Activity Feed
- Got Karma for Configure triggered alert expiration. 4 weeks ago
- Posted How to get special characters in logs recognized by Splunk by default? on Splunk Search. 10-26-2022 02:41 AM
- Karma Re: What would be the recommended Log Levels for the different Audit Log channels? for richgalloway. 10-10-2022 10:37 PM
- Posted What would be the recommended Log Levels for the different Audit Log channels? on Security. 10-10-2022 02:59 AM
- Posted Re: Calcualte Duration on Splunk Search. 06-03-2022 05:24 AM
- Posted How to calculate duration? on Splunk Search. 06-03-2022 05:01 AM
- Posted Re: How to Parse EMR Log to generate table output? on Splunk Search. 03-24-2022 11:26 PM
- Posted How to Parse EMR Log to generate table output? on Splunk Search. 03-24-2022 06:47 AM
- Posted Re: Splunk SmartStore and searchable Events when using S3 and Glacier on Splunk Search. 06-08-2021 03:54 AM
- Posted Splunk SmartStore and searchable Events when using S3 and Glacier on Splunk Search. 06-07-2021 05:23 AM
- Got Karma for Multiple fields extraction,m using props.conf. 06-05-2020 12:49 AM
- Got Karma for No tcpin_connections (group) for _internal index. 06-05-2020 12:48 AM
- Karma Re: Splunk DB Connect : Connection Refused for jkat54. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect : Connection Refused. 06-05-2020 12:47 AM
- Posted Re: How to format alerts email message in alert search, and split the message over multiple lines on Alerting. 11-22-2019 01:43 AM
- Posted How to format alerts email message in alert search, and split the message over multiple lines on Alerting. 11-22-2019 12:05 AM
- Tagged How to format alerts email message in alert search, and split the message over multiple lines on Alerting. 11-22-2019 12:05 AM
- Posted Why is my Splunk Machine Learning Toolkit's Alert Name just a (generated) number? on All Apps and Add-ons. 05-20-2019 11:01 PM
- Posted Re: How to add an additional backslash to source? on Splunk Search. 01-04-2019 12:27 AM
- Posted How to add an additional backslash to source? on Splunk Search. 01-03-2019 11:21 PM
Topics I've Started
10-26-2022
02:41 AM
Hi,
Log format is JSON
I have a Field named Organization
Now when Organization = "Systèmes", this has the following consequences:
--
When doing a search with Organization = "Systèmes" (and doing e.g. a table output), I get no results.
When doing a search with Organization = Syst* (and doing e.g. a table output), I get results.
--
I am wondering why Splunk would not recognize this è in the search ...
I read different topics where CHARSET in props.conf was suggested, but shouldn't Splunk recognize this è by default?
And what would be the solution to get this recognized by Splunk by default?
Thanks in advance!
Edwin
Tags: Field Value. Labels: fields.
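The symptom above (exact match fails, a trailing wildcard matches) is what an encoding mismatch looks like once the value is decoded: the bytes on disk were written in one charset and decoded at ingest in another, so the stored field is "Syst?mes" or "SystÃ¨mes" rather than "Systèmes". The following is an added example, not code from the original post, that reproduces the decode step in Python; the JSON event is constructed, and the `errors="replace"` behaviour and the suggested charset names are assumptions for the demo, not a model of Splunk's internals.

```python
"""Reproduce why a non-ASCII field value can fail an exact match after ingest."""
import json

TERM = "Systèmes"

# Constructed sample: the same JSON event written once as UTF-8 and once as
# Latin-1 (ISO-8859-1). Only the byte(s) for 'è' differ.
EVENT = {"Organization": TERM, "action": "login"}
RAW_UTF8 = json.dumps(EVENT, ensure_ascii=False).encode("utf-8")
RAW_LATIN1 = json.dumps(EVENT, ensure_ascii=False).encode("latin-1")


def decode_as(raw: bytes, charset: str) -> str:
    """Decode raw bytes with the charset the indexer was told to use.

    errors="replace" stands in for an ingest path that keeps going on bad
    input instead of dropping the event (an assumption for this demo).
    """
    return raw.decode(charset, errors="replace")


def field_value(raw: bytes, charset: str) -> str:
    """Decode, parse the JSON, and return the Organization field."""
    return json.loads(decode_as(raw, charset))["Organization"]


def exact_match(value: str, term: str) -> bool:
    """Organization="Systèmes" style comparison."""
    return value == term


def wildcard_match(value: str, prefix: str) -> bool:
    """Approximates a trailing-wildcard search such as Organization=Syst*."""
    return value.startswith(prefix)


def diagnose(raw: bytes) -> dict:
    """Report whether the raw event is valid UTF-8.

    A strict UTF-8 decode that raises is the tell-tale sign that the source
    is not UTF-8 and a CHARSET needs to be set for that sourcetype; the
    fallback name suggested here is an assumption, check the real source.
    """
    try:
        raw.decode("utf-8")
        return {"utf8_valid": True, "suggested_charset": "UTF-8"}
    except UnicodeDecodeError:
        return {"utf8_valid": False, "suggested_charset": "ISO-8859-1"}


if __name__ == "__main__":
    for label, raw in (("utf-8 bytes", RAW_UTF8), ("latin-1 bytes", RAW_LATIN1)):
        value = field_value(raw, "utf-8")
        print(label, "decoded as UTF-8 ->", repr(value),
              "exact:", exact_match(value, TERM),
              "Syst*:", wildcard_match(value, "Syst"),
              diagnose(raw))
```

Run it and the Latin-1 input decoded as UTF-8 yields a replacement character in place of è, so the exact search misses while `Syst*` still hits; decoding UTF-8 bytes as Latin-1 gives the other familiar mojibake, "SystÃ¨mes". `diagnose()` is the quick check to run on a raw sample file before touching props.conf.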
10-10-2022
02:59 AM
Hi All,
This is more a general inquiry
I noticed that the _audit index collects a lot of activity, but it doesn't really tell in detail what has actually been done (if anything at all): edit user / edit role / edit index / remove ...
What would be the recommended Log Levels for the different Audit Log channels?
If I would like to see in details what has been changed for a certain index, what Log channel(s) and what Log Level(s) would result in showing that information?
Note, that in our environment any changes to indexes are done in the (Linux) server directly, not using the UI
Thanks in advance!
Edwin
Labels: audit.
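Where index changes are made by editing files on the server rather than through the UI or REST API, the practical way to answer "what changed for this index" is to compare snapshots of indexes.conf itself. The block below is an added example, not from the original post and not a Splunk feature: it parses two constructed indexes.conf snapshots into stanzas, fingerprints each stanza, and reports per-index which keys changed. Storing the fingerprints as a baseline and alerting on a mismatch is the file-integrity angle a security reviewer would want.

```python
"""Diff two snapshots of a Splunk indexes.conf and report per-stanza changes."""
import hashlib
from typing import Dict

# Constructed samples: a "before" baseline and an "after" snapshot in which
# retention on the security index was cut and the web index stanza removed.
BEFORE = """\
[default]
maxTotalDataSizeMB = 500000

[security]
homePath = $SPLUNK_DB/security/db
coldPath = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
frozenTimePeriodInSecs = 31536000

[web]
homePath = $SPLUNK_DB/web/db
coldPath = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
"""

AFTER = """\
[default]
maxTotalDataSizeMB = 500000

[security]
homePath = $SPLUNK_DB/security/db
coldPath = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
# retention cut from one year to one week
frozenTimePeriodInSecs = 604800
coldToFrozenDir = /tmp/frozen
"""

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Minimal parser for Splunk's INI-style .conf files.

    Keeps key case (configparser would lowercase it), skips blank lines and
    '#' comments, and does not try to resolve $SPLUNK_DB.
    """
    stanzas: Stanzas = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanza_hash(settings: Dict[str, str]) -> str:
    """Order-independent fingerprint of one stanza, suitable as a stored baseline."""
    canon = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_conf(before: str, after: str) -> Dict[str, dict]:
    """Return added/removed stanzas and, for changed stanzas, (old, new) per key."""
    old, new = parse_conf(before), parse_conf(after)
    report: Dict[str, dict] = {}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            report[name] = {"status": "removed"}
        elif name not in old:
            report[name] = {"status": "added", "settings": new[name]}
        elif stanza_hash(old[name]) != stanza_hash(new[name]):
            changed = {
                k: (old[name].get(k), new[name].get(k))
                for k in sorted(set(old[name]) | set(new[name]))
                if old[name].get(k) != new[name].get(k)
            }
            report[name] = {"status": "changed", "keys": changed}
    return report


if __name__ == "__main__":
    for stanza, change in diff_conf(BEFORE, AFTER).items():
        print(stanza, change)
```

On the samples this reports the security stanza as changed (frozenTimePeriodInSecs 31536000 to 604800, coldToFrozenDir newly set) and the web stanza as removed, while the untouched default stanza is silent. Run it against the real file under $SPLUNK_HOME/etc (system/local and each app's local directory) on a schedule, or feed the hashes into your file-integrity tooling.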
06-03-2022
05:01 AM
Hi,
I try to calculate the duration
I have extracted 2 fields, start_time and end_time
--
I believe both times should be in the exact same format in order to successfully calculate the duration
start_time = 2022-06-03T02_11_50
end_time = 2022-06-03T03:48:06
--
I have been puzzling for some time now, but how do I get the start_time in the same format as the end_time? ...
Thanks for help in advance!
Edwin
Tags: splunk-search. Labels: eval, field extraction, rex.
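The two values in the post differ only in the separator inside the time part (underscores versus colons). Below is an added example, not from the original post, that accepts either form, normalises it, and returns a signed duration; the inputs are the two values from the post plus a constructed reversed pair. Whether the underscore form came from a filename or from the log text is not known, so the parser simply accepts both separators.

```python
"""Normalise two differently formatted timestamps and compute their duration."""
import re
from datetime import datetime, timedelta

# Constructed samples: the pair from the post, then the same pair reversed.
PAIRS = [
    ("2022-06-03T02_11_50", "2022-06-03T03:48:06"),
    ("2022-06-03T03_48_06", "2022-06-03T02:11:50"),
]

# Date, 'T', then HH MM SS separated by either ':' or '_'. Anchored so a
# value with extra trailing text is rejected rather than silently truncated.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2})[:_](\d{2})[:_](\d{2})$")


def normalize_ts(value: str) -> str:
    """Return the value as YYYY-MM-DDTHH:MM:SS, or raise on unknown input."""
    m = _TS.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    date, hh, mm, ss = m.groups()
    return f"{date}T{hh}:{mm}:{ss}"


def parse_ts(value: str) -> datetime:
    """Parse either separator style into a datetime (naive, as in the log)."""
    return datetime.strptime(normalize_ts(value), "%Y-%m-%dT%H:%M:%S")


def duration_seconds(start: str, end: str) -> int:
    """Seconds from start to end; negative means end precedes start.

    Keeping the sign (instead of abs()) leaves clock skew and mis-extracted
    fields visible rather than hiding them as a plausible positive duration.
    """
    delta: timedelta = parse_ts(end) - parse_ts(start)
    return int(delta.total_seconds())


if __name__ == "__main__":
    for start, end in PAIRS:
        print(start, "->", end, "=", duration_seconds(start, end), "s")
```

The same idea in SPL is `strptime(start_time, "%Y-%m-%dT%H_%M_%S")` for the underscore field and `%H:%M:%S` for the other, then subtracting the two epoch values; the underscore in the format string is the whole trick.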
03-24-2022
11:26 PM
3/25/22
6:07:02.000 AM
Date: Fri, 25 Mar 2022 06:07:02 GMT
x-amz-bucket-region: us-east-1
x-amz-access-point-alias: false
Content-Type: application/xml
Server: AmazonS3
# Now traceroute it
traceroute -T --sport=17241 -p 443 -w 3 -n -m 10 elasticmapreduce.s3.amazonaws.com
traceroute to elasticmapreduce.s3.amazonaws.com (52.217.108.28), 10 hops max, 60 byte packets
1 10.119.0.247 0.110 ms 0.078 ms 0.100 ms
2 * * *
3 * * *
4 * * *
5 * * 241.0.10.12 0.854 ms
6 241.0.10.15 0.799 ms 241.0.9.199 0.842 ms 240.1.100.16 0.823 ms
7 240.1.100.19 0.742 ms 240.1.100.24 0.714 ms 240.1.100.20 0.818 ms
8 242.3.185.1 16.959 ms 26.163 ms 242.3.183.129 1.169 ms
9 100.95.3.19 1.328 ms 100.95.19.31 1.364 ms 100.95.3.17 1.308 ms
10 100.91.176.205 66.646 ms 100.91.176.217 66.800 ms 100.91.177.131 65.994 ms
# listing of last logged in users
last -w -n 25
reboot system boot 4.14.241-184.433.amzn2.x86_64 Fri Mar 25 05:15 - 06:07 (00:51)
reboot system boot 4.14.241-184.433.amzn2.x86_64 Fri Aug 6 20:41 - 20:51 (00:09)
wtmp begins Fri Aug 6 20:41:09 2021
# whats io usage look like
iostat -x 1 5
Linux 4.14.241-184.433.amzn2.x86_64 (ip-10-20-30-40) 03/25/22 _x86_64_ (32 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
12.27 0.00 1.28 2.72 0.00 83.73
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
nvme1n1 0.00 5.11 0.24 68.54 5.32 14455.52 420.51 0.49 8.54 0.18 8.57 1.42 9.77
nvme2n1 0.00 0.28 0.14 61.21 2.22 15169.38 494.59 0.51 10.06 0.18 10.08 1.69 10.34
nvme3n1 0.00 0.40 0.14 56.51 2.22 13949.54 492.62 0.46 9.86 0.25 9.88 1.65 9.36
nvme4n1 0.00 0.40 0.14 58.78 2.22 14544.40 493.83 0.50 10.09 0.19 10.12 1.69 9.95
nvme0n1 0.02 6.74 7.85 5.38 276.56 897.95 177.55 0.04 4.61 2.02 8.41 0.83 1.10
dm-0 0.00 0.00 0.06 0.53 1.04 64.44 221.22 0.01 9.97 0.19 11.07 0.77 0.05
dm-1 0.00 0.00 0.06 24.40 1.07 14390.98 1176.70 53.67 2193.89 0.25 2199.03 4.09 10.00
dm-2 0.00 0.00 0.06 10.22 1.04 15169.34 2951.65 50.23 4886.42 35.81 4915.42 10.09 10.37
dm-3 0.00 0.00 0.06 9.96 1.04 13949.50 2783.36 36.04 3595.08 0.25 3617.01 9.37 9.40
dm-4 0.00 0.00 0.06 10.00 1.04 14544.36 2891.29 42.12 4185.86 0.29 4211.43 9.93 9.99
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.06 0.00 0.00 99.94
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
nvme1n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme2n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme3n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme4n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme0n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-2 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-3 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-4 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
0.31 0.00 0.19 0.06 0.00 99.44
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
nvme1n1 0.00 0.00 0.00 1.00 0.00 4.00 8.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme2n1 0.00 0.00 0.00 34.00 0.00 8388.00 493.41 0.06 2.24 0.00 2.24 0.59 2.00
nvme3n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme4n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme0n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 1.00 0.00 4.00 8.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-2 0.00 0.00 0.00 6.00 0.00 8388.00 2796.00 0.06 9.33 0.00 9.33 3.33 2.00
dm-3 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-4 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.09 0.06 0.00 99.84
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
nvme1n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme2n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme3n1 0.00 246.00 0.00 68.00 0.00 12784.00 376.00 0.09 1.76 0.00 1.76 0.47 3.20
nvme4n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme0n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-2 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-3 0.00 0.00 0.00 275.00 0.00 12784.00 92.97 4.86 17.69 0.00 17.69 0.12 3.20
dm-4 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
6.64 0.00 0.22 0.00 0.00 93.14
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
nvme1n1 0.00 0.00 1.00 0.00 16.00 0.00 32.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme2n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme3n1 0.00 0.00 1.00 0.00 16.00 0.00 32.00 0.00 0.00 0.00 0.00 0.00 0.00
nvme4n1 0.00 0.00 1.00 0.00 16.00 0.00 32.00 0.00 4.00 4.00 0.00 0.00 0.00
nvme0n1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 1.00 0.00 16.00 0.00 32.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-2 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-3 0.00 0.00 1.00 0.00 16.00 0.00 32.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-4 0.00 0.00 1.00 0.00 16.00 0.00 32.00 0.00 4.00 4.00 0.00 4.00 0.40
# whats memory usage look like
free -m
total used free shared buff/cache available
Mem: 255139 27090 187176 4 40872 225853
Swap: 0 0 0
# trend memory
vmstat 1 5
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
r b swpd free buff cache si so bi bo in cs us sy id wa st
2 0 0 191668400 8632 41844724 0 0 9 1845 51 221 12 1 84 3 0
15 0 0 187757920 8632 41845156 0 0 0 0 196146 187847 35 18 47 0 0
15 0 0 186603456 8632 41845280 0 0 0 0 23810 17182 45 3 52 0 0
15 0 0 186288448 8632 41845312 0 0 0 288 5776 3159 47 1 52 0 0
19 0 0 186075552 8632 41845632 0 0 0 0 119725 126526 32 7 61 0 0
# amount of disk free
df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 125G 0 125G 0% /dev
tmpfs 125G 0 125G 0% /dev/shm
tmpfs 125G 768K 125G 1% /run
tmpfs 125G 0 125G 0% /sys/fs/cgroup
/dev/nvme0n1p1 10G 5.5G 4.6G 55% /
/dev/mapper/nvme1n1p1 5.0G 213M 4.8G 5% /emr
/dev/mapper/nvme1n1p2 123G 9.4G 114G 8% /mnt
/dev/mapper/nvme2n1 128G 11G 118G 8% /mnt1
/dev/mapper/nvme3n1 128G 8.1G 120G 7% /mnt2
/dev/mapper/nvme4n1 128G 8.7G 120G 7% /mnt3
tmpfs 25G 0 25G 0% /run/user/990
tmpfs 25G 0 25G 0% /run/user/991
tmpfs 25G 0 25G 0% /run/user/0
set +o verbose
Top 10 folders in /emr in MB:
172 /emr/instance-controller/lib/bootstrap-actions/2
3 /emr/instance-state
1 /emr/setup-devices
1 /emr/logpusher/run
1 /emr/logpusher/log
1 /emr/logpusher/db
1 /emr/instance-controller/run
1 /emr/instance-controller/log/system-actions/3
1 /emr/instance-controller/log/system-actions/2
1 /emr/instance-controller/log/system-actions/1
Top 20 folders including subdirectories in /emr in MB:
176 /emr
173 /emr/instance-controller
172 /emr/instance-controller/lib
172 /emr/instance-controller/lib/bootstrap-actions
172 /emr/instance-controller/lib/bootstrap-actions/2
3 /emr/instance-state
1 /emr/apppusher
1 /emr/apppusher/log
1 /emr/apppusher/run
1 /emr/instance-controller/db
1 /emr/instance-controller/lib/bootstrap-actions/1
1 /emr/instance-controller/lib/info
1 /emr/instance-controller/lib/sslKeys
1 /emr/instance-controller/log
1 /emr/instance-controller/log/bootstrap-actions
1 /emr/instance-controller/log/bootstrap-actions/1
1 /emr/instance-controller/log/bootstrap-actions/2
1 /emr/instance-controller/log/system-actions
1 /emr/instance-controller/log/system-actions/1
1 /emr/instance-controller/log/system-actions/2
# dump network statistics
netstat -s -e
Ip:
27677847 total packets received
3 with invalid addresses
0 forwarded
0 incoming packets discarded
27677843 incoming packets delivered
18440811 requests sent out
3 outgoing packets dropped
31 dropped because of missing route
Icmp:
73 ICMP messages received
55 input ICMP message failed.
ICMP input histogram:
destination unreachable: 12
timeout in transit: 55
echo replies: 6
6 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
echo request: 6
IcmpMsg:
InType0: 6
InType3: 12
InType11: 55
OutType8: 6
Tcp:
6584 active connections openings
4777 passive connection openings
56 failed connection attempts
48 connection resets received
150 connections established
27676466 segments received
48951171 segments send out
6558 segments retransmited
0 bad segments received.
7645 resets sent
Udp:
1307 packets received
0 packets to unknown port received.
0 packet receive errors
10621 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
TcpExt:
12160 packets pruned from receive queue because of socket buffer overrun
5265 TCP sockets finished time wait in fast timer
18967 delayed acks sent
335 delayed acks further delayed because of locked socket
Quick ack mode was activated 474 times
17105542 packet headers predicted
4513674 acknowledgments not containing data payload received
4324063 predicted acknowledgments
123 times recovered from packet loss by selective acknowledgements
Detected reordering 33 times using time stamp
1 congestion windows partially recovered using Hoe heuristic
TCPLostRetransmit: 269
6392 fast retransmits
1 other TCP timeouts
TCPLossProbes: 250
11732 packets collapsed in receive queue due to low socket buffer
478 DSACKs sent for old packets
19 DSACKs sent for out of order packets
198 DSACKs received
358 connections reset due to unexpected data
1137 connections reset due to early user close
TCPDSACKIgnoredNoUndo: 187
TCPSackShifted: 19344
TCPSackMerged: 9843
TCPSackShiftFallback: 2633
TCPRcvCoalesce: 10144666
TCPOFOQueue: 404026
TCPOFOMerge: 18
TCPChallengeACK: 5
TCPAutoCorking: 3105716
TCPFromZeroWindowAdv: 12071
TCPToZeroWindowAdv: 12071
TCPWantZeroWindowAdv: 806608
TCPSynRetrans: 1
TCPOrigDataSent: 36414854
TCPHystartTrainDetect: 205
TCPHystartTrainCwnd: 8723
TCPACKSkippedSeq: 28
TCPACKSkippedChallenge: 150
TCPWinProbe: 2
IpExt:
InOctets: 170168321507
03-24-2022
06:47 AM
I have log events (each about 260 lines) related to our AWS EMR cluster 'performance' metrics. It seems it's just a collection of output from certain Linux commands.
--
If I want to parse e.g. the free -m output, to generate some table output / timechart out of those, how would I start to parse these (assuming it's possible)?
Extract New Fields, using a regular expression, didn't seem to work ...
Labels: field extraction, rex, table, timechart.
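The event pasted above has a regular shape: a `# comment` line, the command, then its output until the next `# comment`. That structure, not the individual numbers, is what to key on. The block below is an added example, not code from the original post: it locates a command's output within the event and turns `free -m`, `df -h` and one `netstat -s` counter into numeric fields. The event text is a constructed excerpt in the shape of the sample above, with the numbers copied from it.

```python
"""Pull numeric fields out of an event that is a concatenation of command output."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the EMR sample: comment, command, output.
EVENT = """\
# whats memory usage look like
free -m
total used free shared buff/cache available
Mem: 255139 27090 187176 4 40872 225853
Swap: 0 0 0
# amount of disk free
df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 125G 0 125G 0% /dev
/dev/nvme0n1p1 10G 5.5G 4.6G 55% /
/dev/mapper/nvme1n1p2 123G 9.4G 114G 8% /mnt
# dump network statistics
netstat -s -e
Ip:
27677847 total packets received
"""


def section(event: str, command: str) -> List[str]:
    """Output lines that follow the exact `command` line, up to the next '#' line."""
    lines = [line.strip() for line in event.splitlines()]
    try:
        start = lines.index(command) + 1
    except ValueError:
        return []
    out: List[str] = []
    for line in lines[start:]:
        if line.startswith("#"):
            break
        out.append(line)
    return out


def parse_free(event: str) -> Dict[str, int]:
    """free -m: flatten to mem_total, mem_used, ..., swap_free (values in MiB)."""
    rows = section(event, "free -m")
    if not rows:
        return {}
    header = rows[0].split()
    result: Dict[str, int] = {}
    for row in rows[1:]:
        cells = row.split()
        label = cells[0].rstrip(":").lower()
        # zip stops at the shorter list, so the 3-column Swap row is handled.
        for name, value in zip(header, cells[1:]):
            result[f"{label}_{name.replace('/', '_')}"] = int(value)
    return result


def parse_df(event: str) -> Dict[str, int]:
    """df -h: Use% per mount point, e.g. {'/': 55, '/mnt': 8}."""
    rows = section(event, "df -h")
    result: Dict[str, int] = {}
    for row in rows[1:]:
        cells = row.split()
        # 'Mounted on' is the last column and Use% the one before it.
        if len(cells) >= 6 and cells[-2].endswith("%"):
            result[cells[-1]] = int(cells[-2].rstrip("%"))
    return result


def parse_netstat_counter(event: str, label: str) -> int:
    """Counter lines under netstat -s look like '27677847 total packets received'."""
    for row in section(event, "netstat -s -e"):
        m = re.match(rf"^(\d+) {re.escape(label)}$", row)
        if m:
            return int(m.group(1))
    raise KeyError(label)


if __name__ == "__main__":
    print(parse_free(EVENT))
    print(parse_df(EVENT))
    print(parse_netstat_counter(EVENT, "total packets received"))
```

Once each event yields fields like mem_available or a per-mount use percentage, a timechart over them is straightforward; the same section-then-row logic can be expressed as a sequence of `rex` extractions in SPL, but it is easier to get the boundaries right here first.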
06-08-2021
03:54 AM
There are a lot of discussions about SmartStore, but it seems that nobody really knows how it should work. There should be some clear POC (whitepaper) done by Splunk itself on what to do when you need e.g. to store logs for 10 years with SmartStore, but you want to archive them after 1 year .. and then, when needed, restore data from the archive back to searchable .. in case of a security audit request, etc.
06-07-2021
05:23 AM
We are using Splunk Enterprise, using SmartStore (S3).
Example: Index A, with frozenTimePeriodInSecs = 7776000 (~90 days). I understood that the EBS basically contains the cached events (that are searched a lot), but all event objects are stored in S3, right?
--
Let's say I have a lifecycle policy set for the bucket that contains all the Splunk data, using a prefix for (folder) 'index A', with S3 > S3 IA (30 days) and S3 IA > Glacier (60 days).
If the event has been moved to Glacier, is the Splunk search still working for that event?
Will the object be deleted after 90 days, meaning the object will be in Glacier for about 30 days (with the lifecycle policy in mind) and then deleted?
I need to test this, but perhaps there is already some POC or test that has been carried out by somebody.
Thanks
11-22-2019
01:43 AM
I actually solved it myself, by adding a star after each line, and using | makemv delim="*" Alert_Message
11-22-2019
12:05 AM
Hi,
I use the following in the Alert Search to get the Email Message (body) in the Splunk Results output:
| eval Alert_Message= "Text A, Text B, Text C"
| table Alert_Message ...
It shows the Message in the Splunk Results output in 'One single line' > Text A, Text B, Text C
Is it possible to get the Splunk Results output, e.g. in 3 Lines?
Text A
Text B
Text C
05-20-2019
11:01 PM
Hi,
The incoming Alert in my mailbox is just a number and not the name that I gave when creating the Alert
The alert condition for '1d8e77cf90d44f0b8954dd4ea2902a83_1558350166' was triggered.
Alert: 1d8e77cf90d44f0b8954dd4ea2902a83_1558350166
The real name of the Alert is a bit more descriptive ...
--
Is this normal behavior?
01-03-2019
11:21 PM
I have an input that offers me x sources
index="xxxxx" sourcetype=xxxxx | dedup source | table source
The problem is when I open the panel in a search it shows me the source with a single \ and it needs two \ to give me the actual output
It seems I am close when using | rex mode=sed field=source "s/\\{1}/\\\//g" | dedup source | table source
The output is now:
source=D:\/xxxx\/xxxxx\/xxxx\/xxxxx\/xxxx\/xxxx.log
I tried to search and tried different options, but didn't find the correct rex 'line' that also changes the / into \ , in order to get the output:
source=D:\xxxx\xxxxx\xxxx\xxxxx\xxxx\xxxx.log
11-08-2018
12:55 AM
That actually seems to work
There are still blanks in the output which is likely caused by the raw data within the same 'section' that contains e.g. s3://xxxx or https:// , so these are also seen as 'pairs' ...
Is there a way to exclude them from the output?
Now they have no value
11-08-2018
12:00 AM
I have raw information as follows: Two times Kaspersky output within one 'section'
------------------------------------------------------------ snip of one section --------------------------------------------------------------------
08/11/2018
07:43:58.000
kaspersky output:
Scanned objects : 19
Total detected objects : 0
Infected and other objects : 0
Disinfected objects : 0
Moved to backup : 0
Removed objects : 0
Not disinfected objects : 0
Scan errors : 0
Corrupted objects : 0
Password protected objects : 0
Skipped : 0
Between the above/below output are many lines with all kind of information that is not really relevant
kaspersky output:
Scanned objects : 1
Total detected objects : 0
Infected and other objects : 0
Disinfected objects : 0
Moved to backup : 0
Removed objects : 0
Not disinfected objects : 0
Scan errors : 0
Corrupted objects : 0
Password protected objects : 0
Skipped : 0
And then there are many lines in the bottom that is not really relevant as well
------------------------------------------------------------ snip of one section --------------------------------------------------------------------
Target is to have e.g. a time table with the values of each line, e.g. field value would be e.g. "Scanned objects" and its value would be 19 and 1 (in this case) -- and then similar approach for all the other lines --
I tried to extract the fields using the Regular Expression, but it seems it does not select every value (of e.g. Scanned objects), meaning I have blanks in the output itself
Please advise how to actually get this done
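Two things make this extraction go wrong with a plain "anything : anything" regex: the same counter appears once per `kaspersky output:` block, so one event carries several values per name, and unrelated lines with a colon (s3:// and https:// URLs in particular) are picked up as pairs and produce blanks. The block below is an added example, not code from the original post. It walks the event block by block, accepts only lines of the form `words : integer`, and exposes the result both per block and summed. The event text is a constructed sample modelled on the snippet in the post; the URL lines are invented filler of the kind the reply describes.

```python
"""Extract the 'key : value' counters from each 'kaspersky output:' block."""
import re
from typing import Dict, List, Optional

# Constructed sample: two scan blocks with unrelated colon-bearing lines between them.
EVENT = """\
some preamble: not interesting
kaspersky output:
Scanned objects : 19
Total detected objects : 0
Infected and other objects : 1
Skipped : 0
uploaded report to s3://example-bucket/reports/run1.txt
endpoint https://example.invalid:8443/api
kaspersky output:
Scanned objects : 1
Total detected objects : 0
Infected and other objects : 0
Skipped : 0
trailing text that is not relevant
"""

BLOCK_START = "kaspersky output:"
# A counter line: letters and spaces, one colon, an integer, nothing else.
# URLs fail this on the digits/punctuation in the name or the '//' after the colon.
COUNTER = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)$")


def parse_blocks(event: str) -> List[Dict[str, int]]:
    """One dict per 'kaspersky output:' block, in order of appearance."""
    blocks: List[Dict[str, int]] = []
    current: Optional[Dict[str, int]] = None
    for raw in event.splitlines():
        line = raw.strip()
        if line == BLOCK_START:
            current = {}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = COUNTER.match(line)
        if m:
            current[m.group(1).strip()] = int(m.group(2))
        elif current:
            # First non-counter line after the counters closes the block, so
            # later prose and URLs never become (blank) field values.
            current = None
    return blocks


def field_values(blocks: List[Dict[str, int]], key: str) -> List[int]:
    """Multivalue view of one counter across blocks, like a Splunk multivalue field."""
    return [b[key] for b in blocks if key in b]


def totals(blocks: List[Dict[str, int]]) -> Dict[str, int]:
    """Sum each counter over all blocks in the event."""
    out: Dict[str, int] = {}
    for b in blocks:
        for k, v in b.items():
            out[k] = out.get(k, 0) + v
    return out


if __name__ == "__main__":
    blocks = parse_blocks(EVENT)
    print(field_values(blocks, "Scanned objects"))
    print(totals(blocks))
```

In SPL the per-counter equivalent is `rex max_match=0` with one named group per counter (for example `Scanned objects\s*:\s*(?<scanned>\d+)`), which yields a multivalue field per event; anchoring the pattern on the counter name, as COUNTER does here, is what keeps the URL lines out.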
05-08-2018
09:26 PM
I remember that in the 'past' this could be defined by editing the Alert. I believe that I found the related setting through Advanced Edit (Alert):
alert.expires
05-08-2018
02:47 AM
1 Karma
Hi,
It's probably somewhere but I can't see it (find it)
http://docs.splunk.com/Documentation/Splunk/6.6.3/Alert/Updatealerts
There is only the: Trigger Actions / Add Actions / e.g. Add to Triggered Alerts
But if default is 24h and I want to set it to e.g. 7 days, how do I do that?
--
Thanks in advance
/Edwin
Tags: splunk-enterprise.
12-21-2017
07:53 AM
I have another post?
We also tried using the props.conf from the Splunk Forwarder (on the web server)
[source::C:\DIR......\Web\log*bbb.log]
EXTRACT-Customer,Country = C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*) in source
--
The inputs.conf (on the web server) looks like this:
[monitor://C:\DIR**\Web\log*bbb.log]
disabled = 0
ignoreOlderThan = 3d
followTail = 0
sourcetype = aaa_bbb
crcSalt =
index = aaa
--
The props.conf file on the Splunk server
stanza = aaa_bbb (=sourcetype)
[aaa_bbb]
EXTRACT-Customer,Country = C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*) in source
tried with \\ and \
Using normal search with rex works fine
index=aaa sourcetype=aaa_bbb | rex field=source "C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*)" | table source,Customer,Country
--
Unfortunately the props.conf doesn't work
We use Splunk 7.0.0 (Server and Forwarder)
the source = Log path is same for all Customers:
C:\DIR\Customer\Country\Web\log\2017-12-bbb-log
12-21-2017
05:08 AM
still not working for me
12-21-2017
04:56 AM
I tried that as well, but it doesn't work
12-21-2017
04:55 AM
Something went wrong with copying. my apologies
The normal search is working and gets the source, Customer and Country, but not through props.conf
So I had the below in props.conf, but it doesn't work
[aaa_bbb]
EXTRACT-Customer,Country = C:\\TEM\\(?<Customer>\w*)\\(?<Country>\w*) in source
12-21-2017
03:52 AM
1 Karma
Hi,
We have a search that extracts Customer and Country correctly
index=aaa host="Host1" sourcetype=aaa_bbb | rex field=source "C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*)" | table source,Customer,Country
source example = C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log
--
Now we want to use props.conf for extracting these 2 fields
When modifying the props.conf on the Splunk server (/opt/splunk/etc/system/local/props.conf)
[aaa_bbb]
EXTRACT-Customer,Country = C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*) in source
After rebooting the server the fields are not there (we tried different options, none seem to work)
Please advise how we could extract these fields 'automatically' using props.conf
Thanks
/Edwin
12-15-2017
02:45 AM
Actually, the hostname could not be resolved. With the IP address it seems to work
12-07-2017
02:38 AM
Hi,
I installed the Tenable Add-on for Splunk, but I don't see any data or events
When checking the nessus index, it's 0 -- so there is no traffic/data
I use Splunk v7.0 and have Security Center 5.6.0
The only 2 lines in the ta_nessus.log
2017-12-07 10:21:37,796 INFO pid=61967 tid=MainThread file=nessus_config.py:get_nessus_conf:71 | Try to get encrypted proxy username & password
2017-12-07 10:21:37,796 INFO pid=61967 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN
--
inputs.conf (/opt/splunk/etc/apps/Splunk_TA_nessus/local)
[nessus://xxxxx]
access_key = ********
batch_size = 100000
index = nessus
interval = 43200
metric = nessus_scan
secret_key = ********
start_date = 2017/11/01
url = https://xxxxx:8834
--
Please advise
/Edwin