Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About memarshall63
memarshall63
Communicator
Member since:
04-10-2018
10-22-2021
Community Statistics
| Posts | 70 |
| Solutions | 14 |
| Karma Given | 11 |
| Karma Received | 8 |
| Member Since | 04-10-2018 |
Activity Feed
- Karma Re: Why am I getting the following error logging into Splunk? "500 Internal Server Error ResponseNotReady" for woodcock. 10-22-2021 06:19 AM
- Got Karma for Re: If column is missing then eval. 08-17-2021 05:44 AM
- Posted Re: Why am I now getting "SSL configuration issue: invalid CA public key file" from Splunk Supporting Add-on f on All Apps and Add-ons. 06-14-2021 12:00 PM
- Karma Re: Failed to contact license master: reason='WARN: path=/masterlm/usage: invalid signature on request from ip=xx.xx.x.xxx' for mmacielinski_sp. 02-04-2021 07:13 AM
- Karma Re: SSL configuration causing Mongo issues for jsmithn. 01-08-2021 02:04 PM
- Got Karma for Re: How do I drilldown to a unique URL using a table row's unique token?. 06-05-2020 12:51 AM
- Got Karma for Re: lookup table question. 06-05-2020 12:51 AM
- Karma Splunk complains about "Data Durability" and "Data Searcheable" but I cannot identify the reason for afx. 06-05-2020 12:50 AM
- Karma Re: Splunk Data Flow Architecture diagram for muralikoppula. 06-05-2020 12:50 AM
- Karma Re: How to use drill-downs using whole field values? for niketnilay. 06-05-2020 12:50 AM
- Karma Re: Strange timechart issue for john_dagostino. 06-05-2020 12:50 AM
- Got Karma for Re: Enterprise Security: can we extend the cim definition with our own custom fields?. 06-05-2020 12:50 AM
- Got Karma for Re: Help with Transaction. 06-05-2020 12:50 AM
- Got Karma for Re: Filter a Chart with Values Greater Than some Integer.. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk Enterprise Security: How to exclude indexes from Authentication Data Model. 06-05-2020 12:50 AM
- Got Karma for Re: Invalid key in stanza .. in props.conf. 06-05-2020 12:50 AM
- Karma Re: Just installed SA-Eventgen and get the following error: Unable to initialize modular input "modinput_eventgen" defined inside the app "SA-Eventgen": Introspecting scheme=modinput_eventgen: script running failed (exited with code 1) for guythomasdavis. 06-05-2020 12:49 AM
- Karma Re: Splunk 7.0.0 on Mac failing to run for mattymo. 06-05-2020 12:49 AM
- Karma Re: Convert Zulu time to epoch for Aether. 06-05-2020 12:46 AM
- Posted Re: Rex pattern to extract unc path from xml on Getting Data In. 04-16-2020 07:12 PM
Topics I've Started
06-14-2021
12:00 PM
My situation with this error: I had established my own certs (including a CACert.pem file) and placed them in a folder: /opt/splunk/etc/auth/my_certs ... and everything worked fine, except for ldap-search it was complaining of an 'invalid CA public key file' in the SA-ldapsearch/default folder is the file ssl.conf with an entry: [sslConfig] sslVersions = tls caCertFile = cacert.pm Well.. because my CA cert was named "CACert.pem" -- the add-on couldn't find it. I copied my CACert.pem to 'cacert.pem' -- and everything worked well again. @jreuter_splunk wrote: sslConfig is case sensitive. Indeed it is. Good luck.
... View more
04-16-2020
07:12 PM
Sorry.. I don't know what you mean. You could just look for the file: string. So something like:
| rex field=mystring "file:(?P<filelocation>[^<]*)"
this just looks for "file:" and then grabs whatever comes after it.
... View more
04-16-2020
07:00 PM
What is your search time frame?
A user would have to fail 40 times within your search time frame to qualify as an alert.
Is that what you're expecting?
... View more
04-16-2020
06:52 PM
Are you trying port 8000 or port 8089 -- command port is usually 8089.
... View more
04-16-2020
06:25 PM
Do you mean something like this?:
|rest /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner actions search
So maybe with your criteria, it'd be:
|rest /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"
Alerts generally have actions so you could add a filter for those, or there may be other ways to do it:
|rest /servicesNS/-/-/saved/searches
| search NOT actions=""
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"
... View more
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
... View more
04-14-2020
06:31 AM
Are you saying that the field is blank or that the column is gone in your results?
... View more
04-03-2020
09:24 AM
You're looking for a way to persist some search results -- and then further filter them?
There's a few mechanisms for that with Splunk.
I think one is the closest to what you're looking for:
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob
See also:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing
There's likely a few others that also would help.
Good luck.
... View more
04-03-2020
09:16 AM
@zacksoft in your uuery human_time and sub_time are both formatting sub_time -- so they'll be the same.
If you change your last line to display:
|table human_epoch_time sub_time human_time
You should see the diff between human_epoch_time and sub_time
... View more
04-03-2020
06:36 AM
_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:
| makeresults
| eval serv_time = 44432
| eval epoch_time = _time
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000)
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
... View more
04-03-2020
06:27 AM
No problem. I believe $click.value$ will give you the field that is clicked. However, you may want to use a specific field regardless of where on the row the click occurs. When that occurs I think $row.$ is the choice for that behavior. At any rate... good luck.
... View more
04-02-2020
05:42 AM
1 Karma
You'll likely need some form of this:
<drilldown>
<link target="_blank">/app/some_app/some_dashboard?token=$click.value$&token2=$row.fieldname$</link>
</drilldown>
https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/tokens
... View more
04-01-2020
12:45 PM
Not much to go on here... Maybe you can provide some more details around what you've tried and what your current data set or query attempts are...
Broadly you can look at these:
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Search
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Where
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchTutorial/Useasubsearch
... View more
04-01-2020
08:39 AM
Here's a search with numeric values - that you can look at:
index=_internal sourcetype=splunkd kb=*
| table _time sourcetype kb
| eval threshold = if(kb<80,"UNDER","OVER")
| streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_threshholds values(threshold) AS last3_threshhold
| eval ALERT = if(last3_threshhold != "UNDER","All 3 were OVER","")
| eval GOOD = if(last3_threshhold != "OVER","Last 3 were all good","")
... View more
04-01-2020
08:17 AM
How we did that was to pull together the list of inputs and then add a streamstats like this:
| streamstats current=t window=3 values(status) AS last_three by input_name
Something like this:
index=_internal sourcetype=dbx_job_metrics
| sort input_name _time
| table input_name _time status
| streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name
| search values_three != "COMPLETED"
You'll need to adjust a little to get your > 80% in there.. but that's the basics of it.
... View more
04-01-2020
06:20 AM
That's a tougher question.
The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split.
| makeresults
| eval message = "this,is,the,fourth,fifth,sixth,value"
| eval new_mvfield = split(message,",")
| eval FOURTH = mvindex(new_mvfield,3)
| eval FIFTH = mvindex(new_mvfield,4)
| eval LAST = mvindex(new_mvfield,-1)
... View more
04-01-2020
05:07 AM
1 Karma
You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.
| makeresults
| eval there = "NOTNULL"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")
or
| makeresults
| eval there = "NOTNULL"
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),newfield, there)
... View more
03-31-2020
06:02 AM
Does your resulting table only have a single row in it? Or are there multiple rows?
dc returns a single value, but I think values returns a multi-value field.
I'm just shooting in the dark at this point but maybe:
Change dc(dest) AS host count -> values(dest) AS host count
Swap the field names -> dc(dest) AS hash values("match_hash") as host_count
Remove the "by "intel_name".
I did notice that you seem to be quoting the other fields, but not dc(dest)?
... View more
03-30-2020
02:35 PM
hmm.. tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into the normal territory.
I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it.
... View more
03-30-2020
01:47 PM
So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search?
If that's what you're seeing -- then that is a bit nasty.. I'd start to wonder whether your browser is telling you the truth? Clear browser cache?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-22-2021
09:46 AM
|
Karma given to
