Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jonnim
jonnim
Explorer
Member since:
07-15-2013
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 07-15-2013 |
Activity Feed
- Got Karma for How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message?. 06-05-2020 12:48 AM
- Posted How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message? on Getting Data In. 06-03-2016 01:04 AM
- Tagged How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message? on Getting Data In. 06-03-2016 01:04 AM
- Tagged How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message? on Getting Data In. 06-03-2016 01:04 AM
- Tagged How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message? on Getting Data In. 06-03-2016 01:04 AM
- Tagged How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message? on Getting Data In. 06-03-2016 01:04 AM
- Tagged How to edit my props and transforms to extract the correct time from my sample DNS log from a Syslog encapsulated message? on Getting Data In. 06-03-2016 01:04 AM
- Posted Re: How to extract fields from an extracted JSON ingested string on Getting Data In. 05-30-2016 08:23 PM
- Posted How to extract fields from an extracted JSON ingested string on Getting Data In. 05-26-2016 07:49 PM
- Tagged How to extract fields from an extracted JSON ingested string on Getting Data In. 05-26-2016 07:49 PM
- Tagged How to extract fields from an extracted JSON ingested string on Getting Data In. 05-26-2016 07:49 PM
- Tagged How to extract fields from an extracted JSON ingested string on Getting Data In. 05-26-2016 07:49 PM
- Posted Re: How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-07-2016 10:09 PM
- Posted How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-06-2016 07:42 PM
- Tagged How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-06-2016 07:42 PM
- Tagged How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-06-2016 07:42 PM
- Tagged How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-06-2016 07:42 PM
- Tagged How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-06-2016 07:42 PM
- Tagged How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard? on Dashboards & Visualizations. 04-06-2016 07:42 PM
- Posted Re: How to troubleshoot why pivot finalizes before end of search and results are incomplete?d on Splunk Search. 03-01-2016 04:38 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
06-03-2016
01:04 AM
1 Karma
I have DNS log format as follows:
<14>May 25 23:59:19 COL02 Windows: {"Level":"4","Channel":"DNS Server","Version":"","Computer":"DC01.ntadmin.local","EventID":"55555","ExecutionThreadID":"","Keywords":"0x80000000000000","ProviderName":"DNS Server","Message":"25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)","Opcode":"","TimeCreated":"2016-05-25T13:58:50.000000000Z","EventData":"25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)","ExecutionProcessID":"","Task":"0","SecurityUserID":"","EventRecordID":"86253"}
I use the following in props.conf and transforms.conf:
props.conf
[windows]
KV_MODE = JSON
TRANSFORMS-T1_extractJSON = extract-json
TRANSFORMS-T2_win_sourcetype = win_dns
[windows_dns]
KV_MODE = JSON
REPORT-EventData = extract_EventData
TIME_PREFIX= /"Message":"/
TIME_FORMAT = %d/%m/%y %H:%M:%S
SHOULD_LINEMERGE = false
FIELDALIAS-Win:DNS-aliases = Computer AS dest_ip EventID AS eventid host AS dvc opcode AS vendor_query_type packetid AS transaction_id
transforms.conf
[win_dns]
DEST_KEY = MetaData:Sourcetype
REGEX = 55555
FORMAT = sourcetype::windows_dns
CLEAN_KEYS = 0
[extract-json]
SOURCE_KEY = _raw
DEST_KEY = _raw
REGEX = ^([^{]+)(?{.+})$
FORMAT = $2
CLEAN_KEYS = 0
[extract_EventData]
CLEAN_KEYS = 0
SOURCE_KEY = EventData
MV_ADD = 0
FORMAT =
to extract the JSON string to get the following:
5/26/16
1:25:40.000 PM
{ [-]
Channel: DNS Server
Computer: DC01.ntadmin.local
EventData: 25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)
EventID: 55555
EventRecordID: 86253
ExecutionProcessID:
ExecutionThreadID:
Keywords: 0x80000000000000
Level: 4
Message: 25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)
Opcode:
ProviderName: DNS Server
SecurityUserID:
Task: 0
TimeCreated: 2016-05-26T03:21:09.000000000Z
Version:
}
As seen from above the the ingested time is different from the syslog message time. I have tried to use TIME_PREFIX etc, but doesn't work as I think the syslog message is being parsed already. The Syslog time is being extracted into the Message_Time as follows:
Message_Time = 3/06/2016 6:01:55 PM
How can I get this to be the source of truth time?
... View more
05-30-2016
08:23 PM
Just a typo left out the filed names as I was trying something else. Here is the updated SPL.
rex field=EventData "^(?\d\d\/\d\d\/\d\d\d\d)\s(?\d+:\d\d:\d\d\s\w\w)\s(?\d+)\s(?\w+)\s+(?\S+)\s(?\w+)\s(?\w+)\s(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\s+(?\S+)\s(?\w*)\s(?\w*)\s[(?.\S+)\s(?[\w\s]{1,4})\s(?\S+)]\s(?\S+)\s+(\d+)(?\S+)$"
Woodcock- the
TRANSFORMS-extractJSON = extract-json, extract_EventData
Doesn't work - It does not seem to find the EventData filed to extract .. As mentioned before it works during a search but does nit auto extract.
... View more
05-26-2016
07:49 PM
I have DNS log format as follows:
<14>May 25 23:59:19 COL02 Windows: {"Level":"4","Channel":"DNS Server","Version":"","Computer":"DC01.ntadmin.local","EventID":"55555","ExecutionThreadID":"","Keywords":"0x80000000000000","ProviderName":"DNS Server","Message":"25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)","Opcode":"","TimeCreated":"2016-05-25T13:58:50.000000000Z","EventData":"25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)","ExecutionProcessID":"","Task":"0","SecurityUserID":"","EventRecordID":"86253"}
I use the following in props.conf and transforms.conf:
props.conf
[windows]
KV_MODE = JSON
TRANSFORMS-extractJSON = extract-json
TRANSFORMS-win_sourcetype = windows_dns
transforms.conf
[extract-json]
SOURCE_KEY = _raw
DEST_KEY = _raw
REGEX = ^([^{]+)({.+})$
FORMAT = $2
[windows_dns]
DEST_KEY = MetaData:Sourcetype
REGEX = 55555
FORMAT = sourcetype::windows_dns
to extract the JSON string to get the following:
5/26/16
1:25:40.000 PM
{ [-]
Channel: DNS Server
Computer: DC01.ntadmin.local
EventData: 25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)
EventID: 55555
EventRecordID: 86253
ExecutionProcessID:
ExecutionThreadID:
Keywords: 0x80000000000000
Level: 4
Message: 25/05/2016 11:58:26 PM 0820 PACKET 0000000002F797A0 UDP Snd 172.30.235.30 697d R Q [8385 A DR NXDOMAIN] A (4)wpad(7)ntadmin(5)local(0)
Opcode:
ProviderName: DNS Server
SecurityUserID:
Task: 0
TimeCreated: 2016-05-26T03:21:09.000000000Z
Version:
}
which extracts the relevant fields:
Channel
Computer
EventData
EventID
EventRecordID
ExecutionProcessID
ExecutionThreadID
Keywords
Level
Message
Opcode
ProviderName
SecurityUserID
Task
TimeCreated
Version
I now want to further extract fields from the EventData field using the following transform:
transforms.conf
[extract_EventData]
CLEAN_KEYS = 0
REGEX = ^(?\d\d\/\d\d\/\d\d\d\d)\s(?\d+:\d\d:\d\d\s\w\w)\s(?\d+)\s(?\w+)\s+(?\S+)\s(?\w+)\s(?\w+)\s(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\s+(?\S+)\s(?\w*)\s(?\w*)\s\[(?.\S+)\s(?[\w\s]{1,4})\s(?\S+)]\s(?\S+)\s+\(\d+\)(?\S+)$
SOURCE_KEY = EventData
It doesn't work. I have tested the REGEX using SPL :
sourcetype=windows_dns | rex field=EventData "^(?\d\d\/\d\d\/\d\d\d\d)\s(?\d+:\d\d:\d\d\s\w\w)\s(?\d+)\s(?\w+)\s+(?\S+)\s(?\w+)\s(?\w+)\s(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\s+(?\S+)\s(?\w*)\s(?\w*)\s\[(?.\S+)\s(?[\w\s]{1,4})\s(?\S+)]\s(?\S+)\s+\(\d+\)(?\S+)"
That extracts the relevant EventData fields. I cannot get this to work automatically.
... View more
04-07-2016
10:09 PM
somesoni2 - you solution may work if we define alert_action. This is not defined and such cannot be used as a filter. Is there anyway to add a tag to the saved search result?
... View more
04-06-2016
07:42 PM
I have created alerts based on use case for e.g. failed authentications. These alerts pertain to different data sources, - Failed auth on Windows Failed auth on Linux etc. The alerts results go into the _internal index. I want to display the count of these alerts on a dashboard. Currently I am doing this by using the savedsearch_name field and correlating against the :Failed-auth" in the name as follows:
search index=_internal sourcetype=scheduler savedsearch_name="*Failed_Auth*"
However, this makes me dependent on correct naming conventions. I would rather create a tag (say alert-typ=failed-auth) when the alert gets written to the _internal index. I know you can do this using summary indexing, but customer doesn't want to use summary indexing ..Any suggestions?
... View more
03-01-2016
04:38 PM
I have the same problem ... I did a search using the top level of the datamodel (eventtype=xxx) for a unique time range 24th of February. I did the same search eventtype=xxx using SPL for the same time range and I got more results in the SPL query thanm the Pivot query. Incidentally I ran a datamodel query and that seems to work so I don't think its a datamodel issue.
... View more
06-02-2014
10:47 PM
I am trying to export data from the main index to a cloudera hadoop cluster. When I start the scheduled export it saves a cursor on the hadoop side but no files are transferred even though I have 230 MB of data indexed. I tried to re-install, Splunk but the same thing is happening. I suspect that Splunk thinks that the data has been exported already. It says last completed run 33 days ago.
How do I reset this to assume nothing has been exported
How do I get the data to be exported?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
