Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About aferone
aferone
Builder
Member since:
05-19-2011
03-03-2023
Community Statistics
| Posts | 250 |
| Solutions | 7 |
| Karma Given | 36 |
| Karma Received | 39 |
| Member Since | 05-19-2011 |
Activity Feed
- Posted Re: Can't Extract CEF Fields in Distributed Environment on Getting Data In. 02-15-2023 06:50 AM
- Posted Re: Can't Extract CEF Fields in Distributed Environment on Getting Data In. 02-15-2023 05:58 AM
- Posted Re: Can't Extract CEF Fields in Distributed Environment on Getting Data In. 02-15-2023 05:51 AM
- Posted Re: Can't Extract CEF Fields in Distributed Environment on Getting Data In. 02-15-2023 05:41 AM
- Posted Re: Can't Extract CEF Fields in Distributed Environment on Getting Data In. 02-15-2023 05:38 AM
- Posted Can't Extract CEF Fields in Distributed Environment on Getting Data In. 02-15-2023 05:34 AM
- Posted Re: Forwarder Management troubleshooting client errors on Deployment Architecture. 08-25-2021 06:31 AM
- Karma Re: Forwarder Management troubleshooting client errors for akocak. 08-25-2021 06:31 AM
- Posted Re: How can I find out what the deployment errors are? on Deployment Architecture. 08-25-2021 06:30 AM
- Posted Re: How can I find out what the deployment errors are? on Deployment Architecture. 08-25-2021 06:28 AM
- Karma Re: How can I find out what the deployment errors are? for whrg. 08-25-2021 06:27 AM
- Karma Re: Software versioning format for _d_. 02-11-2021 03:57 PM
- Posted Re: Software versioning format on Dashboards & Visualizations. 02-11-2021 03:56 PM
- Posted Re: Yes / No Column if EventCode Found in Lookup on Splunk Search. 11-05-2020 01:14 PM
- Posted Yes / No Column if EventCode Found in Lookup on Splunk Search. 11-05-2020 09:31 AM
- Got Karma for Why is the Splunk App for Unix and Linux generating multiple "yum" source types?. 06-05-2020 12:50 AM
- Karma Re: Still lost - Where do props and transforms go?? for FrankVl. 06-05-2020 12:49 AM
- Karma Re: Appendcols Search Doesn't Work if No Event in Main Search? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Using a field within a log for the true timestamp for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Why is fill_summary_index failing to get list of scheduled times? for jsilverbears. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-26-2013
02:40 PM
Here is my current props.conf stanza for UDP:514 syslog traffic. I am sending this traffic to multple indexes using transforms.conf
props.conf:
[syslog]
TRANSFORMS-index = Stan1, Stan2, Stan3
transforms.conf
[Stan1]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|host3)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index1
[Stan2]
SOURCE_KEY = MetaData:Host
REGEX = (host4|host5|host6)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index2
[Stan3]
SOURCE_KEY = MetaData:Host
REGEX = (host7|host8|host9)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index3
This seems to work just fine. However, I am now trying to add a 4th reference to a stanza in props.conf under syslog. When I do this, and add the appropriate stanza in transforms.conf, all of the syslog ends up in one index, and it doesn't seem to be consistent when I restart the Heavy Forwarder.
Is there a limit to how many stanzas I can reference in transforms.conf from one stanza in props.conf [syslog]?
Thanks!
... View more
11-26-2013
08:44 AM
Thanks, Kristian!
... View more
11-26-2013
08:19 AM
Good stuff here, everyone. Thanks again!
... View more
11-26-2013
07:37 AM
How, can you explain exactly how this work? My RegEx is terrible. Thanks again!
... View more
11-26-2013
07:36 AM
OK, I removed my top and table commands, and the rex is working just fine. I need to see how to format this data now. Thank you very much!!
... View more
11-26-2013
07:34 AM
Nope, no typos.
How does the rex work with this? How does it know to stop at the dash in the original string?
... View more
11-26-2013
07:28 AM
Hmmm. I tried this, but I'm not getting data back in the new field.
... View more
11-26-2013
07:08 AM
I have a field named FieldA. It looks like this:
10.10.10.10->10.11.11.11
I want to create a new field (FieldB) that is everything left of the "->". I tried using LTRIM, among others, but I can't get it working. This "seems" easy. 🙂
Help?
Thank you!
... View more
- Tags:
- fields
10-31-2013
12:28 PM
2 Karma
I was really hoping for this to work. I tried it, and the first few times I refreshed it was fine. But then it reverted back to the view I have described above. And then it was correct again. This is really weird. I appreciate the response.
... View more
10-31-2013
11:52 AM
The behavior occurs in a dashboard as well as from the search bar.
... View more
10-31-2013
11:37 AM
2 Karma
This is really weird. I am hoping someone else has seen this and has a fix.
This is my query. I want to make a chart that shows the entire day (full 24 hours) for TODAY.
host="hostname" SnortID="[1000]" earliest=@d latest=+1d@d | timechart span=5m count(SnortID) by SnortID
When I run this query the FIRST TIME, I get a chart that shows all of today, including up to tomorrow at midnight, which is what I want. Here is an exmaple:
However, if I only refresh this query, it will only show the chart up from the first found record until the last found record. Here is an example:
All I did was hit refresh, and the chart changes! The data is the same.
Does anyone have a fix or seen this?
Thanks!
... View more
10-22-2013
06:53 AM
1 Karma
I have successfully implemented refreshing dashboard panels individually, without refreshing the entire dashboard, using the information in this Splunk Answers post:
Link
However, what if I wanted each panel to refresh for the same time frame (i.e. past 15 minutes), but I wanted to stagger when each panel refreshed (i.e. 1 minute apart)? I want to basically avoid refreshing the entire dashboard at the same time, but I want to stagger when each panel refreshes.
Is this possible?
Thanks!
... View more
09-30-2013
06:09 AM
Thank you!!
... View more
09-27-2013
11:58 AM
1 Karma
I am trying to use a field in my log (status) that either says "Up" or "Down". I have to convert this into a number for the rangemap command:
<single>
<title>Network Monitoring - Jabber</title>
<option name="classField">range</option>
<option name="field">status</option>
<searchTemplate>host=hostname sourcetype="sourcetype" | head 1 | eval alert_level = case(status=="up",1,status=="down",2) | rangemap field=alert_level green=0-0 red=1-2
(For some reason the ending /searchtemplate and /single tags are missing when I paste them into this question form.)
I cannot get this work. I also want to word "Up" or "Down" to either be green or red, respectively.
Any help would be appreciated, and thank you!
... View more
09-24-2013
05:43 AM
Has anyone had any luck with this app? Are the summary indexes supposed to be regularly updated? Or is it all manual? I haven't found any documentation on the app's page or anywhere else for that matter.
... View more
05-16-2013
10:39 AM
1 Karma
| metadata type=hosts index= | stats count by host
I can get a list of hostnames using this query. Is there a way to get the table I am looking for with this metadata?
... View more
05-16-2013
10:36 AM
I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!
... View more
05-16-2013
10:36 AM
I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!
... View more
05-16-2013
08:42 AM
1 Karma
I have been trying, but I can't get it to work.
I basically want a table that shows the index in Column A, and how many hosts are in that index in Column B. How would I go about this?
Thanks!
... View more
02-27-2013
11:26 AM
We are comparing a list of policies (uploaded as a lookup, using "policywithdescs") against our firewall data and determining which policies are NOT being used. Anything with a count of 0 shows us which are not being used. We are using the "policy_id" column in the lookup csv:
index="summary" policy_id=*
| inputlookup append=t policywithdescs
| rename PolicyID as policy_id
| stats count by policy_id
| eval count=count-1
| sort count
Now, I have added data to the lookup csv, including zone and description information for each policy. This search above shows the "policy_id", then count. How would I add "Zone" and "Description" to each policy_id to the report?
Thanks!
... View more
- Tags:
- lookup
02-22-2013
11:02 AM
I tweaked the search from another article and got it to work using this:
index="summary" policy_id=*
| inputlookup append=t allfirewallpolicies
| rename PolicyID as policy_id
| stats count by policy_id
| eval count=count-1
| sort count
Thanks!
... View more
02-22-2013
08:47 AM
OK, I've just discovered the fill_summary_index.py script! 🙂
http://docs.splunk.com/Documentation/Splunk/4.1.5/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_backfill_script_to_add_other_data_or_fill_summary_index_gaps
... View more
02-22-2013
08:25 AM
I am using the following query to load firewall data into a summary index I've created:
host="aegis1.grc.nasa.gov" | sitop policy_id
This query runs every 5 minutes and it working well.
However, now, I want to be able to "backfill" data into this summary index, using past firewall data. How is this done? I tried scheduling the query from the beginning of the year, but I'm not sure if it worked.
Any ideas?
Thanks!
... View more
- Tags:
- summary-index
02-20-2013
09:52 AM
I've seen this search in several other KB articles. Why isn't this working?
| inputlookup allfirewallpolicies | search NOT [search host=myfirewall | dedup policy_id | fields policy_id]
... View more
02-20-2013
09:19 AM
I get the following error:
Error in 'format' command: Option '=' is invalid.
... View more
