Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About morethanyell
morethanyell
Contributor
Member since:
06-18-2018
06-13-2020
Community Statistics
| Posts | 133 |
| Solutions | 6 |
| Karma Given | 64 |
| Karma Received | 9 |
| Member Since | 06-18-2018 |
Activity Feed
- Got Karma for Word Wrap on Single Value. a month ago
- Karma Re: Is load balancing in UF/HF bound to cause data imbalance on IDXC eventually? for anmolpatel. 06-05-2020 12:51 AM
- Karma Re: Are values() returned by Splunk in a search sorted alphabetically? for inventsekar. 06-05-2020 12:50 AM
- Karma Re: SMLT: Where is the model located? for dkeck. 06-05-2020 12:50 AM
- Karma Re: How to exclude certain wildcard matches from the search for franjo. 06-05-2020 12:50 AM
- Karma Is it possible to set "Forwarder Management" as the default app on a Deployment Server? for chris_barrett. 06-05-2020 12:50 AM
- Karma Re: Ingestion Method as Field? for jawaharas. 06-05-2020 12:50 AM
- Karma Re: Dashboard CSS: Stack SingleValue Panel for niketnilay. 06-05-2020 12:50 AM
- Karma Re: Indexes Config: Relationship of maxTotalDataSizeMB to home and cold for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: Indexes Config: Relationship of maxTotalDataSizeMB to home and cold for HiroshiSatoh. 06-05-2020 12:50 AM
- Karma Re: Special fillnull? Polulate null values with evaluated calculations for VatsalJagani. 06-05-2020 12:50 AM
- Karma Re: How to use Splunk to audit Windows processes created and the users who are running them? for whrg. 06-05-2020 12:50 AM
- Karma Re: How to index results from cURL? for gjanders. 06-05-2020 12:50 AM
- Karma Re: Where is the .conf file for the lookup definition? for FrankVl. 06-05-2020 12:50 AM
- Karma Re: Ubuntu on Windows - tar Splunk is permission denied; why? for tom_frotscher. 06-05-2020 12:50 AM
- Karma Re: splunk hash-passwd Command Not Accepting My Password for lmethwani_splun. 06-05-2020 12:50 AM
- Karma Re: Config Documentation Sites Not Opening for markhill1. 06-05-2020 12:50 AM
- Karma Re: Where did Splunk 7.3.1 go? for KevinMurray. 06-05-2020 12:50 AM
- Karma Re: Group By Replace for woodcock. 06-05-2020 12:50 AM
- Karma Re: IDX CM as DS Client for MuS. 06-05-2020 12:50 AM
05-20-2020
05:15 AM
This problem can be solved if you have Lookup Editor installed in your SplunkCloud search head. In that app, there's a way to configure a new KV Lookup and that includes taking care of collections-conf name.
... View more
05-06-2020
04:30 AM
Hi,
Our ES's pre-packaged datamodel (DM) Network_Traffic has 3 months of summary range. We've introduced new logs in this said DM by adding new indexes and specifying eventtypes and tags . We've confirmed by searching the datamodel that the new logs (i.e. WinEventLogs) are now included.
However, using tstats to see counts of events per day, we noticed that there's no data beyond one month ago. See:
As can be seen from above, other sourcetypes yield positive result except for the newly added sourcetype.
We were wondering why this is being the case when the DM's summary range is for 3 months. Shouldn't we be expecting to get more beyond just a month ago?
What are we missing here?
... View more
Labels
03-05-2020
05:37 PM
Enlightening. Thanks.
... View more
03-05-2020
04:26 PM
Is load balancing in HF and UF's outputs.conf bound to cause data imbalance on IDXC overt time? If yes, I wholeheartedly accept that data rebalancing is something that we need to do in a regular basis. Just need confirmation from the crowd / community.
If not and in which it means that the line (according to this Splunk doc)
"every 30 seconds, the forwarder switches the data stream to another indexer in the group, selected at random"
guarantees to make number of data among the peers balance. If that is really the case, then what causes data imbalance and how to prevent it?
Thanks in advance.
... View more
03-01-2020
11:42 PM
^ prolly the fastes way to do it
... View more
03-01-2020
08:30 PM
If your logs from outerspace use atomic clock that is programmed to represent the current UTC, taking into account the effects of Einstein's generalrelativity (curvature of spacetime), then there shouldn't be any problem.
The problem you will have to deal with is the delay in _indextime . See, your log's _time is the information your search timepicker will look after.
Say your spaceship has a log at 2020-03-01T00:00:00 about a malfunction of one of its thingamagjiggies. Your search head that is on Earth has an alert that looks after "malfunctions on one of the thingamajiggies" every 5 minutes. It will cause an issue if the log arrives on your Earth-bound indexer 6 minutes late. Because at 2020-03-01T00:00:00 and at 2020-03-01T00:00:05 , the alert wouldn't be able to detect the log (because it's not ingested yet). And at 2020-03-01T00:00:10 , the alert would've already missed it. There are however tweaks that can solve these types of issues.
In short, having a Splunk forwarder from outerspace wouldn't cause much headache as long as the network is alright (heck, I've seen NASA livestreams from low-orbit space, forwarding logs wouldn't be that hard).
... View more
03-01-2020
07:42 PM
If you wish to append slightly varying timestamps on the raw logs, I think it's best to do this pre-ingestion...like via a python script. I can imagine a loop through all the logs and appending timestamp.
... View more
02-20-2020
11:10 PM
what a freaking life saver. i was on fast mode
... View more
02-20-2020
06:06 AM
Not an answer but just curious as to why wouldn't you perform there filtering in the first level search, such as index=server site=login NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip] ?
... View more
02-20-2020
05:53 AM
Try this
| makeresults
| eval _raw = "\"header.JMSDestination\"=\"topic/testTopic/Durable-Non-Subscription/20\""
| rex "testTopic\/(?<field1>[^\"]+)"
| rex field=field1 mode=sed "s/\//./g"
| rex field=field1 "Durable-(?<field2>.*)$"
... View more
02-11-2020
10:32 PM
Hi,
We have been experiencing broken UI on 3 of our nodes (DS, SHDep, & IDXCM; 2 screenshots below) and the rest seems to be fine. The Web UI is not showing web objects as normal, like the dropdown, apps, etc.
This is not an issue on serverclass.conf (as the message on the UI is saying) because running functionalities in the background / CLI seems to be fine. Attempts to fix this one include splunk restart splunkweb and splunk restart , the former fixes the issue but the problem goes back after 15-30 minutes of not being used. We've cleared the cache of the browser but also to no avail.
The version we're using is 6.5.2. Have you experienced the same? If so, how do we permanently fix this?
Thanks in advance.
... View more
02-10-2020
02:28 PM
By paper, it should capture this
[ FIELDNAME = The quick brown fox jumps over the lazy dog. ]
If you try it on | rex or on regex101.com, it does work. But when implemented on transforms.conf, it only captures "The"...so, the field value will be "FIELDNAME = The" instead of entire "FIELDNAME = The quick brown fox jumps over the lazy dog."
It's not appropriate anymore to show evidence that the regex is working via | rex or regex101.com because as I've said before, it does work via those mediums. But not when used in transforms.conf for index-time field extraction, it doesn't.
Out of frustration, I've changed the strategy of capturing the fields by enclosing values with double quotes (e.g. [ FIELDNAME = s0m3 vaLu3 ] becomes [ FIELDNAME ="s0m3 vaLu3" ] ) using SEDCMD on props instead of transforms.conf.
Thanks for the help.
... View more
02-09-2020
08:00 PM
Same issue, mate. I've used your transforms and it still fails to capture the entire thing and halts at whitespace
[aap_fields_discov]
REGEX = \[\s*(\S+)\s\=\s(.*?)\s\]
REPEAT_MATCH = true
WRITE_META = true
... View more
02-06-2020
08:59 PM
My old Regex also works on | rex but it does not on transforms.conf
... View more
02-06-2020
08:58 PM
Edited transforms.conf with your regex. Stopped Splunk. Deleted index using "clean eventdata" (don't worry, it's a dev machine). Then restarted Splunk. Re indexed the file using one-shot. Still fails to capture the entire value. It stops at whitespace .
... View more
02-06-2020
07:04 PM
We're trying to extract fields that match this [ FIELD_NAME = S0m3 Valu3 w\ reaLLy $pec!aL ch*rac+3rs ] and write them on tsidx so that their consumable on tstats . We're using the transforms-props partnership below
# transforms.conf
[hello_transforms]
REGEX = (?<key>[\w]+)\s\=\s(?<value>[^\]]+)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true
#props.conf
[hello]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
TRANSFORMS-capturer = hello_transforms
While it is doing what's expected for most of the fields, (i.e. fields are written on disk, verified through walklex), some values failed to be captured entirely or as expected. For example
[ REMARKS = A Kerberos authentication ticket (TGT) was requested. ]
Splunk only captured "A". See screenshot below.
REGEX VALID:
Do you think this is Splunk's REGEX engine's fault or I have something wrong in my configs?
Thanks in advance.
... View more
02-04-2020
08:04 PM
The differentiating information is host, not name of index. Also, you don't install wineventlog on an indexer because and indexer should be a dedicated server (cluster of servers) which purpose is solely for indexing.
... View more
02-04-2020
07:12 PM
Assuming that the 10 companies are in the same network the "single site" you're referring to, there shouldn't be any problem.
Install Universalforwarders or Heavyforwarders on the 10 companies you mentioned. And using your Deployment Server, you can install apps you can manage--all remotely. These are apps such as TAs that collect logs from different sources and/or configuration files (e.g. outputs.conf) that tells Splunk to send logs to your intermediate Heavyforwarder (or direct to the indexer cluster).
Each company "may" have their own indexes but if you configure them to send logs to your indexer, that should solve the issue.
However, if the 10 other comapanies you're referring to are in totally different network of their own, then, you might want to consider other solutions like using HEC on a heavyforwarder that has rules to allow incoming HEC posts.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-13-2020
07:05 PM
|
