Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About spunk311z
spunk311z
Path Finder
Member since:
12-21-2018
11-08-2023
Community Statistics
| Posts | 29 |
| Solutions | 0 |
| Karma Given | 36 |
| Karma Received | 4 |
| Member Since | 12-21-2018 |
Activity Feed
- Karma Re: add field to Selected Fields permanently (bar on left side of search results) for woodcock. 11-08-2023 11:54 AM
- Karma Re: add field to Selected Fields permanently (bar on left side of search results) for woodcock. 11-08-2023 11:54 AM
- Posted Selected Fields - Open in new tab (or window) - Value does not carry over. on Splunk Search. 08-07-2023 11:43 AM
- Karma Re: How to enable a new tab opening from within a dashboard? for Michael. 08-07-2023 11:20 AM
- Got Karma for Re: Monitoring file is not indexing anymore - WatchedFile - File too small to check seekcrc, probably truncated. 04-06-2022 11:33 AM
- Posted How to Recursive monitor all *.log files (in X directory) (via UF on Windows)? on Getting Data In. 04-02-2022 12:16 PM
- Posted Re: splunk list monitor does not show directories on Monitoring Splunk. 03-31-2022 12:07 AM
- Tagged Re: splunk list monitor does not show directories on Monitoring Splunk. 03-31-2022 12:07 AM
- Karma Re: Daily License Usage by Index across all Indexers? for hexx. 10-29-2021 10:54 AM
- Karma Increase 'Top 10' field values in Search App, increase limits of counted variations >100 for Thomas_Gresch. 10-29-2021 09:42 AM
- Karma Re: In Splunk Dashboard examples, how do I disable a report that is embedded? for burwell. 10-25-2021 03:09 PM
- Got Karma for Re: How to use the REST API to just run a search and stream the results back?. 08-09-2021 02:19 AM
- Posted Re: How to use the REST API to just run a search and stream the results back? on Splunk Search. 05-27-2021 10:57 AM
- Karma Re: How to use the REST API to just run a search and stream the results back? for kutzi. 05-27-2021 10:45 AM
- Posted Forwarder- seekptr checksum error and logs not being sent on Getting Data In. 08-24-2020 12:21 PM
- Tagged Forwarder- seekptr checksum error and logs not being sent on Getting Data In. 08-24-2020 12:21 PM
- Karma splunk why must XML sources be so complicated? for zenSplunk. 08-15-2020 10:17 PM
- Posted Re: Add newline into table cell? on Dashboards & Visualizations. 08-15-2020 11:13 AM
- Karma Re: Add newline into table cell? for nagendra008. 08-15-2020 11:11 AM
- Posted Re: How to track memory/cpu usage per search execution (on Search Head/Indexer)? on Splunk Search. 07-19-2020 01:04 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-07-2023
11:43 AM
There are several topics related to this , but it seems they not exactly what im asking (ie those are related to custom dashboards, while im asking with regard to the basic splunk search function). When viewing search results, on the left sidebar , if you try to open a new tab via the results of either "selected fields" or "Interesting fields", that value is not appended to the search (in the new tab). But rather you just get a duplicate of the current search results. Is there anyway to fix this? (or to manually modify the splunk JS files to support this?) animated gif screen cap of what im referring to (using v9.1.0.2 demo): (just adding screen shots, the web server keeps throwing a Less than 1m characters error when i add the animated gif); what im referring to: what we get: what im hoping for: This has bugged me since splunk v6 (im now on v8 latest), and just did a test / demo install of v9.1 and the issue remains with all versions. thanks some related topics that are very similar to what im asking here (but are not exactly the same): https://community.splunk.com/t5/Dashboards-Visualizations/how-to-create-drilldowns-which-open-in-new-window-so-that-the/td-p/399087?sort=oldest https://community.splunk.com/t5/Dashboards-Visualizations/How-to-enable-a-new-tab-opening-from-within-a-dashboard/m-p/388622#M25461 https://community.splunk.com/t5/Dashboards-Visualizations/How-to-drill-down-launch-another-search-with-parameter-from/td-p/49957
... View more
Labels
- Labels:
-
other
-
search job inspector
-
timechart
04-02-2022
12:16 PM
I always struggle with this common task (common for me) - I have a v8 UF setup on a windows10 machine, it is logging all of the winEvent logs beautifully (back to my splunk v8 server), however i need to monitor something specific on this machine. (NB: i do NOT use deployment-server in anyway, anywhere)
I need this windows UF to monitor all *.log files , recursively, within X Directory.
in this case, its :
C:\ProgramData\vMix\ (any/all *.log files recursively)
and
C:\Users\pc\Documents\vMixStorage\logs (any/all *.log files recursively)
So i edit inputs.conf:
notepad++.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf"
and i add these stanzas, one at a time (and then test to see if data is getting to my splunk server):
[monitor://C:\Users\pc\Documents\vMixStorage\log\*]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
[monitor://C:\ProgramData\vMix\...\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX
[monitor://C:\ProgramData\vMix\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
sourcetype = vMIX
[monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
[monitor://C:\Users\pc\Documents\vMixStorage\logs\]
disabled = 0
index = pcs
blacklist = .*stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX
At some point in adding the above, one stanza at a time, i did get the *.logs to flow in, however they then stopped updating/ flowing in (but win event log is ofcourse still flowing in, rock solid).
I get this output from .\splunk.exe list monitor which to me seems like its NOT what i want (as i *think* i should be seeing those directories under "Monitored Directories" , but i have yet to be able to get that to occur.
PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe list monitor
Monitored Directories:
[No directories monitored.]
Monitored Files:
C:\ProgramData\vMix\*.log
C:\ProgramData\vMix\...\*.log
C:\Users\pc\Documents\vMixStorage\...\*.log
C:\Users\pc\Documents\vMixStorage\log\*
C:\Users\pc\Documents\vMixStorage\logs\
btool debug:
.\splunk.exe cmd btool inputs list --debug
## <snip> ##
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\ProgramData\vMix\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\ProgramData\vMix\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\log\*]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\logs\]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf [monitor://C:\Windows\System32\DHCP]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf crcSalt = <SOURCE>
## <snip> ##
Can anyone please help or point me to the correct Stanza i should be using here?
i really have spent hours searching and reading forum posts, (which is how i arrived at the stanzas above) as i know this is a common task, however i know im still not doing this correctly.
( + its not working 😞 ) - thank you!
(appologies for the poor spacing, i have tried to re-edit but it does not seem to be saving my changes on edit->post)
... View more
Labels
03-31-2022
12:07 AM
same question here unfortunately...
... View more
- Tags:
- same
05-27-2021
10:57 AM
1 Karma
@kutzi thank you SO MUCH for posting this!! I have spent several hours trying to figure out how to do a basic synchronous search via curl/api (have tried 100s of curl command variations). I have scripts working with the Async method (as that is clearly documented in splunk docs), however im not sure why the direct, synchronous method seems to have little/no documentation. (i realize the pros/cons of each and that synchronous search should rarely be used). Again thanks for taking the time to make this post, it was super helpful. Here is what is working for me: curl -u admin:mypw -k https://splunk.me:8089/services/search/jobs/export -d search="search index=routers Web Down | head 3" -d output_mode=csv -d exec_mode=oneshot
### also this works:
curl -u admin:mypw -k https://splunk.me:8089/services/search/jobs/export -d output_mode=json -d search="search index=routers |head 10"
... View more
08-24-2020
12:21 PM
While debugging an issue where a forwarder would not send a specific log to our main splunk instance, i found this great post (among others): https://community.splunk.com/t5/Deployment-Architecture/Unix-Forwarder-is-not-Sending-Logs/m-p/167347/highlight/true#M6237 in the inputs.conf on the Universal Forwarder, the fix was adding initCrcLength = 2048 to the specific logs stanza: ( in: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf) Apparently the default is initCrcLength = 256. This made me start thinking, how many other forwarder logs are we not getting/indexing that im not aware of !? thus, this search below showed me that 4 of our Forwarder's (of ~22 forwarders in total) where showing this same error for various specific log files (thus those specific logs have not been getting indexed): index=_internal source=*splunkd.log host=* "seekptr checksum" (while this is very unfortunate), my question is: Should we be manually setting something like initCrcLength = 2048 on every one of our Forwarders (and on future new forwarders)? I assume the downside is increased RAM and CPU usage on the forwarders (but this is not an issue for us, as volume is not very high, and resources plentiful). Anything else im not considering as a downside? question 2: I assume we can "globally" set this on a forwarders inputs.conf by simply placing: [default]
initCrcLength = 2048 and it will apply to all stanzas (unless a stanza overrides initCrcLength, of-course), Right? thanks!
... View more
- Tags:
- forward
08-15-2020
11:13 AM
thanks! this worked great for me as well. (nagendra008 's split method , not the css way) (i didnt want to mess with CSS nor make a new app for a quick table). if this helps others, i used the blank space as the linebreak / replace char; | eval dateonly=strftime(_time, "%m-%d %A %I:%M%P") | eval dateonly= split(dateonly," ") so i ended up with exactly what i wanted 🙂 - vs this before 😐 (unrelated- what is up with the login process for the forums here? its now login on page 1, pw on page2, which breaks chrome and FF password save/remember. maybe they are doing this to fight off bruteforce/bots? etherway its pretty annoying as i now have to lookup + type both 😞
... View more
07-19-2020
01:04 PM
Lots of great info and search queries in this thread (thanks), splunk really is amazing! One thing i can contribute is this search (below) that i often use to show all of my scheduled reports (it pairs nicely with some of the resource usage searches in this thread to help ID and modify your scheduled reports or their cron entry). Also its nice to review this from time to time as its easy to loose track of cron scheduled reports you may no longer need to run (or run as frequently); | rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | table author cron_schedule is_scheduled schedule_window title updated embed.enabled Search thanks
... View more
07-19-2020
11:06 AM
I frequently use my 400+ splunk saved reports. Thus im constantly accessing this url: http://splunkServer.com:8000/en-US/app/search/reports and then type into the search box in the middle (which filters the reports displayed in real-time). Is there any direct url which can search/list my saved reports? (ie a url that can give me the the same output as typing into the search box in the url above). ie something like http://splunkServer.com:8000/app/search/saved-reports/reports?q=Cisco (and then ill see any of my saved-reports where report-title matches "Cisco") Im trying to add my splunk saved searches as a "My Search Engines" entry in Chrome browser, such that i can just type into the chrome url bar: spr <tab> blah (and it will bring me to a page showing any saved reports matching "blah" ). The closest ive been able to pull out is a long splunk url which i can add a search query to, but it returns my saved-reports matches as raw JSON. thanks ----------- BTW: A super useful, related tip for others: Im already doing this for splunk searches (this= chrome url bar -> splunk search results) via this url below (note the %s at the end, chrome uses %s to fill in what you have typed into the chrome url bar) http://splunkServer.com:8000/en-US/app/search/search?earliest=-4h%40m&latest=now&q=search%20%s (the chrome setting for this is located in: Settings -> Search Engine -> Manage Search engines -> "Other Search Engines" (Add) ) So using chrome keyword "sp" im able to type into the chrome url bar: sp <tab> blah and i get the splunk search results for "blah" for the past 4 hours. (ofcourse i can also do: " sp <tab> index=network blah " , and so on ) thanks
... View more
Labels
- Labels:
-
saved search
07-17-2020
12:52 AM
can anyone help with this, i cant find any clear examples in the props.conf docs, and i cant get this to work in props.conf (ive tried many different variations and many escaping techniques ). [source::(udp:8002|udp:8009|udp:8012)] EXTRACT-blah...... any of them alone, ofcouse work as intended (ie [source::udp:8002] works) [source::udp:80**] works but covers too many thanks
... View more
- Tags:
- an an
06-18-2020
10:12 AM
2 Karma
awesome, thanks so much for this reply (and that you came back and posted the post-fix'd solution). Was having this exact same issue with splunk UF monitoring some log files (and to debug i was searching the last 4 hours on my indexer to see when/if i had fixed inputs.conf on the uf . was also monitoring splunkd.log on the uf - but I couldnt fix it!) This was the issue, splunk UF couldn't read the timestamp of the log files it was monitoring properly, so the files were being sent but in the past!. (so my fix, was the same as yours, in that i made a custom sourcetype with timestamp="current time" on the main splunk indexer (web gui), and then on the UF input.conf set the stanza for monitor://c:/blah/file.log.* to use that custom sourcetype) thanks again!
... View more
03-22-2020
12:00 PM
I cant imagine this is possible, but splunk continuously surprises me, so ill ask:
Is there anyway to exclude results, from the same host, + or - 2 seconds from a match.
(or N seconds/minutes)
example, in this image below, id like to exclude the results above and below the match on the ip address 68.x.x.x ?
(this is just an example, i know i could get to my goal in this case by just showing IP matches, and investigating any IPs not on a known good IP lookup csv)
thanks
... View more
03-21-2020
12:54 PM
thanks, it actually was your "Former / 1st" part, ie in search, i had to add index again via the web gui, and then it stuck for all future searches via search app. (even after restarting splunk server it stuck). FWIW, this is the grep'd output of running the command you requested:
c:\Program Files\Splunk\etc\system\local\ui-prefs.conf display.events.fields = ["host","index","source","sourcetype"]
one followup ? please:
To now add this "index" field to my previously saved reports (index is not showing currently), i would need to go to each report, and via the web gui- add index, and then save the report? (so any future manual runs of said report will now include "index" under "Selected Fields" , correct?
(thanks alot!)
... View more
03-21-2020
11:19 AM
we are running splunk v6.6 , and i have tried just about every answer on these forums, but i can not get anything to add to the "Selected Fields" on the left hand side (beyond the stock defaults of Host,Source,Sourcetype).
see image, im trying to add "index" to where i have the red line (which should also add it below each search result, ie where the 2nd red line is).
the change that makes the most sense (but is having no effect), is this one: add to the file: C:\Program Files\Splunk\etc\users\admin\user-prefs\local\ui-prefs.conf
[default]
display.events.fields = ["host","index","source","sourcetype"]
( from: https://answers.splunk.com/answers/634367/how-do-we-permanently-move-some-interesting-fields.html and from: https://docs.splunk.com/Documentation/Splunk/6.4.4/Admin/Ui-prefsconf )
And then restart splunk (i am always restarting splunk service , via splunk web gui, after each of these changes im trying).
another setting ive tried is in: C:\Program Files\Splunk\etc\apps\search\local\viewstates.conf to add:
[flashtimeline:_current]
FieldPicker_0_6_1.fields = host,sourcetype,source,index
(from: https://answers.splunk.com/answers/185864/selected-fields-in-fields-side-bar.html )
however none of these having any change, ie i still always have the default Host,Source,Sourcetype.
any suggestions? thanks!
... View more
- Tags:
- gui
- splunk-enterprise
Labels
- Labels:
-
search head
02-17-2020
07:35 AM
in my use cases it is better (safer) to export the results as csv (by hand, via the splunk results gui, top right download button) and then use the AWESOME Lookup editor splunk app to manually copy / paste the data i want to append. (i open the csv in excel to copy fields)
granted this is not automated, but it keeps me from making errors or accidentally overwriting prior data in the lookup.
app: https://splunkbase.splunk.com/app/1724/
... View more
02-15-2020
10:24 PM
I was able to resolve this by editing this file:
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\eventtypes.conf
(and doing find-> "wineventlog-dns" ) and then commenting out that one stanza (was a stanza not relevant to me, espeically since it wasnt working anyway). I did the same thing for "wineventlog-ds" as i was getting an error on that as well. tks
... View more
02-14-2020
08:32 AM
Im a bit new to deploying forwarders on endpoints i manage (im not new to splunk)-
Many guides i see (including the install instructions for this sysmon TA), state that you should deploy this TA onto your forwarders.
To do this, the user will need to manually create a outputs.conf file (w indexer IP/dns) and place it in: \TA-microsoft-sysmon\default\
So why is there not a default/blank output.conf file located in \TA-microsoft-sysmon\default\ , from the start?
(or even a blank file, with just a #nothing line? I get that the devs dont know the IP / DNS of our indexers).
(im not complaining about this , im asking this incase im missing something and so that i can better understand, as it would seem to me a majority of users of this TA will be deploying it on forwarders as well as their indexer- so im wondering why there is not a outputs.conf "place holder").
thanks!
... View more
02-13-2020
03:28 PM
I was able to fix this, the issue does not appear to be with my orginal regex (although Giuseppe's suggestion is better form than mine and is what i will be using),
it was that i was editing props.conf and transform.conf in:
$SPLUNK_BASE$\etc\users\admin\search\local\
as opposed to the proper location of:
$SPLUNK_BASE$\etc\system\local\
once i copied my stanzas over to that location, and refreshed, the entries in question stopped coming in!
Can anyone explain the difference between .conf files in these two locations, please?
(i am logging into splunk with splunk user: admin).
thanks!
... View more
02-13-2020
02:39 PM
Thanks, But the events are still coming in even with this in my transforms.conf:
[setnull]
REGEX = process_image\=\".*vmtoolsd\.exe\"
DEST_KEY = queue
FORMAT = nullQueue
(i had run my original regex through regex tester.com and got a full match, fwiw. same on yours too). tks
Have tried both reloading and restarting splunk server.
... View more
02-13-2020
08:36 AM
hi, i have several universal forwarders deployed, and im getting lots of events i want to filter out.
I understand from reading answers here i need to do this on the indexer (or else install heavy forwaders on my endpoints, which i dont want to do).
This is a raw entry that im trying to drop / filter out from my indexer (ie to keep it from using up lots of my license):
02/13/2020 10:19:09.016
event_status="(0)The operation completed successfully."
pid=1216
process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
registry_type="CreateKey"
key_path="HKLM\system\controlset001\services\tcpip\parameters"
data_type="REG_NONE"
data=""
This is the entry from the inputs.conf on the forwarders that is sending some of the events i want to filter out:
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
And i have added these lines on my indexer (and restarted), but im still seeing the events come in:
#on props.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\props.conf):
[WinRegMon://default]
TRANSFORMS-set= setnull
#on transforms.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\transforms.conf):
[setnull]
REGEX = process_image=.+vmtoolsd.exe"
DEST_KEY = queue
FORMAT = nullQueue
Thanks!
(ive been referencing many answers, including this good one):
(h)ttps:// answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html
... View more
02-13-2020
08:22 AM
hi, i have several universal forwarders deployed, and im getting lots of events i want to filter out.
I understand from reading answers here i need to do this on the indexer (or else install heavy forwaders on my endpoints, which i dont want to do).
This is a raw entry that im trying to drop / filter out from my indexer (ie to keep it from using up lots of my license):
02/13/2020 10:19:09.016
event_status="(0)The operation completed successfully."
pid=1216
process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
registry_type="CreateKey"
key_path="HKLM\system\controlset001\services\tcpip\parameters"
data_type="REG_NONE"
data=""
This is the entry from the inputs.conf on the forwarders that is sending some of the events i want to filter out:
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
And i have added these lines on my indexer (and restarted), but im still seeing the events come in:
#on props.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\props.conf):
[WinRegMon://default]
TRANSFORMS-set= setnull
#on transforms.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\transforms.conf):
[setnull]
REGEX = process_image=.+vmtoolsd.exe"
DEST_KEY = queue
FORMAT = nullQueue
Thanks!
(ive been referencing many answers, including this good one):
(h)ttps:// answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html
... View more
02-11-2020
12:43 PM
to be more clear, i want to add that in a deployed app (on a universal forwarderder), i to make this work on a input.conf i had to add it like this:
[default]
index=xyz
Note the line break in my code block above, as on the inputs.conf adding it all as ONE LINE like this below:
[default] index=xyz
did not work / had effect. This was on a 6.6.x splunk setup / UF
tks
... View more
02-10-2020
12:08 PM
ive found that if you remove the quotes off of:
DEPLOYMENT_SERVER="me.com:9997”
so: DEPLOYMENT_SERVER=me.com:9997
it works..... I battled with this for a few hours. my working cmd line:
msiexec.exe /i splunkuf.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER=me.com:9997 LAUNCHSPLUNK=1 /quiet
... View more
01-01-2020
08:26 PM
thanks for your answer, so am i correct to assume that there is no way to do this in splunk directly? (ie there is no place or way to click run scheduled report now?)
tks
... View more
01-01-2020
03:19 PM
awesome! thanks so much, that did work!
for any others in the future, all i had to do was upload the csv file, create a lookup definition, (after which you should then see the Supported fields column update w the header from your csv file, in my case just 1x header/column). then you can use richgalloway's [ | inputlookup LIST.csv | fields asn | format ] to pull queries from that csv file, which makes for easy updating in the future!)
... View more
01-01-2020
10:38 AM
I have several search queries that i then save as reports (and schedule them), they ultimately are displayed on a dashboard (some are displayed on wall monitors).
Once seeing these dashboards Quite often, i have to come back and modify the query to remove some data.
So i was hoping i could add these terms into a single column CSV file (with 1 single header), and just add new terms, and re-upload the CSV file when i need to update the query. (but i cant figure out how to do this) Example:
original query:
index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=Bob asn!=frank asn!=joe
What im hoping for/asking:
index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=LIST.csv
Im hoping, as needed i can just reupload a new LIST.csv file that contains:
asn
frank
joe
Bob
new_term1
new_term2
and since its the LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.
I think what i want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But i havent been able to make much headway on this. These are the threads / docs ive been following or tried so far-
https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html
https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents
https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html
(any help is appreciated, or please do tell if this usecase is not something i should be hoping to do easily with splunk) thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-08-2023
03:24 PM
|
