Topics I've Started
11-17-2010 07:06 AM
@cfrantsen - I think maverick is saying you can utilize Splunk's alerting feature, only instead of specifying to send an email alert when the search runs and finds the duplicates, you will choose the last option in the scheduled saved search popup window and tell Splunk to simply add the dedup'd search results into a secondary index that you create on the indexes management page exactly for this purpose.
10-02-2010 09:32 PM
1 Karma
I believe you can do what you are wanting by overriding Metadata:Sourcetype in your transforms.conf file based on the regular expression (i.e. REGEX=foo) pattern match and then mapping it to the syslog sourcetype in your props.conf file.
However, I believe a better practice, depending on your particular reason for wanting to override the sourcetype, would be to leave it as the syslog sourcetype and then create an eventtype for each of your 40+ "situations". That way you have the flexibility to add, delete, and/or change the eventtype definitions as you need to, without having to re-index the syslog events.
(See this page regarding eventtypes and how to set them up:)
http://www.splunk.com/base/Documentation/latest/Knowledge/Configureeventtypes
You can also create host tags to group your hosts together for easier logical searching across common host groups, which, when combined with eventtypes, makes for a very powerful combination to leverage at search time rather than at forwarding/indexing time.
(See this page regarding tagging your hosts:)
http://www.splunk.com/base/Documentation/latest/Knowledge/Tagthehostfield
10-02-2010 04:16 PM
2 Karma
I have log files from a custom app we wrote that are entirely in hex.
To Splunk them, I understand I might be able to create a custom command that converts hex to ASCII, pipe to it at search time, and then pipe again to "search some ASCII terms".
Could I also, though, create a custom hex-to-ASCII module or component and insert it into pipeline.xml after the input step and before the indexing step? I believe that approach was supported in Splunk v2.x, or maybe it was v3.x.
Also, does that component need to be written in C/C++, or can it be a script instead?