Activity Feed
- Got Karma for disk usage from the monitoring console does NOT match the reality. 01-07-2021 12:57 PM
- Karma Re: In a Splunk dashboard, how do you make the cell coloring range different for each row? for niketn. 06-05-2020 12:50 AM
- Karma Re: In a Splunk dashboard, how do you make the cell coloring range different for each row? for niketn. 06-05-2020 12:50 AM
- Got Karma for Re: In a Splunk dashboard, how do you make the cell coloring range different for each row?. 06-05-2020 12:50 AM
- Karma Has anyone Splunked Trello data? for David. 06-05-2020 12:48 AM
- Karma Re: Threat list download failed - palevo_ip_blocklist download failed after multiple retries for MuS. 06-05-2020 12:48 AM
- Karma Re: How to set loading order for panels? for woodcock. 06-05-2020 12:48 AM
- Karma Cisco eStreamer for Splunk: How to troubleshoot error in which eStreamer logs are not displayed in Splunk? for mohammed7860. 06-05-2020 12:48 AM
- Karma How to deal with datamodel retention period as summary range is not working for thambisetty_bal. 06-05-2020 12:48 AM
- Karma Re: How to deal with datamodel retention period as summary range is not working for thambisetty_bal. 06-05-2020 12:48 AM
- Karma Re: Why is geostats not showing data for all expected countries when the search finishes? for marina_rovira. 06-05-2020 12:48 AM
- Karma Re: Why is geostats not showing data for all expected countries when the search finishes? for marina_rovira. 06-05-2020 12:48 AM
- Got Karma for is it possible to create a new threat intelligence source with json format in Enterprise Security ?. 06-05-2020 12:48 AM
- Got Karma for Re: How to refer to JSON array object in a Splunk search?. 06-05-2020 12:48 AM
- Got Karma for Re: How to break events as Every Line. 06-05-2020 12:48 AM
- Got Karma for Re: How to break events as Every Line. 06-05-2020 12:48 AM
- Got Karma for Enterprise Security script exited abnormally status="exited with code 3". 06-05-2020 12:48 AM
- Got Karma for Enterprise Security script exited abnormally status="exited with code 3". 06-05-2020 12:48 AM
- Got Karma for Re: Why is the wrong value being extracted when using this regular expression?. 06-05-2020 12:48 AM
- Got Karma for Re: Why is the wrong value being extracted when using this regular expression?. 06-05-2020 12:48 AM
Topics I've Started
01-04-2020
03:35 AM
Hello
How could I use the add-on "LastPass Report Collection" if my Splunk can only access the internet through a proxy?
I cannot find any fields for the proxy settings in the configuration menu of this add-on.
How could I make this one work without rebuilding the whole add-on?
... View more
- Tags:
- splunk-enterprise
12-11-2018
05:17 AM
hi guys
Does anyone have some experience pulling data from Graphite into Splunk?
My goal is to have all the metrics that are stored in Graphite indexed in Splunk too. So far I have been experimenting with the Graphite API, but it seems I need to be very specific with the paths to the events. The length of those paths also varies, and using wildcards is not enough.
Any hints or ideas? I would like to make this pull once a day or so...
thanks in advance
... View more
11-28-2018
02:39 AM
hi guys
I am using the Splunk add-on builder to collect logs from a 3rd party REST API. I am using the checkpoint attribute so the collection can be incremental every time.
My problem is that the last event of every collection is always the first one of the next collection, so I am indexing one duplicate event with every new data collection I do.
Example:
First data collection:
Event 1 with date: 1-1-2018
Event 2 with date: 2-1-2018
Second data collection (using the date of Event 2 as checkpoint):
Event 2 with date: 2-1-2018
Event 3 with date: 3-1-2018
Event 4 with date: 4-1-2018
Third data collection (using the date of Event 4 as checkpoint)
Event 4 with date: 4-1-2018
Event 5 with date: 5-1-2018
This is probably a bug in the REST API, but I would like to know if there is a way of getting the checkpoint value and formatting it by adding 1 hour, or day, or minute....
Any ideas about how I could get this solved? I don't want to index duplicate events...
... View more
- Tags:
- splunk-enterprise
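Added example (not code from the post, the add-on builder or the third-party API): a small Python model of the inclusive-boundary behaviour described above. The REST API is replaced by a constructed stand-in that returns events dated at or after the checkpoint, the collector drops events at or before the stored checkpoint on the client side, and the checkpoint-bump alternative the post asks about is shown with its caveat; the day-month-year date format and the three-events-per-page size are assumptions.

```python
from datetime import datetime, timedelta

DATE_FMT = "%d-%m-%Y"  # assumption: the post's dates read as day-month-year (1-1-2018 .. 5-1-2018)

# Constructed stand-in for the third-party REST API: like the API in the post,
# it returns every event dated at OR after the checkpoint, so the boundary event
# is handed back again on the next poll. Three events per page is an assumption.
CONSTRUCTED_EVENTS = [{"id": n, "date": f"{n}-1-2018"} for n in range(1, 6)]

def parse(date_str):
    return datetime.strptime(date_str, DATE_FMT)

def fake_api_fetch(checkpoint):
    since = parse(checkpoint) if checkpoint else None
    page = [e for e in CONSTRUCTED_EVENTS if since is None or parse(e["date"]) >= since]
    return page[:3]

def collect_incremental(fetch, checkpoint, strict=True):
    """One collection pass; returns (events_to_index, new_checkpoint).
    strict=True drops events dated at or before the stored checkpoint on the
    client side, which removes the duplicate without touching the API."""
    batch = fetch(checkpoint)
    if strict and checkpoint:
        cp = parse(checkpoint)
        batch = [e for e in batch if parse(e["date"]) > cp]
    if not batch:
        return [], checkpoint
    return batch, batch[-1]["date"]

def run_all(fetch, strict=True):
    """Poll until the API has nothing new; returns the ids that would be indexed."""
    checkpoint, indexed = None, []
    while True:
        batch, new_cp = collect_incremental(fetch, checkpoint, strict)
        if not batch:
            break
        indexed.extend(e["id"] for e in batch)
        if new_cp == checkpoint:  # non-strict mode: the boundary event keeps coming back
            break
        checkpoint = new_cp
    return indexed

def bump_checkpoint(checkpoint, **delta):
    """The alternative asked about in the post: shift the stored checkpoint forward
    (e.g. days=1, hours=1) before querying. Caveat: any other event sharing the
    boundary timestamp is skipped as well, so the strict filter above loses less."""
    dt = parse(checkpoint) + timedelta(**delta)
    return f"{dt.day}-{dt.month}-{dt.year}"
```

Running `run_all(fake_api_fetch, strict=False)` reproduces the duplicated ids from the post, while `strict=True` indexes each event once.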
10-30-2018
08:11 AM
1 Karma
thanks a lot @niketnilay !! I got it working!
... View more
10-30-2018
03:10 AM
@niketnilay is there any way of getting all the fields without hardcoding the names in the JavaScript? Something like return _(['*']).contains(cell.field); for line 12 in the script
... View more
10-30-2018
01:22 AM
it works like a charm! thanks so much @niketnilay
... View more
10-29-2018
07:11 AM
@pramit46 each row should have a different condition for the colours. The default Splunk does not provide this.
... View more
10-29-2018
04:46 AM
hi guys,
I have been trying to color a table in a Splunk dashboard, but I need the color ranges to be different for each row:
Example:
Context Field 1 Field 2 Field 3
A 8 -4 9
B 8 -4 9
C 8 -4 9
For row where column Context is A: color green when the value is > 5 , red if the value < -5
For row where column Context is B: color blue when the value is > 5, yellow if the value < -5
For row where column Context is C: color orange when the value is > 5, pink if the value < -5
So, I tested with JavaScript something that works for a normal HTML page. However, for the Splunk results table, it does not work.
What am I missing?
In Splunk, I built my SimpleXML table, then converted to HTML and inserted my Javascript code.
For an HTML page, this sample I built works:
<html>
<head>
  <title>Sample code</title>
  <script>
    // Colour the numeric cells of each row according to the row's Context value
    function start() {
      var table = document.getElementsByClassName("table")[0];
      var rows = table.getElementsByTagName("tbody")[0].getElementsByTagName("tr");
      for (var j = 0; j < rows.length; j++) {
        var cells = rows[j].getElementsByTagName("td");
        var context = cells[0].innerHTML;
        // start at 1: the Context cell itself is never coloured
        for (var i = 1; i < cells.length; i++) {
          var value = parseInt(cells[i].innerHTML, 10);
          if (context == "A") {
            if (value > 5) { cells[i].style.backgroundColor = "green"; }
            else if (value < -5) { cells[i].style.backgroundColor = "red"; }
          }
          if (context == "B") {
            if (value > 5) { cells[i].style.backgroundColor = "blue"; }
            else if (value < -5) { cells[i].style.backgroundColor = "yellow"; }
          }
          if (context == "C") {
            if (value > 5) { cells[i].style.backgroundColor = "orange"; }
            else if (value < -5) { cells[i].style.backgroundColor = "pink"; }
          }
        }
      }
    }
  </script>
</head>
<body onload="start()">
  <br><br><br><br><br>
  <table id="tableID" class="table" border="2" style="padding: 0.2em 0.5em" align="center">
    <thead>
      <tr>
        <th>Context</th>
        <th>Field 1</th>
        <th>Field 2</th>
        <th>Field 3</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td style="font-size: 50pt">A</td>
        <td style="font-size: 50pt">8</td>
        <td style="font-size: 50pt">-4</td>
        <td style="font-size: 50pt">-9</td>
      </tr>
      <tr>
        <td style="font-size: 50pt">B</td>
        <td style="font-size: 50pt">8</td>
        <td style="font-size: 50pt">-4</td>
        <td style="font-size: 50pt">-9</td>
      </tr>
      <tr>
        <td style="font-size: 50pt">C</td>
        <td style="font-size: 50pt">8</td>
        <td style="font-size: 50pt">-4</td>
        <td style="font-size: 50pt">-9</td>
      </tr>
    </tbody>
  </table>
</body>
</html>
... View more
10-04-2018
02:48 AM
@VatsalJagani thanks for your answer. I don't have a username and password, only a token.
... View more
10-03-2018
07:20 AM
Hey friends
Does anyone have any experience pulling data from Qradar (API) into Splunk? (for example, the siem/offenses)
Any Python script that would do the magic? I tried to use the REST API modular input, but could not make it work.
Any help would be much appreciated. thanks!
... View more
04-16-2018
08:08 AM
Also, I believe the field m is present in all the events. Would you recommend that I extract this field at indexing time then?
... View more
04-16-2018
08:07 AM
thanks for your answer @DalJeanis . I am still trying to understand your explanation.
You say this "when you add m=4, the search engine is going to have to laboriously check any event that has the value 4 in any field" but I am telling Splunk to use m as the field, righto?
... View more
04-16-2018
08:04 AM
No, it's not a matter of how many events come with m=4, as I don't have any events in the last 24h that show that value. Despite having no events with that value I get this odd behaviour.
... View more
04-13-2018
02:07 AM
hey guys
I got an odd behavior today in Splunk.
When I ran: index=A sourcetype=A m=4 OR m=404 OR m=1233 the search was running for 30 minutes (there are lots of events involved),
but if I omit "m=4" the search only takes 2 minutes to run.
I do not understand why this is happening. m is a numerical field and I was not expecting any difference between my two searches... with m=4 and without m=4.
How do you explain this?
... View more
09-21-2017
05:58 AM
Thanks Adam. This makes sense now. However this is only a part of the case we have with Splunk Support. If you have time, feel free to take a look at #540217
... View more
09-20-2017
05:15 AM
I downvoted this post because it is offensive and does not answer the question
... View more
09-20-2017
05:04 AM
It does not. Thanks, but I understand the command well enough.
I only have one stanza that executes that Transforms.
We have been working with Splunk Support for some time but could not find an explanation yet; that's why I brought it to the community. I would appreciate a little bit of respect when you provide an answer. Thanks again.
... View more
09-19-2017
02:39 AM
hi guys
I am experiencing an odd behavior when using btool to troubleshoot some issues.
When I run btool to get the list of props.conf in my instance I get lots of duplicates, and I don't know why this is happening nor if it is normal / expected to be like this. Any ideas or explanations?
Example:
$ splunk btool props --debug list | grep send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
.... .... ... (lots of times)
Here is the content of my props.conf and my transforms.conf
props.conf
[default]
TRANSFORMS = send_to_nullqueue

transforms.conf
[send_to_nullqueue_slb]
DEST_KEY = queue
REGEX = blah\sblah\sblah
FORMAT = nullQueue
... View more
- Labels:
- props.conf
07-12-2017
06:46 AM
hi
We have Splunk connected to Active Directory and we cannot add local users, so we cannot reassign orphaned searches in order to delete them.
Is there a way to delete them without reassigning them?
thanks
... View more
06-26-2017
07:11 AM
hey @Mus , funny story:
when we found out about this we disabled the palevo download and we stopped seeing the error message, but then we upgraded to ES 4.7.1 and got the message back even though we removed all trace of the palevo download...... dodgy dodgy dodgy.....
... View more
06-26-2017
06:52 AM
Hi folks
We upgraded Enterprise Security to 4.7.1 and we are getting the following errors in the UI:
A threat intelligence download has failed. stanza="palevo_ip_blocklist" host="searchhead1" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="phishtank" host="searchhead1" status="threat list download failed after multiple retries"
The palevo list was removed and the phishtank one was disabled. However, we are still getting these annoying messages.
What is going on? I found no trace of the palevo list anywhere in the conf files.....
thanks
... View more
06-20-2017
06:36 AM
I think the CertNanny project is trying to automate some of the processes.
It may be worth having a look there too:
https://github.com/certnanny
... View more
06-09-2017
02:21 AM
hi Okie @jwelch
if you register with Phishtank you can register an app and they give you a key (a long alphanumeric chain) to remove the limit. Is there any way in Splunk of configuring that key for the threatlist download?
... View more
05-22-2017
06:05 AM
@lguinn does this apply to datamodels retention too??
... View more
05-12-2017
06:32 AM
the mount points match on both apps, the disk usage does not
... View more