Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About DavidGuarneri
DavidGuarneri
Path Finder
Member since:
07-24-2013
02-13-2025
Community Statistics
| Posts | 23 |
| Solutions | 2 |
| Karma Given | 13 |
| Karma Received | 1 |
| Member Since | 07-24-2013 |
Activity Feed
- Posted Re: Is splunklib api code portable to splunk-sdk on Splunk Search. 02-12-2025 05:05 PM
- Posted Is splunklib api code portable to splunk-sdk on Splunk Search. 02-12-2025 08:37 AM
- Karma Re: Python splunk-sdk vs Python requests library for livehybrid. 02-12-2025 08:04 AM
- Posted Python splunk-sdk vs Python requests library on Splunk Search. 02-12-2025 06:48 AM
- Karma Re: Eventgen: Where do I put the transforms.conf that I copied from production? for koshyk. 06-05-2020 12:48 AM
- Got Karma for Eventgen: Where do I put the transforms.conf that I copied from production?. 06-05-2020 12:48 AM
- Karma Why am I getting search error "In handler 'savedsearch': Cannot get username when all users are selected."? for fmpa_isaac. 06-05-2020 12:47 AM
- Karma Re: Custom Condition Search for Alert for HTTP status code report for linu1988. 06-05-2020 12:46 AM
- Karma Re: Custom Condition Search for Alert for HTTP status code report for zeroactive. 06-05-2020 12:46 AM
- Karma Re: Time zone difference for yannK. 06-05-2020 12:46 AM
- Karma Re: Time zone difference for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Specifying today's date in the source file on a search for Ayn. 06-05-2020 12:46 AM
- Karma Re: Specifying today's date in the source file on a search for yannK. 06-05-2020 12:46 AM
- Karma Line breaks being removed from raw data in email alerts after upgrade to 6.1 for nvonkorff. 06-05-2020 12:46 AM
- Karma Table data formatting incorrect in alert emails for senior_splunk. 06-05-2020 12:46 AM
- Karma What is the best custom log event format for Splunk to eat? for maverick. 06-05-2020 12:45 AM
- Karma What is the best timestamp format to use for my custom log to be indexed by Splunk? for ftk. 06-05-2020 12:45 AM
- Posted Re: How to find out what SIM model is established for the security logs in Splunk? on Splunk SOAR. 01-12-2017 11:00 AM
- Posted Re: Eventgen: Where do I put the transforms.conf that I copied from production? on All Apps and Add-ons. 01-12-2017 10:45 AM
- Posted Re: Eventgen: How do you specify the size of the output file and control the rotation? on All Apps and Add-ons. 01-12-2017 10:33 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
02-12-2025
05:05 PM
I've given up. I don't know if it's a network issue on my side or what, but I'm just going to use standard Restful API libraries. All the samples around splunk-sdk that I could find seem out of date and I'm concerned about long-term support.
... View more
02-12-2025
08:37 AM
How much syntax has changed from splunklib (which ran on Python 2.x) to splunk-sdk (which runs on Python 3.x)? Just seems like a lot of the tutorials and info on Splunk API is super outdated. Is nobody doing this anymore? Currently mainly interested in running a search and getting results into Pandas using Python. Also breaking up a search into multiple smaller time spans if the time period is too long and/or the return data set too large. I have old code from the splunklib Python 2.0 days but basically just starting over and using it as reference.
... View more
02-12-2025
06:48 AM
Is there any particular reason for using Python splunk-sdk over standard restful API libraries or tools (such as Python requests library)? Using standard Python, you should be able to import data into pandas with 3 lines: response = requests.get(url)
data = response.json()
pd.DataFrame(data) What does splunk-sdk have that Python requests does not? Thanks!
... View more
01-12-2017
11:00 AM
You mean the Common Information Model (CIM)? The reference document is here: http://docs.splunk.com/Documentation/CIM/4.7.0/User/Overview . The latest version is 4.7.0 as of today.
... View more
01-12-2017
10:45 AM
Came back to answer my own question. Replay mode not needed.
You should have a separate app where you are doing your configurations. For example, make a blank app in C:\Program Files\Splunk\etc\apps\mytesting
The "local" directory is where props.conf and transforms.conf should go. I've tested this, and it works.
Props.conf will have the name of the sourcetype as the stanza header/title. It will then have additional options and reference the configuration in transforms.conf.
In transforms.conf, Regexes can be on one line, or separately in multiple lines under the same stanza.
Below is an example:
props.conf:
[apache_access]
KV_MODE = none
REPORT-apache_extracts = ub_apache_extracts
FIELDALIAS-apache = user AS userid clientip AS src_ip
transforms.conf
[ub_apache_extracts]
REGEX = ^(?\d\d/..... blah blah blah
When you do a search, make sure you are in your "mytesting" app, or whatever you named it.
Copying stanzas from production may or may not work. Try the regexes in Splunk first before trying to make them work in transforms.conf. Do a little bit at a time.
... View more
01-12-2017
10:33 AM
Came back to answer my own question. The root of my issues was that I was not including milliseconds in my logs. The reason I left them out at first was because I was struggling to find a regex that worked in Eventgen. I would test it in Splunk but, Eventgent would not take it. Eventually, I found and an extraction that worked for me:
# 10/07/2016 14:00:04.123456
token.0.token = \d{1,2}/\d{2}/\d{4}\s\d{1,2}:\d{2}:\d{2}.\d{6}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S.%f
After I did this, it worked much better, and I no longer had to output to file.
If you think about it, the time multiplier can't work very well if you have a large number of events in the same second.
Here is a tip: to have uniform time regexes in eventgen.conf, concatenate the datetime in a uniform format with the _raw field in the source data that you export. Eventgen will get the first date that it reads in the event line according to your regex. This eliminates a lot of the troubleshooting when trying to catch the date field, especially with logs that have multiple date time formats.
... View more
12-09-2016
01:27 PM
I tried fileSize=xxxx but it didn't work.
The file output seems to max at 10MB and then rotates out. My concern is that it happens so fast that it's rotating out before Splunk has the chance to read it, or that it overflows at a single burst. The output file is persisently at 0 KB, with the rotated files are 10,275KB, so it is hard to see what exactly is happening. I'd like to change it to at least 100MB.
Here's my apache config:
[job_output--apache_20m_data.csv]
mode = sample
outputMode=file
fileName=D:/eventgen_generated_files/apache/apache.log.txt
sampletype = csv
timeMultiple = 36
backfill = -20m
backfillSearch = index=apache sourcetype=splunkd
index=apache
# 10/07/2016 14:00:00
token.0.token = \d{1,2}/\d{2}/\d{4}\s\d{1,2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
[job_output--apache_20m_data.csv]
... View more
- Tags:
- eventgen
12-09-2016
11:10 AM
Output to file would probably work. The downside is that now I have to manage files from getting too big on the server. If the cleanup job fails, it could bring down the server. Secondly, the metadata that goes into eventgen, such as source and sourcetype, would be lost. For each index, I have one file output that has multiple sources and sourcetypes.
... View more
12-07-2016
09:33 PM
1 Karma
In Eventgen, how do I apply a transforms.conf extraction that I copied from production using the replay mode? I've looked everywhere for the answer but not able to find it. Putting the props.conf and trasnforms.conf files in $SPLUNK_HOME/etc/apps/SA-Eventgen/local did not work, and it didn't work putting it in the Splunk local path. I see how to do a field replacement in eventgen.conf , but I have many extractions I need to copy from production, and these are in context (fieldname1 fieldname2 etc), so defining a single field by a single regex doesn't work for me. Instead, for example, all I get in the apache index is metadata fields like date, sourcetype, etc. I don't get access_request, status, IP, etc.
I need to be able to just drop in the transforms.conf somewhere and see the field/value pairs show up in Splunk for the index. The point is to replicate production, and that's not a thing if I'm hand coding stuff.
I'm surprised this is nowhere to be found in the tutorial or the documentation.
... View more
06-16-2015
02:56 PM
Saw this just now. Turned out to be an bug with Splunk 6.1 . It can be rectified by making the change in sendemail.py. I no longer have the full details of this, so the best thing is to contact Splunk support.
... View more
08-19-2014
10:16 AM
We are having the same issue. This did not appear to be happening on the email alert table _raw output before the upgrade to 6.1 .
... View more
08-18-2014
09:28 AM
We are having the same issue. Customers are complaining about this. Stack traces are unreadable.
... View more
09-16-2013
01:43 PM
That worked, thank you!
... View more
09-16-2013
12:44 PM
Is there a way to specify today's date in the filename of the source on the search? I'm thinking in the same way you would put it in a bash script. Pseudocode:
source="C:logs\\path\\iislog_(time(%y%m%d)).log"
... View more
09-14-2013
07:10 AM
I've already created the simple 400 error real time alert. That one works. As far as the quarter hour report, I've thought of some workarounds, including having the first alert trigger the second one by using a script that changes a file with a flag. This seems very roundabout, however. There has to be a way to get the quarter hour report to fire only when the required conditions exist.
... View more
09-14-2013
07:06 AM
Unfortunately, the alert of all status codes did not fire after a test log entry was created 😞 . A simpler alert that only reports the count of 400 errors did fire, however. By the way, the 401 is a typo on my part, which I corrected. Should be 400.
... View more
09-14-2013
06:52 AM
The above didn't give any results. It gives results only if I type up to "as Error_Count"; however, it only shows the count of 400 errors.
I need a custom condition because the chart gives a larger data set than the condition that should fire the alert.
The requirements are to fire one simple alert the minute a 400 error appears for a certain application. After that, a quarter hour report of ALL http status codes broken down by application should fire. I've made both reports successfully, I just need the quarter hour report to fire only when that one application gets a 400 error.
... View more
09-13-2013
02:45 PM
Thanks! On props.conf on the indexer, I changed it to this format and then escaped the backslashes with a backslash and it worked. Example below.
[source::c:\\logs\\path\\*.log]
TZ = Atlantic/St_Helena
... View more
09-13-2013
12:48 PM
I have a source type where iis logs copied from another server to the forwarder are being recorded in UTC but not indicating such. Example:
2013-09-13 14:40:00 Blah 255.0.0.0 POST /example/index.aspx - 443 ...etc
The splunk forwarder (as well as the indexer) is in CDT (Central). In the forwarder, I created a props.conf in the path c:\Program Files\SplunkUniversalForwarder\etc\system\local and inserted the following:
[source://c:\logs\path\*.log]
TZ = SH
I restarted the forwarder's SplunkFowarder service . I've waited. Splunk is still not translating the times. I even made a change to one log entry as a test, and it's still showing logs from 7 hours ago as the current hour's logs when I do a search for a string in a log entry from 7 hours ago.
Help is appreciated.
Sources used:
docs.splunk.com/Documentation/Splunk/5.0.4/Data/Applytimezoneoffsetstotimestamps
en.wikipedia.org/wiki/List_of_zoneinfo_timezones
... View more
09-12-2013
12:12 PM
That looks closer to what I'm trying to do. I will try it, thank you!
... View more
09-12-2013
11:22 AM
I tried putting that in the custom condition field. I get the following error: "Encountered the following error while trying to update: In handler 'savedsearch': Cannot parse alert condition. Unknown search command 'source'."
... View more
09-12-2013
11:16 AM
Thanks for the response. I already had what you show in your first example as a separate alert. For this report, can I use this search in the custom condition search field? I don't want to change the format of the report. Thanks.
... View more
09-12-2013
10:06 AM
I have the following search in an alert that triggers every 15 minutes:
source="C:\logs\path\*.log" | chart count over http_status_code
http_status_code is a custom field. The search works well, and gives the nicely formatted output below via html-formatted email:
http_status_code count
200 432
400 3
401 4
I don't want to change the output of this report. It's perfect the way it is. I only want to set the condition to only send a notification if 400 gives a count of 1 or more.
I've searched for some time "splunk custom condition" for an answer on this, but the question is usually extremely complicated, and often the answer requires that the output of the report be changed. I've also searched the documentation. (So please no links with vague hints, I've seen them all).
I've tried the following, but the syntax does not appear to be correct. I think it should be a fairly simple deal, but apparently not. Help is appreciated.
http_status_code=400 | search eventcount>=1
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-13-2025
04:14 PM
|
