Activity Feed
- Got Karma for XML Parsing using SPath. 06-05-2020 12:48 AM
- Posted Re: Splunk App for Windows Infrastructure: Why is there no data under Group Policy (GPO) Changes? on All Apps and Add-ons. 01-04-2017 01:54 AM
- Posted Re: How to fix error "Forwarding to indexer group default-autolb-group blocked for 100 seconds"? on Getting Data In. 12-22-2016 02:39 AM
- Posted Re: Route data to separate index based on CIDR on Getting Data In. 12-13-2016 02:00 AM
- Posted Re: Can I configure transforms.conf to route data to different sourcetypes and indexes based on host? on Getting Data In. 12-12-2016 10:27 PM
- Posted Re: How can I override an index name based on sourcetype? on Getting Data In. 12-07-2016 04:26 AM
- Posted Re: How to route to an Index based on SourceType AND Host combination in inputs.conf? on Getting Data In. 12-05-2016 11:00 AM
- Posted How to route to an Index based on SourceType AND Host combination in inputs.conf? on Getting Data In. 12-05-2016 02:52 AM
- Tagged How to route to an Index based on SourceType AND Host combination in inputs.conf? on Getting Data In. 12-05-2016 02:52 AM
- Posted How to filter out the first 2 lines of an event? on Getting Data In. 08-30-2016 08:13 AM
- Tagged How to filter out the first 2 lines of an event? on Getting Data In. 08-30-2016 08:13 AM
- Posted Re: XML Parsing using SPath on Dashboards & Visualizations. 08-25-2016 11:02 PM
- Posted Re: XML Parsing using SPath on Dashboards & Visualizations. 08-25-2016 12:00 AM
- Posted Re: XML Parsing using SPath on Dashboards & Visualizations. 08-24-2016 05:33 AM
01-04-2017 01:54 AM
I am also having a similar problem with the Event Monitoring dashboard. The Log Name drop-down is showing no results.
12-22-2016 02:39 AM
The same problem happened to me because of the instruction to create a "send to indexer" app on the indexer while deploying the Splunk App for Windows Infrastructure.
12-13-2016 02:00 AM
How can I implement the same logic for host? I want to route the events to different indexes based on source and host name. Any suggestion?
12-12-2016 10:27 PM
What could be the value for REGEX if I want to set the index for events coming from Server001?
12-07-2016 04:26 AM
Can I do this based on a specific host name? If yes, how?
12-05-2016 11:00 AM
The primary reason for having a separate index per server is to get rid of unwanted data easily once the server from the lab environment is decommissioned. If I have a common index across hosts, how easy is it to delete unwanted events from the index?
Is having a separate index per server not recommended?
12-05-2016 02:52 AM
I have a setup of Universal Forwarder (UF) - Heavy Forwarder (HF) - Indexer - Search Head (SH), where multiple UFs send data to a single HF, which in turn sends data to a single indexer.
I have the stanza below in the inputs.conf file on my UFs:
[perfmon://CPU Load]
counters = % Processor Time;% User Time
object = Processor
instances = _Total
interval = 30
sourcetype = Perfmon
index = idx_XXX_Perfmon_CPU-Load
where XXX is the server name. Now, in order to have a common app across all UFs to be deployed through the deployment server, I have removed the index from the stanza and want to assign the index based on the Host + SourceType combination on the HF using props.conf and transforms.conf.
Example:
- If an event comes from Server1 with sourcetype Perfmon then set index = idx_Server1_Perfmon_CPU-Load
- If an event comes from Server2 with sourcetype Perfmon then set index = idx_Server2_Perfmon_CPU-Load.
Please help me design the correct stanza for this requirement.
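An added worked example for the routing question above (editor's example, not from the thread and not taken from any answer to it): props.conf and transforms.conf on the heavy forwarder, which is the first full Splunk instance the unparsed UF data reaches and therefore where index routing runs. The host names Server1 and Server2 are the ones from the question. The index names are lowercased because Splunk only accepts numbers, lowercase letters, underscores and hyphens in an index name, so idx_Server1_Perfmon_CPU-Load as written cannot be created on the indexer.

```ini
# props.conf on the heavy forwarder (first parsing tier; the UFs send unparsed data).
# Keyed on the sourcetype the UF inputs.conf stanza assigns ("Perfmon").
[Perfmon]
TRANSFORMS-route_perfmon_by_host = route_perfmon_server1, route_perfmon_server2

# transforms.conf on the same heavy forwarder.
# MetaData:Host carries the host as "host::<name>". The anchored regex keeps
# Server1 from also matching Server10; matching is case-sensitive unless the
# regex is prefixed with (?i).
[route_perfmon_server1]
SOURCE_KEY = MetaData:Host
REGEX = ^host::Server1$
DEST_KEY = _MetaData:Index
FORMAT = idx_server1_perfmon_cpu-load

[route_perfmon_server2]
SOURCE_KEY = MetaData:Host
REGEX = ^host::Server2$
DEST_KEY = _MetaData:Index
FORMAT = idx_server2_perfmon_cpu-load

# A Perfmon event from a host with no matching stanza keeps whatever index the
# UF set (here none, so the indexer's default index), so define a catch-all
# index there rather than relying on the default.
```

Every index named in FORMAT must already exist on the indexer: events routed to an index the indexer does not have are dropped and only a warning is written to splunkd.log, so create the indexes before deploying the routing app. Adding a server means adding a stanza and extending the TRANSFORMS list; with this layout the per-server index can be deleted or frozen as a unit when the lab server is decommissioned, which is the stated goal of the per-server split.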
08-30-2016 08:13 AM
I have a VBScript to get local users from the Admin group. The event data from this script by default adds the 2 lines below to the event.
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
How do I get rid of these unwanted lines?
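An added example for the question above (editor's example, not from the thread). The cleanest fix is at the source: launch the script through cscript //NoLogo (for instance from a .cmd wrapper that the scripted input runs), which suppresses the Windows Script Host banner entirely. If the script invocation cannot be changed, a SEDCMD in props.conf on the first parsing instance (the HF or the indexer) strips the two lines from _raw before the event is indexed. The sourcetype name wsh_local_admins is an assumption; use whatever the script:// stanza in inputs.conf sets.

```ini
# props.conf on the first parsing instance for the scripted input's sourcetype
# (stanza name assumed). One SEDCMD removes both banner lines in a single pass;
# ^ is anchored to the start of _raw, so only a banner at the very top of the
# event is touched and a script result that happens to mention Microsoft is not.
[wsh_local_admins]
SEDCMD-strip_wsh_banner = s/^Microsoft \(R\) Windows Script Host Version [^\r\n]*\r?\nCopyright \(C\) Microsoft Corporation\. All rights reserved\.\r?\n//
```

Because SEDCMD runs in the parsing pipeline, the banner never reaches the index and the first line of the stored event is the first line of real script output. Verify after a restart with a search on the sourcetype and confirm the first line of _raw is the user list, not the banner.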
08-25-2016 11:02 PM
Thanks for your comments on this and for showing readiness to help by providing a search string etc.
However, I am already using the Splunk TA Windows app to get Windows security event data using the stanza below in the inputs.conf file:
# Monitors Windows Security Events
[WinEventLog://Security]
current_only = 1
renderXml = 1
suppress_text = 0
checkpointInterval = 30
evt_resolve_ad_obj = 1
evt_dc_name = ap.com, na.com, eu.com,
whitelist = 4732,4733
index = myIndex
disabled = 0
But the problem is that on one of my Splunk servers, version 6.2, when I search index=myIndex it automatically extracts all the fields including XML attribute names etc., whereas on another Splunk server, version 6.4.3, it does not extract all fields automatically.
I have also set KV_MODE = xml on my Splunk indexer but still it's not working. Maybe something is missing, so Splunk 6.4.3 is not automatically extracting XML fields at search time or during indexing.
08-25-2016 12:00 AM
I tried the search below:
index=myindex
| spath output=name path=Event.EventData.Data{@Name}
| mvexpand name
| table name
| appendcols
    [ | search index=myindex
      | spath output=data path=Event.EventData.Data
      | mvexpand data
      | table data ]
| search name=MemberSid OR name=TargetDomainName
but I am getting only name and nothing for the field data.
08-24-2016 05:33 AM
How can I specify my index here, as it says makeresults has to be the first command?
08-24-2016 04:53 AM
In my case I tried the above with Index=myindex | rex mode=sed "s/()([^<]+)(<\/Data>)/<\2>\4<\2>/g"
This did not give me any result.
Basically I want to extract value1 and value2 as per your example above as separate fields.
08-23-2016 08:14 AM
1 Karma
My Windows security event looks like below
I want to get the value of the Data element based on a specific Name attribute. I can get this by specifying the index as below:
| spath output=test path="Event.EventData.Data{2}"
| spath output=test path="Event.EventData.Data{3}"
But instead of index 2 or 3, I want to use a name such as MemberSid or TargetDomainName. Can anyone help me define the path for this?
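An added example for the two posts above about reading a Data value by its Name attribute rather than by position (editor's example, not from the thread or from any of its answers). The rex rewrites each <Data Name='X'>value</Data> element in _raw into <X>value</X>, after which spath can address the elements by name in any version that has spath, with or without KV_MODE. Event 4732 (member added to a security-enabled local group) is used because the inputs.conf stanza posted earlier whitelists 4732 and 4733; the index name myIndex is the one from the thread, and the field names are the ones the Windows 4732 event schema uses. The regex assumes the single-quoted attributes that renderXml=1 produces.

```spl
index=myIndex 4732
| spath path=Event.System.EventID output=EventCode
| search EventCode=4732
| rex mode=sed "s/<Data Name='([^']+)'>([^<]*)<\/Data>/<\1>\2<\/\1>/g"
| spath path=Event.EventData.TargetUserName output=GroupName
| spath path=Event.EventData.TargetDomainName output=TargetDomainName
| spath path=Event.EventData.MemberSid output=MemberSid
| spath path=Event.EventData.SubjectUserName output=AddedBy
| table _time host EventCode GroupName TargetDomainName MemberSid AddedBy
```

The keyword 4732 in the base search keeps the scan to events that contain that term, and the explicit EventID check then removes events that merely mention 4732 somewhere in their text. The rewrite is applied to the search-time copy of _raw only; nothing indexed changes. If you would rather not rewrite _raw, the positional alternative is two spath calls, one on Event.EventData.Data{@Name} and one on Event.EventData.Data, joined with mvindex(values, mvfind(names, "^MemberSid$")); before trusting that, compare mvcount() of the two lists per event, because an empty Data element that drops out of the value list shifts every later position by one.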
05-31-2016 01:13 AM
I want to call a SQL stored procedure at periodic intervals and index the data returned by the SP in Splunk. I have the DB Connect 2 app installed. How can this be done?
05-25-2016 02:12 AM
I have a stored procedure on my SQL Server and want to call the SP at regular intervals and index the result set it returns. How can this be done using the Splunk DB Connect 2 app?
04-17-2016 11:18 PM
This worked for me. Thanks for your help.
04-14-2016 10:18 PM
Thanks for your reply. However, in my case I want to use dbinspect and use its output for a subsearch. dbinspect has to be the first statement in the search, which I cannot use as a subsearch. A sample search for my scenario would be of great help.
04-14-2016 05:33 AM
I use the search below to calculate the compression rate of my index:
| dbinspect index=myIndexName
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal
| eval compression=round(diskTotalinMB / rawTotalinMB * 100, 2)
| table compression
Then I want to further use the compression value in the search below in place of the constant value .4:
index=_internal source=*metrics.log group=per_index_thruput series=myIndexName | eval MB = round(kb/1024,2) * .4 | reverse | accum MB as totalvalue | timechart last(totalvalue) span=1d
I tried a subsearch and join, but with no success. Can anyone suggest a solution or a hint?
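An added example for the compression question above (editor's example, not from the thread). A subsearch may begin with a generating command as long as it starts with a pipe, so dbinspect can run inside appendcols; appendcols attaches its single result row to the first row of the main search, and eventstats then copies that value onto every row before the running total is built. The index name and the metrics.log search are the ones from the post. The ratio is kept as a fraction (disk MB divided by raw MB) rather than the percentage the first search computes, because the second search multiplies by a fraction.

```spl
index=_internal source=*metrics.log group=per_index_thruput series=myIndexName
| eval MB=round(kb/1024, 2)
| appendcols
    [ | dbinspect index=myIndexName
      | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
      | eval ratio=diskTotalinMB / (rawTotal / 1024 / 1024)
      | table ratio ]
| eventstats max(ratio) AS ratio
| eval MB=MB * ratio
| reverse
| accum MB AS totalvalue
| timechart last(totalvalue) span=1d
```

The ratio dbinspect reports is the current whole-index figure, so applying it to every day of throughput is an estimate; if the retention or the data mix changed during the period, the daily totals will drift from the true on-disk growth. A quick sanity check is to run the dbinspect subsearch alone and confirm that ratio lands near the 0.4 previously hard-coded before trusting the chart.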