Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About neelamsantosh
neelamsantosh
Path Finder
Member since:
09-08-2015
09-30-2025
Community Statistics
| Posts | 35 |
| Solutions | 0 |
| Karma Given | 50 |
| Karma Received | 3 |
| Member Since | 09-08-2015 |
Activity Feed
- Posted Re: Easiest way to exclude ingestion of events for a specific IP address from a SourceType on Splunk Search. 12-20-2020 09:13 PM
- Posted Re: How to Exclude private IP range from transforms on Splunk Search. 12-20-2020 08:48 PM
- Posted How to Exclude private IP range from transforms on Splunk Search. 12-20-2020 12:56 AM
- Tagged How to Exclude private IP range from transforms on Splunk Search. 12-20-2020 12:56 AM
- Tagged How to Exclude private IP range from transforms on Splunk Search. 12-20-2020 12:56 AM
- Karma Re: Splunkweb Certificate issue for vishaltaneja070. 06-05-2020 12:50 AM
- Karma Re: Can you help me with the following mongod kvstore error? for vishaltaneja070. 06-05-2020 12:50 AM
- Karma Re: file integrity check for woodcock. 06-05-2020 12:49 AM
- Karma Re: How to retrieve search name by search id for efavreau. 06-05-2020 12:49 AM
- Karma Re: ERROR: kvstore port [8191] - port is already bound. Splunk needs to use this port. for Hemnaath. 06-05-2020 12:49 AM
- Karma Another "DateParserVerbose - Failed to parse timestamp" warning for _smp_. 06-05-2020 12:48 AM
- Karma Re: Another "DateParserVerbose - Failed to parse timestamp" warning for petercow. 06-05-2020 12:48 AM
- Karma Splunk Enterprise Security: How to troubleshoot why the threat_activity index is no longer populating with data? for niemesrw. 06-05-2020 12:48 AM
- Karma Re: Why are we seeing search peer error "A script exited abnormally" on our deployment server and how do we stop it? for muebel. 06-05-2020 12:48 AM
- Karma Re: If a value is not in a lookup table, can I return that value as the OUTPUT field? for sundareshr. 06-05-2020 12:48 AM
- Karma Web Page Input Splunk for Json feeds from Hybrid-Analysis.com for dmenon84. 06-05-2020 12:48 AM
- Karma Re: Questions on Splunk and Syslog-ng Server for mcronkrite. 06-05-2020 12:48 AM
- Karma Re: I am trying to remove all the special characters in the field and replace them with space character using sed mode in rex command. for javiergn. 06-05-2020 12:48 AM
- Karma Splunk Add-on for Check Point OPSEC LEA: Why does "Manage Connections" never load and I get no data? for whoa. 06-05-2020 12:48 AM
- Karma Re: How to remove DateParserVerbose component Error messages? for mattymo. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-20-2020
09:13 PM
are u able to exclude the IP range.
... View more
12-20-2020
08:48 PM
its excluding all traffic/dst IP's besides 10 its also considering 101 too in th eprivate ip address range
... View more
12-20-2020
12:56 AM
I want to exclude the (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16") IP ranges. my configurations: props.conf: TRANSFORMS-null = internal_Logs10, internal_Logs172, internal_Logs192 Transforms.conf: [internal_Logs10] REGEX = dst\=10\.0\.0\.0\/8 DEST_KEY = queue FORMAT = nullQueue [internal_Logs172] REGEX = dst\=172\.16\.0\.0\/12 DEST_KEY = queue FORMAT = nullQueue [internal_Logs192] REGEX = dst=192\.168\.0\.0\/16 #REGEX = dst=192\.168\.5.* DEST_KEY = queue FORMAT = nullQueue it works perfectly for 192.168.5.* but not for subnet range. kindly share or assist with configuration around the same.
... View more
- Tags:
- nullqueue
- transforms
Labels
- Labels:
-
regex
12-29-2019
12:22 AM
I could able to resolve the issue by replacing from backup-auth folder.
Hope u too have taken backup.
remove the auth folder which is generated after installation and replace from my backup folder.
start the splunk .
commands:
sudo su splunk
rm -rf /opt/splunk/etc/auth
mv //opt/splunk/etc/auth/ /opt/splunk/etc/
sudo chown -R splunk.splunk /opt/splunk
/opt/splunk/bin/splunk start --accept-license --answer-yes
... View more
11-10-2019
09:02 PM
Thats not the solution/answer.
Don't mark this Accepted answer without proper solution (decommission that server).
... View more
10-17-2019
03:26 AM
As I have already placed the Fortigate AddOn on SH and u must be parsing the logs as expected.
Make sure the data models , event types and tags are in place.
Validate them first as ES mostly relies on them.
... View more
09-25-2018
06:56 AM
Forwarders have outputs.conf configured to send the data to indexers.
Indexers have indexes.conf and best to confirm is see the size of db files.
from UI:
goto setting--> Data(indexes) and if there are good size in "Current_data" it means its an indexer.
from CLI:
du -h /| grep '[0-9.]+G'
if u find the index are having high disk space usage u can guess its an indexer.
... View more
09-25-2018
06:48 AM
Search
index= tanium |join MAC_Address [| inputlookup nessus_assets.csv|rename "MAC Address" as MAC_Address]|table MAC_Address ..
... View more
09-25-2018
06:44 AM
Couple of stuff to make suref:
1. both Search head and Indexer are on same version
2. Bundles are the one which are used everytime you hit the search/submit.
reduce ur bundle size by avoiding unnecessary files/lookups.
3. Disk space, clean the old saved searches which are in pipeline from dispatch.
restart the splunk services.
... View more
05-15-2018
08:47 PM
check the props and make sure Field alias is happening only after the Fields extraction
cmd:
/opt/splunk/bin/splunk cmd btool props list --debug|grep
... View more
04-26-2018
01:03 AM
Mate, Settings has to be amended on Heavy Forwarder not on Indexer.
... View more
04-26-2018
12:58 AM
Obviously, as the results has 2counts.
which value do u want to show.
If you want single values , at the end of ur search "|table "
then the pie chart will show only desired field.
... View more
04-26-2018
12:56 AM
Select the "art brush" on the table cell header --> select color--> values--> define rules and provide "Cell value is" add the rule. ][1]
... View more
04-26-2018
12:45 AM
on the dasbord/panel
on top u have magnifier/search |table|art brush kind of symbols
choose the table icon and "Select visualization-> select the Pie chart".
Ref: https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/PieChart
happy splunking
... View more
04-26-2018
12:39 AM
Use hostname+domain_name or else use the IP to get the ping results.
How to get the host_domain name: see in DHCP logs under dns_hostname filed
or else get the IP from either of the sourcetypes and search using |ping $host$.group.local
... View more
09-28-2017
01:44 AM
Mate have u integrated the feeds into splunk.
I have the same requirement as yours.
... View more
04-26-2017
02:31 AM
Go to
Setting--> data models
select the respective accelerated datamodel and under the dropdown u will find the Acceleration with (Rebuild)
... View more
04-26-2017
01:22 AM
reload the datamodel.
... View more
04-26-2017
01:20 AM
Curently our proxy logs with user having special characters inbetween.
ref: DC=local/bob\, tom
I have created a props.conf with
SEDCMD-alter_user= s/\\,//g
with which i am able to get the desired value but its too generic.
ref: DC=local/bob tom
Kindly assist me with the SEDCMD
SEDCMD-alter_user= s/"local/"\\,//g
... View more
- Tags:
- splunk-enterprise
04-19-2017
02:54 AM
how to use this during parsing time or props.conf
... View more
04-18-2017
12:10 AM
I believe this is known issue SOLNESS-10915. Enterprise Security 4.1 is
not compatible with version 6.5.x of Splunk. It is recommended to upgrade
your Enterprise Security as the workaround for this issue.
http://docs.splunk.com/Documentation/ES/4.1.1/RN/KnownIssues
... View more
04-13-2017
07:38 AM
Our incident Review board has different view and not functioning as expected due to which we are unable to filter from the dropdown list
Chrome: up to date (Version 57.0.2987.133 (64-bit))
Splunk Enterprise : 6.5.2
Splunk ES: 4.1
... View more
01-24-2017
10:40 AM
If u r spanning Per day wise use min(_time) for first time ad authentication and max(_time) for recent/last time authenticated time.
... View more
11-26-2016
11:27 PM
1 Karma
Check the host level firewall. as often we avoid it in our troubleshooting.
enable/permit the port in firewall using:
sudo firewall-cmd --zone=public --add-port=8089/tcp --permanent
and reload the config list:
firewall-cmd --list-all
Now configure the search peers.
... View more
08-03-2016
11:52 PM
Mostly spam comes from eMails in my case we are using,
index=mail [search index=* attach*|fields message_id ] | rex field=_raw "(?im)ATTACH|(?P.+)" | rex field=_raw "(?im)ATTACHFILTER|(?P.+)" |rex "(?im)IRCPTACTION|(?P.+)"|rex "(?im)SENDER|(?P.+)"| rex "(?im)IRCPTACTION|(?P\w+@\w+.\w+)|(?P\w+)" | stats count values(suspicious_file) as suspicious_file values(malicious_sender) as malicious_sender values(recipient_user) as recipient values(_raw) values(action) as action by message_id _time | sort - count| search action=deliver|table message_id _time malicious_sender suspicious_file recipient
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-30-2025
12:14 PM
|
