03-14-2018
01:50 AM
Hi,
Did you ever find out how to fix the refresh problem?
07-24-2017
03:34 AM
Hi Deepdive,
Unfortunately I have not been able to find a solution to the issue. I have worked around this by creating a new Splunk 6.6.1 installation and copying the indexes and configurations across.
I have not yet attempted to upgrade to 6.6.2 again.
07-02-2017
02:28 AM
Hi,
I am running Splunk Free on an Ubuntu 17.04 box. I have just upgraded Splunk from 6.6.1 to 6.6.2 via the deb package.
Now when I try and start Splunk the web interface never becomes available. And I get the following output: Waiting for web server at http://127.0.0.1:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!
Splunkd.log gives the following message several times over: WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Could anyone please help me with this? I've gone through server.conf but there seems to be a lot of different SSL settings and I'm not sure which to modify (if any) and to what. I've also gone through repositories and there's nothing blindingly obvious there to upgrade my SSL.
Thanks in advance.
05-03-2017
08:10 AM
Hi,
Have you tried the edit_sourcetypes capability?
05-03-2017
07:56 AM
Hi,
Can you give this a try:
| inputlookup A.csv
| table USER_ID
| join type=left USER_ID
[ search index=X sourcetype=P
| dedup USER_ID
| eval in_search="Yes"
| table USER_ID , in_search]
| where isnull(in_search)
| table USER_ID
05-03-2017
07:20 AM
You're welcome.
Unfortunately I am not aware of a configuration in Splunk that allows you to do that.
You can remove it from dashboards, but not from searches / reports.
05-03-2017
06:56 AM
Hi,
This might be a bit overly complex but - in the absence of any other answers - here's an idea.
I would set up a Splunk alert which is fired for each new phone call record coming into Splunk. The script would query the REST API and dump (and format if needed) the results to a folder which is being monitored by Splunk.
A bash script containing a curl command would do the job.
Hope this helps.
05-03-2017
06:12 AM
4 Karma
Hi,
Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"
You can also use the following if you would like the results in CSV format:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"
Kind regards,
05-03-2017
05:16 AM
2 Karma
Hi,
Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.
For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:
[role_simple_user]
srchTimeWin = 31536000
Note that the stanza title is in the format role_<role_name>.
Hope this helps.
05-02-2017
03:21 AM
1 Karma
Hi,
This is a known issue with DBConnect 3 (DBX-4019,DBX-4021).
The workaround that I have found is to change the value of the timestamp in the SQL query.
For example (SQL):
SELECT *, dateadd(hh, 1, OriginalTimestamp) AS NewTimestamp FROM Table
The 'dateadd()' function is in the following format:
dateadd(<time unit to modify>, <modify by value>, <timestamp to modify>) AS <new timestamp name>
Then change the date field to NewTimestamp in DBConnect. The above example adds one hour to the time field on a UTC source where Splunk is assuming it is in BST.
Just remember to:
A. Change everything back when the issue has been fixed.
B. Ensure that the new field does not conflict with any existing extractions you have.
Hope this helps.
04-27-2017
10:35 AM
(?U)\/\S+\/\S+\/(?<sourcetype>.+)\/ should work.
I noticed that your regex101 was set to python. Splunk uses pcre regex for extractions.
I have missed SOURCE_KEY=source from the transforms.conf in my original answer which has now been updated.
04-27-2017
10:05 AM
Apologies, this was left over from my original conf file. I have corrected the original post.
$1 (the correct value) references the first capture group of the regex.
04-27-2017
09:03 AM
Hi Iatwal,
If the rsyslog server is using a universal forwarder then you will have to use the props.conf and transforms.conf on your indexer(s).
04-27-2017
08:28 AM
Hi,
To do this dynamically you would use props.conf and transforms.conf using the following code:
props.conf:
TRANSFORMS-change_sourcetype = change_sourcetype
EDIT: Please excuse the below formatting; I couldn't get the line breaks to work.
transforms.conf:
[change_sourcetype]
REGEX = (?U)\/\/logs\/\S+\/(\S+)\/
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = source
Splunk will need to be restarted for the changes to take effect.
I've not tested it but it should work. Let me know if you have any issues.
Also, if they all have the same format then I'd recommend that they all share the same sourcetype. Have you considered using a different field? This would be done using a search time extraction.
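Added here as a check, not code from the thread: a Python script that applies the transform's regex to constructed source paths so you can see what $1 becomes before restarting Splunk. It assumes the //logs/<host>/<sourcetype>/<file> layout the regex implies, and it uses lazy quantifiers in place of PCRE's (?U) flag, which Python's re module does not support (the reason regex101 must be set to PCRE, not Python).

```python
import re

# Python's re has no PCRE (?U) "ungreedy" flag, so the transforms.conf
# regex  (?U)\/\/logs\/\S+\/(\S+)\/  is written here with explicit lazy
# quantifiers (\S+?), which is exactly what (?U) turns every \S+ into.
UNGREEDY = re.compile(r"//logs/\S+?/(\S+?)/")
# The same pattern without (?U), to show why the flag matters.
GREEDY = re.compile(r"//logs/\S+/(\S+)/")


def derive_sourcetype(source, pattern=UNGREEDY):
    """Return the sourcetype the transform would assign for a source path,
    or None when the regex does not match (the event keeps its sourcetype)."""
    m = pattern.search(source)
    return m.group(1) if m else None


def transform(event):
    """Mimic the [change_sourcetype] stanza on a dict that stands in for the
    event's metadata keys: on a match, MetaData:Sourcetype becomes
    FORMAT = sourcetype::$1 with $1 replaced by the capture group."""
    new = derive_sourcetype(event["source"])
    if new is not None:
        event["MetaData:Sourcetype"] = "sourcetype::" + new
    return event


if __name__ == "__main__":
    # Constructed sample source paths (assumption: //logs/<host>/<sourcetype>/...)
    for path in ("//logs/web01/apache/access.log",
                 "//logs/web01/apache/2017/access.log",
                 "/var/log/messages"):
        print(path, "ungreedy:", derive_sourcetype(path),
              "greedy:", derive_sourcetype(path, GREEDY))
```

The deeper path shows the difference: with (?U) the capture is the directory right after the host, without it the greedy \S+ slides the capture to the last directory before the file name.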
04-13-2017
02:03 AM
1 Karma
Hi sangjoonlee,
If a1 is present in both sources then you can use join :
<source 1 search> | join a1 [search <source 2 search> | table a1, b1, c1, b2, c2]
Hope this helps.
04-07-2017
01:48 AM
1 Karma
Hi,
Please can you try the following:
| timechart mean(percentIdle) AS mean, stdev(percentIdle) AS stdev
| eval up = mean+stdev, down=mean-stdev
Let me know if you're still having problems.
04-07-2017
01:38 AM
Hi,
I have the same issue on 6.5.2. You can access the REST inputs screen using:
<your_url_here>/en-GB/manager/launcher/data/inputs/rest
The functionality of the input works perfectly fine.
Hope this helps.
04-06-2017
06:06 AM
I don't know if this is a typo in your actual search or only what you've written in your question but in query B you are missing an 'e' from 'firewalllogs'.
04-05-2017
07:53 AM
1 Karma
Hi leomedina,
Seeing as you have 0x80e00791="Fail", I'm assuming that 0x80e00110, 0x01130009 etc are field names.
Instead of eval(0x80e00110 NOT 0x01130009 NOT 0x01130024) try using eval(isNull(0x80e00110) AND isNull(0x01130009) AND isNull(0x01130024)) instead.
When you have the data correct, click on 'Visualization' to see the chart views.
Let me know if there are any issues.
03-21-2017
03:09 AM
1 Karma
Hi,
You can filter your search to all records with a 'create_date' value within the last 5 minutes using:
<your_search_here> | where strptime(create_date, "<time_format_here>") > relative_time(now(), "-5m")
You can then save this as an alert and set it run every 5 minutes, setting the trigger action to send an email.
03-21-2017
02:38 AM
Hi,
We have recently upgraded our ServiceNow instance directly from Eureka to Helsinki as you are planning to do and our ServiceNow - Splunk integration worked post-upgrade with no changes required.
We do, however, only consume ServiceNow data into Splunk and not vice versa (using the ServiceNow event management plugin) so I can't comment on whether that will be affected or not.
I'd recommend checking the connection in a test instance first.
03-21-2017
01:46 AM
I would use a scripted input to do this. What OS is your SFTP server?
02-22-2017
07:02 AM
Hi,
Give this a shot:
rex field=_raw "\"sessionID\":\"(?<field>[^\"]+)\""