cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
mathewboarman
Explorer
Member since: ‎06-21-2013
‎06-28-2022
Community Statistics
Posts 19
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎06-21-2013
Activity Feed
View All

Re: Field extration based on Event Type

by in Splunk Search
‎06-27-2022 08:03 AM
‎06-27-2022 08:03 AM
Nine years on...    is it possible yet to define field extractions for particular eventtypes  ? Defining them  on a sourcetype basis is too generic... one extraction does not fit all events for a given source type. Example.  -    Linux file  /var/log/secure   contains Username in different places for successful login and for failed login...   so two extractions are required for the same field  "Username"   Is this a reliable way to do it... ?   Will the extractions conflict or will the results just be merged? ... View more

Re: Should my Cisco IPS ips_sdee.log files be rota...

by in Monitoring Splunk
‎09-02-2014 07:36 AM
‎09-02-2014 07:36 AM
Im also struggling with this... Would be good if a) the logs were not collected at all... just imported straight to the index b) the logs were located in the /var/log folder... and managed with normal unix logrotate... anyone know how to do either of those things...? thanks ... View more

Re: Does stats understand the % symbol?

by in Splunk Search
‎07-11-2014 06:19 AM
‎07-11-2014 06:19 AM
... and is it possible to include the host in the label... ie ... as $host_CPU_Util% by time many thanks ... View more

Re: Does stats understand the % symbol?

by in Splunk Search
‎07-11-2014 05:56 AM
‎07-11-2014 05:56 AM
perfect, thank you ... View more

Does stats understand the % symbol?

by in Splunk Search
‎07-11-2014 05:43 AM
‎07-11-2014 05:43 AM
Hi, My events actually report CPU and Mem utilization... 35.45% and 25.56% I extract these over time but I don't get Lines on my chart. I'm wondering if these fields are read as text... so cant be graphed? My search is below CSCOacs_System_Statistics host="bob" | stats list(SysStatsUtilizationMemory) as MemUtil list(SysStatsUtilizationCpu) as CPU_Util by _time I'm wondering if I need to strip out the % from the results... or if I should be using a different tool... timechart or something. thanks ... View more

Re: Cisco IPS Error [errno="" 8]

by in Getting Data In
‎06-30-2014 10:43 AM
‎06-30-2014 10:43 AM
I installed the pySDEE.py file attached earlier, tried it with v1 and v3... I get the same fault with both. ERROR - Exception thrown in sdee.get(): URLError: ERROR - Attempting to re-connect to the sensor: 173.30.4.68 INFO - Checking for exsisting SubscriptionID on host: 173.30.4.68 INFO - SubscriptionID: sub-1-c0a4a321 found for host: 173.30.4.68 INFO - Attempting to connect to sensor: 173.30.4.68 INFO - Successfully connected to: 173.30.4.68 Any ideas welcome... thanks ... View more

Re: If Cisco IPS App is now deprecated, how should...

by in All Apps and Add-ons
‎06-30-2014 06:41 AM
‎06-30-2014 06:41 AM
Have just install Cisco Security Suite but Im no wiser. It seems there is no way to configure IPS event collection via SDEE from within the App... and a Technology Addon is required. (but it doesnt say which one or where to find it...) CiscoIPS app used to be fine but it stopped working since upgrading to Splunk 6.1 (somekind of SSL error) ... View more

If Cisco IPS App is now deprecated, how should SDE...

by in All Apps and Add-ons
‎06-30-2014 05:26 AM
1 Karma
‎06-30-2014 05:26 AM
1 Karma
If Cisco IPS App is now deprecated, how should SDEE events be collected? thanks ... View more

Re: Can I add text on the login page ?

by in Security
‎05-16-2014 09:43 AM
‎05-16-2014 09:43 AM
good to change the text but how do you change the logo? thanks ... View more

Re: Splunk 6.0.1 Login page customization

by in Splunk Search
‎05-16-2014 09:28 AM
‎05-16-2014 09:28 AM
So how do I insert and center my own logo? This was clearly explained for v5, now its broken and now explanation on how to fix it. ... View more

Re: How do I remove Print/Generate PDF buttons?

by in Other Usage
‎10-30-2013 03:47 PM
‎10-30-2013 03:47 PM
Hi... I've just implemented this change... its successful removed the Edit Buttons... However I would actually like to have a title on my charts.. is there a simple way to insert some text so I can have a Title... without using the title bar... ? Also I'd like to add a logo. Many thanks ... View more

Alerts - enrichment

by in Alerting
‎10-30-2013 03:21 PM
1 Karma
‎10-30-2013 03:21 PM
1 Karma
I have a search defined to trigger an alert... eg search all failed logins and count by user_name If the number of failed logins > 5 in time_frame, then trigger alert. This works fine... I get an alert telling me that the Alert_ has triggered.... But this is not much information... The information content of the alert should at least contain the name of the user who failed to login 5 times. In general I'm asking for the ability to pass an extracted field from the search into the Alert forwarded to an up-stream system. Is this possible? Best regards Mathew ... View more

Timeranger picker is great for timerange, is there...

by in Dashboards & Visualizations
‎10-30-2013 03:14 PM
‎10-30-2013 03:14 PM
eg When I run a search over 7 days I get a bar chart with 7 bars (daily granularity) When I run a search over 24 hours I get a bar chart with 48 bars (30 min granularity) If I run a search over 7 days how can I make it give me (24x7) 168 bars? Is there something similar to Timerange picket for Granularity? thanks ... View more

Re: [PDF Report Issue] We want to generate 'PDF F...

by in Reporting
‎09-20-2013 10:18 AM
‎09-20-2013 10:18 AM
I also would like to do this. If a pdf can be generated and emailed, surly it can be generated and dropped on the local disk somewhere. Sounds simple... Does anyone know how to do it? ... View more

Splunk Cisco Firewalls

by in All Apps and Add-ons
‎08-15-2013 02:12 PM
‎08-15-2013 02:12 PM
Just reinstalled Splunk for Cisco Firewalls and restarted... Not seen this error before... Any suggestions? received event for unconfigured/disabled/deleted index='firewall' with source='source::DirectSysLogMessages' host='host::173.30.4.67' sourcetype='sourcetype::syslog' (1 missing total thanks ... View more

Re: How do I remove the Cisco Firewall App?

by in Getting Data In
‎08-14-2013 11:58 AM
‎08-14-2013 11:58 AM
Hi thanks I removed the app as suggested rm -rf Splunk_CiscoFirewalls splunk restart I still have the firewall reports in the Splunk for security app I still get the error " Error in 'SearchParser': Could not find macro 'cisco_firewall' that takes 0 arguments. Expecting stanza name 'cisco_firewall'. " and when I search for the missing macro... I can see lots of reference to it, but no actual macro grep -r cisco_firewall ./* ./etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf:search = cisco_firewall Im not sure if this macro was part of the app I deleted or not? Any ideas? ... View more

Re: How do I remove the Cisco Firewall App?

by in Getting Data In
‎08-14-2013 11:25 AM
‎08-14-2013 11:25 AM
ok, a blut approach, but usualy reliable. Two more questions... 1)With the Cisco ASA app, there are no transform, props or inputs defined in the app directory. Does this suggest they are integrated with the main conf files? If so how can you remove that app... not with the rm -rf command... 2) why does the 'splunk remove app /opt/splunk/etc/apps/Splunk_CiscoFirewalls' not work many thanks Mathew ... View more

How do I remove the Cisco Firewall App?

by in Getting Data In
‎08-14-2013 11:12 AM
‎08-14-2013 11:12 AM
Disabling it does not remove menus from 'Splunk for Cisco Security' The splunk remove app command says app does not exist. [root@hostname apps]# ll total 92 drwx--x--x 8 root root 4096 Jul 15 17:14 amMap drwx------ 2 root root 4096 Aug 6 14:36 default drwxr-xr-x 2 root root 4096 Aug 6 16:15 ****** drwxr-xr-x 6 splunk splunk 4096 Jul 11 13:51 gettingstarted drwxr-xr-x 7 splunk splunk 4096 Jul 15 17:53 launcher drwxr-xr-x 5 splunk splunk 4096 Jul 11 13:53 learned drwxr-xr-x 3 splunk splunk 4096 Jul 11 13:51 legacy drwx--x--x 8 root root 4096 Aug 8 14:52 maps drwx------ 5 root root 4096 Jul 15 17:14 MAXMIND drwxr-xr-x 6 splunk splunk 4096 Jul 11 13:51 sample_app drwxr-xr-x 8 splunk splunk 4096 Jul 11 13:51 search drwx--x--x 9 root root 4096 Aug 6 14:37 sideview_utils drwx--x--x 8 root root 4096 Jul 16 15:30 Splunk_CiscoFirewalls drwx------ 9 root root 4096 Jul 15 17:12 Splunk_CiscoIPS drwx--x--x 7 root root 4096 Aug 14 17:42 Splunk_CiscoSecuritySuite drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 splunk_datapreview drwx------ 7 root root 4096 Jul 15 18:04 splunk_deployment_monitor drwx--x--x 6 root root 4096 Jul 15 17:12 Splunk_for_CiscoASA drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 SplunkForwarder drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 SplunkLightForwarder drwx--x--x 6 root root 4096 Aug 8 14:51 TA-cisco_ios drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 user-prefs drwx------ 9 root root 4096 Jul 15 18:04 windows [root@ams-coms-btnm-04 apps]# splunk remove app /opt/splunk/etc/apps/Splunk_CiscoFirewalls Application does not exist: /opt/splunk/etc/apps/Splunk_CiscoFirewalls [root@hostname apps]# ll Splunk_CiscoFirewalls total 72 drwx--x--x 3 root root 4096 Jul 15 17:13 appserver drwx--x--x 2 root root 4096 Jul 16 15:30 default drwx--x--x 2 root root 4096 Jul 15 17:13 default.old.20130716-153026 -r-------- 1 root root 19031 Jul 16 15:30 license-eula.rtf -r-------- 1 root root 18526 Jul 16 15:30 license-eula.txt drwx--x--x 2 root root 4096 Aug 8 14:46 local drwx--x--x 2 root root 4096 Jul 15 17:13 lookups drwx--x--x 2 root root 4096 Aug 8 14:46 metadata -r-------- 1 root root 5890 Jul 16 15:30 README.txt [root@hostname]# ... View more

Re: Offline Google Maps

by in All Apps and Add-ons
‎06-24-2013 03:33 AM
‎06-24-2013 03:33 AM
I would also like to know the answer. My environment is also isolated from the internet. Can I create some .png files or something like that? Regards Mathew ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-28-2022 04:34 AM
Karma from
View All
Karma given to
View All