Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Ayn
Ayn
Legend
Member since:
02-28-2010
06-05-2020
Community Statistics
| Posts | 3370 |
| Solutions | 730 |
| Karma Given | 1392 |
| Karma Received | 3244 |
| Member Since | 02-28-2010 |
Activity Feed
- Got Karma for Re: Host field getting overwritten in syslog processing. 10-13-2025 04:20 AM
- Got Karma for Re: Add Line Breaks with Eval. 01-15-2025 12:44 AM
- Got Karma for Re: Get the output in double quotes.. 12-26-2024 09:48 AM
- Got Karma for Re: Calculating Percentage. 11-08-2024 11:22 AM
- Got Karma for Re: My own Python script cannot import Splunk Python library modules?. 10-01-2024 01:59 PM
- Got Karma for Re: Can I reload savedsearches.conf without restarting?. 09-10-2024 01:55 AM
- Got Karma for Re: rex - matching everything until a tab. 07-31-2024 08:05 PM
- Got Karma for Re: Pulling data from a remote Splunk server via REST with Authentication. 07-26-2024 01:28 AM
- Got Karma for Re: Currently logged on username in search. 01-20-2024 05:43 PM
- Got Karma for Re: Use of "NOT" vs "!=". 12-13-2023 08:41 AM
- Got Karma for Re: How does one search for a CIDR range of addresses?. 11-19-2023 11:31 PM
- Got Karma for Re: getting unique values of the field. 08-29-2023 06:21 AM
- Got Karma for Re: eval isnull. 07-11-2023 04:44 PM
- Got Karma for Re: Get Data lookup from Other Remote Peer. 06-07-2023 08:06 AM
- Got Karma for Re: Calculating Percentage. 05-15-2023 11:02 AM
- Got Karma for Re: getting unique values of the field. 04-14-2023 01:22 PM
- Got Karma for Re: How does one search for a CIDR range of addresses?. 11-07-2022 04:28 PM
- Got Karma for Re: Can AND or OR be used in case statements in eval expressions?. 10-24-2022 06:06 PM
- Got Karma for Re: How does one search for a CIDR range of addresses?. 09-13-2022 07:11 AM
- Got Karma for Re: If/else conditional statements for search??. 08-31-2022 07:17 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 7 | |||
| 4 | |||
| 0 | |||
| 1 | |||
| 19 |
05-24-2018
04:23 AM
Have you checked the answer here: https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
... View more
05-20-2018
10:11 PM
The extracted fields from your JSON data are not created at index-time but at search-time, so somehow changing _raw from its JSON format will also break the field extraction.
What kind of metadata are you missing in your current _raw that you'd want to include?
... View more
05-17-2018
06:58 AM
1 Karma
One suggestion is to put this in a lookup file and then do some subsearch magic.
For instance if you have the following lookup file, let's call it maintenancetimes.csv :
MaintStart,MaintEnd
2018/04/25 21:00:00 AM,2018/04/25 22:00:00 AM
2018/04/27 22:00:00 AM,2018/04/28 02:00:00 AM
Then call this in a subsearch, and use return to create a search query that you can pass as raw input to the outer search:
index=my_data_index NOT [| inputlookup maintenancetimes.csv | convert timeformat="%Y/%m/%d %H:%M:%S %p" mktime(MaintEnd) mktime(MaintStart) | eval search="_time>".MaintStart." AND _time<".MaintEnd | return 500 $search]
After subsearch has been evaluated, the whole base search will look like
index=my_data_index NOT ((_time>1524682800 AND _time<1524686400) OR (_time>1524859200 AND _time<1524873600))
which hopefully is what you want 🙂
The only gotcha here is that return requires you to specify the max number of results to return. Just put something sensible and large in there. 🙂
... View more
05-17-2018
06:25 AM
The figure you see is how much storage the index uses. Data is compressed before it is stored, so 130MB does not mean that you only have 130MB worth of uncompressed raw data.
... View more
01-29-2018
01:09 PM
1 Karma
A reference on variables you can use when parsing timestamps with strptime can be found in the docs here: http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Commontimeformatvariables
In your case you want something like %Y-%m-%d-%H.%M.%S.%6N .
... View more
07-02-2015
08:25 AM
2 Karma
This answer is awesome @MuS
... View more
04-11-2015
01:14 PM
You can configure both Splunk's web server and the Splunk daemon itself not to use SSL, if that's what you mean. I'm highly sceptical to your claims about that it would do a much better job though, and you will possibly run into certificate issues.
... View more
02-23-2015
12:08 AM
Is "150121101834794" a static string?
... View more
02-12-2015
11:38 PM
1 Karma
Yes, and even better would be to include the dot as well, so
sourcetype=access_* clientip=91.*
This will enable Splunk to find all unique events that include the string "91" so it only needs to retrieve those from disk.
... View more
02-04-2015
11:15 PM
2 Karma
No. Splunk works on streams of log data, where it is assumed that whatever data is added comes at the end. Otherwise Splunk would have to somehow keep a record of what the file looked like, do a diff and then grab only stuff that's been added, which would be very resource intensive and lead to all kinds of weird problems.
... View more
02-04-2015
06:05 AM
Sure,
do something like this:
Account_Name="20002706" Message="Network Policy Server granted*" earliest=-1h | stats dc(src) as srcnum, values(src) as srcnames by user | search srcnum>=10 | eval srcnames=mvjoin(srcnames,";")
... View more
02-04-2015
04:07 AM
1 Karma
Add "MV_ADD = true" in your transforms.conf. By default Splunk will write results only if the field it's about to write to is empty. When you set MV_ADD to true, Splunk will instead add the new value to the existing field, and make it multivalued.
... View more
02-04-2015
04:04 AM
2 Karma
Assuming you have a field that contains the hostname, IP or some other host identifier and a field that contains the username (let's call these field "src" and "user" respectively in this example):
Account_Name="20002706" Message="Network Policy Server granted*" earliest=-1h | stats dc(src) as srcnum by user | search srcnum>=10
As for the email part, this could work if you setup a lookup of some sort that maps the username to an email address. To my knowledge the internal sendemail command doesn't support reading mail addresses dynamically like that though, so you'd have to find a workaround for that.
... View more
01-20-2015
12:38 AM
1 Karma
Give more details on where you're getting stuck. Did you configure the Cisco devices to actually send syslog to your Splunk server?
... View more
01-12-2015
06:16 AM
If this is a file monitor input, have a look at the "time_before_close" directive in inputs.conf. http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf
... View more
01-09-2015
06:47 AM
You could either collect logs via WMI, or make use of Windows's own mechanisms for forwarding event logs to the "Forwarded events" log on the host, and have the forwarder pick up things there. The best idea in most cases though is to install a Universal Forwarder on each of the hosts that you want to collect events from, as it gives you better control, performance and fault tolerance compared to the alternatives.
... View more
12-28-2014
01:36 AM
2 Karma
Use an eval expression. Something like this should do it.
replace(yourfield,"([^/]+)/([^/]+)/([^/]+)/([^/]+)","*/\2/*/\4")
... View more
12-23-2014
08:37 AM
2 Karma
Use eventstats .
... | eventstats first(status) as status, first(user) as user | ...
... View more
12-18-2014
09:38 PM
Also your multiple stats commands will not work, because the first stats command consumes all data that goes into it and only emits whatever fields it calculates.
Perhaps you want something like this?
index=test sourcetype=XY action="Value1" OR action="Value2" | stats count(eval(action=="Value1")) as Field1, count(eval(action=="Value2")) as Field2 | ...
... View more
12-18-2014
09:33 PM
No. The subsearch emits a filter string containing all values for B and C. There's no separate "channel" where field values can be returned from a subsearch without having them emitted as a filter string. Depending on your exact scenario, you might want to look into using join , or if you have fairly static data, consider putting your B values in a lookup.
... View more
12-18-2014
02:11 PM
1 Karma
Yes, inputlookup would be part of the solution, as part of a subsearch.
Assuming you have your eventcodes in a lookup called "eventcodes.csv" and users in "users.csv", with the field names "eventCode" and "user" at the top, respectively, you do this:
index=microsoft [inputlookup eventcodes.csv] [inputlookup users.csv]
This will result in that the subsearches are expanded into search filters, one for each of all eventcode and user values.
... View more
12-18-2014
04:23 AM
eval won't like doing string concatenations on multivalued fields. It does that on single-valued fields only.
... View more
12-17-2014
12:05 PM
Way more details please - sample events, how you've setup log ingestion for these events, what search you're using, what you mean by blob reference, etc etc. We don't know your setup or your situation so you have to tell us if we're to stand a chance of helping you!
... View more
12-17-2014
05:55 AM
Are you putting these settings on the instance where you search (like a search head) or some other instance? Your regex looks OK, so one theory would be that you're putting your settings in the wrong Splunk instance.
... View more
12-16-2014
11:31 AM
It seems you've got the syntax wrong for the conf files. source and sourcetype aren't valid configuration directives in props.conf.
You can't have the indexer read a CSV from a remote workstation. The only way to get the CSV into Splunk, using Splunk's own mechanisms, is by adding a file monitor for it on the forwarder which will then forward it to the indexer which in turn will index that data.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
