Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About thepocketwade
thepocketwade
Path Finder
Member since:
03-08-2010
06-05-2020
Community Statistics
| Posts | 34 |
| Solutions | 0 |
| Karma Given | 114 |
| Karma Received | 22 |
| Member Since | 03-08-2010 |
Activity Feed
- Karma I keep getting this "Max concurrent searches reached" error. What does it mean and how do I fix it? for emma. 06-05-2020 12:45 AM
- Karma How can I use Splunk to determine Phishing attempts? for Yancy. 06-05-2020 12:45 AM
- Karma How do I find all duplicate events? for maverick. 06-05-2020 12:45 AM
- Karma Postfix Queue ID for thartmann. 06-05-2020 12:45 AM
- Karma Re: Postfix Queue ID for jrodman. 06-05-2020 12:45 AM
- Karma I've set up a forwarder but I'm not receving any events on the splunk indexer. for Jaci. 06-05-2020 12:45 AM
- Karma retrying a scripted input after a failure for Justin_Grant. 06-05-2020 12:45 AM
- Karma Estimating storage requirements on a windows server for Scott. 06-05-2020 12:45 AM
- Karma Search for inactive Splunk users for Ellen. 06-05-2020 12:45 AM
- Karma How do I search across a specific or custom time range within each hour of the day? for maverick. 06-05-2020 12:45 AM
- Karma Re: How do I search across a specific or custom time range within each hour of the day? for maverick. 06-05-2020 12:45 AM
- Karma AD is only returning 1000 entries. How do I get around this? for the_wolverine. 06-05-2020 12:45 AM
- Karma Search to find hosts sending syslog AND splunkd traffic for oreoshake. 06-05-2020 12:45 AM
- Karma maxresults and stats command for kbecker. 06-05-2020 12:45 AM
- Karma Re: maxresults and stats command for gkanapathy. 06-05-2020 12:45 AM
- Karma How to search recent alerts fired by Splunk? for Justin_Grant. 06-05-2020 12:45 AM
- Karma Does combining startswith and maxspan in a transaction work? for chris. 06-05-2020 12:45 AM
- Karma Can I display metadata in EventsViewer module? for Mick. 06-05-2020 12:45 AM
- Karma Re: Can I display metadata in EventsViewer module? for sideview. 06-05-2020 12:45 AM
- Karma How can i change the time format in Splunk web? for Ayn. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 1 | |||
| 2 |
02-18-2011
02:20 PM
I'm using Chrome in Win7 and Ctrl-Clicking elements of search results doesn't open a new tab, nor does shift-clicking open a new window. These mechanisms do work as expected outside of splunk.
... View more
02-17-2011
04:07 PM
"The user should be able to trigger this with a Ctrl+Click"
What is "this?" To me it looks like ctrl-clicking only starts a new search in the current window, which is undesirable in my situation.
... View more
02-15-2011
02:33 PM
Thanks, I knew it would turn out to be something simple I was missing
... View more
02-14-2011
08:52 PM
1 Karma
I'm running a search that compiles its results in a table by source and displays the number of logs per source. I'm trying to also find the total size of the logs by source. Is this possible? I've tried using eval length=len(_raw), but that only gives the length of each individual log.
... View more
- Tags:
- search-language
02-11-2011
03:14 PM
1 Karma
Is it possible to start a new search in a new window or tab just by clicking on part of an entry in my current results?
... View more
- Tags:
- search
01-06-2011
03:53 PM
1 Karma
I'm trying to determine what percentage of my daily indexing volume is made up of a specific group of logs. For example, I want to know the volume of all the logs with EventCode = 4720.
I know how to find total log volume over a given time period, but I haven't been able to get these strategies to work with the EventCode specification. Can I make this work?
... View more
10-29-2010
05:01 PM
Have you considered putting the syslog server in front of the Splunk server?
... View more
10-27-2010
07:45 PM
I'm able to log in to the web interface and I'm a splunk admin. But when I try to log in on the command line I get a login failure. Is this something that's been seen before?
EDIT
The failure message says "Login Failed," I'm using bash on a Red Hat box. All local accounts, my coworkers can login to their splunk accounts on the CLI, but I can't.
EDIT 2
I tried again as the splunk user on the box, and the login worked fine. Is there a way to open that capability up to a user other than splunk?
... View more
10-25-2010
05:42 PM
I could, and in fact I already am. What I'm looking for is a way to generate logs with any EventCode for testing purposes. That way, I can know for certain that EventCode = 1901 was sent, and can then verify that it was indexed (or not) properly.
... View more
10-25-2010
03:50 PM
I'm trying to test some things with my Splunk Windows installs and I'd like to have reliable test data. When I test *nix logs with Splunk I tend to use 'logger' to create the messages. I've been unable to find an equivalent for Windows (preferably 7). Does something like that exist? or is there a technique to force Windows to send logs (without having to actually do the action that makes the log?)
... View more
- Tags:
- windows
10-21-2010
02:47 PM
That doesn't address the question of how to handle the windows logs. Is it possible to generate Windows logs? Or is it possible to take the existing file of logs and shove it to splunk for the same processing Windows logs get?
... View more
10-18-2010
05:35 PM
In the past, one of my coworkers was working on a whitelist/blacklist solution for our Windows logs (dropping certain EventCodes and keeping others, etc.) Now, that task has fallen to me.
I'd like to test this on a distilled version of our log data for ease of verifying the results, but I'm not sure how to go about that. I've got a file with copies of our Windows Logs, would it be enough for me to point a Splunk instance to them for indexing? Or do I need to push them through a Windows instance?
... View more
10-12-2010
03:56 PM
From the actions menu you can select "Inspect Search." The search inspector window will pop up, and you can find a lot of information (including the search id) there.
... View more
10-12-2010
02:17 PM
I just ran a search over the last 24 hours which returned a large number of results, but not the full picture I was looking for. So I extended the time frame to the last 7 days. Doing that reran the whole search, including the results I'd already amassed over the last 24 hours.
I could feasibly open a new window and run the search over 6 days, and have the two sets of results to work with; but is there a way to concatenate these results together?
... View more
- Tags:
- search-language
09-30-2010
02:24 PM
oh, sure enough. I've never noticed that before.
... View more
09-30-2010
01:43 PM
3 Karma
I just ran a search that returned approximately 1 million results. Only after it completed (which took a bit longer than I'd anticipated), did I realize that I wanted the results sorted differently. So when I went to reverse the results (actually added a '-' to my sort) Splunk reran the search. The events have already been found, is there anyway to reverse/reorder them in place without rerunning the whole search?
... View more
09-20-2010
07:17 PM
In the future you can try using the 'erex' command, which will take examples you give it as in
... | erex monthday examples="7/01, 07/02" counterexamples="99/2"
It will give you a regex that will work to pull out your examples.
... View more
09-14-2010
05:59 PM
Thanks for your quick help. I tried using fields, but when I did "fields - _raw, _time" I wound up with other fields that hadn't previously been in the email (e.g. index, process, source etc).
... View more
09-14-2010
05:03 PM
1 Karma
I've got a saved search that's emailing me results up to this morning it was sending the results in a table with the fields I'd specified (with the fields command) in addition to _time and _raw.
This morning I decided to try and strip _time out of the table, and was unable to get _time out and keep the fields I wanted. I'm ok with that, more or less for now, but now instead of the table formatting it's all jumbled text that's hard to read. Is there a way to get the formatting back to the table?
This is the search:
process="sudo" incorrect | rex "(?i)^(?:[^:]*:){3}\s+(?P\w+)\s+:" | fields uid, host, COMMAND
... View more
08-19-2010
12:32 PM
I've determined that there exist duplicate lines and I'm trying to determine how many duplicates I have or any information about them that could lead to reducing the duplicates. Also I'm certain they are duplicates because the timestamps don't differ at all and they log the same activity on the same machine (for example, two logs of a user su'ing to root).
... View more
