Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Starlette
Starlette
Contributor
Member since:
02-26-2010
06-05-2020
Community Statistics
| Posts | 95 |
| Solutions | 3 |
| Karma Given | 31 |
| Karma Received | 47 |
| Member Since | 02-26-2010 |
Activity Feed
- Got Karma for 2 different timestamps in single log. 06-23-2021 01:48 PM
- Karma How to rename field names using lookups and regex? for shikhanshu. 06-05-2020 12:47 AM
- Got Karma for Is the data from accelerated data models and reports replicated in a cluster as well?. 06-05-2020 12:47 AM
- Got Karma for Is the data from accelerated data models and reports replicated in a cluster as well?. 06-05-2020 12:47 AM
- Got Karma for Is the data from accelerated data models and reports replicated in a cluster as well?. 06-05-2020 12:47 AM
- Karma Re: Why is FSChange (file system change monitor) a deprecated feature in Splunk 5.0? for cervelli. 06-05-2020 12:46 AM
- Karma Re: Deployment clients logging for sowings. 06-05-2020 12:46 AM
- Karma Re: Single Value change font size for Drainy. 06-05-2020 12:46 AM
- Karma Re: Override source key in inputs.conf for gekoner. 06-05-2020 12:46 AM
- Karma Re: security threats for Ayn. 06-05-2020 12:46 AM
- Karma Re: timechart count against si gives different max results for 2 intervals for Drainy. 06-05-2020 12:46 AM
- Karma List of saved/in-line searches within a view for SarahBOA. 06-05-2020 12:46 AM
- Karma Re: Eval limitations on si index with sistats count by field1, field2 etc for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Eval limitations on si index with sistats count by field1, field2 etc for sideview. 06-05-2020 12:46 AM
- Karma Re: System requirements for Universal Forwarder for Drainy. 06-05-2020 12:46 AM
- Karma Deployment monitor and intermediary forwarder for echalex. 06-05-2020 12:46 AM
- Karma Re: report acceleration besides existing job server for hexx. 06-05-2020 12:46 AM
- Got Karma for Re: space and tab as Delimiter. 06-05-2020 12:46 AM
- Got Karma for list deploy-clients remotely. 06-05-2020 12:46 AM
- Got Karma for Re: how to really delete, NOT HIDE, data from splunk. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
10-19-2011
06:47 AM
How can you handle files which are delimted by tab and single spaces?
[stanza]
FIELDS = "field1", "field2"
DELIMS=" "
DELIMS="\t"
so the log is like
field1 [tab] field1 [tab] field3 field4 etc
... View more
- Tags:
- delimitedfields
10-15-2011
03:33 AM
Is it possible to use ldap AND radius authentication against a few indexers. ( fi with 2 searchheads if necesary)
... View more
10-10-2011
03:28 AM
yeah that was the trick,,,,After the + hours the span=5 minutes is added, so thats why within the hour the results are 1/5 off ( just use 1 minute)
... View more
10-10-2011
03:11 AM
I have si search "save" for every 5 mins as :
search = sourcetype="cisco_firewall" | sitimechart count
When running a report for last hour :
search = index=summary marker=cisco_firewall_05 | timechart count
I get line which is 200.000 events
BUT when i ran a "last 4 hours", I get a line in the +1milion count.
I doubt that i am using count over time wrong with si or is this unexpexted behaviour.
if I take a look at a slice for 5 mins in e.g. last 30 mins i get
10/10/11 11:30:00.000 AM 248483
10/10/11 11:31:00.000 AM 252576
10/10/11 11:32:00.000 AM 256538
10/10/11 11:33:00.000 AM 249775
10/10/11 11:34:00.000 AM 246672
10/10/11 11:35:00.000 AM 245773
And for last 4 hours i see 5 minutes bins wich are give the totals...
10/10/11 9:45:00.000 AM 1166499
10/10/11 9:50:00.000 AM 1201649
10/10/11 9:55:00.000 AM 1170088
10/10/11 10:00:00.000 AM 1186497
10/10/11 10:05:00.000 AM 1189967
So how to deal with this?
... View more
- Tags:
- summary-index
10-02-2011
12:24 AM
I setted it to 410 and now it is working,,,NOT sure if there is a limit...
.appLogo {
height: 43px;
width: 410px;
padding-right: 5px;
float: left;
background: url(images/appLogo2.png) no-repeat 0 0;
_background: url(images/appLogo.gif) no-repeat 0 0;
}
... View more
10-01-2011
01:37 PM
How can i extend the width of the logo in the appheader?
I have a png of 450 but its cut, Do i change it somewhere else as in the application.css below?
.appLogo {
height: 43px;
width: 450px;
background-image: url(appLogo.png);
_background-image: url(appLogo.gif); /* for IE6 */
background-repeat: no-repeat;
... View more
09-26-2011
01:25 PM
Glad i reckon its not my misconfiguring!
Thanks nick
... View more
09-26-2011
01:23 PM
this works like a charm!
... View more
09-26-2011
11:55 AM
1 Karma
I have a search to SI index=sec marker=01
sourcetype=cisco_firewall | bin _time span=5m | sistats count by log_level, hostname
When calling the results with
index=sec marker=01 | stats count by log_level, hostname
I get results,,,but :
index=sec marker=01 | stats count(eval(log_level="7")) AS Debugging, count(eval(log_level="6")) AS Information, count(eval(log_level="5")) AS Notification, count(eval(log_level="4")) AS Warning, count(eval(log_level="3")) AS Error, count(eval(log_level="2")) AS Critical, count(eval(log_level="1")) AS Alert, count(eval(log_level="0")) AS Emergency by hostname
isnt,,,am i missing something? if this is not possible how can i "SI" this search?
... View more
- Tags:
- sistats
- summary-index
09-06-2011
01:11 AM
So i presume you changed some settings according the manual?
Can you post your config here?
... View more
09-06-2011
01:06 AM
You really have to play this ball though sales,,,so contact splunk u.s. that your local splunkcontact/partner didnt deliver your answers.
ESS is pack of knowledge with services/education etc, and there are plenty of resources outthere.
But again, those are guided by an accountmanager.
... View more
09-06-2011
01:03 AM
4 Karma
Take a look at this , you have to configure this per index.
So e.g. in indexes.conf
[main]
frozenTimePeriodInSecs = 7776000
This wil delete data from the main index after 90 days (so its in seconds)
Regarding the delete on demand, you can clean per index as in :
splunk clean evendata -index "indexname"
( splunk has to stopped)
... View more
07-21-2011
02:31 AM
just a brainwave, if you set an alert on the lic violation and fire of a script that set indexes.conf, restart splunk action?
... View more
07-19-2011
07:47 AM
2 Karma
This sounds like a mod request? ( to use regex)
... View more
06-09-2011
12:21 AM
Oke digged into it,,,the suspected searches are within an app and are owned by nobody...so after changing something its owned by the user,,,
So whats best prtatice then? ..change it in the app and modified the permissions initialy before using?
... View more
06-08-2011
11:13 AM
Lets say I edit an saved search within an app from the gui as user arnold.
Then the search is owned by arnold in the local.meta and isnt valid anymore in the app. ( cause its private then to arnold.
Is this normal behaviour or do you have to edit searches by configs to avoid conflicts?
... View more
- Tags:
- guid
- savedsearch
06-01-2011
10:57 PM
Here's another thing, isn't my sourcetype override happening at index time and my field extractions happening at search time? :
yeah thats what i think,,,btw why the KV_MODE=none setting
??
... View more
06-01-2011
10:49 PM
Are the extracts not working at all?
I ran into some troubles as well with one big syslogfeed on udp so now i use a sysloghost with a forwarder (rolled files monitor) and push this as one sourcetype to the indexer (splunksyslog).
There i use exact the same method as you are using ( making 8+ sourcetype overrides) and have dozens of fields extracts on those new ones.
So I am not sure if this is working only for cooked data,,,my concern was the load ( 50G a day,so wanted a store and forward before parsing)
I def. want to test your setup cause I have some planned deployments with this as well!
... View more
05-16-2011
12:36 AM
Oke just wanted to make sure,,,( I hoped that you could also extracted a unique id and use this with a specific search/transaction)
so lets say that I cut the user part, and only index that one to indexB, and reconstruct this with searches over indexa en indexb on _time and "someid"
... View more
05-15-2011
08:52 AM
1 Karma
If I have data and I want to anonymize a part of an event (extracted field, let's say user),
I want to keep the original events in indexA and the anonymized events in indexB.
Does this affect my license? (doubled)
And if so, is it possible to route only the anonymized part to indexB and build searches for user and orig event in a way?
... View more
- Tags:
- indexing
05-13-2011
05:58 AM
It seems that the settings for importRoles in authorize.conf are leading,,,so settings for a inheritance role arent picked up!
importRoles = power;user
srchIndexesAllowed = ;_
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
so when i add a roll which is deriving from power and choose index=test as allowed i ended up with main;os
... View more
05-13-2011
05:17 AM
When I configure an allowed index for a role, and I choose Inheritance for another role.
Users for this new roll dont got this config, i also noticed that the capabilities are zero for Inheritance, override the allowed index for the derived roll arent picked up as well.
How should this work? Will the allowed indexes from a role derived? and why cant i override this?
The only way to get this working is to make new roles from scratch!
... View more
Oke thanks, I am aware it isnt easy, this is just a general question, and the 3 searches are an example to decribe the functional fundamentals.
Bottemline is I have seperate searches which are running in notification if there is a (siem) hit, those are combis of eval, subsearches, lookups etc. So just wondered if i can run a top just like evettypes top.
On the dashboards i have per search, postprocesses, with linkswitches, intentions to drills etc etc..
I will diginto this later but appreantly its more complex then i was thinking ( just though i could group "search" results and simple count them....
... View more
Stange that this one is devoted...the search hit is an alert and differs per alert (fi external lookup for fields which are allowed, or users who are logged into a system with non allowed name etc etc...
So if there is a search hit then its an alert....now i want a consolidated overview instread of a bunch of loose rangemap values.
... View more
05-10-2011
07:29 AM
<view template="dashboard.html">
<label>Development</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="LinkSwitcher" layoutPanel="panel_row1_col1">
<param name="mode">independent</param>
<param name="label"> </param>
<module name="NullModule" group="Operations Overview" autoRun="True">
<module name="HiddenSavedSearch">
<param name="savedSearch">dev_eventcount</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">CPU seconds</param>
<param name="secondaryAxisTitle.text">Pipeline processors</param>
<param name="legend.placement">right</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
</module>
</module>
</module>
<module name="HiddenSavedSearch">
<param name="savedSearch">dev_eventcount</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">CPU seconds</param>
<param name="secondaryAxisTitle.text">Pipeline processors</param>
<param name="legend.placement">right</param>
<module name="JobProgressIndicator"/>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
</module>
</module>
</module>
<module name="TimeRangePicker"> group="Operations Overview choose time" autoRun="True">
<param name="searchWhenChanged">True</param>
<param name="selected">All time</param>
<module name="HiddenSavedSearch">
<param name="useHistory">false</param>
<param name="savedSearch">ferrydev_eventcount</param>
<module name="ResultsHeader">
<param name="entityName">scanned</param>
<param name="entityLabel">events scanned</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Events over choosen timeinterval</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
So I ended up with a single switch with everything under it,,,cant manage to get this right,,,any tips?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
