Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dokaas_2
dokaas_2
Explorer
Member since:
01-31-2019
07-18-2020
Community Statistics
| Posts | 11 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 01-31-2019 |
Activity Feed
- Posted Re: Using a clickable image to select query on Dashboards & Visualizations. 07-18-2020 04:44 AM
- Tagged Re: Using a clickable image to select query on Dashboards & Visualizations. 07-18-2020 04:44 AM
- Karma Re: In a mulit-site cluster, does Splunk replicate just the data to the remote and then the remote site indexer indexes the data? for nickhillscpl. 06-05-2020 12:51 AM
- Karma Re: How do you add notes for events? for woodcock. 06-05-2020 12:50 AM
- Karma Re: image in dashboard for tormodbp. 06-05-2020 12:48 AM
- Posted Re: How to prevent getting an error using brackets < > in a rex expression while creating a dashboard view in XML? on Dashboards & Visualizations. 05-08-2020 09:44 AM
- Posted Re: Using a clickable image to select query on Dashboards & Visualizations. 03-31-2020 04:42 AM
- Posted Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
- Tagged Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
- Tagged Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
- Tagged Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
- Tagged Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
- Tagged Using a clickable image to select query on Dashboards & Visualizations. 03-25-2020 06:46 AM
- Posted Opps. Passwords in UserID field on Getting Data In. 03-17-2020 10:49 AM
- Tagged Opps. Passwords in UserID field on Getting Data In. 03-17-2020 10:49 AM
- Tagged Opps. Passwords in UserID field on Getting Data In. 03-17-2020 10:49 AM
- Tagged Opps. Passwords in UserID field on Getting Data In. 03-17-2020 10:49 AM
- Tagged Opps. Passwords in UserID field on Getting Data In. 03-17-2020 10:49 AM
- Tagged Opps. Passwords in UserID field on Getting Data In. 03-17-2020 10:49 AM
- Posted Re: In a mulit-site cluster, does Splunk replicate just the data to the remote and then the remote site indexer indexes the data? on Deployment Architecture. 03-02-2020 10:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-18-2020
04:44 AM
in the previous solution post I made reference to the image being sizable. the answer that I arrived at was to save the image as an SVG file and use the SVG visualization addon. I used MS Visio and was able to select a Visio element and add an http reference to the element. Another gotcha that when you save as an scalable vector graphic from Visio you must deselect the "Include Visio data in files". The other thing I did was to put the SVG file in a saved macro and used it to pass the SVG code visualization.
... View more
- Tags:
- in
05-08-2020
09:44 AM
The easiest way I've found is to create a macro of your query. The use the macro in your dashboard query statement. Be sure permissions are properly set.
<query>`your_query`</query>
... View more
03-31-2020
04:42 AM
So the answer to my problem was in formatting the href in the element. The html file is show and goes in the /appserver/static folder. The image goes in /appserver/static/images folder.
In the dashboard, the reference to the html file is in an html panel using the element.
The challenge now is that when one resizes the browser, the image also resizes which causes problem b/c the imagemap uses absolute positioning. I'm assuming a script can be written to fix this.
+++++++++++++++++
... View more
03-25-2020
06:46 AM
I've generated an image of our network perimeter with the major equipment (Cisco ASA, Palo Alto, etc) providing a visual image of how data flows through the perimeter wall. The image is on the left hand pane of the dashboard. The image is contained in a dashboard through the use of the HTML element to make it clickable. On the right hand pane I have a table.
What I want to do is to use the clickable image in the left pane to display events in the right hand table pane depending on what piece of equipment they click. The fundamental query will change depending on the equipment (firewall versus IDS versus VPN, etc)
Does anyone have a good solution (other than using a dropdown input box?
... View more
03-17-2020
10:49 AM
You'd be surprised at how many times a user will type their password in the UserID field. This shows up in a Windows EventCode=4625. By itself it wouldn't be an issue since in a single 4625 event you don't know the userID. However, if you correlate that to other events on the same host, you probably can figure out both the username and password. You'd want to keep the usernames in the field if they didn't look like a password. So my question is this:
Q: How would one propose to selectively find usernames that look like passwords and then substitute a character string (e.g. "********") at index time?
... View more
03-02-2020
10:06 AM
Two sites, RF=2 SF=2 + Splunk SmartStore. Design for 3TB/day at one site and 2TB/day at the second site (5TB/day total). Both sites will search across all data.
... View more
03-02-2020
08:52 AM
Thanks. I can see the benefits and pitfalls of both ways.
So if the data is replicated to the remote site (target) to be indexed, assuming two sites, does one need to size the number of indexers based on the combined ingestion rate at both sites?
... View more
03-02-2020
05:57 AM
Thanks, but after a little further research, that seems inconsistent with https://docs.splunk.com/Documentation/Splunk/;atest/Indexer/Howclusteredindexingworks. Of course this does not specifically address multisite clusters, but I'd assume this would apply. What do you think?
++++++++++++++++++++++++++++++++++++++
These events occur when a peer node starts up:
1. The peer node registers with the master and receives the latest configuration bundle from the master.
The master rebalances the primary bucket copies across the cluster and starts a new generation.
The peer starts ingesting external data, in the same way as any indexer. It processes the data into events and then appends the data to a rawdata file. It also creates associated index files. It stores these files (both the rawdata and the index files) locally in a hot bucket. This is the primary copy of the bucket.
The master gives the peer a list of target peers for its replicated data. For example, if the replication factor is 3, the master gives the peer a list of two target peers.
If the search factor is greater than 1, the master also tells the peer which of its target peers should make its copy of the data searchable. For example, if the search factor is 2, the master picks one specific target peer that should make its copy searchable and communicates that information to the source peer.
The peer begins streaming the processed rawdata to the target peers specified by the master. It does not wait until its rawdata file is complete to start streaming its contents; rather, it streams the rawdata in blocks, as it processes the incoming data. It also tells any target peer(s) if they need to make their copies searchable, as communicated to it by the master in step 5.
The target peers receive the rawdata from the source peer and store it in local copies of the bucket.
Any targets with designated searchable copies start creating the necessary index files.
The peer continues to stream data to the targets until it rolls its hot bucket.
... View more
03-02-2020
03:33 AM
In an multi-site cluster Splunk replicates the data to the remote site, but doe Splunk also replicate the index information or is indexing left up to the remote site indexer? Also, does Splunk replicate raw data or compressed data?
... View more
04-11-2019
05:55 AM
So this is bugging me. I've got the following script in an HTML form in Splunk:
//
// Get the collection of indexes
var myindexes = service.indexes();
// Get an index to send events to
myindexes.fetch(function(err, myindexes) {
var myindex = myindexes.item("main");
// Submit an event to the index
myindex.submitEvent("Case Opened - lit", {
sourcetype: "notes"
}, function(err, result, myindex) {
console.log("Submitted event: ", result);
});
});
//
Which works. But, if I add a line to use a variable instead of a literal string such as:
//
// Get the collection of indexes
var myindexes = service.indexes();
var event = "Date=" + formDate + ", BacklogID=" + formBacklogID + ", evtID=" + formevtID + ", Comments=" + formComments + ", Author=" + form_Author;
// Get an index to send events to
myindexes.fetch(function(err, myindexes) {
var myindex = myindexes.item("main");
// Submit an event to the index
myindex.submitEvent(event, {
sourcetype: "siem:alarm:notes"
}, function(err, result, myindex) {
console.log("Submitted event: ", result);
});
});
//
it doesn't give an error, but it doesn't add the record either. I've debugged and stepped into the code and the var event does have data, but nothing gets pushed to the index.
What gives? Anybody have an idea?
... View more
- Tags:
- add
- api
- javascript
- rest
04-01-2019
02:07 PM
I'm looking for a way to use a modal form to add comments to events. The behavior would be to click on an event, have a modal form displayed with a textfield box, the user adds their comments, and then posts the comments to a Splunk index.
The modal form isn't too much of a problem, I don't know how to get the information into Splunk (REST API maybe)?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-18-2020
08:06 AM
|
