Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About strive
strive
Influencer
Member since:
10-06-2012
06-05-2020
Community Statistics
| Posts | 545 |
| Solutions | 74 |
| Karma Given | 50 |
| Karma Received | 346 |
| Member Since | 10-06-2012 |
Activity Feed
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 02-21-2025 04:46 AM
- Got Karma for Difference between last(X) and latest(X). 01-06-2025 09:02 AM
- Got Karma for Re: how to limit percent results to 2 decimal places. 06-10-2024 04:04 AM
- Got Karma for Re: Splunk searches unit test automation. 12-13-2023 01:04 AM
- Got Karma for How to remove the View Dashboard link from PDF report emails?. 11-19-2023 12:26 AM
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 11-12-2021 08:36 AM
- Got Karma for Re: Hardware recommendation for high log volume splunk deployments. 07-29-2021 05:53 AM
- Got Karma for Hardware recommendation for high log volume Splunk deployments to optimize performance and provide indexer replication?. 07-29-2021 05:53 AM
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 12-15-2020 12:17 AM
- Got Karma for Re: How to remove duplicate values of a field inside of a row/column?. 08-28-2020 06:01 AM
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 08-11-2020 10:35 AM
- Got Karma for Splunk license warnings are based on type=Usage or type=RollOverSummary?. 06-26-2020 08:09 AM
- Karma Re: Stop concurrent scheduled summary update in clustered env for somesoni2. 06-05-2020 12:49 AM
- Got Karma for Re: Clarify where pass4symmkey is used to authenticate client connections. 06-05-2020 12:49 AM
- Got Karma for Re: REST endpoint: data/indexes-extended - Why is total_raw_size is bigger than total_size. 06-05-2020 12:49 AM
- Got Karma for Re: REST endpoint: data/indexes-extended - Why is total_raw_size is bigger than total_size. 06-05-2020 12:49 AM
- Got Karma for Re: REST endpoint: data/indexes-extended - Why is total_raw_size is bigger than total_size. 06-05-2020 12:49 AM
- Got Karma for Re: Peers doesn't come back live after the restart signal from Master. Why?. 06-05-2020 12:49 AM
- Got Karma for Re: Calculate the percentage of a given date_hour. 06-05-2020 12:49 AM
- Karma Re: How do i query for those results occurred before 9 AM today? for acharlieh. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 4 | |||
| 0 |
10-28-2014
07:29 AM
Additional details:
Splunk UF version on device is: 4.3.x
Splunk version on downward forwarder is 5.0.4
Even though we have set compressed as false in downward forwarder, We tried adding blacklist = \.(gz)$ in the inputs.conf of Splunk UF on device. It doesn't work. We still get duplicate log files.
... View more
10-28-2014
07:22 AM
Hi,
We have splunk UF installed on devices to send log files to another forwarder, which sends the logs to indexer.
Splunk UF on Device --> Forwarder --> Indexer.
The configurations are:
Splunk UF on Device
inputs.conf
[monitor:<Path to the directory>]
disabled = false
host_regex = _(\d+\.\d+\.\d+\.\d+)
sourcetype = abc_xyz
index = my_index
crcSalt = <SOURCE>
outputs.conf
[tcpout]
disabled = false
defaultGroup = our_lwf
[tcpout:our_lwf]
server = <ip address of downward forwarder>:9998
Forwarder node
[splunktcp://:9998]
compressed=false
The issue is: We are getting duplicate log files. Same log files are sent twice. When we see the _indextime of log events, we see two different times. First set got indexed at X and the second set got indexed at X+Y minutes. The Y value varies from 11 to 13.
Note: On the device, the customers are compressing the log files and exporting them to another location every 15 minutes. If this compression and exporting feature is turned off on the devices then we are not seeing duplicate logs. If the compression and exporting is turned on we see duplicate logs.
Could you please let me know how to avoid duplicate log files getting into the system.
Thanks
Strive
... View more
09-13-2014
10:43 PM
Check this .. http://answers.splunk.com/answers/104124/how-can-i-verify-if-the-boot-start-is-already-enabled.html
... View more
09-05-2014
11:06 PM
1 Karma
Try this
Your Base Search with out Top command | stats count as Count count(eval(range="0-5 min")) as Count5min count(eval(range="5-10 min")) as Count10min count(eval(range="10-15 min")) as Count15min count(eval(range="15-60 min")) as Count60min count(eval(range="60+ min")) as Count60Plus by _time | eval Percent5min=Count5min*100/Count | eval Percent10min=Count10min*100/Count | eval Percent15min=Count15min*100/Count | eval Percent60min=Count60min*100/Count | eval Percent60plus=Count60plus*100/Count | timechart partial=false first(Percent5min) as "0-5 min" first(Percent10min) as "5-10 min" first(Percent15min) as "10-15 min" first(Percent60min) as "15-60 min" first(Percent60plus) as "60+ min"
You can add options like span and etc.. to timechart as per your needs
... View more
09-05-2014
10:31 PM
2 Karma
Try this
some search terms.. | sort 0 - Field_Of_Interest | streamstats count as Rank | eventstats count as TotalRows | where Rank<(TotalRows * 0.7) | stats avg(Field_Of_Interest) as Required_Average
... View more
09-05-2014
01:32 PM
1 Karma
I asked for frequency, so that you can create a separate index for this and set data retention as 1 or 2 days. That way you need not delete or clean index every time you finish your analysis.
We followed same approach while trying proof of concepts. We created a new index for this, called it as temp_analysis_idx. Created a new sourcetype as temp_analysis_srctype. Rest everything as you have mentioned in your question. This helped us not to mess up with other indexers. Since data retention was set as 2 days, automatically data used to get deleted and we need not execute commands every time.
... View more
09-05-2014
01:20 PM
I have edited my answer. Test regex once. I am not good at regex.
... View more
09-05-2014
12:31 PM
transforms.conf is not needed
... View more
09-05-2014
12:24 PM
Agree. Thats why i have asked for sample log lines, so that we can suggest right configurations
... View more
09-05-2014
12:22 PM
Can you post the proper snippet of your props.conf file
... View more
09-05-2014
12:21 PM
It Should be like this in props.conf
[bluestripe]
TRUNCATE = 0
... View more
09-05-2014
12:13 PM
Can you post your sample log lines which you want to send to null Queue
... View more
09-05-2014
10:48 AM
Try to set Regex for some field that is present in your log events. Say for example: DLP-
... View more
09-05-2014
10:33 AM
2 Karma
transforms.conf
[strip_pattern_lines]
REGEX = StringPattern
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[your sourcetype]
TRANSFORMS-tonullqueue = strip_pattern_lines
Dont forget to restart the splunk after making above changes.
Update:
transforms.conf
[strip_pattern_lines]
REGEX = ^(?:[^ ]* ){4}(?!(PATTERN))
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[your_sourcetype]
TRANSFORMS-tonullqueue = strip_pattern_lines
... View more
09-05-2014
10:29 AM
When you say delete, you do not want to index such lines. Is that right?
For this you need transforms.conf and props.conf
... View more
09-05-2014
10:27 AM
The answer depends on how frequently you do this kind of one time analysis?
... View more
09-04-2014
05:51 AM
Try Some thing like this
Your search terms... | eventstats min(Start_Time) as ActualStartTime, max(Duration) as ActualDuration by Conference | where Start_Time=ActualStartTime and Duration=ActualDuration
The Start_Time here is the time present in your log event (start time of conference). You have to convert it into epoch format before applying eventstats.
... View more
09-04-2014
05:36 AM
So, your need is.. you just need one event for start and one event for end of the conference.
... View more
09-04-2014
04:42 AM
Ok. In any case, the above search in my comment should work. are you seeing any issues with the search?
... View more
09-04-2014
04:20 AM
Are you configuring what should be host in inputs.conf? If not the host name set on the device will be taken automatically.
... View more
09-04-2014
04:19 AM
The above search should work for your needs. In case if you need splunk server details also then do this
|metasearch host=* | dedup source | table host, source, splunk_server
... View more
09-04-2014
03:15 AM
Transaction command is working properly. Are you trying to find out the duration of the conferences?
... View more
09-04-2014
02:59 AM
You mean to say you received data into two separate indexes once?
As per your regex, will you always have host::(10.xx.xx.xx+) at the start on all your log lines?
I think this might be causing problem. You need to revisit your regex.
Can you post some log samples for both fireeye and dlp
... View more
09-03-2014
09:31 PM
There is also an app for FireEye. I think you should have a look at it. They have many regexes which you can reuse.
For example, for setting sourcetype:
[fix_FireEye_CEF_st]
REGEX= \|FireEye\|
DEST_KEY=MetaData:Sourcetype
FORMAT=sourcetype::FireEye_CEF
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
Karma given to
| User | Karma Count |
|---|---|
| 13 | |
| 1 | |
| 12 | |
| 2 | |
| 1 |
