Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Olli1919
Olli1919
Path Finder
Member since:
06-16-2011
12-02-2021
Community Statistics
| Posts | 34 |
| Solutions | 4 |
| Karma Given | 9 |
| Karma Received | 11 |
| Member Since | 06-16-2011 |
Activity Feed
- Posted Alert Manager: Creating incidents from SPL on All Apps and Add-ons. 12-01-2021 04:25 AM
- Tagged Alert Manager: Creating incidents from SPL on All Apps and Add-ons. 12-01-2021 04:25 AM
- Posted Reset Alert Manager Incidents / Database on All Apps and Add-ons. 12-01-2021 03:54 AM
- Tagged Reset Alert Manager Incidents / Database on All Apps and Add-ons. 12-01-2021 03:54 AM
- Karma Does Splunk support cgroups v2 for Workload Management? for AlexHaydock. 10-12-2021 05:06 AM
- Posted Extend NMon Metricator HEC on All Apps and Add-ons. 06-14-2021 02:34 AM
- Got Karma for Re: Is it possible to map value to color/color code using a bilinear color gradient for visualization?. 06-05-2020 12:50 AM
- Got Karma for Re: Is it possible to map value to color/color code using a bilinear color gradient for visualization?. 06-05-2020 12:50 AM
- Karma Re: Summary Index Backfiller fill_summary_index.py broken? "No scheduled times for your time range" for daubsi_2. 06-05-2020 12:48 AM
- Got Karma for Summary Index Backfiller fill_summary_index.py broken? "No scheduled times for your time range". 06-05-2020 12:48 AM
- Got Karma for Re: Summary Index Backfiller fill_summary_index.py broken? "No scheduled times for your time range". 06-05-2020 12:48 AM
- Karma Re: Scheduled PDF delivery not being received - Invalid earliest_time in python.log for rsimmons. 06-05-2020 12:47 AM
- Karma Re: Does Cisco eStreamer for Splunk support eStreamer 6? for sjaworski. 06-05-2020 12:47 AM
- Karma Re: Does Cisco eStreamer for Splunk support eStreamer 6? for douglashurd. 06-05-2020 12:47 AM
- Karma Re: Is there a programmatic method to list and analyze which objects/resources (indexes, macros, lookups) are used by scheduled searches? for woodcock. 06-05-2020 12:47 AM
- Got Karma for Does Cisco eStreamer for Splunk support eStreamer 6?. 06-05-2020 12:47 AM
- Got Karma for Does Cisco eStreamer for Splunk support eStreamer 6?. 06-05-2020 12:47 AM
- Got Karma for Is there a programmatic method to list and analyze which objects/resources (indexes, macros, lookups) are used by scheduled searches?. 06-05-2020 12:47 AM
- Got Karma for Is there a programmatic method to list and analyze which objects/resources (indexes, macros, lookups) are used by scheduled searches?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a programmatic method to list and analyze which objects/resources (indexes, macros, lookups) are used by scheduled searches?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 2 | |||
| 0 | |||
| 2 | |||
| 1 |
12-01-2021
04:25 AM
Hi fellow Alert Manager Users, is it possible to create alert manager incidents from SPL instead of from the custom alert action? This would allow for easier testing, being able to manually create incidents, not needing to schedule a search. I tried the following, not diving into the code so far, but this did not work out: | makeresults count=1
| eval index="alerts", auto_assign_owner="unassigned", impact="low", urgency="low", title="testTitle", owner="unassigned", append_incident=1, auto_previous_resolve=0, auto_subsequent_resolve=0, auto_suppress_resolve=0, auto_ttl_resove=0, display_fields="test", category="testCategory", subcategory="testSubcategory", tags="testTag", notification_scheme="testScheme"
| sendalert alert_manager param.index="alerts" param.auto_assign_owner="unassigned" param.impact="low" param.urgency="low" param.title="testTitle" param.owner="unassigned" param.append_incident=1 param.auto_previous_resolve=0 param.auto_subsequent_resolve=0 param.auto_suppress_resolve=0 param.auto_ttl_resove=0 param.display_fields="test" param.category="testCategory" param.subcategory="testSubcategory" param.tags="testTag" param.notification_scheme="testScheme" It fails with the error: File "/opt/splunk/etc/apps/alert_manager/bin/alert_manager.py", line 570, in <module>
log.debug("Parsed savedsearch settings: expiry={} digest_mode={}".format(savedSearch['content']['alert.expires'], savedSearch['content']['alert.digest_mode']))
KeyError: 'content' Thanks!
... View more
Labels
- Labels:
-
administration
-
configuration
12-01-2021
03:54 AM
Hi fellow Alert Manager Users, what is a good way to clear out the alert manager incidents, to restart fresh? I am creating new tickets and still testing their content. After having finalized the ticket content, I would like to start out fresh again. Seeing that alert manager keeps incidents, their details and change history separately, also in index, kv and other places, they question is what should be cleared to get a clean new start. Thanks!
... View more
Labels
- Labels:
-
administration
-
configuration
06-14-2021
02:34 AM
Hi Metricators, thanks for Metricator, I have now used it for a few weeks to get take a look at my systems health. It is a very comprehensive app, well thought out and quite quick to start with. How I would approach extending Metricator with custom metrics? E.g. when adding similar values like temperatures, hdd smart values or power / ups statistics. Is that something I could and should put into metricator as well? Or would it be easier to keep Metricator as it is and use the classic collectd Metrics path? Thanks for any recommendations
... View more
Labels
- Labels:
-
other
11-04-2019
10:32 AM
Hi,
you most certainly solved it yourself, but for sake of completeness:
There is no good solution, as we would need Splunk's SPL parser. A workaround would be come up with a more elaborate regex parser. Of course, in the long run this would not be an ideal solution.
| makeresults count=1
| eval qualifiedSearch=" | inputlookup first_file.csv
| eval flag=\"this is from the first file\"
| append
[| outputlookup append=true second_file.csv]"
| table qualifiedSearch
| rex max_match=100 field=qualifiedSearch "[\s\|]+inputlookup\s(?<lookup_name>[^\s\|\]]+)|outputlookup.*\s(?<lookup_name2>[^\s\|\]]+)"
| eval lookup_name_final=mvappend(lookup_name, lookup_name2)
This should parse the following SPL:
| inputlookup first_file.csv
| eval flag="this is from the first file"
| append
[| outputlookup append=true second_file.csv]
finding:
first_file.csv
second_file.csv
... View more
11-04-2019
09:22 AM
2 Karma
A nice usage scenario for chart annotation (e.g. heatmap) is to merge two values (e.g. local riskscore, global riskscore) into a single color. Of course the same could be achieved in coming up with an overall score first and mapping this into a colorcode.
But since splunk can do, let's take the more colorful approach of "mapping two values into a 2D color space" ("Bilinear Interpolate Color Gradient").
As referenced in slide 26 of conf19's: SEC1374 - Augment Your Security Monitoring Use Cases with Splunk's Machine Learning Toolkit (@time 41:04)
Colorize Graph using two riskscores
bilinearInterpolateColorGradient(inputVal1, inputVal2, colorspaceCol00, colorspaceColX0, colorspaceCol0Y, colorspaceColXY, "outcolor")
Goal:
- Input two values in the range of 0..1
- Map into a 2D colorspace defined by the four colorcodes in the corners
- Output a single colorcode in the format "#AABBCC"
Result:
The two input values will get mapped into a 2D colorspace like this one:
2DColorspace at HarmonicCode: harmoniccode.blogspot.com
For a great explanation, refer to this article:
Bilinear color interpolation at HarmonicCode: harmoniccode.blogspot.com
Code: (4 Macros)
bilinearInterpolateColorGradient(7)
`comment("
Maps two values into a color space with four colors.
Outputs a final color, smoothly interpolated between these four color,
on basis of the two input values.
https://harmoniccode.blogspot.com/2011/04/bilinear-color-interpolation.html
x: Input value 1 (x axis in color space. left->right)
y: Input value 2 (y axis in color space. bottom->top)
col00: color in the bottom left corner of the color space.
colX0: color in the bottom right corner of the color space.
col0Y: color in the top left corner of the color space.
colXY: color in the top right corner of the color space.
outcolorfieldname: name of field in which the final color is written.
")`
| eval _x = $x$
| eval _y = $y$
| eval _col00 = $col00$
| eval _colX0 = $colX0$
| eval _col0Y = $col0Y$
| eval _colXY = $colXY$
`interpolateColor(_col00, _colX0, _x, "_outcolorB")`
`interpolateColor(_col0Y, _colXY, _x, "_outcolorT")`
`interpolateColor(_outcolorB, _outcolorT, _y, "_outcolor")`
| eval $outcolorfieldname$ = _outcolor
interpolateColor(4)
| eval _col1 = $col1$
| eval _col2 = $col2$
| eval _lerpt = $lerpt$
| eval _outcolor = "#ZZZZZZ"
| eval _lerpt = if(_lerpt > 1, 1.0, _lerpt)
| eval _lerpt = if(_lerpt < 0.0, 0.0, _lerpt)
`splitColorIntoComponents(_col1, "_col1r", "_col1g", "_col1b")`
`splitColorIntoComponents(_col2, "_col2r", "_col2g", "_col2b")`
| eval _deltaRed = _col2r - _col1r, _deltaGreen = _col2g - _col1g, _deltaBlue = _col2b - _col1b
| eval _outRed = _col1r + _lerpt * _deltaRed, _outGreen = _col1g + _lerpt * _deltaGreen, _outBlue = _col1b + _lerpt * _deltaBlue
`genColorFromComponents(_outRed, _outGreen, _outBlue, "_outcolor")`
| eval $outcolorfieldname$ = _outcolor
splitColorIntoComponents(4)
| eval _color = $color$
| rex field=_color "^#(?<_red>[0-9a-zA-Z]{2,2})(?<_green>[0-9a-zA-Z]{2,2})(?<_blue>[0-9a-zA-Z]{2,2})$"
| eval _red = tonumber(_red, 16), _green = tonumber(_green, 16), _blue = tonumber(_blue, 16)
| eval $oufieldname_red$ = _red
| eval $oufieldname_green$ = _green
| eval $oufieldname_blue$ = _blue
genColorFromComponents(4)
| eval _red = $red$
| eval _green = $green$
| eval _blue = $blue$
| eval _outcolor = "#" + upper(printf("%02x", _red)) + upper(printf("%02x", _green)) + upper(printf("%02x", _blue))
| eval $outcolorfieldname$ = _outcolor
Testbed / Usage example
| makeresults count=484
| eval count = 22
| streamstats count as id
| eval id = id - 1
| eval x = floor(id / count) / count, y = (id % count) / count, z = 0
| eval col00 = "#00AA00"
| eval colX0 = "#FFA500"
| eval col0Y = "#FFFF00"
| eval colXY = "#FF0000"
`bilinearInterpolateColorGradient(x, y, col00, colX0, col0Y, colXY, "outcolor")`
| eval clusterId=outcolor, clusterColor=outcolor, z=0
| table clusterId, x, y, z, clusterColor
**-> Render the generated events into MLTK's 3D Scatterplot**
... View more
11-04-2019
09:03 AM
(Disclaimer: May be a little nuts. Meaning you do not necessarily need to be sane to enjoy this question/answer) Many custom visualizations can work with a colorcode in the event data to further enrich a chart. Is it possible to map a numerical value to a color / colorcode? E.g. 42.4 -> #FFA500 Furthermore, is it possible to map a value range to a color range? E.g. 0.0-1.0 -> green-red?
... View more
07-26-2016
10:38 AM
Now with the new DMC in v6.4 there are still both types of license usage reporting. And it is Type=RolloverSummary, which is the reference for actual daily license count. Unfortunately Type=RolloverSummary does not offer the sourcetype. Only Type=Usage does. Yesterday we had delta of 120GB between both license usages calculation types. It is thus nearly impossible do analyze a license violation down to the sourcetype / data source which caused it, when missing 120GB in the reporting.
One could think that splunk has no interest in offering a license usage report, which would allow customers to identify what data sources they spend their money on.
... View more
07-21-2016
01:17 AM
Thinking about it, I would assume that "src_ip!=" needs a fieldvalue to compare with. Probably a "check this fieldvalue, remove the match". So if no fieldvalue is there, the the clause cannot come back being positive, because it cannot be checked.
Whereas "NOT src_ip" negates the clause. Which is negative when either this wanted value exists or when the field cannot be checked. So on both occurences it comes back negative, negated again gives a positive.
... View more
07-21-2016
01:10 AM
Hi fellow Splunkers,
I just fell over the difference between "NOT src_ip=1.2.3.4" and "src_ip!=1.2.3.4" in a basesearch. Can someone explain what the difference is and why?
What I did was to use this statement in a basesearch, filtering out this single IP. What happens is:
- "src_ip!=1.2.3.4": Filters out this single IP and all events with src_ip being null
- "NOT src_ip=1.2.3.4": Filters out this single IP, leaves all events with null src_ip standing
I know that "NOT src_ip=*" is the best way to search for empy or null occurences of src_ip. But I figure I should understand what is happening under the hood as well.
Thanks for the enlightenment.
Olli
... View more
06-10-2016
06:55 AM
1 Karma
Here is a quick hack to fix this - if anyone needs it, too. Beware of mistakes, use at you own risk, I am no pro at that.
First, check if you are getting the same error:
- Is your search configured correctly (enabled, is_scheduled, has summary_index action)?
- Check if the REST Endpoint returns the scheduled times correctly, when queried manually:
curl -k -u <user>:<pass> https://localhost:8089/servicesNS/<user>/<app>/saved/searches/<searchname>/scheduled_times --get -d earliest_time=-5d -d latest_time=now
This REST query should return a block with the scheduled_times you queried for (-5d until now, as set above), e.g.:
<s:key name="scheduled_times">
<s:list>
<s:item>1465548600</s:item>
<s:item>1465549500</s:item>
<s:item>1465550400</s:item>
....
</s:list>
</s:key>
If it does not return this list of scheduled_times of jobs, there is something else wrong. This hack won't help you until you get schedules_times.
To integrate this hack, make the following changes to fill_summary_index.py:
Within the imports at the beginning add the following line, after line 11 "import splunk.util" would be a nice place:
import splunk.entity as entity
Comment out line 352 like this:
#ent = splunk.search.getSavedSearchWithTimes(ssname, et, lt, namespace=app, sessionKey=sk, owner=owner)
Insert this replacement statement in the following line 353:
ent = entity.getEntity("/saved/searches", ssname, uri="/servicesNS/"+owner+"/"+app+"/saved/searches/"+ssname+"/scheduled_times", earliest_time=et, latest_time=lt, namespace=app, owner=owner, sessionKey=sk)
What this does is that it leaves out the call to the wrapper function getSavedSearchWithTimes in saved.py and calls the getEntity function from entity.py directly, with an override to the correct REST Endpoint (in field "uri").
As said, use at own risk. If anyone has a nicer solution, feel free to post here.
Please upvote of you have the same problem and this helped you.
... View more
06-07-2016
10:36 AM
1 Karma
Hi Fellow Splunkers,
After having upgraded to 6.4.1 yesterday, I had a go with fill_summary_index.py again, and noticed that am still getting the same error "No scheduled times for your time range", which I had been getting since a year or longer.
Being in dire need of it this time, I tried to backfill different searches, e.g. using sistats, using collect, basic and cron scheduling. To my surprise even the most basic search (basic scheduling 1 hour, using sistats and flagging "enable summary indexing" in the webgui search edit form), was getting the same error "No scheduled times...".
Taking a deeper look at it with @daubsi_2, we found that:
manually searching the designated REST endpoint (saved/searches/{name}/scheduled_times) returned the needed list "scheduled_times"
<s:list>
<s:item>1465292100</s:item>
<s:item>1465293000</s:item>
...
Looking at the function output of getSavedSearchWithTimes in fill_summary_index.py, this returned the definition of the search in question, but without scheduled_times. It looks pretty much as if only search definition without scheduled_times was queried
Taking a look a saved.py and entity.py, we could not make out where the needed REST URI .../scheduled_times would be prepended
Changing a few lines to make fill_summary_index.py use the REST endpoint (saved/searches/{name}/scheduled_times) made the script run again as it used to. It found the scheduled_times just happily.
How is your mileage with fill_summary_index.py? Does it work as intended in 6.3+? As it is probably in heavy use out there, I would be a little surprised if it's really going to the wrong endpoint.
Olli
... View more
05-13-2016
08:15 AM
I am seeying the same as coleman07 describes, only that this is happening in LURV (http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/AboutSplunksLicenseUsageReportView ). When going into the "Previous 30 Days" tab and choosing no splitby, a license violation is shown, when switching to a splitby (e.g. index), there a still 50GB free before the pool size is reached. So there's a delta of 50GB between "RolloverSummary" and "Usage" calculations.
Trying to find these unaccounted, missing 50GB has been unfruitful so far.
Can you please elaborate a little more on these artificats? What volume does count towards license volume, is it "RolloverSummary"?
... View more
02-12-2016
01:27 AM
Thank you for your replies. It is good to see Cisco extends the functionality. Looking at the Integration side, ArcSight seems to have said that they do not support eStreamer in the future, as they want CEF. I am not surprised to see this development. I just hope that open interfaces remain as important for the players as they are for their customers.
... View more
02-11-2016
09:35 AM
Bombastic. That is the one. Thank you very much.
... View more
02-11-2016
09:11 AM
2 Karma
Hello,
I have not yet found a reference to Splunk eStreamer 6 connectivity in the documentation or the net. Has anyone tested yet if the app allows to pull eStreamer v6? Is there a roadmap date when v6 will be supported?
Thanks and regards,
Oliver
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-02-2021
10:01 AM
|
Karma from
