Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About BobM
BobM
Builder
Member since:
03-09-2010
06-05-2020
Community Statistics
| Posts | 168 |
| Solutions | 40 |
| Karma Given | 70 |
| Karma Received | 229 |
| Member Since | 03-09-2010 |
Activity Feed
- Got Karma for Re: crcSalt issue. 04-25-2022 09:42 AM
- Got Karma for Re: how to delete old date from splunk. 01-03-2022 02:59 PM
- Got Karma for Re: crcSalt issue. 12-01-2021 06:30 PM
- Got Karma for Re: Merge events base on common field. 09-21-2021 11:46 AM
- Got Karma for Re: Merge events base on common field. 08-19-2020 12:49 PM
- Karma Re: Trial version of Enterprise Security for ekost. 06-05-2020 12:47 AM
- Karma Re: Is default deploymentclient.conf under $SPLUNK_HOME/etc/system/default? for bmunson_splunk. 06-05-2020 12:47 AM
- Karma Re: Splunkd not responding for bmunson_splunk. 06-05-2020 12:47 AM
- Got Karma for Re: Is there an easy way to download an app from the UI?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there an easy way to download an app from the UI?. 06-05-2020 12:47 AM
- Karma Re: error in "docgen" command for splunktechie. 06-05-2020 12:46 AM
- Karma Re: How to configure email alert using gmail smtp? for itinney. 06-05-2020 12:46 AM
- Karma Re: Extract fields from syslog (new to splunk) for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Multiple Deployment Servers Configuration for Eqalis. 06-05-2020 12:46 AM
- Karma Re: adding second TCP listener for SSL for itinney. 06-05-2020 12:46 AM
- Karma Re: Clusters and Apps for Vishal_Patel. 06-05-2020 12:46 AM
- Karma Re: event panel with fields discovery for lguinn2. 06-05-2020 12:46 AM
- Karma Splunk for Windows Technology add-on VS. Splunk for Windows for treinke. 06-05-2020 12:46 AM
- Karma Re: Line_Breaker question for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Main differences between a saved report and a saved search for lguinn2. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 5 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 2 | |||
| 12 | |||
| 1 | |||
| 2 | |||
| 1 | |||
| 2 |
12-28-2012
06:58 AM
The interactive field extractor can do this for you.
There is a quick 3min video here http://www.splunk.com/view/SP-CAAADUY
and the docs are here http://docs.splunk.com/Documentation/Splunk/5.0.1/Knowledge/ExtractfieldsinteractivelywithIFX
... View more
12-27-2012
02:30 PM
Assuming you already have the src_ip field being extracted, you need a stats command to build a count. Try the following search over a relevant time period:-
seclogin: "Login failed" "invalid user" | stats count by src_ip | where count>20
... View more
12-19-2012
02:46 PM
1 Karma
Yes that's a standard alert setting and you can have it alert with Seperated counts for each service.
See http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Alertexamples
... View more
12-15-2012
03:03 PM
This is really a question you should ask Google, they control their licensing and not Splunk.
I expect it would be better if the vendor did it as they may get bulk discount and be able to charge more for the product.
... View more
12-15-2012
02:25 PM
1 Karma
The idea of a summary index is it contains a subset of your live data to allow for faster searching. This summary data should only be kept as long as it is useful and should not get larger than the original.
As yours is growing out of control, it seems you have some badly set up summarising searches. First look for searches with "index=summary" in them to see what summarised data you are using. Then look for searches with si commands or the "collect" command in them and see if the data they are collecting is useful to you. If not, disable them. You may also find searches that could be merged. Make sure to check any apps you have installed as well.
Deleting summary data can cause inaccurate reports so care should be taken but in most cases, the wanted results can be rebuilt with the backfill script. See http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Managesummaryindexgapsandoverlaps for details.
... View more
12-15-2012
02:15 AM
2 Karma
I would add that in version 5, unless you are in verbose mode, a report will not create fields that it does not require. This can mean your results arrive a little faster.
I think what is more important is how you want to look at your data. If you want a table or graph of information summarised from your events, you should use reporting commands. If you want the original events, don't.
... View more
11-22-2012
04:46 PM
1 Karma
There is a way you can do this with an eval function to insert a new line before the transaction. You will have to paste the new line in as typing it will trigger a search.
sourcetype=cisco_esa | eval _raw=_raw+"
"| transaction mid icid dcid
If you are adding this into a config file add a backslash \ before the newline.
... View more
11-22-2012
02:20 PM
After testing this, I found I have to use REPORT and not TRANSFORMS as it is a search time function. Editing original answer to reflect this
... View more
11-22-2012
12:27 PM
1 Karma
I found this works. Set the sourcetype with a transform and regex then set the field names at search time.
props.conf
[mycsvsourcetype]
TRANSFORMS-mysourcetyper = csvsourcetypes
transforms.conf
[csvsourcetypes]
DEST_KEY = MetaData:Sourcetype
REGEX = ^\w*,(\w+),
FORMAT = sourcetype::$1
then back in the props.conf file for each source type
[ABC]
REPORT-abc = ABCfields
[DEF]
REPORT-def = DEFfields
and back to transforms.conf to define the filed names
[ABCfields]
DELIMS = ","
FIELDS = "field1", "field2", "field3"
[DEFfields]
DELIMS = ","
FIELDS = "fieldA", "fieldB", "fieldC"
... View more
11-22-2012
12:25 PM
1 Karma
In SPLUNK, can we index and search data with varying formats?
We have a csv file containg events with different formats. Approximately there are 100 formats available. There is also a config file which can be used as a lookup to determine the column names of the corresponding record.
If we need to put such data into Splunk, where and how we can specify the format for each event to be handled?
The data format is something like this:
Dept01,ABC,20120904,001500,Gn,3,ggss Test-City_gtpp,1,103031 Dept01,DEF,20120904,1500,1,13.17,86.83,277,1876288,34078720,2,3.34,96.66,235,1681068 Dept01,PQR,20120904,001500,24,3,0
Dept01,XYZ12,20120904,001500,Gi,2,abc-xyz.net.P2,67651,0,0,63419,R,0,G,10.208.0.0,abc-xyz.net.GP
The second column (ABC, PQR) are different source types, and each has varying column names and numbers. Since there are no key-value pairs, we cannot use EXTRACT.
In this case, how can we populate the fields?
... View more
- Tags:
- csv
- extractions
- field
11-20-2012
02:56 AM
One way I have thought of was to clone each dashboard in different languages and deliver the correct one based on role but this prevents users selecting their own language.
I would prefer to use the url /en-US/ /en-GB/ etc. method but how do I add missing languages and how do I detect this in my dashboards.
... View more
11-20-2012
01:06 AM
1 Karma
I want my dashboard to display the contents in multi-lingual environment (Like English, French, Arabic etc..).
By default it should display the contents in English, but if i want the contents to display in Arabic (For UAE Client), I should be able to do it.
Can we do this in splunk?
... View more
- Tags:
- language
- multivalue
11-16-2012
08:01 AM
No. The passAuth=root passes an authentication code for the splunk account root if it exists and not the OS account root.
... View more
11-11-2012
02:38 PM
If you look at the advanced XML of the your pages, there are a few message modules.
The first on any page is for system messages. By default, this has a wildcard filter.
< module name="Message" layoutPanel="messaging">
< param name="filter" >*< /param>
If you edit it and replace the * with the word NONE, it will then not show any system messages. Then make a duplicate copy, restore the * and only give the admin role rights to see it.
You will have to do this for each of the advanced XML pages you don't want users to see the message on. I don't think you can do this for simple XML so you will have to convert them.
... View more
11-08-2012
08:57 AM
You have to tell the deployment server in its serverclass.conf file which clients should have what app. They don't automatically get an app, only if they match the whitelists.
Also there is no automatic way of copying the app from client A onto the deployment server. You would have to do this manually.
See http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver for more detail.
... View more
10-23-2012
12:11 PM
When you reach 5 license violations, search is disabled. But the _internal index is not blocked for exactly this kind of reason. You need to be able to tell if you are still getting violations and if so where the data is coming from.
... View more
10-17-2012
03:25 PM
2 Karma
This will give what you want.
index=_internal per_host_thruput | timechart span=1d dc(series) as hosts
dc is short for distinct count and series contains the host name in the per_host group
... View more
09-28-2012
10:57 AM
2 Karma
a change span=7d to span=1d to get daily granularity.
You can also use streamstats to smooth it more if that is needed.
... View more
09-28-2012
09:40 AM
1 Karma
For a start you should be using splunktcp and not udp for the forwarders to send to. If you configured it via the UI it is dificult to get wrong so assume that was a mistake.
The problem looks to me that you need to use a wildcard in your search. Splunk is not case sensitive (in most places) but it expects complete words or values so add a star before, after or both and it should work. Try the following
host=*pdm*
... View more
09-23-2012
01:15 AM
All calls to splunkd should be HTTPS. Corrected
... View more
09-12-2012
07:15 PM
1 Karma
Try adding
MAX_TIMESTAMP_LOOKAHEAD=12
That should force it to ignore the 13th digit.
... View more
09-12-2012
06:36 AM
1 Karma
This should work but it is not a best practice as it extracts the field at index time. This places more load on your indexers as well as taking more space in your index. If you replace TRANSFORMS with REPORT in your props.conf this will run at search time which is more efficient.
Although switching to EXTRACT would be my preference. Your initial post was close to an extract regex.
... View more
09-12-2012
06:18 AM
1 Karma
There is a better way.
Go in to Manager >> Access Controls >> Roles and edit your role.
There is a setting Restrict search time range this is set to -1 by default which means all time.
Changing it to any other number indicates how many seconds anyone with that role can search. Set it to 2592000 and they will only ever see 30 days data and will get no error messages.
If the user has multiple roles, then all roles should have this set as the longest duration will prevail.
Bob
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
