Activity Feed
- Got Karma for How do I display a token value unescaped in an HTML panel?. 09-04-2024 07:21 AM
- Got Karma for Re: How do you use an eval command to calculate 'latest' for use in a search?. 12-21-2023 01:29 PM
- Got Karma for Re: How do I display a token value unescaped in an HTML panel?. 11-26-2020 03:52 PM
- Got Karma for Re: can't read "splunkdestinationip_withrd": no such variable. 06-05-2020 12:50 AM
- Karma Re: What are the ports that I need to open? for bandit. 06-05-2020 12:46 AM
- Karma Re: What are the ports that I need to open? for mnatkin_splunk. 06-05-2020 12:46 AM
- Posted Re: edit datetime.xml for my custom date and time in source field on Splunk Search. 02-01-2019 12:35 PM
- Posted Re: SNMP Splunk MA App for Netcool is not sending traps on All Apps and Add-ons. 01-30-2019 11:03 AM
- Posted Re: edit datetime.xml for my custom date and time in source field on Splunk Search. 01-30-2019 10:44 AM
- Posted Re: How do you discard events from the cron.log? on Splunk Search. 01-30-2019 09:59 AM
- Posted Re: How do you use an eval command to calculate 'latest' for use in a search? on Splunk Search. 01-25-2019 11:03 PM
- Posted Re: Splunk scheduled report 'Email when done' option sends me a link with a private IP that I cannot open. on Security. 01-06-2019 03:35 AM
- Posted Re: How read the data from splunk using search query using postman (not curl )get reuest. on Getting Data In. 01-01-2019 11:13 PM
- Posted Re: can't read "splunkdestinationip_withrd": no such variable on All Apps and Add-ons. 12-19-2018 11:21 AM
- Posted Re: How do I write a regex for different field extractions according to event value? on Splunk Search. 12-16-2018 10:14 AM
- Posted Re: How do I display a token value unescaped in an HTML panel? on Dashboards & Visualizations. 12-16-2018 09:48 AM
- Posted How do I display a token value unescaped in an HTML panel? on Dashboards & Visualizations. 12-15-2018 11:35 PM
- Tagged How do I display a token value unescaped in an HTML panel? on Dashboards & Visualizations. 12-15-2018 11:35 PM
02-01-2019
12:35 PM
No, it won't help. I said that in my comment. You need to upgrade to version 7.2, and that opens the door to getting the timestamp from the source.
01-30-2019
11:03 AM
Is there a firewall between your search head and the Netcool SNMP probe?
Either a local OS firewall (iptables) or an external one in the path between the search head and the probe.
01-30-2019
10:44 AM
Try using the following regex:
<text><![CDATA[^(?:|source::)(\d{4})(\d{2})(\d{2})T(\d{2}):(\d{2}):(\d{2})]]></text>
That should fix the error, but it will still not populate the timestamp (_time field) from the source filename.
01-30-2019
09:59 AM
@scamarda if you want to parse the input, you have to do it either on a Heavy Forwarder or on an Indexer.
A Universal Forwarder is not capable of parsing or transforms.
Some good reading about it:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Deploy/Datapipeline
and subsequently the next page:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Deploy/Componentsofadistributedenvironment
Another interesting article about where to configure what in the data pipeline, and for which part of the pipeline, is here:
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
01-25-2019
11:03 PM
1 Karma
@kamlesh_vaghela was heading in the right direction; it's just that the subsearch has to return a valid search string, and his subsearch does not end up producing a plain string that can be used in the parent search.
Try the following:
index=aws sourcetype=aws:guardduty [ | makeresults | eval earliest=strptime("01/15/2019:20:00:00","%m/%d/%Y:%H:%M:%S") | eval latest=relative_time(earliest,"+2d@d") | return earliest latest ]
@scottprigge to answer your question about why your technique doesn't work: in your search query you are creating a result set first and then adding a filter using the search command. However, this search command will only filter events from the results you are already passing to it, and those results do not contain the fields index and sourcetype, nor do they have a timestamp (you removed the field _time), which you are also trying to filter on by adding the earliest and latest constraints.
To show you what you are actually doing in your expression, try modifying it by removing all conditions from the search command. Something like this:
| makeresults
| fields - _time
| eval earliest=strptime("01/15/2019:20:00:00","%m/%d/%Y:%H:%M:%S")
| eval latest=relative_time(earliest,"+2d@d")
| eval earliest=strftime(earliest,"%m/%d/%Y:%H:%M:%S"), latest=strftime(latest,"%m/%d/%Y:%H:%M:%S")
| search
If it is still not clear, let's extend your query even more by adding an additional field, e.g. foo, and play with filtering by that field:
| makeresults
| fields - _time
| eval earliest=strptime("01/15/2019:20:00:00","%m/%d/%Y:%H:%M:%S")
| eval latest=relative_time(earliest,"+2d@d")
| eval earliest=strftime(earliest,"%m/%d/%Y:%H:%M:%S"), latest=strftime(latest,"%m/%d/%Y:%H:%M:%S")
| eval foo="bar"
| search foo="ba*"
What confused you is that the search command, when it is first in the query pipeline, retrieves data from the indexes according to the condition. So
| search index=aws sourcetype=aws:guardduty
is the same as just
index=aws sourcetype=aws:guardduty
But when it is anywhere else in the pipeline, it filters the events arriving from the previous command.
01-06-2019
03:35 AM
Have you restarted Splunk after applying the configuration?
It should work as @burwell wrote it.
01-01-2019
11:13 PM
There is pretty good documentation available on the Splunk website for the Splunk REST API.
You might want to have a look at it. The link below is for the search endpoints:
https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTsearch
But basically what you need is:
1) URL is https://splunkserver:8089/services/jobs/export (export - to export search results; there are other search endpoints available too)
2) use basic authentication with your login name and password
3) method either POST or GET (see the docs), but let's say you use POST
4) as request parameters (key / value pairs in the Params tab in Postman) use (note: the colon below is the separator between key and value):
earliest_time : -1h (last 1 hour)
latest_time : now
output_mode : json (or csv or xml, see the docs)
search : sourcetype="httpevent" 69272d19-53a9-4539-b149-9fc46bbc73cf
The results of the query will be in the format you specified in the output_mode parameter.
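The same four Postman steps as a script, added here as an example and not part of the original answer or of Splunk's own tooling. It targets the `search/jobs/export` endpoint path as listed on the linked RESTsearch page, prefixes the query with `search` (the REST API rejects a query that does not begin with `search` or a pipe, unlike the search bar), and sends Basic auth only over a verified TLS connection. The host `splunkserver` comes from the answer; the account name, password and the sample export body are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Assumed values for illustration only: the host from the answer, a made-up account.
BASE_URL = "https://splunkserver:8089"
USERNAME = "svc_search"
PASSWORD = "change-me"


def build_export_request(base_url, username, password, spl,
                         earliest="-1h", latest="now", output_mode="json"):
    """Build the POST to search/jobs/export that the four Postman steps describe."""
    # The REST API rejects a query that does not start with "search" or a pipe,
    # so a bare 'sourcetype="httpevent" ...' as typed in the search bar is prefixed.
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl
    body = urllib.parse.urlencode({
        "search": spl,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": output_mode,
    }).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs/export",
        data=body,
        method="POST",
    )
    # Basic auth: the credentials travel base64-encoded, not encrypted, which is
    # why this must only ever go over a verified TLS connection (8089 is HTTPS).
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def request_params(req):
    """Decode the form body of a built request back into a dict for inspection."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(req.data.decode()).items()}


def parse_export_json(body):
    """Parse the export endpoint's JSON output: one JSON object per line.

    Preview rows ("preview": true) can be streamed before the final ones;
    only final rows are returned here.
    """
    results = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "result" in obj and not obj.get("preview", False):
            results.append(obj["result"])
    return results


def run_export(req, cafile=None, timeout=60):
    """Send the request with certificate verification on and parse the reply.

    A default Splunk install serves a self-signed certificate on 8089; pass the CA
    that signed your search head's certificate via cafile instead of disabling
    verification, otherwise the Basic credentials are exposed to a MITM.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_export_json(resp.read().decode())


# Constructed sample of what the export endpoint streams back for output_mode=json
# (not captured from a real server).
SAMPLE_EXPORT_BODY = "\n".join([
    '{"preview":true,"offset":0,"result":{"_time":"2019-01-01T23:13:00.000+00:00","status":"200"}}',
    '{"preview":false,"offset":0,"result":{"_time":"2019-01-01T23:13:00.000+00:00","status":"200"}}',
    '{"preview":false,"offset":1,"result":{"_time":"2019-01-01T23:12:30.000+00:00","status":"404"},"lastrow":true}',
])


if __name__ == "__main__":
    req = build_export_request(BASE_URL, USERNAME, PASSWORD,
                               'sourcetype="httpevent" 69272d19-53a9-4539-b149-9fc46bbc73cf')
    print(req.full_url, request_params(req))
    for row in parse_export_json(SAMPLE_EXPORT_BODY):
        print(row)
    # run_export(req, cafile="/path/to/ca.pem")  # only with a reachable search head
```

Prefer a dedicated service account with a role limited to the indexes the query needs; the Basic header carries the full password on every call, so a personal admin login in a Postman collection is the wrong credential to use here.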
12-19-2018
11:21 AM
1 Karma
This error is related to the iApp running on the F5 LTM.
Would it be this one?
https://devcentral.f5.com/codeshare/f5-analytics-iapp
Try checking on the F5 site.
I assume that there is some missing configuration, which didn't populate the splunkdestinationip_withrd variable.
12-16-2018
10:14 AM
@eyirik the data sample you provided seems to me to be similar for each MODEL. It's just that some fields are optional.
If that is so and you know what those fields mean, you can just use one universal regex and create a field extraction via the UI or configure it in props.conf:
EXTRACT-models = ^(?<timestamp>.*?),(?<model>.*?),(?<fieldA>.*?)(?:,(?<fieldB>.*?))?(?:,(?<fieldC>.*?))?(?:,(?<fieldD>.*?))?(?:,(?<fieldE>.*?))?(?:,(?<fieldF>.*?))?(?:,(?<fieldG>.*?))?(?:,(?<fieldH>.*?))?(?:,(?<fieldI>.*?))?(?:,(?<fieldJ>.*?))?(?:,(?<fieldK>.*?))?(?:,(?<fieldL>.*?))?(?:,(?<extras>.*))?$
extras is there only for cases where there are some additional / unknown fields; those will be stored in the extras field.
And basically, if you need to extend the number of fields to be extracted, just copy the sequence (?:,(?<fieldL>.*?))? over and over and change the name of the field.
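To see how the optional groups behave on rows with different column counts, here is the same regex exercised in Python. This is an added example, not code from the answer or from Splunk; the only change to the pattern is Python's `(?P<name>...)` group syntax in place of the `(?<name>...)` form that Splunk's PCRE engine accepts, and the sample rows are constructed, not the asker's data. The builder function generalises the "copy the sequence over and over" advice: each name added to the list appends one more optional group.

```python
import re

# Positional field names after timestamp, model and fieldA, in order. Adding a
# name here is the equivalent of copying one more (?:,(?<fieldX>.*?))? sequence
# onto the EXTRACT-models regex.
OPTIONAL_FIELDS = ["field" + c for c in "BCDEFGHIJKL"]


def build_models_regex(optional_fields=OPTIONAL_FIELDS):
    """Build the EXTRACT-models regex. Python named groups are (?P<name>...);
    Splunk/PCRE accepts (?<name>...); the pattern is otherwise identical."""
    head = r"^(?P<timestamp>.*?),(?P<model>.*?),(?P<fieldA>.*?)"
    tail = "".join(rf"(?:,(?P<{name}>.*?))?" for name in optional_fields)
    return re.compile(head + tail + r"(?:,(?P<extras>.*))?$")


MODELS_RE = build_models_regex()


def extract(line, regex=MODELS_RE):
    """Return the extracted fields for one event, omitting groups that did not
    participate, the way Splunk would not create those fields at all."""
    m = regex.match(line)
    if m is None:
        return None
    return {name: value for name, value in m.groupdict().items() if value is not None}


# Constructed sample events (not the asker's data): same layout, a different
# number of optional columns per MODEL, and one row with more columns than
# there are named fields so that the extras group fills.
SAMPLE_EVENTS = [
    "2018-12-16 10:14:00,MODEL1,alpha,beta",
    "2018-12-16 10:14:01,MODEL2,alpha,beta,gamma,delta,epsilon",
    "2018-12-16 10:14:02,MODEL3," + ",".join("v%d" % i for i in range(1, 16)),
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(extract(line))
```

One thing the output makes visible: the lazy `.*?` groups stop at the first comma, so a value that itself contains a comma will be split across two fields. If the source can carry quoted, comma-bearing values, a DELIMS-based extraction in transforms.conf or a proper CSV parser is the safer choice.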
12-16-2018
09:48 AM
1 Karma
@niketnilay, I don't really agree with you that the token value should be escaped in HTML regardless.
As per the Splunk documentation, there is a token filter available in the form of $token|h$, which makes it secure by escaping HTML. There are also other filters available for other cases / requirements.
I fully understand if Splunk decided to make HTML escaping in the HTML panel the default token filter. However, the $token|n$ filter says "Prevents the default token filter from running. No characters in the token are escaped." and it does not work.
There can be cases where we may want to apply no filters.
Regarding JS, I am fully aware of it and I have already done some development with it, as well as having done a dashboard fully in HTML format (with JavaScript, of course), rather than Simple XML, before.
In this particular case I have some silly limitations of the project and I cannot really upload any resource files (images, JavaScript, etc.). So I am just sort of stuck with Simple XML.
As I mentioned in my question, the focus is on pure Simple XML, and actually on why the documented feature is not working.
12-15-2018
11:35 PM
1 Karma
I have the following simple dashboard in Simple XML format to test the display of autogenerated HTML code. The HTML code is stored in a token.
<dashboard>
<label>HTML Test</label>
<init>
<set token="testHtml"><![CDATA[<b>Hi there!</b>]]></set>
</init>
<row>
<panel>
<html>
$testHtml|n$
</html>
</panel>
</row>
</dashboard>
However, I am unable to display it as properly formatted HTML output. It always gets escaped and I see raw HTML code instead of formatted text, meaning I get
<b>Hi there!</b>
instead of
Hi there!
According to the documentation for Tokens, the syntax $token|n$ should return unescaped content, which I would assume, in my case, would be raw HTML, which gets rendered by the browser.
Does anybody have experience with this?
I don't want to convert it to an HTML dashboard. I would like to use it in Simple XML. And yes, I could upload a JavaScript file which could do it for me. But the focus here is why the documented syntax does not work.
12-07-2018
07:28 AM
Just replace the "invalid" timestamp value with something else. E.g.:
index=tenable
| eval PatchPubDate=if(patchPubDate=-1, "unknown", strftime(patchPubDate,"%Y-%m-%d"))
| stats by riskFactor,severity.id,pluginID,description,solution,pluginText,PatchPubDate,ip
or if you still need it to be a timestamp, then:
index=tenable
| eval PatchPubDate=if(patchPubDate=-1, "1970-01-01", strftime(patchPubDate,"%Y-%m-%d"))
| stats by riskFactor,severity.id,pluginID,description,solution,pluginText,PatchPubDate,ip
12-07-2018
07:18 AM
In the Splunk web UI, right below the search bar, is the menu for sampling.
Do you have "No Event Sampling" there? Or is there something like "Sampling 1:10"?
And you can upload sample logs by attaching an attachment, I guess. I am a bit new to this forum as a registered user and I myself don't have enough points yet to attach an attachment. I would attach a screenshot of the sampling settings if I could 😉
12-06-2018
11:26 PM
Use value mapping. E.g.:
<index and filter> | xmlkv | search "ns0:ApplicationFunction"=NotifyBusinessPartnerUpdate_Update_1
| eval dynvalue=case('ns0:Code'="value1","label1", 'ns0:Code'="value2","label2", ....)
| timechart count by dynvalue
12-06-2018
11:15 PM
As per inputs.conf, try this:
blacklist1 = EventCode="5152"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist4 = EventCode="4932"
blacklist5 = EventCode="4933"
or simply just:
blacklist1 = 5152,4932,4933
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
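The negative lookahead in those blacklist lines is easy to read backwards, so here is a small Python model of how the two inputs.conf forms filter events: an entry drops an event only when every key="regex" in it matches, and the plain comma list matches EventCode exactly. This is an added example and an approximation of the Windows event log input's behaviour, not Splunk's code; the events are constructed and only mirror the security log layout as far as the "Object Type:" line. Run it and you see the intended effect: 4662 and 566 survive only when the object type is groupPolicyContainer, which is exactly the Group Policy tampering signal worth keeping.

```python
import re

# The blacklist entries from the answer, in the two inputs.conf forms.
BLACKLIST = [
    "5152,4932,4933",
    r'EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"',
    r'EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"',
]

# key="regex" pairs; the regex may contain escaped characters such as \s.
_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist_entry(entry):
    """Turn one blacklist value into a list of (field, compiled regex) conditions.

    key="regex" form: every key must match for the event to be dropped.
    Plain form: a comma-separated list of EventCodes, matched exactly.
    """
    entry = entry.strip()
    pairs = _KV_RE.findall(entry)
    if pairs:
        return [(key, re.compile(pattern)) for key, pattern in pairs]
    codes = [c.strip() for c in entry.split(",") if c.strip()]
    return [("EventCode", re.compile(r"^(?:%s)$" % "|".join(map(re.escape, codes))))]


def is_blacklisted(event, rules):
    """An event is dropped if any blacklist entry has all of its conditions match.
    key=regex is a regex match against the field value, hence search()."""
    return any(
        all(regex.search(str(event.get(field, ""))) for field, regex in conditions)
        for conditions in rules
    )


def filter_events(events, blacklist=BLACKLIST):
    """Return the events that would reach the indexer under the given blacklist."""
    rules = [parse_blacklist_entry(entry) for entry in blacklist]
    return [event for event in events if not is_blacklisted(event, rules)]


# Constructed events (not real logs); Message text mirrors the Windows security
# log layout only as far as the "Object Type:" line.
SAMPLE_EVENTS = [
    {"EventCode": "4662", "Message": "An operation was performed on an object.\n\tObject Type:\t\tgroupPolicyContainer"},
    {"EventCode": "4662", "Message": "An operation was performed on an object.\n\tObject Type:\t\tuser"},
    {"EventCode": "566", "Message": "A generic object operation was performed.\n\tObject Type:\t\tgroupPolicyContainer"},
    {"EventCode": "5152", "Message": "The Windows Filtering Platform blocked a packet."},
    {"EventCode": "4933", "Message": "Synchronization of a replica of an Active Directory naming context has ended."},
    {"EventCode": "4624", "Message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    for event in filter_events(SAMPLE_EVENTS):
        print(event["EventCode"], event["Message"].splitlines()[0])
```

Keep in mind that a blacklist is a collection-time decision: an event dropped here never reaches the indexer, so test the regex against real samples of every object type you care about before deploying it, as a typo in the lookahead silently discards the evidence.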
12-06-2018
11:03 PM
The query provided by @JensT is the query you are looking for.
If you are sure that your sample dataset matches the real data, then verify that you don't have event sampling turned on by coincidence.
Here is a link describing how to turn event sampling off:
https://docs.splunk.com/Documentation/Splunk/7.2.1/Search/Retrieveasamplesetofevents#Specify_a_sampling_ratio