Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About CREVITCH
CREVITCH
Path Finder
Member since:
10-26-2015
06-05-2020
Community Statistics
| Posts | 31 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 10-26-2015 |
Activity Feed
- Got Karma for Re: Why am I unable to forward logs from a Linux machine to Windows using Splunk 6.3?. 06-05-2020 12:47 AM
- Posted How to schedule a daily report of logins over time? on Reporting. 01-26-2016 02:42 PM
- Tagged How to schedule a daily report of logins over time? on Reporting. 01-26-2016 02:42 PM
- Posted Re: What is the best way to set up a scheduled search to alert if there are more than 5 events from a specific user? on Alerting. 01-26-2016 11:25 AM
- Posted What is the best way to set up a scheduled search to alert if there are more than 5 events from a specific user? on Alerting. 01-26-2016 11:06 AM
- Tagged What is the best way to set up a scheduled search to alert if there are more than 5 events from a specific user? on Alerting. 01-26-2016 11:06 AM
- Posted Re: How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:57 PM
- Posted How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:56 PM
- Tagged How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:56 PM
- Tagged How to create dashboards so they update/refresh search results? on Splunk Search. 01-19-2016 02:56 PM
- Posted Re: Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 11:03 AM
- Posted Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 09:25 AM
- Tagged Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 09:25 AM
- Tagged Is there a way to display the time when a dashboard panel updated? on Dashboards & Visualizations. 01-19-2016 09:25 AM
- Posted Re: alerts triggering continuously on Alerting. 01-14-2016 05:33 AM
- Posted alerts triggering continuously on Alerting. 01-13-2016 02:53 PM
- Tagged alerts triggering continuously on Alerting. 01-13-2016 02:53 PM
- Posted Re: How to edit my search to only return results that exceed a certain count within a time window? on Splunk Search. 01-13-2016 12:57 PM
- Posted Re: Is there a way to save the results for parts of a search so when I modify the tail end, I don't have to run the whole search? on Splunk Search. 01-13-2016 07:23 AM
- Posted Re: How to edit my search to only return results that exceed a certain count within a time window? on Splunk Search. 01-13-2016 07:19 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-26-2016
02:42 PM
I want to report the number of logins on my system by day. Is there some way to schedule the 24 hour search every day and show a chart of the daily counts so far? I am thinking this is more efficient than searching the daily count over the history of the index.
... View more
01-26-2016
11:06 AM
I am looking to do a search every minute, and see if there are more than 5 events from a specific user. If so, I need to trigger an alert. I have this running as a scheduled search every minute, and it seems to be working. Is there a better way to do this? Should I be scheduling the search every hour and look for login events >5 in 1 minute windows? If so, how would I do that.
My current search looks like this
user=* | eventstats count by user | where count > 5
start time -6m
finish time -5m
run every minute
... View more
01-19-2016
02:57 PM
also is there any way to just display the results of an alert on a dashboard? The schedule is already in the alert. It would be nice to just display the results rather than create a new search.
... View more
01-19-2016
02:56 PM
I save dashboards from both search and report, and it appears that the dashboards run the search every time it is brought up, but does not refresh after that. I have read that it is supposed to display the cached search. What is the proper way to create dashboards so that they update properly. Is there a way to do this from Splunk Web or only in XML?
... View more
01-19-2016
11:03 AM
thanks! this works!
... View more
01-19-2016
09:25 AM
Is there any way to display the time when a dashboard panel updated? I am scheduling a report, adding it to a dashboard, and would like to know when the report ran that is displayed on the dashboard.
... View more
01-13-2016
02:53 PM
I am saving the following alerts:
"user=* | search failed | dedup _raw"
real time 60 second window. It triggers only when new event with “failed” is detected.
"user=* | search failed | dedup _raw | stats count by user"
real time 60 second window. It alerts continuously
how do I get the second alert to trigger only when a new event is detected?
... View more
01-13-2016
12:57 PM
your current search ...| where count > [ search your search to get get threshold for move 5 min window | return $yourthreshold ]
This looks like what I want but not sure of the syntax. I am fine with a fixed thresshold. How do I search for a count of events in a moving 5 minute window that have the string "failed", and output the count when it exceeds a fixed thresshold?
... View more
01-13-2016
07:23 AM
the dedup _raw takes so long I am hoping to store its result to pipe to subesequent searches. I need to do thsi step because I have many duplicate events for some reason.
... View more
01-13-2016
07:19 AM
Thanks. Is there a way to do this for count over a moving time window for stored events? Right now the count is the total over the interval defined by the time range picker. In other words, is there a way to count events by user that exceed a threshold within a moving 5 minute time window over my event history?
... View more
01-12-2016
02:13 PM
I would like to issue the following search, but only get results that exceed a count within a time window. I see how to set an alert to do this, but I just want to search my current stored events. How do I do this in a search?
user=* action=* | stats count by user, action
... View more
01-12-2016
11:11 AM
If I only have one index and one sourcetype, will this speed things up? I want to look at all events, and not just within a time window.
Is there a way to reuse the results of a search?
... View more
01-12-2016
11:10 AM
I am looking to group events by transaction. Will the stats command do this for me?
I have a lot of events. By doing user=*, I narrow it to login events since they have a user field. I end up with duplicate events, and I go through dedup. Finally i am left with events, some of which group together (i.e. password accepted and session opened). This is why I want to group as transactions: want to preserve individual events, but want to know the number of independent transactions.
It would be nice to know if there is a way to re-use the results of previous searches. Is there a way to do this?
... View more
01-12-2016
08:31 AM
I am executing the following search and it is taking a long time to execute. Is there a way to save the results of parts of a search so that when I modify the tail end I don't have to run the whole search? I.e. can I save the results of user=* | dedup _ raw and then run those saved results through subsequent searches?
user=* | dedup _raw | transaction user date_minute date_second
... View more
01-11-2016
11:31 AM
turned out to be fast mode. when I changed to smart mode the fields were extracted properly. Thanks!
... View more
01-11-2016
11:27 AM
I am trying to chart different types of login events. I believe that the fields were extracted by the *nix app in logs from /var/log/secure.
For example, if I have 100 events, I have found that I can group them into non overlapping groups that total to 100 in the following way:
eventtype=failed_login
vendor_action=session open
vendor_action=accepted
I can create 2 new event types to cover session open and accepted.
I want to be able to do something like "stats count by eventtype" but eventtype alone generates overlapping groups of events since one event can have multiple eventtypes. Is there some way I can eliminate the unwanted event types?
... View more
01-08-2016
10:16 AM
How do I select different sourcetypes for multiple logs coming from multiple servers (no universal forwarders, using rsyslog.conf)? When I set up the input port, it only offers one type of sourcetype choice.
... View more
01-07-2016
12:25 PM
Thanks. However I do have one configuration that extracts the fields. On the second one it does not. It seems to be built into the *nix app, but not clear why it is not working. I would rather not create field extractors if they already exist.
The one that works has this configuration for file and directory local data inputs. I tried to set a new input that looks like this on the system that was not working but SA-nix was not one of the app choices.
path set host source type dest index app status
/var/log/secure constant value linux_secure default SA-nix enabled
... View more
