Activity Feed
- Got Karma for Re: Why am I unable to forward logs from a Linux machine to Windows using Splunk 6.3?. 06-05-2020 12:47 AM
- Posted How to schedule a daily report of logins over time? on Reporting. 01-26-2016 02:42 PM
- Tagged How to schedule a daily report of logins over time? on Reporting. 01-26-2016 02:42 PM
- Posted Re: What is the best way to set up a scheduled search to alert if there are more than 5 events from a specific user? on Alerting. 01-26-2016 11:25 AM
- Posted What is the best way to set up a scheduled search to alert if there are more than 5 events from a specific user? on Alerting. 01-26-2016 11:06 AM
- Tagged What is the best way to set up a scheduled search to alert if there are more than 5 events from a specific user? on Alerting. 01-26-2016 11:06 AM
- Posted Re: How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:57 PM
- Posted How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:56 PM
- Tagged How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:56 PM
- Tagged How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:56 PM
- Posted Re: Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 11:03 AM
- Posted Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 09:25 AM
- Tagged Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 09:25 AM
- Tagged Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 09:25 AM
- Posted Re: alerts triggering continuously on Alerting. 01-14-2016 05:33 AM
- Posted alerts triggering continuously on Alerting. 01-13-2016 02:53 PM
- Tagged alerts triggering continuously on Alerting. 01-13-2016 02:53 PM
- Posted Re: How to edit my search to only return results that exceed a certain count within a time window? on Splunk Search. 01-13-2016 12:57 PM
- Posted Re: Is there a way to save the results for parts of a search so when I modify the tail end, I don't have to run the whole search? on Splunk Search. 01-13-2016 07:23 AM
- Posted Re: How to edit my search to only return results that exceed a certain count within a time window? on Splunk Search. 01-13-2016 07:19 AM
Topics I've Started
01-26-2016 02:42 PM
I want to report the number of logins on my system by day. Is there some way to schedule the 24 hour search every day and show a chart of the daily counts so far? I am thinking this is more efficient than searching the daily count over the history of the index.
01-26-2016 11:06 AM
I am looking to do a search every minute, and see if there are more than 5 events from a specific user. If so, I need to trigger an alert. I have this running as a scheduled search every minute, and it seems to be working. Is there a better way to do this? Should I be scheduling the search every hour and look for login events >5 in 1 minute windows? If so, how would I do that?
My current search looks like this:
user=* | eventstats count by user | where count > 5
start time -6m
finish time -5m
run every minute
01-19-2016 02:57 PM
Also, is there any way to just display the results of an alert on a dashboard? The schedule is already in the alert. It would be nice to just display the results rather than create a new search.
01-19-2016 02:56 PM
I save dashboards from both search and report, and it appears that the dashboards run the search every time it is brought up, but do not refresh after that. I have read that it is supposed to display the cached search. What is the proper way to create dashboards so that they update properly? Is there a way to do this from Splunk Web or only in XML?
01-19-2016 11:03 AM
Thanks! This works!
01-19-2016 09:25 AM
Is there any way to display the time when a dashboard panel updated? I am scheduling a report, adding it to a dashboard, and would like to know when the report ran that is displayed on the dashboard.
01-13-2016 02:53 PM
I am saving the following alerts:
"user=* | search failed | dedup _raw"
real time 60 second window. It triggers only when a new event with "failed" is detected.
"user=* | search failed | dedup _raw | stats count by user"
real time 60 second window. It alerts continuously.
How do I get the second alert to trigger only when a new event is detected?
01-13-2016 12:57 PM
your current search ...| where count > [ search your search to get threshold for moving 5 min window | return $yourthreshold ]
This looks like what I want, but I am not sure of the syntax. I am fine with a fixed threshold. How do I search for a count of events in a moving 5 minute window that have the string "failed", and output the count when it exceeds a fixed threshold?
01-13-2016 07:23 AM
The dedup _raw takes so long I am hoping to store its result to pipe to subsequent searches. I need to do this step because I have many duplicate events for some reason.
01-13-2016 07:19 AM
Thanks. Is there a way to do this for count over a moving time window for stored events? Right now the count is the total over the interval defined by the time range picker. In other words, is there a way to count events by user that exceed a threshold within a moving 5 minute time window over my event history?
01-12-2016 02:13 PM
I would like to issue the following search, but only get results that exceed a count within a time window. I see how to set an alert to do this, but I just want to search my current stored events. How do I do this in a search?
user=* action=* | stats count by user, action
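The posts above ask the same thing twice: how to apply a per-user count threshold to stored events inside a 5 minute window, instead of over the whole time range chosen in the time picker. The following is an added example, not a search from the original thread. It keeps the field names `user` and `action` and the threshold of 5 from the posts; everything else is assumed. The first search buckets events into fixed, aligned 5 minute windows with `bin`, which is cheap but splits a burst that straddles a window boundary across two buckets. The second uses `streamstats` with `time_window`, which gives a true sliding window: for every event, the count of that user's events in the 5 minutes ending at that event. SPL in Splunk 6.x has no comment syntax, so the explanation stays here rather than inline.

```spl
user=* action=*
| bin _time span=5m
| stats count by _time, user, action
| where count > 5
| sort - _time

user=* action=*
| sort 0 _time
| streamstats time_window=5m count AS count_5m by user
| where count_5m > 5
| stats max(count_5m) AS peak_5m, earliest(_time) AS first_seen, latest(_time) AS last_seen by user
```

The `sort 0 _time` before `streamstats` is deliberate: `time_window` needs events in time order, and `0` lifts the default row limit so nothing is dropped before counting. The trailing `stats` collapses the sliding-window hits into one row per user with the peak count and the time span of the burst, which is usually what an alert or a report wants to show rather than every individual event that crossed the threshold.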
01-12-2016 11:11 AM
If I only have one index and one sourcetype, will this speed things up? I want to look at all events, and not just within a time window.
Is there a way to reuse the results of a search?
01-12-2016 11:10 AM
I am looking to group events by transaction. Will the stats command do this for me?
I have a lot of events. By doing user=*, I narrow it to login events since they have a user field. I end up with duplicate events, and I go through dedup. Finally, I am left with events, some of which group together (i.e. password accepted and session opened). This is why I want to group as transactions: I want to preserve individual events, but want to know the number of independent transactions.
It would be nice to know if there is a way to re-use the results of previous searches. Is there a way to do this?
01-12-2016 08:31 AM
I am executing the following search and it is taking a long time to execute. Is there a way to save the results of parts of a search so that when I modify the tail end I don't have to run the whole search? I.e. can I save the results of user=* | dedup _raw and then run those saved results through subsequent searches?
user=* | dedup _raw | transaction user date_minute date_second
01-11-2016 11:31 AM
Turned out to be fast mode. When I changed to smart mode the fields were extracted properly. Thanks!
01-11-2016 11:27 AM
I am trying to chart different types of login events. I believe that the fields were extracted by the *nix app in logs from /var/log/secure.
For example, if I have 100 events, I have found that I can group them into non overlapping groups that total to 100 in the following way:
eventtype=failed_login
vendor_action=session open
vendor_action=accepted
I can create 2 new event types to cover session open and accepted.
I want to be able to do something like "stats count by eventtype" but eventtype alone generates overlapping groups of events since one event can have multiple eventtypes. Is there some way I can eliminate the unwanted event types?
01-08-2016 10:16 AM
How do I select different sourcetypes for multiple logs coming from multiple servers (no universal forwarders, using rsyslog.conf)? When I set up the input port, it only offers one type of sourcetype choice.
01-07-2016 12:25 PM
Thanks. However I do have one configuration that extracts the fields. On the second one it does not. It seems to be built into the *nix app, but not clear why it is not working. I would rather not create field extractors if they already exist.
The one that works has this configuration for file and directory local data inputs. I tried to set a new input that looks like this on the system that was not working, but SA-nix was not one of the app choices.

Path | Set host | Source type | Destination index | App | Status
---|---|---|---|---|---
/var/log/secure | constant value | linux_secure | default | SA-nix | enabled
01-07-2016 07:59 AM
I have seen that Splunk App for Unix extracts the user field from /var/log/secure logs. This appears to be working fine on my desktop Linux workstation. If you look below, you will see a list of the settings>data inputs>local inputs>files and directories.
If you look at the last line, it indicates it is monitoring /var/log/secure, has source type linux_secure, and app is SA-nix. I believe this is what is extracting the user field out of the /var/log/secure logs.
I tried doing the same thing on another server with the Splunk App for Linux and do not see this line in the inputs, only the line with /var/log. I assumed it was configured by the Splunk App for *nix. Can you tell me what I am doing wrong? I tried manually adding it, but it does not provide SA-nix as an application option.
Also, I would like to be able to do this processing from forwarded logs from other servers. We have the logs forwarded via the rsyslog.conf file on port 514 from multiple servers, and are not using universal forwarders. Can you tell me how to configure the servers so that the user field will be extracted?
Full path to your data | Set host | Source type | Destination index | Number of files | App | Status
---|---|---|---|---|---|---
$SPLUNK_HOME/etc/splunk.version | Constant Value | splunk_version | _internal | 1 | system | Enabled
$SPLUNK_HOME/var/log/introspection | Constant Value | Automatic | _introspection | 15 | introspection_generator_addon | Enabled
$SPLUNK_HOME/var/log/splunk | Constant Value | Automatic | _internal | 43 | system | Enabled
$SPLUNK_HOME/var/spool/splunk | Constant Value | Automatic | default | | system | Enabled
$SPLUNK_HOME/var/spool/splunk/...stash_new | Constant Value | stash_new | default | 1 | system | Enabled
/Library/Logs | Constant Value | Automatic | os | | Splunk_TA_nix | Disabled
/etc | Constant Value | Automatic | os | | Splunk_TA_nix | Disabled
/home/.../.bash_history | Constant Value | bash_history | os | | Splunk_TA_nix | Disabled
/root/.bash_history | Constant Value | bash_history | os | | Splunk_TA_nix | Disabled
/var/adm | Constant Value | Automatic | os | | Splunk_TA_nix | Disabled
/var/log | Constant Value | Automatic | os | | Splunk_TA_nix | Disabled
/var/log/secure | Constant Value | linux_secure | default | | SA-nix | Disabled
12-18-2015 08:25 AM
I have a number of formats for user. How can I create a field extractor that will cover all of them:
session closed for user XXXX
session opened for user XXXX
disconnected by user XXXX
invalid user XXXX
about user XXXX
check pass; user unknown
Invalid user XXXX
user=XXXX (default built into linux_secure)
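As an added example, not from the original thread, here is one `rex` pattern that covers every format listed above that actually carries a username, together with a way to merge it with the built-in extraction without replacing it. It assumes the events are in the `linux_secure` sourcetype and that the built-in extraction already produces a `user` field from the `user=XXXX` form; the capture is therefore named `user_parsed` (an assumed name) and folded into `user` with `coalesce`, so the existing `user=` rule keeps working. The `(?i)` flag makes `invalid user` and `Invalid user` the same case, and `check pass; user unknown` is deliberately left unmatched because it contains no username to extract.

```spl
sourcetype=linux_secure
| rex field=_raw "(?i)(?:(?:for|by|invalid|about)\s+user\s+|user=)(?<user_parsed>\S+)"
| eval user=coalesce(user, user_parsed)
| where isnotnull(user)
| stats count by user
```

Run over the sample lines, `session closed for user XXXX`, `session opened for user XXXX`, `disconnected by user XXXX`, `invalid user XXXX`, `Invalid user XXXX` and `about user XXXX` all yield `user_parsed=XXXX`, while `user=XXXX` comes through the built-in extraction and `check pass; user unknown` yields no user at all. To make the pattern permanent rather than inline, the same regex can be placed in `props.conf` under a `[linux_secure]` stanza as an `EXTRACT-<name>` entry with the capture still named `user_parsed`; keeping the name distinct from `user` is what avoids the replacement problem described in the next post.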
12-18-2015 07:04 AM
I have logs that do not use the default name value format for the user field. When I add a field extractor for my user format and name it "user", the default format of "user=" is no longer included in the search. How do I add to the existing field rule rather than replace it?
12-11-2015 08:58 AM
Python.log for yahoo, outlook and gmail:
2015-12-10 23:30:14,683 Eastern Standard Time ERROR sendemail:115 - Sending email. subject="Splunk Alert: powershell", results_link="http://XXXXXX:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__powershell_at_1449801720_15.4%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now", recipients="[u'crevitch@gmail.com']", server="smtp.mail.yahoo.com:465"
2015-12-11 11:34:11,292 Eastern Standard Time ERROR sendemail:115 - Sending email. subject="Splunk Alert: Failed Login", results_link="http://XXXXXX:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD5dcd2e82a46e9e89f_at_1449840900_21.1114%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now", recipients="[u'crevitch@gmail.com']", server="smtp-mail.outlook.com:587"
2015-12-10 17:57:13,279 Eastern Standard Time ERROR sendemail:115 - Sending email. subject="Splunk Alert: powershell", results_link="http://XXXXXX:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__powershell_at_1449787800_14.1%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now", recipients="[u'crevitch@gmail.com']", server="smtp.gmail.com:587"