×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
jadengoho
Builder
Member since: ‎08-31-2017
‎02-28-2022
Community Statistics
Posts 252
Solutions 10
Karma Given 6
Karma Received 26
Member Since ‎08-31-2017
Activity Feed
Topics I've Started
View All

Re: Splunk Enterprise security Incident Review tab...

by in Splunk Enterprise Security
‎04-30-2020 01:52 AM
‎04-30-2020 01:52 AM
@DavidHourani - i do have splunk admin access but issue still occur. sometime the table shows but most of the time it's not showing. ... View more

Re: Splunk Enterprise security Incident Review tab...

by in Splunk Enterprise Security
‎04-30-2020 01:21 AM
‎04-30-2020 01:21 AM
@MuS - what could be the reason behind this ? ... View more

Re: Splunk Enterprise security Incident Review tab...

by in Splunk Enterprise Security
‎04-30-2020 01:00 AM
‎04-30-2020 01:00 AM
@DavidHourani - search is returning results, and when i change the time picker = time range shows the event count per day - but the table is not showing anything. Also the pagination is showing. tried to change page still not showing. ... View more

Re: Splunk Enterprise security Incident Review tab...

by in Splunk Enterprise Security
‎04-29-2020 10:10 PM
‎04-29-2020 10:10 PM
@DavidHourani - i tried clearing cache, changing browser and restarting my device but still issue occur. ... View more

Re: Splunk Enterprise security Incident Review tab...

by in Splunk Enterprise Security
‎04-28-2020 06:35 PM
‎04-28-2020 06:35 PM
Hi @DavidHourani - i tried restarting my laptop and reconnecting to the internet.Will try clearing browser cache when it happend again. ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 04:01 AM
‎04-28-2020 04:01 AM
@to4kawa i've tried your code and it shows similar output. When i ingest the log as whole - it shows complete - please see GREEN BOX but in my case it send 1line per minute shows line per line - please see RED BOX ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 03:16 AM
‎04-28-2020 03:16 AM
hi @PavelP -the configuration works for "one time ingestion", please see the GREEN BOX in the image. But when the staggered data came it doesn't follow the linebreaking - please see the RED BOX. ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 02:42 AM
‎04-28-2020 02:42 AM
I do know how to setup the props on heavy forwarder using deployment server. The question is How can i make HF not send the logs if it doesn't saw the linebreaker? OR how to make the HF wait until he saw the linebreaker? ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 02:32 AM
‎04-28-2020 02:32 AM
The problem was that HF was sending more than one event at a time. - How can i set the HF to not send the logs if it doesn't saw the linebreaker ? Also the client want to see the logs as a complete not line by line.. ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 02:24 AM
‎04-28-2020 02:24 AM
Will this work even their server send data 1 line per minute, cause that's my problem? ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 02:23 AM
‎04-28-2020 02:23 AM
hi @PavelP - it s 1 line per minute ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 02:21 AM
‎04-28-2020 02:21 AM
we don't have inputs. their server is sending logs to our HF . ... View more

Re: How to handle staggered logs

by in Splunk Search
‎04-28-2020 01:39 AM
‎04-28-2020 01:39 AM
i'll update the question to include the current props.conf ... View more

How to handle staggered logs

by in Splunk Search
‎04-28-2020 01:09 AM
‎04-28-2020 01:09 AM
Hi , Basically their server send logs one line at a time. When it came to Splunk it ingest automatically and not following the line breaker configuration. Out target is to line break the logs before "C:\Users\localserver>systeminfo". Can Splunk wait for the line breaker to be visible before it linebreak ? Or what is the best way to handle this issue. Example log: C:\Users\localserver>systeminfo Host Name: localserver OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: company Registered Organization: OOO Original Install Date: 01/01/2020, 7:10:02 PM System Boot Time: 4/28/2020, 12:43:21 PM System Model: HP Samplebook System Type: x64-based PC Processor(s): 1 Processor(s) Installed. Windows Directory: C:\WINDOWS System Directory: C:\WINDOWS\system32 Boot Device: \Device\HarddiskVolume1 C:\Users\localserver> Host Name: localserver OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: company Registered Organization: OOO Original Install Date: 01/01/2020, 7:10:02 PM System Boot Time: 4/28/2020, 12:43:21 PM System Model: HP Samplebook System Type: x64-based PC Processor(s): 1 Processor(s) Installed. Windows Directory: C:\WINDOWS System Directory: C:\WINDOWS\system32 Boot Device: \Device\HarddiskVolume1 Here's the situation that their server sending the logs, every 1minute it will sent the nextline. C:\Users\localserver>systeminfo <After 1min it will send the next line> Host Name: localserver <After 1min it will send the next line> OS Name: Microsoft Windows 10 Enterprise <After 1min it will send the next line> OS Version: 10.0.18362 N/A Build 18362 <After 1min it will send the next line> OS Manufacturer: Microsoft Corporation <After 1min it will send the next line> OS Configuration: Member Workstation <After 1min it will send the next line> Props.conf [sourcetype_name] DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = (C\:\\Users) TRUNCATE = 8000 If i ingest the log as a bulk it will show the "GREEN BOX" in the picture whole and complete. But in my case it's staggered and ingesting 1line per minute "RED BOX". ... View more

Re: Splunk dashboard screenshot

by in All Apps and Add-ons
‎04-27-2020 04:05 AM
‎04-27-2020 04:05 AM
Hi @prashantkumar_g could you post the process here - for us to test it on out environment? ... View more

Splunk Enterprise security Incident Review table n...

by in Splunk Enterprise Security
‎04-27-2020 01:40 AM
2 Karma
‎04-27-2020 01:40 AM
2 Karma
Hi All, Would like to know what causes this issue , please see screenshot attached. There's an event "42" showing and time range is showing , but the table is not showing. SplunkEnterpriseSecuritySuite = version :5.3.0 ... View more

Eventgen one line a time

by in All Apps and Add-ons
‎04-24-2020 12:57 AM
‎04-24-2020 12:57 AM
Hi All, I want to generate logs line by line. After the first line was generated it will wait for 60 seconds before generating the second line. 529 29/03/20 12:49:13 000002 CASH WITHDRAWAL 0,0000.00 ALL 0000000000*******910  12:49:35 TRANSACTION END *461*03/29/2020*12:49* *PRIMARY CARD READER ACTIVATED* *462*03/29/2020*18:39* *TRANSACTION START*  CARD INSERTED CARD: ************1806 DATE 29-03-20 TIME 18:39:07 18:39:08 ATR RECEIVED T=0  18:39:15 PIN ENTERED  18:39:17 OPCODE = B A DB 18:39:18 GENAC 1 : ARQC 18:39:20 GENAC 2 : TC ---------- 530 29/03/20 18:39:30 000001 BALANCE INQUIRY ALL 0000000000*******806  18:39:33 CARD TAKEN  18:39:38 TRANSACTION END *463*03/29/2020*18:39* *PRIMARY CARD READER ACTIVATED* *464*03/29/2020*23:36* *PRIMARY CARD READER ACTIVATED* *465*03/30/2020*06:13* *TRANSACTION START*  CARD INSERTED CARD: ************4417 DATE 30-03-20 TIME 06:13:45 06:13:46 ATR RECEIVED T=0  06:13:53 PIN ENTERED  06:14:07 OPCODE = A A DB  06:14:23 NOTES STACKED  06:14:25 CARD TAKEN Sample: 529 29/03/20 12:49:13 000002 - will wait another 60seconds before next line CASH WITHDRAWAL 0,0000.00 ALL - will wait another 60seconds before next line 0000000000******910 - *will wait another 60seconds before next line**  12:49:35 TRANSACTION END will wait another 60seconds before next line Hope you get my point. ... View more

Re: Eventgen Generate Once

by in All Apps and Add-ons
‎04-22-2020 11:51 PM
‎04-22-2020 11:51 PM
I resolve this issue , by uninstalling the Splunk and installing a lower version. It's weird that latest version of Splunk and latest version of eventgen doesn't work. ... View more

Re: Eventgen Generate Once

by in All Apps and Add-ons
‎04-22-2020 11:49 PM
‎04-22-2020 11:49 PM
This didn't solve the issue , but it help a lot. ... View more

Re: Splunk timestamp Milliseconds vs Microseconds

by in Getting Data In
‎03-30-2020 07:16 PM
‎03-30-2020 07:16 PM
Yes the clocks are correct, maybe it's due to other stuff on their server. Thanks. ... View more

Splunk timestamp Milliseconds vs Microseconds

by in Getting Data In
‎03-30-2020 01:36 AM
‎03-30-2020 01:36 AM
Hi All, What would be the impact if i use "%Q" rather than "%6Q" ? Cause i'm seeing a 20min time delay on Splunk ingestion, is this because of this or not ? Log Example: - 2020-03-08-15.31.10.838384 - 2020-02-01-18.25.15.738385 https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Commontimeformatvariables https://docs.splunk.com/Documentation/Splunk/8.0.2/Troubleshooting/Troubleshootingeventsindexingdelay ... View more

Re: Splunk Field Extraction inside a bracket

by in Splunk Search
‎03-26-2020 07:42 PM
‎03-26-2020 07:42 PM
thanks @woodcock - this is very helpful. Can i use this command for specific logs only ? i need this configuration for INFO only not DEBUG? https://regex101.com/r/ZvxlMY/2 2020/03/01-10:01:01 INFO [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"] 2020/03/01-10:01:02 DEBUG [firstname "Julie"] [age "58"] [state "AU"] [id "10002"] 2020/03/01-10:01:02 INFO [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"] ... View more

Splunk Field Extraction inside a bracket

by in Splunk Search
‎03-26-2020 05:30 AM
‎03-26-2020 05:30 AM
Hi All, Is there any faster way to extract fields with this format on props and transforms file? like Key value pair ? There's a lot more field than that , that's why im finding an easier way to extract field value 2020/03/01-10:01:01 [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"] 2020/03/01-10:01:02 [firstname "Julie"] [age "58"] [state "AU"] [id "10002"] 2020/03/01-10:01:02 [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"] ... View more

Eventgen Generate Once

by in All Apps and Add-ons
‎02-26-2020 08:11 PM
‎02-26-2020 08:11 PM
Hi All, I would like to ask on why does my Eventgen only Generate data Once. It follows all the setting, but it ingest once. Please see eventgen.conf [juniper_sample] disabled = false latest = now interval = 60 count = -1 randomizeCount = 0.2 outputMode = splunkstream index = firewall_juniper sourcetype = juniper:junos:firewall ... View more

Re: How to separate multiselect drilldown

by in Dashboards & Visualizations
‎02-15-2020 07:38 PM
‎02-15-2020 07:38 PM
I've solve the issue. This page help me: https://www.advisori.de/splunk-struggles-with-multiselects-and-how-to-rule-them-all-or-at-least-some/ As per my understanding: If you set a token in a table drilldown its in array form, and need to be converted in per line value*[Split command]* for it to work. <form> <label>Mutiselect</label> <fieldset submitButton="false"> <input type="multiselect" token="multiselect_token"> <label>number</label> <choice value="1">1</choice> <choice value="2">2</choice> <choice value="3">3</choice> <delimiter>,</delimiter> </input> </fieldset> <row> <panel> <table> <search> <query>|makeresults |eval value="1,2,3"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="count">10</option> <option name="drilldown">cell</option> <drilldown> <eval token="form.multiselect_token">split($row.value$,",")</eval> </drilldown> </table> </panel> </row> </form> ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-28-2022 11:18 PM
Karma from
Karma given to