Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About rakeshh123
rakeshh123
Path Finder
Member since:
01-25-2016
06-05-2020
Community Statistics
| Posts | 18 |
| Solutions | 3 |
| Karma Given | 5 |
| Karma Received | 7 |
| Member Since | 01-25-2016 |
Activity Feed
- Karma Re: How to troubleshoot why Splunk performance decreased and images were not displaying in navigation menus for a certain day? for raghu_vedic. 06-05-2020 12:48 AM
- Karma Re: How to hide or remove the "edit" button from an app's user interface? for raghu_vedic. 06-05-2020 12:47 AM
- Karma Re: How to configure a universal forwarder on Windows to send data to another Windows system? for Umesh_Vedicsoft. 06-05-2020 12:47 AM
- Karma Re: How to get data from two or more data models in Splunk through a search? for somesoni2. 06-05-2020 12:47 AM
- Got Karma for Re: Merge Lines Query based on ID. 06-05-2020 12:47 AM
- Got Karma for Re: Why is Splunk's alert frequencies not working as expected and we are receiving 2600+ emails instead of 6?. 06-05-2020 12:47 AM
- Got Karma for Re: Why is my scheduled alert not sending email?. 06-05-2020 12:47 AM
- Got Karma for Re: Email alert error "command="sendemail" [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time"?. 06-05-2020 12:47 AM
- Got Karma for Re: Email alert error "command="sendemail" [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time"?. 06-05-2020 12:47 AM
- Karma arules command returns no output for iKate. 06-05-2020 12:46 AM
- Got Karma for Re: HTTP Client Timeout. 06-05-2020 12:46 AM
- Got Karma for Re: HTTP Client Timeout. 06-05-2020 12:46 AM
- Posted Re: How to install SDK for Python and resolve error "could not find coverage module. please install it and try again"? on Splunk Dev. 04-01-2016 04:51 AM
- Posted Re: How do I group one field's values by another field? on Splunk Search. 02-15-2016 08:24 PM
- Posted Re: How do I group one field's values by another field? on Splunk Search. 02-15-2016 01:31 AM
- Posted Re: How do I group one field's values by another field? on Splunk Search. 02-11-2016 08:34 PM
- Posted Re: Why is Splunk's alert frequencies not working as expected and we are receiving 2600+ emails instead of 6? on Alerting. 02-07-2016 10:15 PM
- Posted Re: How do I group one field's values by another field? on Splunk Search. 02-07-2016 09:42 PM
- Posted Re: How do I edit my search to find the difference between two fields? on Splunk Search. 02-03-2016 01:54 AM
- Posted Re: How to use tags to identify complete subnets? on Knowledge Management. 02-02-2016 03:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
04-01-2016
04:51 AM
https://answers.splunk.com/answers/83480/installing-sdk-for-python.html
... View more
02-15-2016
08:24 PM
hi HattrickNZ,
please see my query correctly ,,,it is | eval output = makemv delim=";"output |mvexpand output|table output ,meansfold...... ......
also if you are not getting meansfold you can write a separate query for meansfold and join both the queries.......by using join .....
... View more
02-15-2016
01:31 AM
hi HattrickNZ,
try this query.........
index=a sourcetype=b | eval output = toString(c1x) + ";" + toString(c2x) + ";" + toString(c3x) + ";" + toString(c4x).... |makemv delim=";"output |mvexpand output|table output ,meansfold......
reply me if its working ........
... View more
02-11-2016
08:34 PM
Hi , HattrickNZ
maxspan=30 means .....The first and last events in the transaction should be no more than thirty seconds apart.... see u r events and change it accordingly, maxpause=5s .... each event should not be longer than five seconds apart....Leave them if it is irrevalant to u r data ......
table meansInfold ,c*---sorry i forgot *
what i see from ur answers is u want meansfold unique .......and you want to list c* by meansfold........try this query
index = |transaction meansInfold | table meansInfold ,c*|eventstats list(c* ) by meansfold|table meansfold,list(c*)....
remove any irrevvalent fields using fields - field uwant to remove
see if its working...........reply me if u have any problem .....
... View more
02-07-2016
10:15 PM
1 Karma
An alert can trigger frequently based on similar results that the search returns. The schedule to run an alert can also cause the alert to trigger frequently. To reduce the frequency of the alert firing u can use throttling to reduce the frequency at which an alert triggers.configure these two parameters to reduce the frequency of search results....
1. Time period.....
In real time search time window is 60 seconds ...so alerts occuring may be frequent ....u can it suppress all successive alerts of the same type for the next 10 minutes by using throttling .....specify u required time
2. Field values ....you can also specify field value to supress alerts for that particular field......
hope it helps.........
... View more
02-07-2016
09:42 PM
Hi ,HattrickNZ
May be you can solve it by using transaction.....what transaction will do is group events based on fields specified .....try this query.....from u r information u meansInfold has to be grouped. meansInfold :1907443286
1907443286
1907443286.........
index = |transaction meansInfold maxspan=30s maxpause=5s| table meansInfold ,c|eventstats list(meansInfold ) by c*|fields - meansInfold........
... View more
02-03-2016
01:54 AM
Hello sunnyparmer,
i just changed order of the queries and changed stats to eventstats in the query ........I actually worked on my data with a similar query it is working fine..this is just due to the fact stats cannot pass data to another stats command in chain you have to use eventstats for that....i am sending screenshot of my query and data....
(host="e2e-onp-front" response="Message acknowledged successfully*") OR (host= "e2e-onp-bl-db" DocumentNotificationHookServiceImpl Successfully created notification ) org=|rex "Successfully (?created) notification"|eventstats count by notifications*|stats count(eval(like(response,"%created%"))) AS Total, count(eval(NOT like(response,"%created%"))) as Acknowledge| eval Diff = Total - Acknowledged...
Let me know if it works
... View more
02-02-2016
03:58 AM
hi adamblock2,
I can give the answer to your question...........let me explain you by taking my example.....Below u can see i have one categorytag...given to categoryId= Accessories .....also see the number of events and tags in the below diagrams
and next same tag is given to another categoryId=Strategy
when you take a tag for both events with a name it will take both events or none at all .......solution to ur problem naming two tags one with source_ip and destination_ip......
index=* tag= categorytag AND categoryID!=STRATEGY--------no results u r doing a(intersection) !a==definetely null
i have created another tag as actiontag where action =purchase ( like destination_ip)
i write query like this index=* tag=categorytag NOT tag=actiontag
then u will get all the results for categories in category tag that doesnt have purchases...(ie..source ip).........let me know if it works
... View more
02-01-2016
11:52 PM
Hi Kasu_Praveen
There is another way of doing other than changing the limits.confi by using savedsearches.conf ...........i dont know how to do it through GUI .....But you can change It through Configuration files .........Go to Splunk-----> etc---->system----> default---->savedsearches.conf
copy the files paste it in etc---->system-------->local and all u need to do is change only one attribute
dispatch.max_count----> default value is 500000
change it to ur required value ...........Let me know if it helps .....................
... View more
02-01-2016
11:35 PM
Regards
Rakesh
Vedicsoft Technologies
... View more
02-01-2016
11:27 PM
Hello rishiaggarwal,
I tried to solve your problem..........I have taken sample data returning the same results like you
Data in my sample data
index="demo1"| table Username,ID,Date
Now i have written a query ..........for u r expected results
index="demo1"|streamstats count by _raw | search count<2 | eval eid=_cd |transaction ID,Date maxspan=5s| table Username,ID,Date
I hope u can use this query on your data ..........let me know if it works for u ...........
... View more
02-01-2016
04:28 AM
2 Karma
Splunk user's session times out has three timeout settings:
splunkweb session timeout.
splunkd session timeout.
browser session timeout.
The splunkweb and splunkd timeouts determine the maximum idle time in the interaction between browser and Splunk.......
splunkweb and splunkd timeouts generally have the same value, as the same field sets both of them. ....for this u have to go to
Settings--------------->General Settings---------------->Session timeout --------->generally default value is 1h------> change it to 6h or more.........
... View more
02-01-2016
03:50 AM
1 Karma
Hi mnorindr,
It can be solved by using Transaction......according to data u got 2lines having redundant data ....for example sessionid may remain same for a particular transaction
this can be solved by using Transaction query
... View more
01-31-2016
08:39 PM
hello boopaljoti,
Let me know if u r scheduled alert is triggering any alerts ........You can check triggered alerts in Activity....Also see in search reports and alerts----------> whether alert mode is once per result /once per search .........understand the difference between them....make sure the severity is set to critical( i don't why ,but it worked for me).....
No connection could be made because the target machine actively refused it while sending mail to: xxxx@gmail.com: this may be due to u r trying to connect to another server .... in the first setting i specified
Go to server settings -----> email settings ----->Host :port........Give your required sever..
I can see ur link is HTTP not HTTPS......is ssl enabled ?
let me know ....
... View more
01-28-2016
08:20 PM
2 Karma
Hello boopaljothi ,
Please check whether u have configured the following settings ......
Go to server settings -----> email settings ----->
Host:smtp.gmail.com:465
enable ssl
Email: x@gmail.com
password:******
save and restart
and use https: in the url( ssl is enabled) Now
If u r not getting mail after restart then go to
1.Gmail --------> Settings -----------> Forwarding and POP/IMAP---------> IMAP Access------>
IMAP Access: enable it ......
2.Gmail --------> Myaccount -----------> Sign-in & security----------> Connected apps & sites------>Allow less secure apps: enable it .......
let me know if it helps
... View more
01-28-2016
04:19 AM
I already installed the universal forwarder on a Windows system. What I would like to do is get the data into another Windows system from the forwarder, but I can't figure this out, so please help me.
I have set the forwarder and receiver to listen on port 9997.
I configured like this on my receiver machine:
inputs.conf file
[default]
host = TRAINING12
[splunktcp://9997]
connection_host=ip
deployementclient.conf
[deployment-client]
[target-broker:deploymentServer]
targetUri= deploymentserver.splunk.satishnagalla:9997
serverclass.conf
[serverClass:satishnagalla:app:_server_app_rakesh]
restartSplunkWeb = 0
restartSplunkd = 0
stateOnClient = enabled
[serverClass:satishnagalla]
whitelist.0 = *
[serverClass:satishnagalla:app:_server_app_satishnagalla]
I configured like this in my forwarder machine:
output.conf file:
[tcpout]
defaultGroup=receiver
indexAndForward=true
[tcpout:receiver]
disabled = false
server=VEDICINDIA-PC:9996,TRAINING12:9997
[tcpout-server://TRAINING12:9997]
inputs.conf file:
[default]
host = satishnagalla
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
... View more
01-26-2016
08:28 PM
1 Karma
OK
first U have to go to server settings and check if SSL is enabled in Splunk Web ....... if not enable it...Restart it
If u r not getting mail after restart then go to
1.Gmail --------> Settings -----------> Forwarding and POP/IMAP---------> IMAP Access------>
IMAP Access: enable it ......
Gmail --------> Myaccount -----------> Sign-in & security----------> Connected apps & sites------>
Allow less secure apps: enable it .......
... View more
01-25-2016
03:41 AM
-----try using eventstats instead of stats in the queries.....bcz ex: index=x|stats count by y| table z ,y wont return any results ...but evenstats will work...bcz stats wont forward events .. replace your second query with first bcz mapping more events ---> less events will result in redundancy ... query is very big try to reduce it ...use tags for specific events --give your own naming conventions
Index=X earliest=-1d maxsearches=42 filter_result!=DENIED | eventstats earliest(_time) as blocktime by cs_host | eval nice_time = strftime(first_event,"%F %T")| eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T") |eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join 3rd Query ......
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
