Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About w344423
w344423
Explorer
Member since:
09-03-2018
12-04-2023
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 09-03-2018 |
Activity Feed
- Posted Importing logs from Parquet into Splunk on Getting Data In. 11-09-2023 05:46 PM
- Posted Re: Calculating next row with current row on Splunk Search. 03-12-2023 08:12 PM
- Karma Re: Calculating next row with current row for ITWhisperer. 03-12-2023 08:12 PM
- Got Karma for Calculating next row based on the first value generated in the new column called 12days?. 03-09-2023 03:25 AM
- Posted Calculating next row based on the first value generated in the new column called 12days? on Splunk Search. 03-09-2023 12:59 AM
- Posted Re: Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 11:49 PM
- Tagged Re: Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 11:49 PM
- Karma Re: Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation for bowesmana. 03-07-2023 11:48 PM
- Tagged Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 08:59 PM
- Tagged Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 08:59 PM
- Tagged Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 08:59 PM
- Tagged Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 08:59 PM
- Posted Looping through the avg_distance series with a lookback of 20 periods to find the Mean Absolute Deviation on Splunk Search. 03-07-2023 08:46 PM
- Posted is it possible to get splunk to insert same event betweent he start and end time of the first record? on Security. 12-20-2018 10:52 PM
- Tagged is it possible to get splunk to insert same event betweent he start and end time of the first record? on Security. 12-20-2018 10:52 PM
- Posted Re: How do you go forward and backwards through the following records? on Splunk Search. 12-20-2018 09:42 PM
- Posted How do you go forward and backwards through the following records? on Splunk Search. 12-18-2018 12:23 AM
- Tagged How do you go forward and backwards through the following records? on Splunk Search. 12-18-2018 12:23 AM
- Posted Re: Unable to pass the value from CSV into kvlookup and return results on Getting Data In. 09-19-2018 05:31 PM
- Posted Re: Unable to pass the value from CSV into kvlookup and return results on Getting Data In. 09-18-2018 06:46 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-09-2023
05:46 PM
Hi Guys, I am performing a POC to import our parquet files into splunk, i have manage to write a python script to extract out the events aka raw logs to a df. I also did a python script to pump the logs via the syslog protocol to HF than to indexer. I am using the syslog method because i got many log type and i can do this by using the [udp://portnumber] to ingest multiple types of logs at once and to a different sourcetype however when i do this I am not able to retain the original datatime on the raw event but it is taking the datetime on the point i was sending the event. secondly i am using python because all these parquet files are storing in a s3 container hence it will be easier for me to loop thru the directory and extract the file. I was hoping if anyone can help me out how can i get the original timestamp of the logs? Or there are other more effective way of doing this? sample logs from splunk after index, - Nov 10 09:45:50 127.0.0.1 <190>2023-09-01T16:59:12Z server1 server2 %NGIPS-6-430002: DeviceUUID: xxx-xxx-xxx heres my code to push the event via syslog. import logging
import logging.handlers
import socket
from IPython.display import clear_output
#Create you logger. Please note that this logger is different from ArcSight logger.
#my_loggerudp = logging.getLogger('MyLoggerUDP')
#my_loggertcp = logging.getLogger('MyLoggerTCP')
#We will pass the message as INFO
my_loggerudp.setLevel(logging.INFO)
#Define SyslogHandler
#TCP
#handlertcp = logging.handlers.SysLogHandler(address = ('localhost',1026), socktype=socket.SOCK_STREAM)
#UDP
handlerudp = logging.handlers.SysLogHandler(address = ('localhost',1025), socktype=socket.SOCK_DGRAM)
#X.X.X.X =IP Address of the Syslog Collector(Connector Appliance,Loggers etc.)
#514 = Syslog port , You need to specify the port which you have defined ,by default it is 514 for Syslog)
my_loggerudp.addHandler(handlerudp)
#my_loggertcp.addHandler(handlertcp)
#Example: We will pass values from a List
event = df["event"]
count = len(event)
#for x in range(2):
for x in event:
clear_output (wait=True)
my_loggerudp.info(x)
my_loggerudp.handlers[0].flush()
count -= 1
print(f"logs left to be transmit {count}")
print (x)
... View more
Labels
- Labels:
-
heavy forwarder
-
indexer
-
sourcetype
-
syslog
-
time
03-12-2023
08:12 PM
thank you @ITWhisperer for this artful way of doing it and i learn another new way to do such calculation via a temp column. noted on your suggestion on the 2 decimal place and thanks for highlighting that. I would consider my solution that i am coding in splunk will be performing batch processing which would be a snapshot of the time in every 5 min.
... View more
03-09-2023
12:59 AM
1 Karma
I got to calculate the rest of the row based on the first value generated in the new column called 12days.
Attempted solution which i can think of is using streamstats with foreach but i got an error that i cannot use a non streaming command and here is my attempted spl, and would like to ask the guru here for some help how can i do this differently.
| foreach 12day [ | streamstats window=1 current=f last(12day) AS temp | eval 12day = round((switch*(0.5)+(temp*(0.025)),2) ]
Example of the calculation done in excel,
1. row 12 is avg of row 1-12
=AVERAGE(a1:a2)
2. from row 13 it will take current value from switch and add to the previous value of 12
3. objective is to generate the subsequence 12day from previous value
=ROUND((a13*(0.5))+(b12*(0.025)),2)
col : a
col : b
count
switch
12day
1
1
2
2
3
1
4
2
5
1
6
2
7
0
8
1
9
2
10
1
11
0
12
0
1.083333333
13
1
0.53
14
2
1.01
15
1
0.53
16
0
0.01
17
0
0
18
0
0
19
1
0.5
20
2
1.01
21
0
0.03
22
0
0
23
1
0.5
24
2
1.01
25
1
0.53
... View more
03-07-2023
11:49 PM
OMG now i learn something new using mvmap command. thank you so much.
... View more
- Tags:
- OMG
03-07-2023
08:46 PM
Hi all Ninja's i need some help here to find this calculation which can be done easily in excel but i wanted to convert to SPL. I have tried to use streamstats but and autoregress but unable to figure out how to do it. Problem statement: How do I convert the calculation for mean deviation. below formula is applied in col : j explanation of the formula, calculation starts at count of 20, it takes the value of col : i and subtract col : h once it done with its own row take the same i value and subtract from "count - 1" after it finishes 20 period. hopefully someone could really help as this part of calculation has me stuck for a few days which i unable to submit this to my boss for system migration to splunk. =(ABS(I22-H22)+ABS(I22-H21)+ABS(I22-H20)+ABS(I22-H19)+ABS(I22-H18)+ABS(I22-H17)+ABS(I22-H16)+ABS(I22-H15)+ABS(I22-H14)+ABS(I22-H13)+ABS(I22-H12)+ABS(I22-H11)+ABS(I22-H10)+ABS(I22-H9)+ABS(I22-H8)+ABS(I22-H7)+ABS(I22-H6)+ABS(I22-H5)+ABS(I22-H4)+ABS(I22-H3))/20 col : h col : i col : j count date stop top bottom avg_distance moving_avg_20_period Mean Deviation 1 2022-08-01 2.29 2.31 2.265 2.2883 2 2022-08-02 2.31 2.37 2.28 2.32 3 2022-08-03 2.27 2.36 2.24 2.29 4 2022-08-04 2.35 2.36 2.26 2.3233 5 2022-08-05 2.44 2.57 2.34 2.45 6 2022-08-08 2.49 2.51 2.41 2.47 7 2022-08-09 2.41 2.52 2.35 2.4267 8 2022-08-10 2.51 2.59 2.38 2.4933 9 2022-08-11 2.49 2.5176 2.43 2.4792 10 2022-08-12 2.38 2.5 2.26 2.38 11 2022-08-15 2.35 2.41 2.32 2.36 12 2022-08-16 2.39 2.41 2.31 2.37 13 2022-08-17 2.31 2.38 2.3 2.33 14 2022-08-18 2.28 2.32 2.23 2.2767 15 2022-08-19 2.11 2.32 2.055 2.1617 16 2022-08-22 2.08 2.19 2.07 2.1133 17 2022-08-23 2.02 2.105 1.92 2.015 18 2022-08-24 2.01 2.06 1.94 2.0033 19 2022-08-25 2.01 2.07 1.87 1.9833 20 2022-08-26 2.02 2.06 1.93 2.0033 2.2769 0.13814 21 2022-08-29 2.02 2.04 1.96 2.0067 2.2628 0.15529 22 2022-08-30 2.205 2.22 2 2.1417 2.2539 0.160265 23 2022-08-31 2.09 2.25 2.07 2.1367 2.2462 0.16509 24 2022-09-01 1.92 2.16 1.92 2 2.23 0.173545 25 2022-09-02 1.86 1.99 1.83 1.8933 2.2022 0.1766 26 2022-09-06 1.8 1.86 1.73 1.7967 2.1685 0.176745 27 2022-09-07 1.84 1.85 1.75 1.8133 2.1379 0.175175 28 2022-09-08 1.7 1.85 1.665 1.7383 2.1001 0.174805 29 2022-09-09 1.75 1.76 1.63 1.7133 2.0618 0.17136
... View more
12-20-2018
10:52 PM
Sample Data,
datetime starttime endtime id desc
1 2018-08-16 10:49:49 2018-08-16 10:49:49 2018-08-16 10:54:13 STAFF-1006 Valid Card Entry
2 2018-08-16 10:54:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
3 2018-08-16 11:20:06 2018-08-16 11:20:06 2018-08-16 11:24:05 STAFF-1006 Valid Card Entry
4 2018-08-16 11:24:05 2018-08-16 11:24:05 2018-08-23 10:16:53 STAFF-1006 Valid Card Exit
5 2018-08-23 10:16:53 2018-08-23 10:16:53 2018-08-23 10:40:40 STAFF-1006 Valid Card Entry
6 2018-08-23 10:40:40 2018-08-23 10:40:40 2018-08-27 12:58:54 STAFF-1006 Valid Card Exit
7 2018-08-27 12:58:54 2018-08-27 12:58:54 2018-08-27 13:12:31 STAFF-1006 Valid Card Entry
8 2018-08-27 13:12:31 2018-08-27 13:12:31 2018-08-30 16:11:05 STAFF-1006 Valid Card Exit
9 2018-08-30 16:11:05 2018-08-30 16:11:05 2018-08-30 16:14:47 STAFF-1006 Valid Card Entry
10 2018-08-30 16:14:47 2018-08-30 16:14:47 2018-09-05 15:16:00 STAFF-1006 Valid Card Exit
i would like to duplicate every event across multiple rows base on start and end time and each event will add 1 min to the current records starttime and once it hits the endtime it will go to the next records and perform the same job.
example
2018-08-16 10:49:49 2018-08-16 10:49:49 2018-08-16 10:54:13 STAFF-1006 Valid Card Entry
2018-08-16 10:50:49 2018-08-16 10:49:49 2018-08-16 10:54:13 STAFF-1006 Valid Card Entry
2018-08-16 10:51:49 2018-08-16 10:49:49 2018-08-16 10:54:13 STAFF-1006 Valid Card Entry
2018-08-16 10:52:49 2018-08-16 10:49:49 2018-08-16 10:54:13 STAFF-1006 Valid Card Entry
2018-08-16 10:53:49 2018-08-16 10:49:49 2018-08-16 10:54:13 STAFF-1006 Valid Card Entry
2018-08-16 10:55:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 10:56:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 10:57:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 10:58:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 10:59:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 11:00:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 11:01:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
2018-08-16 11:02:13 2018-08-16 10:54:13 2018-08-16 11:20:06 STAFF-1006 Valid Card Exit
... ... ...
... View more
- Tags:
- splunk-enterprise
12-20-2018
09:42 PM
I found another way to do it but not sure if this is the norm but this works for me.
| streamstats current=f window=1 last(datetime) as prevtime last(id) as previd last(code) as prevcode
| reverse
| streamstats current=f window=1 last(datetime) as nexttime last(id) as nextid last(code) as nextcode
| reverse
... View more
12-18-2018
12:23 AM
Hi all,
I need some help here. I have a sample records of 30 lines, and now would need to eval the endtime. However, I still need the event for door open and close.
i f (current desc = "Valid Card Entry" AND next row of desc = "Valid Card Exit") AND (current id = next ID) then endtime for current row with desc = "Valid Card Entry" will have the datetime for next desc = "Valid Card Exit" datetime
datetime id desc location starttime
2018-11-13 18:46:42 STAFF-1001 Valid Card Entry cca 2018-11-13 18:46:42
2018-11-13 18:46:43 STAFF-1001 Door is opened cca na
2018-11-13 18:46:47 STAFF-1001 Door is closed cca na
2018-11-13 18:46:49 STAFF-1001 Valid Card Exit cca 2018-11-13 18:46:49
2018-11-13 18:46:50 STAFF-1001 Door is opened cca na
2018-11-13 18:46:55 STAFF-1001 Door is left open cca na
2018-11-13 18:46:56 STAFF-1001 Door is closed cca na
2018-11-13 18:47:22 STAFF-1001 Valid Card Entry cca 2018-11-13 18:47:22
2018-11-13 18:47:23 STAFF-1001 Door is opened cca na
2018-11-13 18:47:24 STAFF-1001 Door is closed cca na
2018-11-13 18:47:28 STAFF-1001 Antipassback Lockout (Entry) cca na
2018-11-01 11:11:14 STAFF-1006 Valid Card Entry cca 2018-11-01 11:11:14
2018-11-01 11:11:15 STAFF-1006 Door is opened cca na
2018-11-01 11:11:19 STAFF-1006 Door is closed cca na
2018-11-01 11:12:25 STAFF-1006 Valid Card Exit cca 2018-11-01 11:12:25
2018-11-01 11:12:27 STAFF-1006 Door is opened cca na
2018-11-01 11:12:31 STAFF-1006 Door is closed cca na
2018-11-12 10:08:17 STAFF-1006 Valid Card Entry cca 2018-11-12 10:08:17
2018-11-12 10:08:17 STAFF-1006 Door is opened cca na
2018-11-12 10:08:33 STAFF-1006 Door is left open cca na
2018-11-12 10:08:33 STAFF-1006 Door is closed cca na
2018-11-12 10:18:45 STAFF-1006 Valid Card Exit cca 2018-11-12 10:18:45
2018-11-12 10:18:45 STAFF-1006 Door is opened cca na
2018-11-26 13:53:57 STAFF-1006 Valid Card Entry cca 2018-11-26 13:53:57
2018-11-26 13:53:57 STAFF-1006 Door is opened cca na
2018-11-26 13:54:03 STAFF-1006 Door is left open cca na
2018-11-26 13:54:07 STAFF-1006 Door is closed cca na
2018-11-26 14:46:11 STAFF-1006 Valid Card Exit cca 2018-11-26 14:46:11
2018-11-26 14:46:13 STAFF-1006 Door is opened cca na
2018-11-26 14:46:19 STAFF-1006 Door is left open cca na
... View more
- Tags:
- splunk-enterprise
09-19-2018
05:31 PM
Thank you for this useful info. Awaiting for their approval now.
... View more
09-18-2018
06:46 PM
Wondering if any kind soul here able to provide a solution or there are no solution to this. Been trying this for a while but nothing seems to work,
... View more
09-16-2018
11:27 PM
Hi All, i need help and would understand can Splunk forward a value from CSV and compare the value in a lookup and return the col of that KV back into the main search. As I am having difficulties doing that with my expected search query, it always return nothing in the ProviderName, Country, CountryCode, IPEnd, IPStart fields
And this is the expected search query and with this search should produce the below results,
| inputlookup VPNNewVersion.csv
| fields user Internet_IP InternetIPToIntg
| appendcols
[| inputlookup GeoIPCountry
| where IPtoIntEnd>=InternetIPToIntg AND IPtoIntStart<=InternetIPToIntg
| table IPtoIntStart IPtoIntEnd Country CountryCode IPEnd IPStart]
| appendcols
[| inputlookup GeoIPASNum
| where IPtoIntEnd>=InternetIPToIntg AND IPtoIntStart<=InternetIPToIntg
| table IPtoIntStart IPtoIntEnd ProviderName]
| table user Internet_IP InternetIPToIntg ProviderName Country CountryCode IPEnd IPStart
... View more
- Tags:
- csv
- kv
- lookuptable
09-05-2018
09:51 PM
there are more fields in the second lookup, those where just a example becuase there are more than 10k of lines inside. and yes 3707717043 is a number between IPtoIntStart and IPtoIntEnd.
so i want to lookup the number i have in the first lookup/index and compare to the second lookup table. in that table i got IPtoIntStart, IPtoIntEnd and country. so if that numbers falls within that range it will return country.
... View more
09-04-2018
05:56 PM
Hi Renjith,
dont seems to be able to get any data, heres my query,
Table where all the data are and needs to compare with another KV,
| inputlookup IPs
| table IPtoInt IP
Output,
IPtoInt IP
3707717043 220.255.69.179
982689272 58.146.165.248
1947134216 116.14.233.8
3707757158 220.255.226.102
1947125255 116.14.198.7
Lookup KV,
| inputlookup GeoIPCountry
| table IPtoIntStart IPtoIntEnd Country
Output,
IPtoIntStart IPtoIntEnd Country
16777216 16777471 Australia
16777472 16778239 China
16778240 16779263 Australia
16779264 16781311 China
16781312 16785407 Japan
How do i get the value of IPtoInt from IPs and match the value between IPtoIntStart IPtoIntEnd from GeoIPCountry and return the country, which will have the final output of,
IPtoInt IP Country
3707717043 220.255.69.179 Singapore
982689272 58.146.165.248 Singapore
1947134216 116.14.233.8 Singapore
3707757158 220.255.226.102 Singapore
1947125255 116.14.198.7 Singapore
... View more
09-03-2018
02:42 AM
I got a number in my first lookup and i want to compare this number with a start and end number in a lookup, how do i do it?
| inputlookup IPaddress
| table IPtoNumber IPAddress UserID
Expected output in table format
IPtoNumber IPAddress UserID
100 1.1.1.1 john
Base on the above result, i looked up another table that had the country name
| inputlookup geoIP
| table startNumber EndNumber Country
Expected output in table format
startNumber EndNumber Country
1 10 Somewhere1
11 90 Somewhere2
91 100 Somewhere3
How do I pass the IPtoNumber from IPaddress lookup into geoIP lookup and return me the Country in geoIP?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-04-2023
08:26 AM
|
