Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About jstaley
jstaley
Explorer
Member since:
08-02-2013
04-07-2026
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 10 |
| Member Since | 08-02-2013 |
Activity Feed
- Karma Re: How to forward indexed data that needs to be SSL encrypted to a second indexer? for Ayn. 06-05-2020 12:47 AM
- Got Karma for How to forward indexed data that needs to be SSL encrypted to a second indexer?. 06-05-2020 12:47 AM
- Got Karma for How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to throttle email alerts on multiple unique values from one field?. 06-05-2020 12:47 AM
- Posted Re: Splunk UF on VDI image re-ingests old data when image is reloaded on Getting Data In. 07-03-2019 11:04 AM
- Posted Splunk UF on VDI image re-ingests old data when image is reloaded on Getting Data In. 07-02-2019 11:42 AM
- Tagged Splunk UF on VDI image re-ingests old data when image is reloaded on Getting Data In. 07-02-2019 11:42 AM
- Tagged Splunk UF on VDI image re-ingests old data when image is reloaded on Getting Data In. 07-02-2019 11:42 AM
- Posted Is there any way to restrict users/roles from accessing the activity - jobs list on the top right corner of the dashboard? on Dashboards & Visualizations. 12-18-2014 06:48 AM
- Tagged Is there any way to restrict users/roles from accessing the activity - jobs list on the top right corner of the dashboard? on Dashboards & Visualizations. 12-18-2014 06:48 AM
- Tagged Is there any way to restrict users/roles from accessing the activity - jobs list on the top right corner of the dashboard? on Dashboards & Visualizations. 12-18-2014 06:48 AM
- Tagged Is there any way to restrict users/roles from accessing the activity - jobs list on the top right corner of the dashboard? on Dashboards & Visualizations. 12-18-2014 06:48 AM
- Tagged Is there any way to restrict users/roles from accessing the activity - jobs list on the top right corner of the dashboard? on Dashboards & Visualizations. 12-18-2014 06:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 1 |
07-03-2019
11:04 AM
So, I talked to one of the server guys to figure out more along what the environment does. The image itself (Where Splunk runs) is not editable. So the fishbucket I would assume can simply never update and every time the server is rebooted / image is reloaded, it re-grabs all of the event log data it has access to (or from another post I found the modinputs directory). There is a persistent disk available so the question now is can can the fishbucket/modinputs be moved to this persistent directory. I think we can do this with a symbolic link.
... View more
07-02-2019
11:42 AM
I have no doubt this is a configuration problem, but unfortunately can't find how to proceed.
The problem occurs when a new Citrix image is put out to the user base. The image updated and the image is then saved. This image is then pushed out to the environment. Once this is done and the system starts the image and splunk starts to re-ingest all of that data which was ingested previously. The UF is unaware this data was already ingested.
I looked into a couple items such as followtail (recommended against doing) and as well as ignoreOlderthan (I believe the file is appended, not rolled over).
Normally I wouldn't really be bothered by this however this causes around an additional 30GB to be indexed. This doesn't occur too often (1-2 times per month) but it does trigger a license warning when it occurs.
Thanks for any help!
... View more
12-18-2014
06:48 AM
Hello,
Per our environment we would like to provide access to certain entities within our control access to our splunk environment. Specific dashboards, searches and access has been permitted. So far the system is pretty well locked down however the user is still able to view the activity/jobs in the top right corner. Is there any way to lock the access down further so the users/role can not access that report/list?
Thank you,
Justin
... View more
10-31-2014
11:45 AM
I do not believe they are multiline, and believe they are simply one long line. I did attempt to use (?s).* and din't have any luck.
... View more
10-31-2014
11:18 AM
I had not, however I just did and still seems to have the same issue.
... View more
10-31-2014
10:23 AM
Hello Everyone,
After doing quite a bit of research I believe I have the correct process for filtering out information before it is indexed however the traffic is still being indexed. 1 source is sending 3 types of information. One of those source types is network_traffic, which we want to not be indexed.
The sourcetype = network_traffic
cat /opt/splunk/etc/system/local/props.conf
[network_traffic]
TRANSFORMS-null=traffic_null
cat /opt/splunk/etc/system/local/transforms.conf
[traffic_null]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue
Any thoughts or ideas would be great. I've tried using specific regex to match on traffic inside the index, putting spaces / removing spaces before and after = signs, etc.
Thanks!
[Edit]
As a FYI. This traffic is being forwarded already cooked from another indexer. We didn't think this would be an issue however considering it is already cooked it could be?
... View more
I found my answer to this. When specifying a action for a alert you must select the "Action Options" "When triggered, execute actions for each result". Select throttle, and specify the fields you want to suppress. ,Found my answer for this.
Modify the Action within the Alert.
Under "Action Options" select "When triggered, execute actions - For each result"
Select the "Throttle" check box.
Suppress results containing field value (I specified "Attack Name" for the above example)
Save
... View more
Hello Everyone,
Unfortunately I may not be thinking outside of the box far enough for this one. Essentially a search is ran to identify a "critical" value within a "threat level" field, and from that search we alert based on the "attack name" field. The issue I am coming across is when creating the alert action, suppression (throttling) is based on the entire search. So in the event that 1 "attack name" out of 1,000 triggers the alert, it is suppressed for example 4 hours. This is an issue because I would like to alert for any attack name and only suppress if the attack name is identical. Without creating a alert for every single "attack name".
Assume 3 events are logged
1) 12:10 - Threat Level = Critical ; Attack Name = 123 (Alert via email)
2) 12:30 - Threat Level = Critical ; Attack Name = 654 (Alert via email)
3) 12:50 - Threat Level = Critical ; Attack Name = 123 (No alert, suppressed by event 1)
4) 12:54 - Threat Level = High ; Attack Name = 921 (No alert, threat level not = to Critical)
Thoughts and Ideas?
Thanks,
Justin
... View more
10-02-2014
10:21 AM
Thank you for your reply, it is much appreciated. I am in the process of setting up the labs to check everything over.
... View more
09-25-2014
04:39 PM
1 Karma
Hello,
Looking to forward data from one indexer to a second indexer. The are multiple reasons for the separate indexer and we have definitely looked into a majority of our options for this scenario. With this being said, the information being forwarded to the second indexer needs to be ssl encrypted. How would be go about this?
Thanks
... View more
- Tags:
- forwarding
- indexer
- ssl
