Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About splunkbeginner
splunkbeginner
Engager
Member since:
02-20-2019
06-05-2020
Community Statistics
| Posts | 25 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 02-20-2019 |
Activity Feed
- Karma Re: how to create a table to show port status of Cisco switch? for riddhichandaran. 06-05-2020 12:50 AM
- Posted Re: How to display 0 when there is No Records Found or Nothing returned on Splunk Search. 04-20-2020 06:18 PM
- Posted Re: How to display 0 when there is No Records Found or Nothing returned on Splunk Search. 04-19-2020 08:41 PM
- Posted Re: How to display 0 when there is No Records Found or Nothing returned on Splunk Search. 04-19-2020 06:11 PM
- Posted Re: How to display 0 when there is No Records Found or Nothing returned on Splunk Search. 04-17-2020 09:49 PM
- Posted How to display 0 when there is No Records Found or Nothing returned on Splunk Search. 04-17-2020 07:13 PM
- Tagged How to display 0 when there is No Records Found or Nothing returned on Splunk Search. 04-17-2020 07:13 PM
- Posted Re: timechart to show the number of total events before filtering and number of filtered events on Dashboards & Visualizations. 04-17-2020 06:39 PM
- Posted Re: timechart to show the number of total events before filtering and number of filtered events on Dashboards & Visualizations. 04-17-2020 07:12 AM
- Posted Re: timechart to show the number of total events before filtering and number of filtered events on Dashboards & Visualizations. 04-17-2020 03:42 AM
- Posted timechart to show the number of total events before filtering and number of filtered events on Dashboards & Visualizations. 04-16-2020 06:36 PM
- Tagged timechart to show the number of total events before filtering and number of filtered events on Dashboards & Visualizations. 04-16-2020 06:36 PM
- Posted create a dashboard (timechart) to show number of concurrent users logged in to the devices on Dashboards & Visualizations. 03-19-2020 11:17 PM
- Tagged create a dashboard (timechart) to show number of concurrent users logged in to the devices on Dashboards & Visualizations. 03-19-2020 11:17 PM
- Posted Re: Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1. on Splunk Enterprise Security. 10-15-2019 12:46 AM
- Posted Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1. on Splunk Enterprise Security. 10-14-2019 11:14 PM
- Tagged Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1. on Splunk Enterprise Security. 10-14-2019 11:14 PM
- Tagged Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1. on Splunk Enterprise Security. 10-14-2019 11:14 PM
- Tagged Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1. on Splunk Enterprise Security. 10-14-2019 11:14 PM
- Tagged Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1. on Splunk Enterprise Security. 10-14-2019 11:14 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-20-2020
06:18 PM
@harishalipaka
thanks but it somehow doesn't work for me.
nevertheless i tried a query from another splunk answer and its working fine.
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]
... View more
04-19-2020
08:41 PM
@to4kawa
thanks again. maybe i don't know how to fit your suggestion to my search... but thanks anyway.
nevertheless i tried a query from another splunk answer and its working fine.
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]
... View more
04-19-2020
06:11 PM
@to4kawa
thanks but still I get nothing on the timechart for "total" or "filter" when there is no matched event return for "total" or "filter",
... View more
04-17-2020
09:49 PM
@to4kawa
Thanks for the link. Any idea how i can tune the appendage to yield correct events? Thanks
| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
| appendpipe
[| timechart count
| where count=0
| eval ???,count=0
| appendpipe
[| eval ???,count=0]]
... View more
04-17-2020
07:13 PM
the search (thanks for who provided this) is:
| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
If there is no matched event to return for "total" and "filter", I get "Not Results Found". If there is no matched event return for "total" or "filter", I get nothing on the timechart for "total" or "filter"
I would instead like a 0 displayed. Any idea will be much appreciated.
... View more
- Tags:
- splunk-enterprise
04-17-2020
06:39 PM
@to4kawa
it really helps. thank you.
... View more
04-17-2020
07:12 AM
@renjith.nair,
much appreciated. there are some output.
if I want to use a timechart to show number of TOTAL and number of Filtered each day, the search will be like?
host=linux01 sourcetype="linux:audit" |eventstats count as TOTAL
|search key="linux01_change" NOT comm IN (vi, rm, ls)
|timechart span=1d TOTAL and filter???
Sorry for the trivial question again
... View more
04-17-2020
03:42 AM
thx renjith.nair,
sorry for some missing info. The base search shall be:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
and the the number of total events wanted is (host=linux01 sourcetype="linux:audit"), not (host=linux01 sourcetype="linux:audit" key="linux01_change")
the number of filtered events wanted is host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
i want the search to become sth like this:
host=linux01 sourcetype="linux:audit" | timechart count(host=linux01 sourcetype="linux:audit") as Total, count( host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls) ) as Filtered
could you fine tune the search? much appreciated.
... View more
04-16-2020
06:36 PM
the search is like this: host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi)
how can I create a timechart to show the number of total events (host=linux01 sourcetype="linux:audit") and the number of filtered events (host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi))?
thanks for any help!
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
timechart
03-19-2020
11:17 PM
my 2 devices (System01 and System02) as cluster are each sending one event per hour to Splunk like this:
00:00:00 – System01 - Number of concurrent users logged in to the device: 7 00:00:05 – System02 - Number of concurrent users logged in to the device: 1
00:01:00 - System01 - Number of concurrent users logged in to the device: 3 00:01:05 - System02 - Number of concurrent users logged in to the device: 2
00:02:00 - System01 - Number of concurrent users logged in to the device: 4 00:02:05 - System02 - Number of concurrent users logged in to the device: 2
00:03:00 - System01 - Number of concurrent users logged in to the device: 12 00:03:05 - System02 - Number of concurrent users logged in to the device: 26
00:04:00 - System01 - Number of concurrent users logged in to the device: 166 00:04:05 - System02 - Number of concurrent users logged in to the device: 20
00:05:00 - System01 - Number of concurrent users logged in to the device: 12 00:05:05 - System02 - Number of concurrent users logged in to the device: 5 ... 00:23:00 - System01 - Number of concurrent users logged in to the device: 12 00:23:05 - System02 - Number of concurrent users logged in to the device: 3
it shall not requrie any stats/count command as the concurrent number is already given each hr. Could anyone advise a timechart/search command to display number of concerrent users each hr? thanks. 00hr 01hr 02hr 03hr 04hr 05hr … 23hr 7+1=8 3+2=5 4+2=6 12+26=38 166+20=186 12+5=17 12+3=15
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
timechart
10-15-2019
12:46 AM
as far as I know perfmon is a process associated with Windows OS, however our splunk was installed on linux.
... View more
10-14-2019
11:14 PM
After upgrade to Splunk Enterprise Security v 5.3.1, fail on startup with the following error:
[root@splunk02 bin]# ./splunk start
Splunk> Another one.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Problem parsing indexes.conf: Cannot load IndexConfig: stanza=perfmon Required parameter=homePath not configured
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
... View more
04-16-2019
12:31 AM
thx mikaelbje, it does work now.
... View more
04-15-2019
09:12 PM
thanks riddhichandarana, it certainly helps!
... View more
04-15-2019
09:09 PM
thx again. in fact I did change it already. In the screenshot I attached, I have changed it as follows:
Name: Search string:
cisco_ios sourcetype=cisco
but it somehow does not work at all
... View more
04-15-2019
06:35 PM
Thanks, in fact i did install both Cisco Networks Add-on and Cisco Networks App.
But there seems no outputs at all. Please see their configurations below:
https://imgur.com/ftwtoZj
... View more
04-15-2019
02:17 AM
There are two Cisco devices; I call them “1st IP” and “2nd IP” hereafter.
I have managed to configured and send syslog of “1st IP” to Splunk. Please see following 2 screenshots.
Now i would like to another Cisco device, i.e. “2nd IP” to Splunk, by adding the “2nd IP”. It turned out to be weird to me.
All i wanted is something like this by always using soucetype:cisco, if possible:
UDP port---------------------souce type
192.168.1stIP:514-------- cisco
192.168.2ndIP:514--------cisco
... View more
04-15-2019
01:24 AM
Cisco has been configured and sent syslog to Splunk as follows:
I would like a table to show port status of Cisco switch with format as follows:
Interface status count
GigabitEthernet1/0/27 up 1
GigabitEthernet1/0/27 down 1
GigabitEthernet2/0/2 up 3
GigabitEthernet2/0/2 down 3
GigabitEthernet2/0/1 up 1
GigabitEthernet2/0/1 down 0
Can someone help to complete the search below (or come with some regex) to achieve this? great thanks!
(sourcetype=cisco ("%LINK-3") AND ("changed state to up" OR "changed state to administratively up")) OR (sourcetype=cisco ("%LINK-3") AND ("changed state to down" OR "changed state to administratively down")) | table Interface, status, count ???
... View more
02-26-2019
07:51 PM
thank you for your answer which really helps.
... View more
02-26-2019
07:51 PM
thank you for your prompt answer.
that could two apps must be installed and willl appear on the Splunk Web home screen's left hand side?
what are the differences between "Splunk add-on for Symantec DLP" and "Symantec Data Loss Prevention (DLP)". I thought "Splunk add-on for Symantec DLP" is superior to supersede "Symantec Data Loss Prevention (DLP)"?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
