Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About damode
damode
Motivator
Member since:
09-26-2017
05-06-2021
Community Statistics
| Posts | 310 |
| Solutions | 8 |
| Karma Given | 132 |
| Karma Received | 21 |
| Member Since | 09-26-2017 |
Activity Feed
- Got Karma for Re: How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade ?. 01-27-2026 11:03 AM
- Got Karma for Re: operation:"copying source to destination", error:"Access is denied.". 03-19-2025 09:25 PM
- Got Karma for Bucket replication issues - No possible srcs for replication. 08-26-2021 01:26 PM
- Posted cannot change user and/or app context of a report that is embedded on Knowledge Management. 05-06-2021 03:57 AM
- Posted Re: How to configure index settings to index data directly in S3 buckets/smartstore ? on Getting Data In. 05-05-2021 06:48 PM
- Posted How to configure index settings to index data directly in S3 buckets/smartstore ? on Getting Data In. 05-04-2021 05:38 PM
- Posted Is there any Splunk recommended best practice for ingesting Netflow data ? on Getting Data In. 05-03-2021 09:16 PM
- Got Karma for How to configure input in DB Connect v3.1.2 for Splunk Add-on for Microsoft SQL Server using template mssql:audit ?. 03-01-2021 04:55 PM
- Posted Re: What is the recommended logging requirement for Linux OS from Splunk ES perspective ? on Splunk Enterprise Security. 02-04-2021 01:54 PM
- Posted What is the recommended logging requirement for Linux OS from Splunk ES perspective ? on Splunk Enterprise Security. 02-03-2021 09:18 PM
- Posted Need help to find specific auth logs for Linux OS on Getting Data In. 02-01-2021 12:31 AM
- Posted Re: Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ? on Splunk Enterprise Security. 01-31-2021 04:22 AM
- Posted Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ? on Splunk Enterprise Security. 01-28-2021 11:48 PM
- Posted Application Protocols list in ES - unclear in documentation on Splunk Enterprise Security. 01-28-2021 02:30 AM
- Posted What is the actual use of Expected Views lookup ? on Splunk Enterprise Security. 01-28-2021 02:23 AM
- Posted How does ESCU app exactly maps Analytical Stories against CIS Controls ? on Splunk Enterprise Security. 01-12-2021 03:43 AM
- Posted Is there any automated way to check or validate magix six parsing attributes have been configured ? on Getting Data In. 01-09-2021 05:28 PM
- Posted Re: Accelerating CIM Validation (S.o.S.) datamodel results in error on Splunk Enterprise Security. 01-06-2021 04:09 PM
- Posted Re: SSL Certificate Checker: Which extensions are supported? on All Apps and Add-ons. 01-05-2021 02:17 PM
- Posted Strategies for populating watchlist field in Assets and Identity Framework on Splunk Enterprise Security. 01-04-2021 05:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-19-2017
02:56 AM
Hi @Kamlesh, I can confirm your points and I tried the above query but it populated only client_ip field.
... View more
12-19-2017
02:47 AM
1 Karma
Hi @DalJeanis,
This worked perfect and I was able to get results as expected. Thanks!
... View more
12-15-2017
02:14 AM
Hi @mayurr98, Sadly, Getting lots of event but no results found.
... View more
12-15-2017
02:09 AM
Hi @HiroshiSatoh, thanks for your response. Sadly, I am not getting any results with this query.
... View more
12-15-2017
02:04 AM
Hi @kamlesh_vaghela, thanks for your help. I am getting results but they are both separate from each indexes. For e.g, userid, client_ip, action from indexA in 2 rows and all other rows are of index B with fields client_ip and sender
... View more
12-15-2017
01:54 AM
Hi @deepashri_123, Thanks for your response. On running the query, I get 249 event but "No results found".
... View more
12-14-2017
10:06 PM
Table 1
userid, action, IP
Table2
sendername, action, client_IP
Query : select Table1.userid, Table1.action, Table1.ip,Table2.sendername FROM table1 INNERJOIN table2 ON table1.ip=table2.client_ip
What can be the equivalent query in Splunk if index is considered a table ?
below is the actual scenario,
indexA : userid, action, ip
indexB: sendername, action, client_ip
ip and client_ip have same values on which I want to build query
both indexes have same field name - action but different value. I am interested to see only indexA's action field
I want to see userid, ip, action from indexA and sendername from IndexB where indexA.ip=indexB.client_ip
EDIT: actual logs below,
index A:
action: deleted
anonymous: 0
component: tool_recyclebin
contextid: 633444
contextinstanceid: 23uu2
contextlevel: 50
courseid: 099987
crud: d
edulevel: 0
eventname: \tool_recyclebin\event\item_deleted
ip: 127.0.0.1
objectid: 35521
objecttable: tool_recyclebin
origin: cli
other: null
target: xxxxxxxxx
timecreated: 1513328455
timestamp: 2017-12-15T20:00:55+1100
userid: 242425
indexB:
2017-12-13T12:59:31.900Z,,WEB,,WEB,xxxxxxxxx,127.0.0.1,<xxxxxxx.@xxxxx.com>,user@sender.com,,13981,1,,,StudiesEnquiry,no-reply@abc.com,0100016sxsxdwdd3-000000@ozone.com,2017-12-13T12:59:36.859Z;SRV=abc.edu:TOTAL=0;SRV=mail.com:TOTAL=0,Incoming,,,,S:MailName=WBE-BAN;S:DataHealth=2
... View more
- Tags:
- splunk-enterprise
12-14-2017
06:08 PM
I am getting expected results along with results specific to each index with no IP matching.
one result from just index A is,
action, ip, userid
next is both results merged with IP matching (expected result)
action, ip, client_ip , sender, userid
another with results from just index B
action, client_ip , sender.
and I noticed Index B also has same field " action " like index A but with different values.
... View more
12-14-2017
02:09 PM
Hi MuS,
In my two indexes,
index=a
host=system
action=deleted
userid
ip
index=b
client_ip
sender
I am trying to figure out a query that will match ip from index A with client_ip of index B and merge results giving userid, ip sender and action as tables.
I have tried below query, but it only gave me results from index a
index=a host=system action=deleted OR index=b |transaction ip |table userid, ip, action, sender | eval correlation_field=case(isnotnull(ip), ip, isnotnull(client_ip), client_ip, 1=1, "unknown")
| stats values(*) AS * by correlation_field
... View more
12-14-2017
01:41 PM
thanks for your response @coltwanger. I will try this.
Does this have a high performance impact on the system or highly alarming aspect about it ? Because the way it shows in the GUI hitting the value 226 which is way beyond its max value-2, looks quite scary.
... View more
12-14-2017
01:21 PM
How would you write a query if ip is named as client_ip in index B ? basically if same field value has different field name in another index .
... View more
12-13-2017
03:37 PM
Hi @MuS, for some reason, the Search Head had the same hostname as the Indexer. Not sure how and when I did that. Once I changed it to its correct username, I stopped getting time parsing warning messages. I believe, that’s probably what was causing the issue.
... View more
12-12-2017
11:23 PM
found the solution at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata
... View more
12-12-2017
01:58 PM
Hi @woodcock, sorry if my question isn't clear enough.
What my main question is , how I can configure Heavy Forwarder to buffer data if Indexer goes down ?
You have mentioned that the 1, 2 and 4 settings are deprecated, but HF still supports data buffering.
So, can you please suggest what are the other steps required to configure that ?
... View more
12-12-2017
12:43 AM
Below are the folders within the colddb directory of in windows index,
db_1512626644_1499845837_0
db_1512629742_1512627226_2
db_1512634103_1512629742_4
I applied this configuration today.
... View more
12-11-2017
11:05 PM
Based on answers from this and other posts, I configured some of my indexes in the below way,
maxDataSize = 1000 (~1 day's worth of data)
maxHotSpanSecs = 86401 (to trigger hot --> warm)
maxHotBuckets = 3
maxWarmDBCount = 31 (hot + warm ~ one month's data )
frozenTimePeriodInSecs = 10368000
maxTotalDataSizeMB = 120000 (~120 days)
There is no separate storage for hot and cold. All on same storage.
With the above settings, I can also see buckets rolling to cold, but despite of all of these settings, there is still data in my cold bucket that is older than the frozenTimePeriodInSecs. What can I do to get them into frozen state i.e delete?
... View more
12-11-2017
06:43 PM
I couldnt find any mention about this particular topic anywhere, hence posting this question.
Currently, on the Search Head--->DMC--->Search--->KV Store:Instance, it shows "Page Fault per Operation" --> 226.85 and
on the Indexer it is, 162.44.
I am not sure if it actually an issue or normal because, there are no warning messages from Splunk instance, nothing came up related to this in Health check, no DMC alerts.
Please advise how can I bring this value to normal ?
... View more
12-11-2017
06:35 PM
Thanks for clarifying.
... View more
12-11-2017
06:02 PM
Sorry, I think you meant whether the S.H was configured in distributed mode. No, Both S.H and Indexer are in Standalone mode.
... View more
12-11-2017
05:52 PM
Its configured in Distributed Search mode with the Search Head. So, there is only 1 S.H and 1 Indexer. The above issue is on Indexer DMC.
... View more
12-11-2017
05:43 PM
Props.conf
line 33- index =winsysmon
... View more
12-11-2017
02:18 PM
Hi @adonio,
Thanks for clarifying that.
... View more
12-10-2017
09:59 PM
The instructions on this page http://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/DownloadandconfiguretheSplunkAdd-onsforActiveDirectory dont specify if the powershell add-on requires any configuration after download and install.
Please advise.
... View more
12-06-2017
09:15 PM
After I did the above step, I got this message during Splunk restart,
Invalid key in stanza [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational] in c:\Program Files\Splunk\etc\apps\TA-microsoft-sysmon\local\props.conf, line 33: index (value: winsysmon).
... View more
12-06-2017
05:55 PM
Thanks, Myron.
As per @kamlesh_vaghela comment, do those stanza have to go in props.conf ?
Also, why do we have two stanzas if they are both same,
[monitor:///logpartition/2017/meraki/]
SHOULD_LINEMERGE=false
[monitor:///logpartition/2017/meraki/]
SHOULD_LINEMERGE=false
Can you please update the "details" page of the app as well ?
thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-06-2021
08:24 AM
|
