
07:49 AM
1 Karma
Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?
... View more
01-04-2018
11:37 AM
I know dashboards can be sent as PDF, but can monitoring console overview pdf can be sent via email? as no options can be seen for this.
P.S: I have monitoring console where overall splunk's instances can be seen and monitored.
... View more
11-10-2017
05:09 AM
Can you let me know, what exactly you made the changes, as i am facing the same problem.
... View more
10-19-2017
01:53 AM
Hi, @nickhillspl I am having the same issue and all the forwarders which are lagging/leading are based on CEST timezone. so what should i put in TZ as i am unable to find a proper TZ from wikipedia link:https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
... View more
10-06-2017
10:52 AM
1 Karma
Hi @splunker12er, tried your's query but the only host it is showing is license master itself not any other.
However try this query, it gives exact license usage per host along with index, source and sourcetype.
index=_internal [ set_local_host ] source=license_usage.log type="Usage"
2. | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
3. | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
4. | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
5. |dedup _time host i b s st h idx
6. | bin _time span=1d
7. | stats sum(b) as b values(s) As Source values(st) As sourceType values(idx) As Index values(_time) As Time by h
8. | eval r_GB=b/1024/1024/1024 | convert ctime(Time) timeformat="%m/%d%Y %H:%M:%S %z"
9. |sort -r_GB
Enjoy!!
... View more
10-01-2017
11:16 PM
I have ran some query for Data coming through all of the forwarders and matched it with actual daily license utilization.
some of the queries are,
index=_internal group=* group=per_host_thruput | bucket _time span=1d|bin _time |eval time=strftime(_time,"%m/%d/%y") | eval kb=(kb/1024/1024) | stats sum(kb) as SUM by time series | xyseries series time SUM |sort -SUM
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
Its weird that results the search are showing is far greater than the actual utilzation, ran it for today accounting all forwarders & the sum shows almost 500Gigs of data where as license utilization is 280+Gigs only.
Is it something wrong with the search or am i missing out something?
... View more
Labels
- Labels:
-
license
09-21-2017
11:42 AM
It worked for me, however i want to remove the exchange servers that ends with "$" from the results, can this be done?
... View more
09-20-2017
10:33 AM
Is this search's errors only for enterprise or is it for the Specifically for Cisco Security Suite?
... View more
- « Previous
-
- 1
- 2
- Next »
