Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About yeahnah
yeahnah
Communicator
Member since:
01-28-2019
02-03-2021
Community Statistics
| Posts | 40 |
| Solutions | 8 |
| Karma Given | 26 |
| Karma Received | 12 |
| Member Since | 01-28-2019 |
Activity Feed
- Karma PDF chart does not display statistics correctly for dshakespeare_sp. 02-03-2021 03:31 PM
- Karma Re: PDF chart does not display statistics correctly for jdastmalchi_spl. 02-03-2021 03:31 PM
- Posted Re: Considerations regarding system-wide resource limits on *nix systems and data segment size (ulimit -d) on Installation. 01-31-2021 12:35 PM
- Tagged Re: Considerations regarding system-wide resource limits on *nix systems and data segment size (ulimit -d) on Installation. 01-31-2021 12:35 PM
- Tagged Considerations regarding system-wide resource limits on *nix systems and data segment size (ulimit -d) on Installation. 01-28-2021 11:56 AM
- Posted Considerations regarding system-wide resource limits on *nix systems and data segment size (ulimit -d) on Installation. 01-27-2021 09:04 PM
- Karma Re: How to create an alert using sendemail to send only particular set of results to repective email ID for marycordova. 09-15-2020 12:59 PM
- Posted Re: How to create an alert using sendemail to send only particular set of results to repective email ID on Splunk Enterprise. 09-14-2020 01:30 PM
- Posted Re: Parse JSON only at 1st level on Splunk Search. 09-11-2020 09:08 PM
- Got Karma for Re: Dynamic Sourcetype Extraction based in stanza. 09-11-2020 03:02 AM
- Posted Re: How to create an alert using sendemail to send only particular set of results to repective email ID on Splunk Enterprise. 09-10-2020 06:07 PM
- Posted Re: How to get the 3 columns result with 3 different time stamps on Dashboards & Visualizations. 09-10-2020 05:37 PM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-10-2020 03:37 PM
- Karma Re: Timechart Table with "No results found" for kaeleyt. 09-10-2020 03:34 PM
- Got Karma for Re: Timechart Table with "No results found". 09-10-2020 08:17 AM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-09-2020 02:44 PM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-08-2020 03:33 PM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-08-2020 01:27 PM
- Posted Re: Field extraction on Splunk Enterprise. 09-03-2020 01:29 PM
- Posted Re: Alert when 2/3 OOC grouped by host order by time on Alerting. 09-03-2020 12:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
01-31-2021
12:35 PM
Will answer my own question. I raised a case with Splunk and they basically came back and said they set their Linux servers to be unlimited for the data segment size value (ulimit -d unlimited). # vi /etc/security/limits.conf
...<snip>...
# Data segment size: ulimit -d
splunk soft data unlimited
splunk hard data unlimited Note, if using systemd then will be set under /etc/systemd/system/Splunkd.service - refer to doc links in question section. Not sure why Splunk docs don't just specify the same unlimited value, as the current recommendation is vague and more confusing than useful.
... View more
- Tags:
- Will a
01-27-2021
09:04 PM
Hi Splunk Admins Just looking for some advice around setting the data segment size (ulimit -d) in Splunk, on a Linux server (RHEL). Older documentation (v7.3) recommended setting this value to basically be an unlimited size, with a Kibibyte value of 1073741824 or ~1TB. https://docs.splunk.com/Documentation/Splunk/7.3.8/Installation/Systemrequirements#Considerations_regarding_system-wide_resource_limits_on_.2Anix_systems Data segment size ulimit -d 1073741824 I see the v8.x documentation has now changed the data segment size recommendation to be more a general guideline, with an 8GB example. https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Considerations_regarding_system-wide_resource_limits_on_.2Anix_systems Data segment size ulimit -d The maximum RAM you want Splunk Enterprise to allocate in kilobytes. For example, 8GB is 8000000. It appears Splunk do not really have a strong opinion on a minimum size now either. I think on RHEV Linux, the data segment size just defaults to unlimited anyway, or at least on our VM servers it does. I don't believe setting this value alone helps protect Splunk from excessive memory use either. From what I can tell with googling about data segments, if it was indeed set to a value, then it does not even need to be set to an excessively large value. Happy to admit I'm no expert though. Anyway, just wondering if anyone has some experience with setting this value in their environments, or even a view if this data segment size limit even really needs to be set at all - on Linux at least.
... View more
- Tags:
- ulimit
09-14-2020
01:30 PM
Hi @Jithu1717 I must admit to being a bit confused as to what you're actually asking for. If it is just to split the email body content into multi-line output per id, then something like the following will do it (adjust as per your fields etc) | makeresults
| eval id="12345"
| eval Account_ID=1234567
| eval Remediation_Contact_Email="abc123@xyz.com"
| append
[| makeresults
| eval id="67890"
| eval Account_ID=4567895
| eval Remediation_Contact_Email="abc123@xyz.com" ]
| append
[| makeresults
| eval id="13579"
| eval ,Account_ID=6785432
| eval Remediation_Contact_Email="abc123@xyz.com" ]
| eval msg="id: " . id . ",account id: " . Account_ID . ",next_field: ... , ... , |"
| stats values(msg) AS msg BY Remediation_Contact_Email
| map
[ makeresults
| eval msg=ltrim(split($msg$, "|"))
| mvexpand msg
| eval msg=split(msg, ",")
| eval Remediation_Contact_Email="$Remediation_Contact_Email$"
| stats list(msg) BY Remediation_Contact_Email
| sendmail ... ] Or is it to do with the attachment that is send with the email?
... View more
09-11-2020
09:08 PM
Hi @nagar57 You can use spath path=Address to extract the Address values. Here's a run anywhere example using your source example data ... | makeresults `comment("# generate dummy data ")`
| eval _raw="{
\"Name\": \"Naman\",
\"Age\":25,
\"Address\":
{\"H.No\":\"23\",
\"Street_no\":2,
\"Area\":\"Model Town\"},
\"Country\":\"IND\"
}"
| spath input=_raw
`comment("# use the following to extract Address; you should not need to specify input=_raw")`
| spath input=_raw path=Address
| rex mode=sed field=Address "s/[\}\{ ]//g"
| fields Name Age Address Country
| stats values(*) AS * BY Name
| table Name Age Address Country Please mark the post as solved if this helps. Note: you could also swap the rex command with this eval statement, if you prefer... | eval Address=replace(Address, "[\}\{ ]", "")
... View more
09-10-2020
06:07 PM
Hi @Jithu1717 The following should suit your use case (if you don;t mind the id and account id being on the same line in email body) ... | makeresults
| eval id="12345"
| eval Account_ID=1234567
| eval Remediation_Contact_Email="abc123@xyz.com"
| append
[| makeresults
| eval id="67890"
| eval Account_ID=4567895
| eval Remediation_Contact_Email="abc123@xyz.com" ]
| append
[| makeresults
| eval id="13579"
| eval Account_ID=6785432
| eval Remediation_Contact_Email="abc123@xyz.com" ]
| eval msg="id: " . id . " account id: " . Account_ID . "|"
| stats values(msg) AS msg BY Remediation_Contact_Email
| map
[ makeresults
| eval msg=ltrim(split($msg$, "|"))
| eval Remediation_Contact_Email="$Remediation_Contact_Email$"
| fields - _time
| sendemail to=$Remediation_Contact_Email$ subject="Test Sendemail" message="
Hello,
There is an alert for your account(s)
$msg$
Regards,
xyz Security Operation Team" maxinputs=10000 sendcsv=true inline=true format=csv priority=1
] Hope this helps. If it solves your issue then please mark the post as solved.
... View more
09-10-2020
05:37 PM
Hi @vvemula Based on your use case the following should do what you want ... index=_internal sourcetype=servers_list earliest=-90d@d
| stats
count(eval(if(_time <= relative_time(now(), "-30d@d"), Parameter, null() ) )) as "30 Days"
count(eval(if(_time <= relative_time(now(), "-60d@d"), Parameter, null() ) )) as "60 Days"
count(eval(if(_time <= relative_time(now(), "-90d@d"), Parameter, null() ) )) as "90 Days"
BY Value If you want distinct 30 days period counts then adjust the eval statement, e.g. stats ...
count(eval(if(_time > relative_time(now(), "-30d@d") AND _time <= relative_time(now(), "-60d@d"), Parameter, null() ) )) AS "30-60 Days"
... Hope this helps. If it does then please mark post as solved.
... View more
09-10-2020
03:37 PM
Great to see you arrived at a solution that works for you. Please mark this answer as solved in case it is useful for other Splunk community members.
... View more
09-09-2020
02:44 PM
Hi @kaeleyt Interested to know if this helped solve your problem?
... View more
09-08-2020
03:33 PM
1 Karma
Hi @kaeleyt The following will account for no results. The first append section ensures a dummy row with date column headers based of the time picker (span=1). This is ensure a result set no matter what you base searches do. It does expect the date columns to have the same date format, but you could adjust as needed. ... your base searches ...
| append [ | makeresults
| addinfo | eval min_max_time=mvappend(info_min_time, info_max_time)
| mvexpand min_max_time
| streamstats count
| eval _time=if(count=1, info_min_time, info_max_time)
| makecontinuous _time span=1d
| where isnull(count)
| eval Time= strftime(_time, "%m-%d-%y")
| table column Time count
| fillnull column value="dummy"
| fillnull count value=0
| xyseries column Time count
]
| append [ | makeresults | eval column=split("Row 1|Row 2|Row 3|Row 4", "|") | mvexpand column | table column ]
| stats values(*) AS * BY column
| fillnull value=0
| search column="Row*" The second append is as before and ensures the rows are created etc. You may want to make this a macro if it works. Hopefully, this suits your use case better now.
... View more
09-08-2020
01:27 PM
Hi @kaeleyt The question you asked was... Does anybody have a good way to create a timechart table of all 0's for searches that return "No results found"? The solution I provided does show an example way to solve this problem, based on your examples. However, your reply indicates that it does work, but then you say it due to needing to hard code the dates. So maybe there is some confusion with my answer, or your question has not been clear enough. This is the provided solution. | append [ |makeresults | eval column=split("Row 1|Row 2|Row 3|Row 4", "|") | mvexpand column | table column ]
| stats values(*) AS * BY column
| fillnull value=0 It does not care what the date columns and only hard codes the first row values (based on the example). But, I agree, the solution does expect that the initial base search(es) did return at least one result. So, is this the problem? At times, all your base searches return no results and hence the solution does not work? There is probably a way to fix this too, if that is the case, but you need to be clear with what is required. , what they are named or how many, but it does expect that the initial base search does find some results.
... View more
09-03-2020
01:29 PM
Hi @mbasharat Ah OK. Have you looked at the xpath command then. It should automatically be able to do this for you. https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Xpath Otherwise, using transforms.conf and props.conf configuration can be used on your search head to auto extract these fields. For example, on the search head(s) transforms.conf ...
[xml-extract]
REGEX = ^<(?:cm:)*([^\>]+)>([^<]+)
FORMAT = $1::$2 props.conf (references the transforms rule) ...
[...your sourcetype...]
REPORT-extractXMLfields = xml-extract This can be done via the search head UI too.
... View more
09-03-2020
12:32 AM
Hi @fh2020 You can use streamstats command to count the OOC values, like this ... ... your search ...
| streamstats count AS alert_trigger reset_on_change=true BY host OOC
| where alert_trigger=2 Here's a run anywhere example using dummy data matching your example table to better show how it works ... | makeresults `comment("# generate dummy data start")`
| eval host=split("A|A|A|B|B|A|A|B|A", "|")
| mvexpand host
| streamstats count
| eval _time=(_time +count)
| sort host _time
| streamstats count
| eval OOC=if(match(count, "[137]"), "NO", "YES")
,value=if(OOC="NO", 1, if(count=9, 5, 3))
| stats values(value) AS value values(OOC) AS OOC BY host _time
`comment("# generate dummy data end")`
| streamstats count AS alert_trigger reset_on_change=true BY host OOC
| where alert_trigger=2 Results: row host _time value OOC alert_trigger 1 A 2020-09-03 19:29:28 3 YES 2 2 B 2020-09-03 19:29:29 5 YES 2 Use where alert_trigger>=2 if you want every instance to trigger an alert event. Hope this helps.
... View more
09-02-2020
11:43 PM
Hi @mbasharat I believe you're asking for a regex to just extract the compliance-check-id for the event. Is this correct? There are a few ways to do this but if you just want that one field then this will work for you. ...
| rex "id>(?<complianceCheckID>[a-fA-F0-9]+)\<"
... Hope it helps.
... View more
09-01-2020
10:31 PM
Hi @kaeleyt Append the following to the end of your search query ... | append [ |makeresults | eval column=split("Row 1|Row 2|Row 3|Row 4", "|") | mvexpand column | table column ]
| stats values(*) AS * BY column
| fillnull value=0 Here's a run anywhere example with some dummy data which should help demonstrate how it works ... | makeresults
| eval column=split("Row 1|Row 2|Row 4", "|")
| mvexpand column
| eval date1=48, date2=0, date3=99
| table column date*
`comment("# append this to the end of your search query")`
| append [ |makeresults | eval column=split("Row 1|Row 2|Row 3|Row 4", "|") | mvexpand column | table column ]
| stats values(*) AS * BY column
| fillnull value=0 Hope it helps. Please mark post as answered, if it does.
... View more
09-01-2020
10:15 PM
Hi @ToniHuynh If you see no results with the () then I suspect the where clause may be at fault and would start debugging around there. So... index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="myServer" Account_Name!="*$"
| eval ObjectName=urldecode("D:\Company Data\Employee\contract\Michael (Tim)\Induction\Example (D) - .msg")
| eval ObjectName=replace(ObjectName,"\\\\","\\\\\\")
| where match(Object_Name,ObjectName)
| table Object_Name ObjectName If no results then change the where to negate the match, i.e. | where NOT match(.... If you get results now then the match function obviously consider the Object* fields are different so carefully compare each Object column for potential differences. You may then need to add some more eval statements to make ObjectName exactly align with Object_Name. That's where I'd start anyway. Hope it helps. Carefully compare the column outputs
... View more
08-31-2020
11:10 PM
Hi @ashj I don't believe this is possible. The y axis needs to be a number. A possible workaround is to convert the ETA / ETD time data points in to hours as a decimal numbers, e.g. 2:45pm = 14.75 which could then be plotted. Hope this helps
... View more
08-31-2020
10:28 PM
Hi @willadams Go back to the source csv file, I suspect that it must have a whitespace value or something so Splunk does not consider it a true null value, as the eval test proves in your example. Here's a run anywhere example of what I mean... | makeresults
| eval test=1, blank=" " , empty=""
| foreach blank empty [ eval <<FIELD>>_size=len(<<FIELD>>) ]
| foreach blank empty [ eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL", "NOT NULL") ]
| eval empty=null()
| appendpipe [
eval test=2
| foreach blank empty [ eval <<FIELD>>_size=len(<<FIELD>>) ]
| foreach blank empty [ eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL", "NOT NULL") ]
] Results _time blank blank_size empty empty_size test 1 2020-09-01 17:24:52 NOT NULL 1 0 1 2 2020-09-01 17:24:52 NOT NULL 8 NULL 2 Hope this helps.
... View more
08-31-2020
04:00 PM
Hi @gauravmsharma I think you need to read up on what a sourcetype is in Splunk and how it is used and should be used. It will not help you here and is confusing when used in the context of this question. So for your question So the query remains can be use this initializing line for creating a sourcetype and assign logs to the same sourcetype till it recived a message Killed in the events. The answer is no. From what I can tell you are trying to tie individual events in a log file together, but these individual events have no unique key value to tie then together. Depending on the log content and the order of events in the log, you may be able to tie the individual events together using the Splunk processing language (SPL) with commands like transaction and stats. Without a good look at the source log data it hard to know though. If you attach some to this question then may be able to help.
... View more
08-31-2020
12:34 AM
1 Karma
Hi @gauravmsharma I'm not exactly sure what you're asking for here but I'll give an answer a go. At least it might lead to some better understanding. I don't believe "dynamic sourcetype extraction based on the stanza" entry is something that can be done, or even should be done, if it was even possible in Splunk. The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data (ref: https://docs.splunk.com/Documentation/Splunk/latest/Data/Aboutdefaultfields#Source_vs_sourcetype). It a useful way of grouping similar data sources based on their data format/syntax/structure. If you could do this then you would also, potentially, have to configure lots of sourcetype entries to tell Splunk how to process the incoming data into events . It does not really matter anyway as you also have the source metadata field, which already contains the function-name (as you call it) in the monitor stanza. You can extract/manipulate it for every event when you search it. For example # inputs.conf
[monitor:///var/log/test-function_name.log]
sourcetype = some_sourcetype Events found in this file would all be assigned with source="/var/log/test-function_name.log" Now you can use regex or eval functions in the Splunk search language to extract the function_name from the source field's value, e.g. ... my base search ...
| rex field=source "\/(?<func_name>)[^\.]+)"
... Resulting in all events in the inputs file having a new key value pair of func_name="test-function_name" . This could also be automated in Splunk's field extractions so it just happens automatically without specifying it in the search query, Note, I'm just using examples above to show what could be done and you will need to adjust for your own needs. Hope this helps or gives you some ideas.
... View more
08-27-2020
09:07 PM
Good point about the search "Errorcode=*" @bowesmana, unless a "null" string is actually the output value in ErrorCode column. @irishmanjb, that will change the query I provided. The eval may need updating depending on the source data.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-03-2021
06:51 PM
|
Karma given to
