Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hhGA
hhGA
Communicator
Member since:
10-21-2015
06-05-2020
Community Statistics
| Posts | 40 |
| Solutions | 4 |
| Karma Given | 6 |
| Karma Received | 13 |
| Member Since | 10-21-2015 |
Activity Feed
- Karma Re: I use Splunk Cloud with SAML, but is there a way to just log in with normal username and password authentication? for ktugwell_splunk. 06-05-2020 12:48 AM
- Karma Re: Since splunk 6.4 some users do not see the "export" button anymore for yannK. 06-05-2020 12:48 AM
- Karma Re: how to use timechart count to return 0 when value is null, fillnull not working for paulbannister. 06-05-2020 12:48 AM
- Karma Re: How to replace contents of the message? for paulbannister. 06-05-2020 12:48 AM
- Karma Re: Is there a Lookup File Editor for Splunk Cloud? for paulbannister. 06-05-2020 12:48 AM
- Got Karma for I use Splunk Cloud with SAML, but is there a way to just log in with normal username and password authentication?. 06-05-2020 12:48 AM
- Got Karma for I use Splunk Cloud with SAML, but is there a way to just log in with normal username and password authentication?. 06-05-2020 12:48 AM
- Got Karma for Re: HELP with Search and Bar Chart.... 06-05-2020 12:48 AM
- Got Karma for Re: Is it possible to print a line chart with: line with value, line with mean+stdev and line with mean-stdev?. 06-05-2020 12:48 AM
- Got Karma for Re: how to merge data from different two source ?. 06-05-2020 12:48 AM
- Got Karma for Re: How to create a Splunk alert upon new database table entry?. 06-05-2020 12:48 AM
- Got Karma for Re: DB Connect 3.0.2 Not Honoring Sourcetype in Props.conf. 06-05-2020 12:48 AM
- Got Karma for Re: How to execute a saved search using Splunk's REST API. 06-05-2020 12:48 AM
- Got Karma for Re: How to execute a saved search using Splunk's REST API. 06-05-2020 12:48 AM
- Got Karma for Re: How to execute a saved search using Splunk's REST API. 06-05-2020 12:48 AM
- Got Karma for Re: How to execute a saved search using Splunk's REST API. 06-05-2020 12:48 AM
- Got Karma for Re: how to disable "ALL time" for user role. 06-05-2020 12:48 AM
- Got Karma for Re: how to disable "ALL time" for user role. 06-05-2020 12:48 AM
- Karma Re: Why am I getting "500 Internal Server Error" when I click "Data Inputs" under "Settings"? for ppablo. 06-05-2020 12:47 AM
- Posted Re: REST API Modular Input: How to pull data from 365 / Azure Active Directory reporting REST API? on All Apps and Add-ons. 03-14-2018 01:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
03-14-2018
01:50 AM
Hi,
Did you ever find out how to fix the refresh problem?
... View more
07-24-2017
03:34 AM
Hi Deepdive,
Unfortunately I have not been able to find a solution to the issue. I have worked around this by creating a new Splunk 6.6.1 installation and copying the indexes across and configurations across.
I have not yet attempted to upgrade to 6.6.2 again.
... View more
07-02-2017
02:28 AM
Hi,
I am running Splunk Free on a Ubuntu 17.04 box. I have just upgraded Splunk from 6.6.1 to 6.6.2 via the deb package.
Now when I try and start Splunk the web interface never becomes available. And I get the following output: Waiting for web server at http://127.0.0.1:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!
Splunkd.log gives the following message several times over: WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Could anyone please help me with this? I've gone through server.conf but there seems to be a lot of different SSL settings and I'm not sure which to modify (if any) and to what. I've also gone through repositories and there's nothing blindingly obvious there to upgrade my SSl.
Thanks in advance.
... View more
05-03-2017
08:10 AM
Hi,
Have you tried the edit_sourcetypes capability?
... View more
05-03-2017
07:56 AM
Hi,
Can you give this a try:
| inputlookup A.csv
| table USER_ID
| join type=left USER_ID
[ search index=X sourcetype=P
| dedup USER_ID
| eval in_search="Yes"
| table USER_ID , in_search]
| WHERE in_search!="Yes"
| table USER_ID
... View more
05-03-2017
07:20 AM
You're welcome.
Unfortunately I am not aware of an configuration in Splunk that allows you to do that.
You can remove it from dashboards, but not from searches / reports.
... View more
05-03-2017
06:56 AM
Hi,
This might be a bit overly complex but - in the absence of any other answers - here's an idea.
I would set up a Splunk alert which is fired for each new phone call record coming into Splunk. The script would query the REST API and dump (and format if needed) the results to a folder which is being monitored by Splunk.
A bash script containing a curl command would do the job.
Hope this helps.
... View more
05-03-2017
06:12 AM
4 Karma
Hi,
Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"
You can also use the following if you would like the results in CSV format:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"
Kind regards,
... View more
05-03-2017
05:16 AM
2 Karma
Hi,
Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.
For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:
[role_simple_user]
srchTimeWin = 31536000
Note that the stanza title is in the format role_<role_name> .
Hope this helps.
... View more
05-02-2017
03:21 AM
1 Karma
Hi,
This is a known issue with DBConnect 3 (DBX-4019,DBX-4021).
The workaround that I have found is to change the value of the timestamp in the SQL query.
For example (SQL):
(SELECT *, dateadd(hh, 1, OriginalTimestamp) NewTimestamp FROM Table
The 'dateadd()' function is in the following format:
dateadd(<time unit to modify>, <modify by value>, <timestamp to modify>), <new timestap name>
Then change the date field to NewTimestamp in DBConnect. The above example adds one hour to the time field on a UTC source where Splunk is assuming it is in BST.
Just remember to:
A. Change everything back when the issue has been fixed.
B. Ensure that the new field does not conflict with any existing extractions you have.
Hope this helps.
... View more
04-27-2017
10:35 AM
(?U)\/\S+\/\S+\/(?<sourcetype>.+)\/ should work.
I noticed that your regex101 was set to python. Splunk uses pcre regex for extractions.
I have missed SOURCE_KEY=source from the transforms.conf in my original answer which has now been updated.
... View more
04-27-2017
10:05 AM
Apologies, this was left over from my original conf file. I have corrected the original post.
$1 (the correct value) references the first capture group of the regex.
... View more
04-27-2017
09:03 AM
Hi Iatwal,
If the rsyslog server is using a universal forwarder then you will have to use the props.conf and transforms.conf on your indexer(s).
... View more
04-27-2017
08:28 AM
Hi,
To do this dynamically you would use props.confs and transforms.conf using the following code:
props.conf:
TRANSFORMS-change_sourcetype = change_sourcetype
EDIT: Please excuse the below formatting; I couldn't get the line breaks to work.
transforms.conf:
[change_sourcetype]
REGEX = (?U)\/\/logs\/\S+\/(\S+)\/
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY=source
Splunk will need to be restarted for the changes to take affect.
I've not tested it but it should work. Let me know if you have any issues.
Also, if they all have the same format then I'd recommend that they all share the same sourcetype. Have you considered using a different field? This would be done using a search time extraction.
... View more
04-13-2017
02:03 AM
1 Karma
Hi sangjoonlee,
If a1 is present in both sources then you can use join :
<source 1 search> | join a1 [search <source 2 search> | table a1, b1, c1, b2, c2]
Hope this helps.
... View more
04-07-2017
01:48 AM
1 Karma
Hi,
Please can you try the following:
| timechart mean(percentIdle) AS mean, stdev(percentIdle) AS stdev
| eval up = mean+stdev, down=mean-stdev
Let me know if you're still having problems.
... View more
04-07-2017
01:38 AM
Hi,
I have the same issue on 6.5.2. You can access the REST inputs screen using:
<your_url_here>/en-GB/manager/launcher/data/inputs/rest
The functionality of the input works perfectly fine.
Hope this helps.
... View more
04-06-2017
06:06 AM
I don't know if this is a typo in your actual search or only what you've written in your question but in query B you are missing an 'e' from 'firewalllogs'.
... View more
04-05-2017
07:53 AM
1 Karma
Hi leomedina,
Seeing as you have 0x80e00791="Fail", I'm assuming that 0x80e00110, 0x01130009 etc are field names.
Instead of eval(0x80e00110 NOT 0x01130009 NOT 0x01130024) try using eval(isNull(0x80e00110) AND isNull(0x01130009) AND isNull(0x01130024)) instead.
When you have the data correct, click on 'Vizualisation' to see the chart views.
Let me know if there are any issues.
... View more
03-21-2017
03:09 AM
1 Karma
Hi,
You can filter your search to all records with a 'create_date' value within the last 5 minutes using:
<your_search_here> | WHERE strptime(create_date, <time_format here> > relative_time(now(), "-5m")
You can then save this as an alert and set it run every 5 minutes, setting the trigger action to send an email.
... View more
03-21-2017
02:38 AM
Hi,
We have recently upgraded our ServiceNow instance directly from Eureka to Helsinki as you are planning to do and our ServiceNow - Splunk integration worked post-upgrade with no changes required.
We do, however, only consume ServiceNow data into Splunk and not vice versa (using the ServiceNow event management plugin) so I can't comment on whether that will be affected or not.
I'd recommend checking the connection in a test instance first.
... View more
03-21-2017
01:46 AM
I would use a scripted input to do this. What OS is your SFTP server?
... View more
02-22-2017
07:02 AM
Hi,
Give this a shot:
rex field=_raw> "\"sessionID\":\"(?<field>\S+)\""
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
