cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
JoeIII
Path Finder
Member since: ‎12-14-2012
‎06-05-2020
Community Statistics
Posts 12
Solutions 0
Karma Given 27
Karma Received 5
Member Since ‎12-14-2012
Activity Feed
View All

Re: extract a field from event source filename

by in Splunk Search
‎12-20-2017 11:03 PM
‎12-20-2017 11:03 PM
I had a very similar situation, where pertinent information was in the filenames - this solution worked perfectly for me as well. Thank You! ... View more

Re: No port_scan data

by in All Apps and Add-ons
‎08-29-2017 07:48 AM
‎08-29-2017 07:48 AM
For NMAP to do OS detection it requires root privileges. This is why setUID works if Splunk is not running as root already. I recommend configuring sudoers to allow splunk to run nmap without a password, then modifying the script to "sudo nmap", in addition to adding unset LD_LIBRARY_PATH in the event of that issue. my /etc/sudoers.d/splunknmap (use visudo so you don't botch the file rights (my splunk instance runs as "splunk": splunk ALL = (root) NOPASSWD: /usr/bin/nmap Still not an ideal solution, but the best available, in my opinion ... View more

Re: Listing forwarders

by in Deployment Architecture
‎03-19-2015 11:05 AM
4 Karma
‎03-19-2015 11:05 AM
4 Karma
I just wanted to thank you - I modified your search to help me find out of date forwarders: index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | dedup sourceHost | table sourceHost sourceIP os version | sort version ... View more

Re: How can I use the value of one field as name o...

by in Splunk Search
‎10-16-2013 07:39 AM
‎10-16-2013 07:39 AM
Very cool - I like this solution as well. ... View more

Re: Timestamp recognition of multi timestamp forma...

by in Getting Data In
‎09-27-2013 06:44 AM
‎09-27-2013 06:44 AM
Sometimes you do not have control over the entries or timestamps used in log files. While I agree that it is stupid to have the same file with different messages with different timestamp formats, sometimes developers do things that are stupid and we have to work around those limitations. ... View more

Re: AD / LDAP Authentication Limit issues

by in Security
‎08-27-2013 06:58 AM
‎08-27-2013 06:58 AM
I wonder if your nestedGroups setting is the source of your "too many lines" issue. Also, while your environment may differ, a few of the identifying attributes are different from what I normally use when setting up AD auth for systems like Splunk. here are the attributes I use in my splunk environment: groupMappingAttribute = distinguishedname groupMemberAttribute = member groupNameAttribute = name realNameAttribute = displayname userNameAttribute = samaccountname as for the filters, Microsoft has a very in-depth article on LDAP filters and examples specific to AD that I believe anyone configuring AD auth should have bookmarked: http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx ... View more

Re: Information missing on Splunk syslog

by in Getting Data In
‎07-16-2013 06:48 AM
‎07-16-2013 06:48 AM
To elaborate on the earlier answer: By default, splunk strips the syslog priority from incoming syslog messages. to stop this behavior, add "no_priority_stripping = true" to your syslog source. there is an app on splunkbase syslog_priority_lookup that will extract this and create facility and severity fields at search time - very useful information. ... View more

Re: Hard limit on whitelist for deployment server

by in Getting Data In
‎07-15-2013 10:55 AM
‎07-15-2013 10:55 AM
the web interface allows you to add entries beyond 10 (whitelist.9) but they do not show up in the serverclass.conf file. I do not know if this is a limit or a bug in the webUI - it seems to me the webUI should remove the "add" button when you hit the limit if this is the case. Source: my experience under 5.0.3 ... View more

Re: License violations: if a sub-pool exceeds quot...

by in Monitoring Splunk
‎07-15-2013 05:44 AM
1 Karma
‎07-15-2013 05:44 AM
1 Karma
I wish I'd seen this before - in our SE conversations, I was told that in such a situation pool warnings would be generated on a strictly informational basis, as long as the total across all pools did not exceed our licensed volume. Up-voting this answer in hopes that more people see it and the SE's ar more clear in the future. ... View more

Re: Setting Deployment Server during install via C...

by in Deployment Architecture
‎07-02-2013 05:57 AM
‎07-02-2013 05:57 AM
I created a transform with Orca to configure the deployment server and "AGREE_TO_LICENSE" If you are familiar with orca (or likely if you are not, but are clever) you should be able to make one to fit your environment as well. ... View more

Re: How can I use the value of one field as name o...

by in Splunk Search
‎05-17-2013 08:01 AM
‎05-17-2013 08:01 AM
Thank you, in this instance I actually like the following better: source="Perfmon:Free Disk Space" | eval HostInstance = host.":".instance | chart latest(Value) over HostInstance by counter giving me one set of MB/% per line. in this particular example, this is an acceptible solution, but it may not work every time I'm looking for a similar solution. ... View more

How can I use the value of one field as name of an...

by in Splunk Search
‎05-17-2013 06:53 AM
‎05-17-2013 06:53 AM
Splunk 5.0.2 Example: windows "Perfmon:Free Disk Space" Each check is actually two events, one with the free space in MD, one in percent like this: search: source="Perfmon:Free Disk Space" first two results: 05/17/2013 08:59:29.087<br> collection="Free Disk Space"<br> object=LogicalDisk<br> counter="% Free Space"<br> instance=_Total<br> Value=23.842293475974397<br> 05/17/2013 08:59:29.087<br> collection="Free Disk Space"<br> object=LogicalDisk<br> counter="Free Megabytes"<br> instance=_Total<br> Value=31736<br> I make these into transactions to bring this information together: Search: source="Perfmon:Free Disk Space" | transaction host instance _time first result: 05/17/2013 09:00:59.656<br> collection="Free Disk Space"<br> object=LogicalDisk<br> counter="Free Megabytes"<br> instance=_Total<br> Value=121005<br> 05/17/2013 09:00:59.656<br> collection="Free Disk Space"<br> object=LogicalDisk<br> counter="% Free Space"<br> instance=_Total<br> Value=20.732246391710184<br> If I could rename the "Value" field to the value of the "counter" field before my transaction command I would have something along the lines of:: 05/17/2013 09:00:59.656<br> collection="Free Disk Space"<br> object=LogicalDisk<br> counter="Free Megabytes"<br> instance=_Total<br> Free Megabytes=121005<br> 05/17/2013 09:00:59.656<br> collection="Free Disk Space"<br> object=LogicalDisk<br> counter="% Free Space"<br> instance=_Total<br> % Free Space=20.732246391710184<br> I could then make tables charts graphs alerts etc based on those values and have both the space in megabytes and the percent available. For example, on a drive with multiple terabytes of disk space, 10% free isn't that big a deal but only having a few thousand meg free would be an issue, on a drive with only a few dozen gigabytes 10% free may be critical where a few thousand megabytes is "normal" I know I could use a case argument but that only adresses this one instance, I'm looking for a tool I can use again in the future. the closest i've come is this: Search: source="Perfmon:Free Disk Space" | chart first(Value) over host by counter give me <Hostname> <% Free Space> <Free Megabytes> which is "ok" but doesn't account for multiple instances (in this example, i have an instance for each drive then one for _Total ) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to