Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About lbogle
lbogle
Contributor
Member since:
01-30-2012
06-05-2020
Community Statistics
| Posts | 119 |
| Solutions | 4 |
| Karma Given | 2 |
| Karma Received | 34 |
| Member Since | 01-30-2012 |
Activity Feed
- Got Karma for Re: How to exclude events with null fields in a search?. 07-23-2024 10:28 AM
- Got Karma for Cisco Security Suite: What is the best logging level configuration for ASAs in our environment?. 06-05-2020 12:48 AM
- Karma Re: Splunk for Palo Alto Networks: Why we not seeing any pan_data_filtering to populate the "Data Filtering" dashboard? for btorresgil. 06-05-2020 12:47 AM
- Got Karma for How to chart total number of each hostname that appear in 2 databases from csv files?. 06-05-2020 12:47 AM
- Got Karma for Re: chart by source and hostname. 06-05-2020 12:47 AM
- Got Karma for How to graph a line chart of two field values over time from a csv log file?. 06-05-2020 12:47 AM
- Got Karma for Find a field value string that is partially present in another field value string.. 06-05-2020 12:47 AM
- Got Karma for Re: Find a field value string that is partially present in another field value string.. 06-05-2020 12:47 AM
- Got Karma for Re: Find a field value string that is partially present in another field value string.. 06-05-2020 12:47 AM
- Got Karma for How to remove text from host name in search results?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are graphs not representative of counts from my search? How to join main and subsearch to compare results?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to search the rate of events in indexes A, B, C, D to to compare with the rate of events in index D?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to count the number of dashboard views per day or per hour for a particular dashboard?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to count the number of dashboard views per day or per hour for a particular dashboard?. 06-05-2020 12:47 AM
- Got Karma for How to exclude events with null fields in a search?. 06-05-2020 12:47 AM
- Got Karma for How do I delete incidents from Splunk ES. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 0 |
04-14-2015
05:27 PM
1 Karma
Found the duplicate license on a little used lab box! Lesson here is "RTEEM"! (Read The Entire Error Message)
... View more
04-14-2015
03:57 PM
Hello Splunkers,
Question for you regarding licensing issues in my distributed 6.2 instance.
I moved my corporate licenses to a new search head which I then deployed as the master license server. I then turned off my old master license server server services and made it . I then went to each of the indexers and switched them over to the new master license server/search head, restarting splunk on each in turn. I am now seeing errors from each of the indexers similar to the subject line. I have several license key hashes (different log volumes purchased incrementally) and I verified that all hashes are unique. The old license server does not appear to be referenced anywhere in the mix, but they are the same licenses.
Am I supposed to delete the licenses and re-add them?
Any suggestions?
Thanks,
Lindsay
... View more
04-07-2015
09:57 AM
Nevermind. I recieved your earlier comment regarding a data filtering profile. Thanks!
... View more
04-07-2015
09:53 AM
So if I don't have pan_data_filtering within Splunk, there will be no data filtering. What from my PAN box is supposed to generate the pan_data_filtering log data?
Thanks!
... View more
04-06-2015
06:35 PM
Hello Splunkers,
Thought I’d check with you on this. We are not seeing information in the ‘data filtering’ dashboard. URL filtering works fine.
We have no ‘data filtering’ security profile set up, but we are seeing data filtering data show up in the PAN firewall monitor dashboard for data filtering with files and executables. When I go to the PAN app, there is no data within pan_data_filtering .
I do, however see the data files and names etc in pan_file .
What am I missing to get the data filtering dash data visible?
Thanks!
... View more
04-06-2015
06:32 PM
I have the same issue.
We are not seeing information in the ‘data filtering’ dashboard. URL filtering works fine.
We have no ‘data filtering’ security profile setup but we are seeing data filtering data show up in the PAN firewall monitor dashboard for data filtering with files and executables. When I go to the PAN app there is no data within pan_data_filtering .
I do, however see the data files and names etc in pan_file so it seems like a portion of data filtering is working but maybe because we don't have a specific data filtering security profile setup on the firewall itself, maybe it's not getting flagged properly?
Not sure.
... View more
02-26-2015
06:08 AM
Gooooood....
I added the following entries to my limits.conf file
[inputproc]
file_tracking_db_threshold_mb = 500
[searchresults]
maxresultrows=500000
maxout=500000
subsearch_maxout=500000
and nothing was coming back successfully.
I saw the line about piping the format maxresults=500000 to the end of your sub search and BAM! totally different results. Will spot check and let you know. This seems to be a more accurate number though based on my knowledge of the contents of each file and I suspect this was the missing piece of the puzzle.
Faith in Splunk restored.
Carry on.
... View more
02-26-2015
06:02 AM
Hi Mark,
Thank you for your reply. It would be but deduplicating the files is not my end goal. I am trying to filter a lookup table based on the contents of another lookup table. I was communicating that the dedup was done in the .csv files prior to the lookup tables being ingested in Splunk to erase any sort of duplicates being an issue w/ the results here.
Thank you for taking the time to reply, Mark.
I appreciate it.
... View more
02-25-2015
10:24 PM
Hello Splunkers,
I have what I think should be an easy question, but I'm not able to make it happen.
I have two lookup tables, each with one field listing host names. The field is named "computer" and the host names are all basic alpha-numeric field values "pc-username" or "pc-username2" etc.
| inputlookup filename.csv
| inputlookup filename1.csv
Filename.csv has 700 entries with hostname values (all lower case)
Filename1.csv has about 13,000 fields with hostname values (all lower case)
I would like to filter out all the values in filename1.csv from filename.csv.
I am doing this with the following search:
| inputlookup filename.csv | fields computer | search NOT [|inputlookup filename1.csv | fields computer]
This drastically reduces the number of 13,000 computers down to about 611 however, when I spot check against the lookup table, there are still multiple entries from filename 1.csv in the resulting report. Both lookup tables have been deduplicated.
What am I missing?
Thanks for your help!
... View more
02-10-2015
10:33 AM
Okay, thanks for your assistance.
... View more
02-10-2015
10:33 AM
Okay, thanks for your assistance.
... View more
02-10-2015
10:18 AM
Thanks for the reply, AH.
The .csv file is not the result of a search.
So Splunk does not have the capability to update the local copy of the .csv file at all unless I manually re-add it, is that corect? What is an automatic lookup?
Thanks!
... View more
02-10-2015
09:46 AM
Hello Splunkers,
Question: I have a lookup working properly on a .csv file but I appear to have correctly assumed that once I define the lookup file and then I update the lookup file with the day's fresh copy, my Splunk searches would automatically reference the new .csv file without me having to redefine it. This appears to not be the case.
Is this possible to setup? Should I be using Automatic Lookups or will I need to redefine the lookup file every time I have a new .csv to reference?
Thanks!
... View more
02-05-2015
10:37 AM
I was hoping it would be you that responded 🙂
Your answers are always well thought out and well written.
That was exactly how I understood things to work and a lookup table may work here perfectly here now that you mention it.
Thank you very much!
... View more
02-05-2015
07:34 AM
The file in question is a report file (.csv) containing data only for my department that is manually generated and exported and then indexed into Splunk. The same index is used to collect total resolved/historical tickets.
... View more
02-05-2015
07:32 AM
Hello Splunkers,
Question. I index and report on my departments IT Service Level Agreement ticket stats for them using Splunk. I have a number of queries that are successfully returning the desired information but I have noticed that as tickets get transferred out of our ticket queue, tickets are still showing up in the reports from the time they were indexed initially. Because Splunk saw it once but does now not see it, the record of the ticket still persists in the reports. I guess my question is: How do write a query to exclude something that is not there?
... View more
01-19-2015
12:01 PM
Hello,
Yes, this is working with a field extraction. I was not able to filter the extraction 100% successfully but it's providing good data, I just need to be able to filter out the numerical values at search time. This is for a single search instance for doing some detective work and is not a long term requirement.
... View more
01-19-2015
11:44 AM
Hello Splunkers,
I need to ignore some field values that are incorrectly coming in.
I am seeing a field UserID=Tom correctly show up but there are some other entries where UserID=8.8.8.8 Accessed URL....etc etc.
How do I get Splunk to ignore any UserID where UserID=Anything with a number in it?
Thanks!
... View more
01-07-2015
11:44 AM
Hello Splunkers,
I would like to disable SSL between our Search Head and our indexers which are distributed in locations world wide. It appears that the Enterprise Security app is running searches in the background and this is generating a high volume of traffic from our indexers to the search head and this is impacting the bandwidth at those sites. Each of these sites has a traffic optimization technology that would take the volume of traffic and reduce it to a fraction of it's existing volume and is itself encrypted before it leaves our firewall. The problem is that the optimizers cannot read the encrypted Splunk traffic due to the optimization. Can it be disabled? If so, how? Considering the scenario, would it be recommended?
Thanks!
... View more
11-05-2014
12:27 PM
Thanks Somesoni2,
I got back the same number of results unfortunately. I'm not sure what could be the problem. Could it be something wrong with the data source? There are some blank fields in the data but everything has a name/hostname....
... View more
11-05-2014
11:26 AM
I think also that the search needs to mandatory identify both sources (like an AND).
... View more
11-05-2014
11:25 AM
Interesting search!
I got back 13K results which is more than I was expecting.
I like that eval hostname=coalesce(lower(hostname),lower(Name)) bit.
I'm keeping that 🙂
... View more
11-05-2014
11:05 AM
Hi sk313. Thanks for the reply.
I can see the utility of these commands but they don't seem to work for my particular search. I have two searches, both with common hostname fields but I need exclude a specific set of events based on a field (in this case hostnames) based on source from another list. It seems like set doesn't allow you to specify which set to exclude
Set intersect sounded hopeful but it gives me the values that are common to both, but I need to find specifically which are present in search 1 after the items in search 2 have been excluded from search 1.
Does that make sense?
... View more
11-05-2014
09:59 AM
Hello Splunkers,
I've been trying to solve this problem for a while now but I am still not able to NOT the contents of a sub-search from the main search.
Search 1:
index=asset source="/scratch/cadence_assets/AD-host-report.csv" NOT "Operating System"=*Server* | search "Operating System"=*Windows* | eval Name=lower(Name) | dedup Name | rename Name as hostname | fields + hostname,source | table hostname source
9,646 hostname results
Search 2:
index=asset source="/scratch/cadence_assets/SCEP.csv" | dedup hostname | eval hostname=lower(hostname) | fields + hostname,source | table hostname source
6,402 hostname results
I would expect that NOT'ing 2 from 1 would result in approx. 3244 results but I'm having trouble with the syntax apparently.
Here is the joined search:
index=asset source="/scratch/cadence_assets/AD-host-report.csv" NOT "Operating System"=*Server* | search "Operating System"=*Windows* | eval Name=lower(Name) | dedup Name | rename Name as hostname | fields hostname,source | table hostname source | search NOT [search index=asset source="/scratch/cadence_assets/SCEP.csv" | dedup hostname | eval hostname=lower(hostname) | fields + hostname,source | table hostname source]
I get 9,646 results which looks like the search is only referencing the AD-host-report.csv report. I am trying to remove the results of search 2 from search one. Or perhaps maybe a table comparing the two by hostname would be the way to go....
... View more
10-29-2014
04:27 PM
Hi Martin,
Bummer! I was told that everything that matched got joined together into a single event. I'm glad I double checked.
So the source is two .csv files. It's weird to me that only one shows up after the join.
The plan was to have two host files. Both files have some of the same host names but not all. One of the .csv files has many other fields by which to categorize the host names, whereas the other does not. I need to remove some host names from the list based on these categorization fields.
Initially I had set about doing this with nested sub searches but that didn't quite work out and it seemed to be very inefficient. I think I also ran into a limits.conf issue as the base query was returning a couple hundred entries.
This way seemed to be a little more elegant.
What are your thoughts?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
