Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dc595
dc595
Explorer
Member since:
12-18-2014
03-22-2024
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 1 |
| Member Since | 12-18-2014 |
Activity Feed
- Posted Re: Index Time Extractions of audittrail sourcetype on Splunk Enterprise. 04-28-2023 06:34 AM
- Posted Re: Index Time Extractions of audittrail sourcetype on Splunk Enterprise. 04-27-2023 02:20 PM
- Posted Are Index Time Extractions of audittrail sourcetype not supported via props and transforms? on Splunk Enterprise. 04-27-2023 10:29 AM
- Tagged Are Index Time Extractions of audittrail sourcetype not supported via props and transforms? on Splunk Enterprise. 04-27-2023 10:29 AM
- Tagged Are Index Time Extractions of audittrail sourcetype not supported via props and transforms? on Splunk Enterprise. 04-27-2023 10:29 AM
- Tagged Are Index Time Extractions of audittrail sourcetype not supported via props and transforms? on Splunk Enterprise. 04-27-2023 10:29 AM
- Posted Can Federated Search Results from Splunk Cloud to a Summary Index On-Premise? on Splunk Enterprise. 02-09-2023 10:19 AM
- Tagged Can Federated Search Results from Splunk Cloud to a Summary Index On-Premise? on Splunk Enterprise. 02-09-2023 10:19 AM
- Tagged Can Federated Search Results from Splunk Cloud to a Summary Index On-Premise? on Splunk Enterprise. 02-09-2023 10:19 AM
- Tagged Can Federated Search Results from Splunk Cloud to a Summary Index On-Premise? on Splunk Enterprise. 02-09-2023 10:19 AM
- Posted Migrate specific Indexes from Index cluster to new Index cluster on Deployment Architecture. 06-04-2021 01:02 PM
- Karma Re: What is the difference between Splunk and ELK Stack Elasticsearch in terms of Security, Infrastructure, deployment etc? for outcoldman. 06-05-2020 12:49 AM
- Karma Re: Is there a way to update existing values in KV store via REST API? for illescas. 06-05-2020 12:48 AM
- Karma Re: How to write a transaction search to expand multivalued fields into separate single value events? for niketn. 06-05-2020 12:48 AM
- Karma Re: Simple XML: How to display search results within an HTML List? for frobinson_splun. 06-05-2020 12:47 AM
- Got Karma for Re: Simple XML: How to display search results within an HTML List?. 06-05-2020 12:47 AM
- Karma Re: How do I change the URL used in email alerts for cnk. 06-05-2020 12:46 AM
- Posted Re: How to write a transaction search to expand multivalued fields into separate single value events? on Splunk Search. 12-05-2016 12:41 PM
- Posted Re: How to write a transaction search to expand multivalued fields into separate single value events? on Splunk Search. 12-05-2016 12:36 PM
- Posted How to write a transaction search to expand multivalued fields into separate single value events? on Splunk Search. 12-02-2016 03:27 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-28-2023
06:34 AM
Hi Rich, I installed these settings under system/local on both SH and Indexer and also a single instance. btool checks out fine and I've applied the same transformation on the [scheduler] sourcetype and everything works as expected. Odd Behavior with the audit.log also the default inputs.conf /etc/system/default/inputs.conf states the following. [fschange:$SPLUNK_HOME\etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100 I'm under the impression Splunk's security measures lock the ability of transforming the audit log
... View more
04-27-2023
02:20 PM
At index time I'm have trying to extract and index the field app from the audittrail Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, info=completed, search_id='1682628653.251613', has_error_warn=false, fully_completed_search=true, total_run_time=0.61, event_count=9, result_count=0, available_count=9, scan_count=9, drop_count=0, exec_time=1682628653, api_et=1682539200.000000000, api_lt=1682628653.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1682539200.000000000, search_lt=1682628653.000000000, is_realtime=0, savedsearch_name="", search_startup_time="88", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="E06599A7-7307-4983-8459-FD948B9F996B_search_argus_test_6d524bc0f6be8430", app="search", provenance="UI:Search", mode="historical", From my tests it' doesn't matter what REGEX I used in the transforms.conf, there seems to be a behavior where the [audittrail] is read only props.conf [audittrail]
TRANSFORMS-audit_addMetadata = add_app_to_metadata transforms.conf [add_app_to_metadata]
SOURCE_KEY = _raw
REGEX = app=\"([^"]+)
FORMAT = mApp::$1
WRITE_META = true
... View more
04-27-2023
10:29 AM
Hi
It's seems index time extractions for audittrail is not supported via the traditional props, transforms.
Is this expected behavior and is there an approach that will allow to index a field from the audit.log?
Thankyou
... View more
Labels
- Labels:
-
configuration
-
development
-
other
02-09-2023
10:19 AM
Hi, Interested in knowing if federated search results from Splunk Cloud could be stored in a summary index located in a On-Premise Enterprise instance / cluster?
The thought is this could allow to offload some high usage dashboards to On-Premise and allow for data correlation with On-premise data.
Thank you
... View more
Labels
- Labels:
-
using Splunk Enterprise
06-04-2021
01:02 PM
HI Team, Today we have a 4 index cluster and we want to create a separate index cluster that does not share configurations or index definitions and have our SHC communicate with both. Also We would like to migrate a handful of indexes + their buckets from the current index cluster to this new index cluster. Once migrated, the handful of indexes will be purged from the old index cluster. I see documentation stating SHC can communicate with 2 different index clusters but would my setup require 2 CMs? The indexed data & definitions are completely different between index clusters Manager node wouldn't be able to deploy different master / slave apps to each index cluster. Wondering if this type of setup is supported and if there are any strategies to perform the migration tasks? Thank you in advance
... View more
Labels
12-05-2016
12:41 PM
The mvzip approach is what I was trying to accomplish, but thank you for your response it's very helpful
... View more
12-05-2016
12:36 PM
Thank you this was very helpful
... View more
12-02-2016
03:27 PM
Hi,
I'm having difficulties expanding a multivalued Transaction event back into individual events. The overall goal is to use the Transaction command | transaction Device SessionID maxpause=300s nullstr="~" mvlist=t delim="','" to create a common key between time based events from 3 different indexes, then save those grouped events into a summary index, as displayed in the picture below.
With multivalued fields I'm having difficulties grouping a field with another **i.e. TransactionName ** with its respective *** Timestamp.***
I would like to separate each multivalued row into an single value event, maintaining the fields and order.
I can provide more detail if required
Thank you in advance
... View more
01-22-2016
03:46 PM
HI Guys,
I want to post some of my findings which could cut your dbxquery time in half.
Findings:
1. Keep an eye out for the number columns you are returning
I tested this against a table with 227 columns returning 5001 rows
all 227 rows took 32-34 seconds
1 column took 13- seconds
2. @health.logger attributes slow response times
Have a look at def execute_query in dbquery.py. I commented out the attribute #@health.Logger("dbquery:execute_query", health.DB)
This took the same query as above down from 13 to 6-8 seconds
... View more
11-11-2015
02:29 PM
1 Karma
Yes it does help - I just successfully finished testing a panel with your suggestion. Thank you for your help
... View more
11-10-2015
02:21 PM
I'm looking to see if there's a solution to display a search result (1 event) using Simple XML. Is there a token that needs to be set for each return field? I'm using Splunk 6.3
In the required js stack, I noticed the ListElement, but there's isn't much documentation on this. Ideally I would like to display the results within HTML tags, however, alternatives are certainly welcomed.
I would like to display the results like the sudo code below
<row>
<panel>
<html>
FirstName: $result.fname$
LastName: $result.lname$
Email: $result.email$
</html>
</panel>
</row>
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-22-2024
01:31 PM
|
