Activity Feed
- Posted Which capability allows a power user to view a list of all users? on Security. 03-11-2020 03:03 PM
- Posted Re: How to merge multiple lookup lines into one on Splunk Search. 03-08-2020 11:59 PM
- Posted How to merge multiple lookup lines into one on Splunk Search. 03-08-2020 02:48 PM
- Posted Time-based exclusion on a search on Splunk Search. 02-26-2019 03:40 PM
- Posted Re: Query MX records or lookup MX records? on Deployment Architecture. 04-18-2013 09:08 AM
- Posted Re: splunk for websense on All Apps and Add-ons. 04-17-2013 11:38 PM
- Posted Re: Query MX records or lookup MX records? on Deployment Architecture. 04-17-2013 11:31 PM
- Posted Re: Splunk for telecom on All Apps and Add-ons. 01-26-2013 10:30 AM
03-11-2020
03:03 PM
The list of capabilities doesn't explicitly list this.
I want a particular power user to be able to use the rest API and see a result of all users, not simply themselves. They have the ability to execute REST already, but they only ever see their own user account when running this command:
| rest /services/authentication/users splunk_server=local | table realname
- Tags:
- splunk-cloud
03-08-2020
11:59 PM
Anmolpatel got me what I needed specifically (since I was using a lookup table), but the other two are worthy of points and I'll mark them. Thank you all for the great answers!
03-08-2020
02:48 PM
I have a table with formatted something like this:
1 John, Smith, a123, superuser, blah
2 John, Smith, a123, audit user, blah
3 Sally, Smith, a234, regular user, blah
4 Andy, Smith, a345, audit user, blah
5 Andy, Smith, a345, log user, blah
6 Andy, Smith, a345, super user, blah
When you run the lookup for the user id (so like a123), you get both results on two lines within the same box in the table.
I want one single line that has the user type concatenated. So instead of:
a123, super user
a123, audit user
I want:
a123, "super user, audit user"
Is that possible?
02-26-2019
03:40 PM
Is it possible, and if so, how would I, filter specific terms but only for a certain time range within a broader search?
For example, say I’m retrieving all failed logons for the last 24 hours like this:
index=myindex logonmessage=FAILED
Now, let’s say there’s a certain account that always fails to logon between 0200 and 0300 every day called bob. We’ve investigated these and worked with the team responsible for the application, and these failures are expected and unchangeable due to some architectural considerations.
How do I modify my search to basically say:
NOT (username=bob AND timestamp > 0200 AND timestamp < 0300)
Is that possible?
Thank you all!
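As an added illustration (not part of the original thread), the Python below applies the exclusion asked for above to constructed sample events: every failed logon is kept except bob's between 02:00 and 03:00, the window is treated as half-open, and a window that wraps past midnight is handled too. The field names, timestamps and addresses are all made up for the example; in SPL one way to express the same predicate is to derive the hour with strftime(_time, "%H") and filter with where NOT (username="bob" AND hour=2).

```python
import re
from datetime import datetime, time

# Constructed sample events (not from the original post), one logon attempt per line.
SAMPLE_EVENTS = """\
2019-02-26 01:55:10 logonmessage=FAILED username=bob src=10.0.0.5
2019-02-26 02:10:42 logonmessage=FAILED username=bob src=10.0.0.5
2019-02-26 02:30:01 logonmessage=FAILED username=alice src=10.0.0.9
2019-02-26 02:59:59 logonmessage=FAILED username=bob src=10.0.0.5
2019-02-26 03:00:00 logonmessage=FAILED username=bob src=10.0.0.5
2019-02-26 14:12:07 logonmessage=SUCCESS username=bob src=10.0.0.5
2019-02-26 14:13:55 logonmessage=FAILED username=carol src=10.0.0.7
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) logonmessage=(?P<logonmessage>\S+) username=(?P<username>\S+)"
)

# Investigated, expected failures to suppress: (username, window start, window end).
# Half-open [start, end): "between 0200 and 0300" still keeps a failure at exactly 03:00:00.
EXPECTED_FAILURES = [("bob", time(2, 0), time(3, 0))]

def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def is_expected(ev, rules=EXPECTED_FAILURES):
    """True when the event matches a suppression rule for that user and time window."""
    t = ev["ts"].time()
    for user, start, end in rules:
        if ev["username"] != user:
            continue
        if start <= end:
            in_window = start <= t < end
        else:  # window wraps past midnight, e.g. 23:00 to 01:00
            in_window = t >= start or t < end
        if in_window:
            return True
    return False

def failed_logons(raw=SAMPLE_EVENTS, rules=EXPECTED_FAILURES):
    """Return failed logons that no suppression rule explains, i.e. the ones worth a look."""
    kept = []
    for line in raw.splitlines():
        ev = parse_event(line)
        if ev and ev["logonmessage"] == "FAILED" and not is_expected(ev, rules):
            kept.append(ev)
    return kept
```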
- Tags:
- splunk-cloud
04-18-2013
09:08 AM
Exactly. Just make sure that your python script only returns a single MX record and nothing else and you should be good to go.
04-17-2013
11:38 PM
You might have two potential issues.
First, are you on Websense 7.7?
Secondly, see this:
http://splunk-base.splunk.com/apps/34715/websense-app-for-splunk
Specifically:
• It would be nice to document the different invocations of fill_summary_index.py that the user has to run in order to backfill the summary indexes that power some of the dashboards. Ideally, you could advertise the need to run these backfill commands on the dashboard itself so that the user understands why no data is displayed.
04-17-2013
11:31 PM
You should be able to do it with the script-based lookup:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_fields_lookup_based_on_an_external_command_or_script
Something as simple as a bash script with nslookup/dig would do the trick.
01-26-2013
10:30 AM
From network logs, like Ayn said, it captures anything you can export to it. It's up to the admin to filter those logs for relevant information.
For example, with our ASAs, I'm able to see who logs into the VPN the most, which IPs generate the most URL requests, which IP addresses have the most outbound traffic (in number of requests, not bandwidth), and so forth.
If you want to find network abusers (such as people who download excessive amounts of data), you'll want to combine Splunk with a tool that'll monitor bandwidth and activity.
01-04-2013
02:37 PM
I just realized that I was doing something Splunk isn't designed for.
I was attempting to modify the 'hosts' value based on entries within the log. What I failed to notice on the data input screen, the regex is based on the path of the file, not the contents.
I've since modified rsyslog to log to files with the IP address as the name of the file and used the following regex to generate the host IP: (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
Thanks again for the assistance and the info on regex and rex. That'll be helpful moving forward.
01-04-2013
10:01 AM
All,
Thanks for your replies so far. I'm getting some issues running the expression using rex field=_raw. It does seem to give me some results if I use regex _raw=<expression>. I haven't tried using this in my data input section yet...that'll happen later today. Will report back on how it works.
Thanks again!
01-03-2013
05:58 PM
I'm having some issues with using regex to define the host of some events from an ASA. The events are in the format below:
Jan 3 17:14:29 10.111.11.111 %ASA-6-302016: Teardown UDP connection 10101576 for external_untrusted:10.111.111.111/111 to external_untrusted:10.111.111.111/111 duration 0:00:00 bytes 0 (asdfasdf)
I'm using the following regex:
(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)?
This works fine here: Regex pal
But my event still shows:
host=rel-splunk.roll.ad | sourcetype=cisco_asa | source=/var/log/syslog/asa
Any thoughts on what I'm doing wrong?
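As an added example (not from the original thread), the Python below shows, with Python's re module rather than Splunk's regex engine, why the pattern in the question above captures no host: the trailing ? makes the capture group optional, so the engine is satisfied by an empty match. It also runs the pattern from the later follow-up (the same expression without the ?) against both the event text and a constructed rsyslog file path named after the sending IP, and adds an octet-range check that a digit-only pattern lacks; the event text and path are constructed for the example.

```python
import re

# Constructed ASA event shaped like the one in the post (addresses are placeholders).
ASA_EVENT = (
    "Jan 3 17:14:29 10.111.11.111 %ASA-6-302016: Teardown UDP connection 10101576 "
    "for external_untrusted:10.111.111.111/111 to external_untrusted:10.111.111.111/111 "
    "duration 0:00:00 bytes 0 (asdfasdf)"
)
# Constructed rsyslog path, following the per-IP file naming the follow-up post adopts.
SAMPLE_PATH = "/var/log/syslog/10.111.11.111.log"

IPV4 = r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

# Pattern from the question: the trailing '?' makes the capture group optional, so the
# engine accepts an empty match at offset 0 and the group captures nothing at all.
OPTIONAL_RE = re.compile(r"(" + IPV4 + r")?")
# Pattern from the follow-up (no '?'): the engine must find an IPv4-shaped token.
REQUIRED_RE = re.compile(r"(" + IPV4 + r")")

def extract_host(text, pattern):
    """Return the first capture group of pattern in text, or None if nothing was captured."""
    m = pattern.search(text)
    return m.group(1) if m else None

def first_valid_ipv4(text):
    """Like REQUIRED_RE, but skips tokens such as 999.1.1.1 that a 1-3 digit pattern accepts."""
    for m in REQUIRED_RE.finditer(text):
        if all(0 <= int(octet) <= 255 for octet in m.group(1).split(".")):
            return m.group(1)
    return None
```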
12-17-2012
12:42 PM
Ahhhhhh...gotcha. Dude, that makes no sense. Why would the from-list not have all the options and require you to manually type it in?
Thank you very much for your help...that solved it. 🙂
12-17-2012
09:18 AM
That answer is in direct contradiction to this:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Listofpretrainedsourcetypes
Your answer meshes what I'm experiencing out of the box, but it contradicts how the software should be behaving, based on the manual.
12-14-2012
04:14 PM
I just installed Splunk 5.0.1, and I'm missing the cisco_syslog source, along with a bunch of others.
In fact, when I define a source, my only options are:
access_combined
apache_error
csv
iis
log4j
log4php
syslog
Any ideas?
- Tags:
- missing