Activity Feed
- Got Karma for Re: How to exclude events with null fields in a search?. 07-23-2024 10:28 AM
- Got Karma for Cisco Security Suite: What is the best logging level configuration for ASAs in our environment?. 06-05-2020 12:48 AM
- Karma Re: Splunk for Palo Alto Networks: Why we not seeing any pan_data_filtering to populate the "Data Filtering" dashboard? for btorresgil. 06-05-2020 12:47 AM
- Got Karma for How to chart total number of each hostname that appear in 2 databases from csv files?. 06-05-2020 12:47 AM
- Got Karma for Re: chart by source and hostname. 06-05-2020 12:47 AM
- Got Karma for How to graph a line chart of two field values over time from a csv log file?. 06-05-2020 12:47 AM
- Got Karma for Find a field value string that is partially present in another field value string.. 06-05-2020 12:47 AM
- Got Karma for Re: Find a field value string that is partially present in another field value string.. 06-05-2020 12:47 AM
- Got Karma for Re: Find a field value string that is partially present in another field value string.. 06-05-2020 12:47 AM
- Got Karma for How to remove text from host name in search results?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are graphs not representative of counts from my search? How to join main and subsearch to compare results?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to increase truncation limit to display all results in a chart?. 06-05-2020 12:47 AM
- Got Karma for How to search the rate of events in indexes A, B, C, D to to compare with the rate of events in index D?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to count the number of dashboard views per day or per hour for a particular dashboard?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to count the number of dashboard views per day or per hour for a particular dashboard?. 06-05-2020 12:47 AM
- Got Karma for How to exclude events with null fields in a search?. 06-05-2020 12:47 AM
- Got Karma for How do I delete incidents from Splunk ES. 06-05-2020 12:47 AM
10-29-2014 03:41 PM
It looks like some data streams are getting sent over into Panorama from the firewalls and then to Splunk and some weren't.
Thanks Brian for the assistance with tracking that down!
10-29-2014 03:30 PM
Hello Splunkers,
Just checking in to get a proofread and also to see what the expected result in 'source' is supposed to be when referencing two OR'd and separate sources combined with a "join" or "selfjoin" command.
I have the following query:
index=index-name (source="/file.csv" OR source="/file2.csv") | eval name=lower(coalesce('System Name',Name)) | eval os=coalesce('OS Name','Operating System')| fields + * | selfjoin max=0 keepsingle=t name .....and then some other things.
My understanding is that this search will take events and mash together the ones with matching fields (in this case 'System Name' and Name) and include the other lines with no matching fields, but in their original event format. Is that accurate?
What should I see in source at this point?
Thanks!
10-13-2014 10:52 AM
Just FYI, the build (after letting it run over the weekend) is now at 18%.
10-13-2014 10:51 AM
Hi Brian,
Did this last Friday night and dashboards started populating and building. The data model seems to have gotten stuck under 10%. Dashboards started disappearing and it looks like data stopped being processed in the dash, though the logs are still updating properly.
Any other suggestions?
10-09-2014 09:48 AM
I recall we had this issue last time during the POC for PAN, but I don’t recall what the fix was.
I also disabled Splunk Enterprise Security to see if there was some sort of resource conflict but there appeared not to be.
When I checked the Palo Alto Networks Logs Data Models and then checked the Pivots and tried to build a table, I received the following errors:
[lab-splunk] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-ap] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-eu] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-sj] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
If I ran a Pivot in “Network Traffic” I received no errors.
I also followed the solution below, with no change in status:
http://answers.splunk.com/answers/138840/only-the-overview-dashboard-has-data-pan-app-v4-1-1-splunk-v6-1-1.html
Palo Alto Networks Logs
This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.
Model objects: 17 events
Permissions: Shared in App. Owned by nobody.
Acceleration status: Building
Access Count: 0. Last Access: 1969-12-31T16:00:00-08:00
Size on Disk: 0.00MB
Summary Range: 31536000
Buckets: 0
Waited a couple hours, restarted Splunk search head. Tried switching between PAN_index and PAN_logs per the instructions with no change in status.
PAN Logs are otherwise searchable and are showing up correctly it appears. Clocks between PAN FW's and Splunk app are within minutes of one another.
Configured PAN App using these instructions:
https://live.paloaltonetworks.com/docs/DOC-6593
10-02-2014 05:46 AM
Odd then that I maxed out at less than 5K. This wouldn't be the first time that the way I've crafted queries has introduced me to a maximum search result limit.
Any suggestions on how I should get those two searches joined? I'm trying to use Splunk to paint a picture of our asset inventory: if I can join the two asset logs by hostname and OS, I can understand what we have out there in our environment and then later search against that main query to use it as a living master repository list. Use it as a sub/main search against a virus scan log, for example, to see what machines have a virus scan utility installed on them, etc.
Thanks for any assistance.
10-01-2014 09:02 AM
1 Karma
Hello Splunkers.
I have the below search/subsearch which are working fine by themselves, but when I try to join them to create a 'master' list, I suddenly lose events. The main search returns approximately 9.3K events/hostnames and the sub search returns approx 11.8K hostnames. I'm expecting that joining them would return a number of hostnames, somewhere down the middle but I only get a little over 4K in return.
What am I doing wrong?
index=asset_db source="/var/asset_database/fullpull.csv" "System Name"=* NOT "Purpose2"=Farm | convert timeformat="%m/%d/%Y" mktime("Last Audit") as last_audit_time | eval timer=now()-(90*24*60*60) | where last_audit_time>timer | rename "OS Name" as OS | rename "System Name" AS hostname | eval hostname=lower(hostname) | join hostname [search index=assets source="/scratch/cadence_assets/AD-host-report.CSV" earliest=-90d@d latest=-0d@d Name=* "Operating System"=* | rename "Operating System" AS OS | rename Name AS hostname | eval hostname=lower(hostname) | fields hostname,OS]
Thanks!
09-24-2014 04:52 PM
Yes. That is a macro.
09-24-2014 04:42 PM
Here is the search I am using, which is pulling up zero events. Separately, they all work fine:
index=asset_db
source="/var/asset_database/fullpull.csv"
"Reporting Status"=Reporting
"High Level Status"=Production
NOT "Purpose2"=Farm
"Last Audit"=*
"System Name"=*
| filter_audit_daysago(90)
| rename "System Name" as CN
| join
[search index=test_assets
source="C:\Splunk Test Assets\AD-LDAP export.csv"
earliest=-90d@d latest=-0d@d
CN=* NOT [search index=asset_db index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=Farm | filter_audit_daysago(90) | rename "System Name" AS CN| fields + CN]]
09-24-2014 04:32 PM
It's actually not a case of removing and then re-adding (apologies for my unclear description). I have two separate asset log files/databases. There is a way to organize a small subset of one of the log files that I cannot use to organize in the other, even though the two share the same assets (for the most part). The idea is to use the small subset in the nested subsearch to remove those assets from the subsearch, and then join the two asset lists (with both having the subset removed). The databases are not exactly the same, which is why I am trying to join them to make a master reference.
The goal is to then actively track the log files and compare against other application logs to ensure that we are achieving the maximum software installation saturation in our environment.
Does that make sense?
Let me know if you have any ideas.
Thank you very much for your reply.
I appreciate it.
09-24-2014 03:36 PM
Hello Splunkers,
I have some successful searches that are producing accurate numbers but I am trying to put them together so that I take the results of a nested sub search, remove them from the sub search and then join the results of the sub search to the main search. The problem is that I don't know how to use or otherwise achieve the equivalent of a
NOT [search index=......
I know you need to do a join or append to get the contents of a sub search talking to the search 'above' it but is there a way to negate, subtract or do a NOT | join [search index=....
Can I add parentheses to move past this or what is the way to achieve what I am trying to do?
Thanks.
09-23-2014 02:59 PM
Question: So it's not the fields I want to remove specifically, but rather the entire event (events equal hostnames in this case): if the field matches "Purpose2"=Farm, we need those hostnames excluded from the report.
Can I do that with fields?
09-23-2014 02:45 PM
Hello Ayn,
We have a scenario where we have a couple of asset databases, but neither one of them is 100% accurate. To help maximize their effectiveness, we sought to join them together and dedup the hostnames for a single master list so that, once it was included into Splunk, we could verify multiple application databases (which we are already Splunking) against it to verify if we were saturating the asset database effectively with our install efforts (i.e., is Virus Scan installed across the entire asset base) etc. Does that make sense?
09-23-2014 02:33 PM
Hello Splunkers,
I have a search where I have two indexes from two different indexed .csv files. I have 3 separate searches that seem to be working okay, but I may be having trouble with the format of nesting the sub searches. Essentially I have two asset indexes in two different formats. One has a set of hostnames I can identify with attributes that I'd like to use to help identify and exclude said hostnames from the main search. This seems to be working successfully; however, I want to also join and dedup those two databases to help form up a master asset list. Here is what I have so far:
(index=asset_db
source="/var/asset_database/fullpull.csv"
NOT "Purpose2"=*Farm*
"Reporting Status"=Reporting
"High Level Status"=Production
"System Name"=*
"Last Audit"=*) | convert timeformat="%m/%d/%Y" mktime("Last Audit") as last_audit_time | eval timer=now()-(90*24*60*60) | where last_audit_time>timer
[search index=test_assets
source="C:\\Splunk Test Assets\\AD-LDAP export.csv"
earliest=-90d@d latest=-0d@d
NOT CN=*} NOT
[search
index=asset_db
source="/var/asset_database/fullpull.csv"
"System Name"=*
"Purpose2"=*Farm*
| rename "System Name" AS CN | table CN]
| rename CN as hostname | table hostname]
| eval hostname=lower(hostname)
| table hostname
What am I doing wrong here?
Thanks!
09-22-2014 05:35 PM
I think that did it! Thanks!
09-19-2014 01:02 PM
1 Karma
Hello Splunkers,
I am successfully searching two indexes from two separate .csv files. Both indexes contain a 'similar' set of hostnames. I am searching index A for a particular list of hostnames that I would like to reference so that I can exclude any matching hostnames from index B. Anything with the field where Purpose2 has the word 'farm' in it needs to be excluded from both lists.
I will eventually be joining the hostnames lists between indexes as one single master list but I need to exclude the list from Index A from both.
Here is the search that identifies the list of hostnames from index A:
index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS hostname
Search for index B, which successfully returns a list of hostnames:
index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* | rename CN as hostname
How do I get index B search to "see" and exclude the search from index A?
Thank you very much for any assistance.
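As an added example (not from the original posts), one way to write in SPL the reconciliation the asset-list posts above describe: drop the Purpose2=Farm hostnames from both inventories, combine the two lists with append, and collapse them to one row per lowercased hostname. The index names, sources and field names are the ones quoted in the posts; the asset_source tag and the final stats stage are assumed.

```spl
index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* NOT Purpose2=*Farm*
| convert timeformat="%m/%d/%Y" mktime("Last Audit") AS last_audit_time
| where last_audit_time > relative_time(now(), "-90d@d")
| rename "System Name" AS hostname, "OS Name" AS OS
| eval hostname=lower(hostname), asset_source="fullpull"
| fields hostname, OS, asset_source
| append
    [ search index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=*
        NOT [ search index=asset_db source="/var/asset_database/fullpull.csv" "System Name"=* Purpose2=*Farm*
              | rename "System Name" AS CN
              | fields CN ]
      | rename CN AS hostname, "Operating System" AS OS
      | eval hostname=lower(hostname), asset_source="ad_ldap"
      | fields hostname, OS, asset_source ]
| stats values(OS) AS OS, values(asset_source) AS seen_in, dc(asset_source) AS source_count BY hostname
```

Hosts with source_count=2 appear in both inventories, and `| where source_count=1` lists the disagreements between them. The same result, reduced with `| fields hostname`, can be used as a subsearch against an antivirus check-in log to find inventoried hosts that have never reported an agent.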
09-10-2014 10:07 PM
1 Karma
Resolved this with 'append' and not appendcols as I had been using.
09-10-2014 10:02 PM
There are supposed to be asterisk marks after the ='s above....
09-10-2014 05:02 PM
1 Karma
I see. So if you have fieldA=* it will only return events with fieldA=* where fieldA actually has "anything" in and not "nothing" or blank space. Is that correct?
Would the correct syntax for the way I put it first be:
search | where isnotnull(hostname)
Thanks for your time!
09-10-2014 03:00 PM
10 Karma
Hello Splunkers,
I've got a search built that's working properly, but I'm not able to get the events with a particular blank field excluded. In particular, I'm trying to exclude events that have a blank System Name field. I was trying to do it thusly:
search | where isnull(System Name)
Is that wrong?
Thanks,
09-09-2014 10:24 AM
Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/radius_auth/admin/radius_auth/default. Found the following information in the _local index but am not sure what it means:
2014-09-09 09:59:50,167 ERROR RadiusAuthRestHandler - Exception generated while performing edit
Traceback (most recent call last):
File "/scratch/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 546, in handleEdit
cleaned_params = RadiusAuthRestHandler.checkConf(new_settings, name, confInfo, existing_settings=existing_settings)
File "/scratch/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 639, in checkConf
validator.validate( stanza, cleaned_params, existing_settings )
File "/scratch/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 164, in validate
raise admin.ArgValidationException("Unable to validate credentials against the server '%s' for user '%s'" % ( values['server'], values['test_username']))
ArgValidationException: Unable to validate credentials against the server 'srv-aaa01sj.cadence.com' for user 'lbogle'
08-30-2014 05:57 PM
I switched the search up a little. Check it out and let me know if you think this should work:
index=test_assets source="C:\Splunk Test Assets\Altiris_hostnames.csv" | rename "HostName" as hostname | rename "System Name" as hostname | where strptime("Last Audit","%m/%d/%Y") >= strptime("1/1/2014","%m/%d/%Y") | replace "C:\Splunk Test Assets\Altiris_hostnames.csv" with Altiris in source | eval hostname=lower(hostname) | dedup hostname | stats dc(hostname)
08-27-2014 12:45 PM
I tried the XML option but it didn't seem to work either. I also tried adjusting the limits.conf as suggested above. Restarted Splunk Web between modifications as well. Any other suggestions?
08-27-2014 11:10 AM
Hi Patrick. Tried the web.conf fix but no go. Will try XML and get back to you.
Thanks