Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jizzmaster
jizzmaster
Path Finder
Member since:
01-12-2015
06-05-2020
Community Statistics
| Posts | 41 |
| Solutions | 2 |
| Karma Given | 5 |
| Karma Received | 15 |
| Member Since | 01-12-2015 |
Activity Feed
- Got Karma for Re: Collecting to a summary index not working. 03-23-2022 12:32 PM
- Karma Re: Get percentage between two graph lines over time for bmacias84. 06-05-2020 12:47 AM
- Karma Re: inputlookup not returning all rows for steveyz. 06-05-2020 12:47 AM
- Karma "One or more machines does not meet the recommended minimum system requirements. Review the documentation for details." How do I get rid of this message? for brent_weaver. 06-05-2020 12:47 AM
- Got Karma for Could not create Splunk settings directory at '/root/.splunk'. 06-05-2020 12:47 AM
- Got Karma for Could not create Splunk settings directory at '/root/.splunk'. 06-05-2020 12:47 AM
- Got Karma for Re: How to create a new key-value pair name and value based on text within a log?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Why am I getting error "(JRE) version 1.8 is not supported by this driver" trying to connect to a MS SQL Database?. 06-05-2020 12:47 AM
- Got Karma for How do I get Splunk DB Connect 2 to recognize the Timestamp column in my MS SQL database?. 06-05-2020 12:47 AM
- Got Karma for How do I get Splunk DB Connect 2 to recognize the Timestamp column in my MS SQL database?. 06-05-2020 12:47 AM
- Got Karma for How do I get Splunk DB Connect 2 to recognize the Timestamp column in my MS SQL database?. 06-05-2020 12:47 AM
- Got Karma for Re: Collecting to a summary index not working. 06-05-2020 12:47 AM
- Got Karma for Re: Collecting to a summary index not working. 06-05-2020 12:47 AM
- Got Karma for Re: inputlookup not returning all rows. 06-05-2020 12:47 AM
- Got Karma for Re: inputlookup not returning all rows. 06-05-2020 12:47 AM
- Got Karma for Re: Why is deployment client not picking up changes to an app deployed from deployment server?. 06-05-2020 12:47 AM
- Got Karma for Re: DB Connect 2.0.1 shows NOT SUPPORTED TYPE for MySQL TINYINT. 06-05-2020 12:47 AM
- Got Karma for Re: "One or more machines does not meet the recommended minimum system requirements. Review the documentation for details." How do I get rid of this message?. 06-05-2020 12:47 AM
- Karma Re: Subtraction for ccsfdave. 06-05-2020 12:46 AM
- Karma Re: inputlookup not returning all the rows in csv file for strive. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 |
12-23-2015
06:21 AM
1 Karma
Renaming the file, as my previous answer suggested, does not stop the alerts. What appears to work is editing the search query that triggers this alert.
Go to /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/savedsearches.conf
Copy out the [Audit - ES System Requirements] stanza
Paste it into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf
Edit the appropriate test, such as "numberOfCores" or "physicalMemoryMB"
... View more
12-08-2015
07:52 AM
The answer went "beyond" the question by not answering the actual question. Read the question, "How do I get it to stop, regardless of my system requirements?" I repeat, "regardless of my system requirements." This site is called answers.splunk.com, not Im-gonna-tell-you-how-to-run-your-splunk-instance-because-I-know-your-environment-and-needs-better-than-you.splunk.com. It did not answer the question therefore it should not be considered an answer.
I'm not disagreeing on the points made about the effectiveness of the documented minimum requirements. They are sound. And belong in the answers for a question asking if it is ok to run a Splunk box under the minimum requirements. But that is not this question here.
... View more
12-08-2015
07:43 AM
A Python script performs the check that kicks out the alert in question.
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/configuration_checks/confcheck_es_system_requirements.py
Renaming this file (to something like confcheck_es_system_requirements.bak) seems to effectively stop in from running and stop the alerts.
While it is not the proper way to run Splunk, this addresses the question asked. I'm not going to tell you how to run your Splunk instance. You know your environment better than anyone else here. We all know what the term "minimum requirements" means. The question is not asking for people to tell him to upgrade to the minimum requirements, which is the straightforward alert verbiage.
... View more
12-07-2015
10:41 AM
I downvoted this post because it doesn't answer the question that was asked.
... View more
11-03-2015
09:07 AM
I have an app that is not removing/deleting the files after consuming them. They are indexed appropriately, but just not deleted afterwards.
inputs.conf
[batch:///opt/splunk/etc/apps/my-special-app/pickup/*.json]
index = test
sourcetype = nessus_json
move_policy = sinkhole
I have tested this on a second Splunk box and the exact same app will correctly remove the files after indexing them. I can't tell where the issue may be on this main Splunk box, however. Any suggestions?
On Splunk v6.2.1. This worked a month or so ago. I'd rather figure out the cause before moving to upgrade the Splunk instance.
... View more
08-11-2015
11:30 AM
1 Karma
http://answers.splunk.com/answers/139821/inputlookup-not-returning-all-the-rows-in-csv-file.html
Seems that double quotes affect this. I had six entries with double quotes. I removed them and now I'm getting all my results. Seems that inbetween the lines with quotes was about 15,000 lines.
So, why would double quotes affect a csv lookup file? Rows are determined via linebreaks. And columns are determined by commas.
... View more
08-11-2015
11:26 AM
I'm creating it via a bash shell script that is using the sqlcmd command provided by the Microsoft MS-SQL driver (this is on a RHEL6 box) to query the database and create the file. The output overwrites the previous csv in a lookup folder every morning.
... View more
08-11-2015
11:23 AM
1 Karma
I figured the username should fit with the product ...
max_memtable_bytes is 10MB but my csv is 4.5MBs.
... View more
08-11-2015
11:19 AM
Only 1 line per event in my csv lookup file. I'm trying to find some rhyme and reason to which rows are missing.
... View more
08-11-2015
11:16 AM
Why would quotes affect this? A csv is split by linebreaks for rows, and commas for columns.
... View more
08-11-2015
11:02 AM
Also, when performing additional searches through Splunk on this lookup file, there are missing fields. When I search for it in the actual file, the rows I'm looking for are there.
This is the command I use to search through the lookup table:
|inputlookup resources.csv |search host_name=2AH39911B
And yes, the "host_name" field exists. As does the specific host_name I'm searching for. No results in the Splunk search though.
... View more
08-11-2015
10:59 AM
I have a csv file as a lookup, named "resources.csv." Looking at the actual file, it has about 30,000 lines. In the Splunk search, I am only getting about 15,000 results, though. I'm using the following command to view the lookup table:
|inputlookup resources.csv
The csv file is updated through a script I have running each morning. I have restarted the searchhead that this lookup file is being read by. Nothing has seemed to work. Still only about 15,000 results from the inputlookup command.
Any suggestions?
... View more
- Tags:
- inputlookup
07-31-2015
01:17 PM
I went with the 2nd option as I'm not very familiar with appendcols and it didn't work immediately for me. It said I had to use a chart option instead of a table. But the 2nd option with the join works great. Thank you.
... View more
07-31-2015
12:45 PM
I have two numbers that I am trying to get a percentage out of. One number is a count of total IPs. The other is a count of asset records. I want to know what percentage of total IPs have an asset record. That's "asset/total" for a proportion. Easy enough.
Now the part that is stumping me. I summarize the "asset" number and the "total" number each day into a summary index. So I have a running number for each. I would like to have a graph showing the "total" count, the "asset" count, and a new field, "percentage." How can I have Splunk start at 30 days back, compare these two numbers to create a percentage, then do the same things for days 29-1 and make it into a visual graph?
Here's my current attempt at doing it for just the most recent summary info. Not sure how to approach the 30 days, though.
index=summary source="assets" earliest=-1d
|eval proportion=count/[search index=summary source="total" earliest=-1d |return $count]
|table proportion
... View more
07-06-2015
08:07 AM
3 Karma
Turns out that it was indexing, just with a completely wrong date and timestamp. I could not find much rhyme or reason to when it applied the timestamp, but it was not the first or the last timestamp of the data it was pulling from.
Anyway, adding "|eval _time=now()" worked perfectly. Timestamps and summary indexing now being applied as I expect it to be. Timestamps are from when the saved search begins, not dependent on timestamps within the logs it is searching on.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
