the search is like this: host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi) how can I create a timechart to show the number of total events (host=linux01 sourcetype="linux:audit") and the number of filtered events (host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi))? thanks for any help! ... View more

my 2 devices (System01 and System02) as cluster are each sending one event per hour to Splunk like this: 00:00:00 – System01 - Number of concurrent users logged in to the device: 7 00:00:05 – System02 - Number of concurrent users logged in to the device: 1 00:01:00 - System01 - Number of concurrent users logged in to the device: 3 00:01:05 - System02 - Number of concurrent users logged in to the device: 2 00:02:00 - System01 - Number of concurrent users logged in to the device: 4 00:02:05 - System02 - Number of concurrent users logged in to the device: 2 00:03:00 - System01 - Number of concurrent users logged in to the device: 12 00:03:05 - System02 - Number of concurrent users logged in to the device: 26 00:04:00 - System01 - Number of concurrent users logged in to the device: 166 00:04:05 - System02 - Number of concurrent users logged in to the device: 20 00:05:00 - System01 - Number of concurrent users logged in to the device: 12 00:05:05 - System02 - Number of concurrent users logged in to the device: 5 ... 00:23:00 - System01 - Number of concurrent users logged in to the device: 12 00:23:05 - System02 - Number of concurrent users logged in to the device: 3 it shall not requrie any stats/count command as the concurrent number is already given each hr. Could anyone advise a timechart/search command to display number of concerrent users each hr? thanks. 00hr 01hr 02hr 03hr 04hr 05hr … 23hr 7+1=8 3+2=5 4+2=6 12+26=38 166+20=186 12+5=17 12+3=15 ... View more

Cisco has been configured and sent syslog to Splunk as follows: I would like a table to show port status of Cisco switch with format as follows: Interface status count GigabitEthernet1/0/27 up 1 GigabitEthernet1/0/27 down 1 GigabitEthernet2/0/2 up 3 GigabitEthernet2/0/2 down 3 GigabitEthernet2/0/1 up 1 GigabitEthernet2/0/1 down 0 Can someone help to complete the search below (or come with some regex) to achieve this? great thanks! (sourcetype=cisco ("%LINK-3") AND ("changed state to up" OR "changed state to administratively up")) OR (sourcetype=cisco ("%LINK-3") AND ("changed state to down" OR "changed state to administratively down")) | table Interface, status, count ??? ... View more

i would like to add prebuilt panels to Splunk add-on for Symantec DLP's dedicated webpage. This is my current Splunk add-on for Symantec DLP's dedicated webpage. I would like to have all the prebuilt panels shown in Symantec DLP's dedicated webpage as follows; that is what is shown in "Splunk Add-on for Symantec DLP from Splunkbase at http://splunkbase.splunk.com/app/3029." In fact, i already followed every step in https://docs.splunk.com/Documentation/AddOns/released/Overview/Prebuiltpanels, but it seems not the same as the second pic. or what steps else shall i make? ... View more

I make sure the search results can return the results which is within 24h period as expected. I am trying to use the prebuilt panel included with Splunk add-on for Symantec DLP - "symantec_dlp_top_10_incident_senders_in_last_24h" to show the particular intertesed senders who caused the incidents. The following is the context of prebuilt panel of "symantec_dlp_top_10_incident_senders_in_last_24h". I expect they shall be correct, without having any further modification? <query>sourcetype="symantec:dlp:syslog" earliest=-24h | top limit=10 showperc=false sender</query> Then i added the prebuilt panel to dashboards in order to view the results, but no luck. In fact, I tried all the prebuilt panels included with Splunk add-on for Symantec DLP as follows. symantec_dlp_activities_by_action_in_last_24h symantec_dlp_severity_distribution_in_last_24h antec_dlp_top_10_incident_senders_in_last_24h antec_dlp__severity_distribution_in_last_24h The above panels are found in > Splunk Web > Settings > User interface > Prebuilt panels. Again I expect they shall be correct, without having any further modification? FYI: As per the official instructions, I have specified the following variables to extract from my Symantec DLP system and send them to Splunk. Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Rules: $POLICY_RULES$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$ ... View more

I have specified the following variables to extract from my Symantec DLP system and send them to Splunk. Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Rules: $POLICY_RULES$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$ The following are the search results using the “sourcetype=symantec:dlp:syslog” Feb 21 09:39:11 192.168.1.5 Feb 21 09:40:23 ABCcompany Message = ID: 97712, Policy Violated: IT-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail2.txt, Blocked: None, Endpoint: PC_David Feb 21 09:43:48 192.168.1.5 Feb 21 09:46:23 ABCcompany Message = ID: 97713, Policy Violated: IT-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail.txt, Blocked: None, Endpoint: PC_David Feb 21 09:43:48 192.168.1.10 Feb 21 09:46:23 ABCcompany Message = ID: 97714, Policy Violated: HR-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint HTTPS, Recipient: Unknown, Sender: 192.168.2.122, Severity: 1:High, Subject: N/A, Target: N/A, Filename: N/A, Blocked: None, Endpoint: PC_Ryan I would like to create a pie chart comparing number (better with percentage) of policies violated; which should be 2 IT-IDM-Policy (66%), and 1 HR-IDM-Policy (33%). I have extracted a field named “Policy_Violated” by regular expression ^(?:[^:\n]*:){6}\s+(?P[^,]+). And the results are expected as follows: Values Count % IT-IDM-Policy 2 66.6 HR-IDM-Policy 1 33.3 But then what search keywords shall be used in order to generate statistic or visualization results which can be used afterwards to create a pie chart? ... View more