Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jdunlea
jdunlea
Path Finder
Member since:
12-15-2014
06-05-2020
Community Statistics
| Posts | 41 |
| Solutions | 6 |
| Karma Given | 3 |
| Karma Received | 10 |
| Member Since | 12-15-2014 |
Activity Feed
- Got Karma for Re: Add data into splunk cluster .. 06-05-2020 12:48 AM
- Got Karma for Why is pan and zoom not working in Google Chrome for my Splunk 6.4.0 map visualization?. 06-05-2020 12:48 AM
- Karma Re: Splunk for Enterprise Security: Is it possible to allow non-admin users to create notable events manually? for rphillips_splun. 06-05-2020 12:47 AM
- Karma Re: What is recommended to monitor multiple files in the same directory and assign them each different sourcetypes? for rphillips_splun. 06-05-2020 12:47 AM
- Karma Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)? for malmoore. 06-05-2020 12:47 AM
- Got Karma for Re: How to set up a cron schedule for every 12 hours at 6am and 6pm?. 06-05-2020 12:47 AM
- Got Karma for Re: Can a Search Head be an Indexer as well in a distributed search environment?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create a sudo to root, dedup 24 hours report?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to run multiple searches one after another, ensuring the previous search has finished before a new search starts?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to run multiple searches one after another, ensuring the previous search has finished before a new search starts?. 06-05-2020 12:47 AM
- Got Karma for Re: How to grab the second value of a delimited field with rex?. 06-05-2020 12:47 AM
- Got Karma for Re: How to grab the second value of a delimited field with rex?. 06-05-2020 12:47 AM
- Got Karma for Re: How to grab the second value of a delimited field with rex?. 06-05-2020 12:47 AM
- Posted How to sort apps in UI by the "label" value in app.conf? on Dashboards & Visualizations. 09-03-2019 09:55 AM
- Tagged How to sort apps in UI by the "label" value in app.conf? on Dashboards & Visualizations. 09-03-2019 09:55 AM
- Posted How to map every event which has a lat and long field? on Splunk Search. 06-25-2016 07:30 AM
- Tagged How to map every event which has a lat and long field? on Splunk Search. 06-25-2016 07:30 AM
- Posted Why is pan and zoom not working in Google Chrome for my Splunk 6.4.0 map visualization? on Dashboards & Visualizations. 06-25-2016 06:38 AM
- Tagged Why is pan and zoom not working in Google Chrome for my Splunk 6.4.0 map visualization? on Dashboards & Visualizations. 06-25-2016 06:38 AM
- Tagged Why is pan and zoom not working in Google Chrome for my Splunk 6.4.0 map visualization? on Dashboards & Visualizations. 06-25-2016 06:38 AM
09-03-2019
09:55 AM
From what I can tell, the apps dropdown in Splunk is ordered alphabetically by the app FOLDER names.
Is there a way to have this ordered by the "label" value in app.conf?
I.E. I would like to sort my apps in the app dropdown by their "UI name", rather than their folder name.
... View more
06-25-2016
07:30 AM
I have 35 events. Each one has a lat and long field. How do I map each one of them to an individual point on a map? When I use geostats, it keeps trying to throw things into "geo bins".
... View more
06-25-2016
06:38 AM
1 Karma
Does anyone know why my map visualization in 6.4.0 will not scroll when using Google Chrome? It works just fine in IE. I cannot see this listed as a known issue anywhere.
NOTE: By scroll I mean that when I zoom in and try and drag the map left or right, nothing happens.
... View more
06-24-2016
07:40 AM
Ah yes that works! Thanks! Sorry I should have dug around a little more!
... View more
06-23-2016
08:46 PM
If I have data which has lat and long data that is localized within a few miles, is there a way that I can map this on a map in Splunk?
The default map does not zoom to a level that is adequate enough to map the localized location data.
... View more
06-23-2016
09:54 AM
I have a Splunk 6.4 single instance running in AWS. I want to use the Splunk Mobile App on my iPhone to access dashboards.
Some of the documentation says that I need only the iOS app and the "add-on" app for Splunk. Other pieces of documentation make reference to setting up a "Mobile Access Server".
What exactly do I need? If I do need the Mobile Access Server, where can I download this? The link in this docs page to the "Mobile Access Server" is taking me to the "Add-on" app on Splunkbase.
... View more
06-17-2016
08:33 AM
I see what you mean. I would change your bin span to 12 hours and then try and focus the earliest time of your search in the time range picker to start at either 6pm or 6am on a given day. That might trigger the 12 hour buckets to start at 6am/6pm.
... View more
06-17-2016
07:38 AM
You could try creating two searches, then appending them together and charting them on the same chart. There may be easier ways of doing this and I have not fully tested the method below but you would try something like:
some search (date_hour<6 OR date_hour>18) | eval hours="NON-WORKING" | fillnull value=novalue | timechart count span=24h by hours | append [some search (date_hour>6 OR date_hour<18) | eval hours="WORKING" | fillnull value=novalue | timechart count span=24h by hours] | timechart span=24h sum(count) by hours
This way you will have two series on your graph. One for "NON-WORKING and one for "WORKING".
... View more
06-17-2016
07:32 AM
Ah I see. Looks like you got your answer above! Good luck! 🙂
... View more
06-17-2016
06:12 AM
Well, that is only true if "test" and "hello" are not individual tokens.
I.E. If I search as follows:
index=X test hello @ | rex email="test.*hello@.*"
This will NOT return any results IF the data you are looking for is something like
"testworldhello@something.com"
This is because you cannot search for "test" or "hello" on their own if they are just a part of a larger token (testworldhello).
The search above WILL return results if the data looks like:
"test.world-hello@something.com"
The main point I am trying to make is that to create better search efficiency you can provide as many actual tokens as you can, up front. Tokens are separated by things like dots, dashes, slashes, etc.
To see how tokens are identified and separated in Splunk you can research segmenters.conf which shows you how Splunk breaks out tokens in any event.
... View more
06-16-2016
09:30 AM
From quickly scanning through some documentation, it seems that "rex" is actually a "distributed streaming" command which means it can be run on the indexer itself so you don't have to worry about innefficiencies with map-reduce.
However, to better structure your search you can provide all the "known search tokens" to your search and you could do something like this:
index=x test @ | regex email="test@.*"
What this does is it passes the known "search tokens" of "test" and "@" as search tokens to the indexer which allows the indexer to pull out only events with those two tokens anywhere in the event. THEN the "rex" will do the specific pattern match. I dont think doing the rex on it's own will allow the indexer to search for events where ONLY "test" and "@" are present. It will have to search ALL events first.
So the search above reduces inefficiencies because it puts everything that you know you need before the first pipe and then allows the rex to do the pattern matching afterwards.
... View more
06-16-2016
06:09 AM
It turns out that once you are logged onto the CLI using the ec2-user that you can change to the "root" or "splunk" user by doing one of the following:
$ sudo su - splunk
OR
$ sudo su - root
... View more
06-15-2016
06:57 PM
That is the password for the UI - I am also looking for the password for the "splunk" user on the OS itself in the Splunk AMI.
... View more
05-17-2016
07:03 AM
I have a scheduled search that finds results successfully.
However, the search will NOT email the results as part of an alert action when the "to" field is set to a distribution email list. EG:
"security_employees@mycompany.com".
It works just fine when I set the "to" field to an actual user's email address. EG: "john.doe@mycompany.com".
What is even more strange, is that when I run the SAME search in the search app and simply append the "sendemail" command to the end and I set the "to" field to the original distribution list "security_employees@mycompany.com" then it DOES work. Example below:
index=ABC sourcetype=123 "find this event" | stats count by host | sendemail to="security_employees@mycompany.com" subject="Email Alert"
Anybody have any ideas here?
NOTE: We are running 6.3.3 in a Search Head Cluster environment.
... View more
05-06-2016
08:50 AM
I want to be able to email results to recipients where the recipient email address is PART of the result set.
For example, lets assume the following is my result set in Splunk.
Now I want to have Splunk send an automated email for EACH RESULT where the recipient of the email is the value of the "Email_Address" field.
I.E: Email 1 contains results from row 1 ONLY and the recipient of that email is jon.snow@got.com, etc.
I am pretty sure it is not possible in native Splunk but I am curious to know if anyone has come up with a custom solution.
... View more
03-30-2016
09:30 AM
I think there needs some clarification as to whether or not you already know which hours are peak and non-peak, or if you are trying to dynamically identify a peak time from the data that is coming in.
I think from your question, you already know which times are peak and all you are trying to do is direct your transactional search and alert to look at data that pertains to that peak hour only. But I could be wrong.
... View more
03-30-2016
08:58 AM
If your data is running pretty real time and there are no major delays in the data coming in, why don't you just set up an alert to run every day at 10am to search the previous hour's worth of data and then do your transaction on that and then send out an alert if all the rest of the conditions are met? Same thing for non-peak times.
Another way is to search datehour=9. You can get pretty granular with it too and look specifically for when "(datehour=9) OR (datehour=10 AND dateminute<31)" - Now you could see a span of 1 hour and a half.
... View more
03-30-2016
08:47 AM
1 Karma
"Data inputs -> forwarded Inputs - > files and directories" is used when you wish to monitor a LOCAL file/directory on that server and then forward the data from that monitoring to another server (such as an indexer)
In a distributed environment, this feature of the UI is going to provide you little to no value.
On your question as to where to configure the process of monitoring files on forwarders, you should configure "apps" in the deployment server and then deploy these apps to all of your forwarders machines. (Assuming that you have configured your forwarders as clients of the deployment server and to periodically check in with the deployment server to check for new "apps" to download).
There is plenty of documentation on Splunk's website for this.
Here are some helpful links:
About Deployment Server
Deployment Server Architecture
... View more
10-29-2015
02:17 PM
Turns out the problem was the type of group that I was looking at. It was a global group and not a universal group in AD and hence it was not propagating across all of the domains.
Once I changed the group type it worked perfectly.
Thanks for the help!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
