Activity Feed
- Got Karma for How to search the names of triggered alerts, their trigger time, and the events that triggered them?. 08-16-2022 05:01 PM
- Karma Re: Violent file caching in Splunk 6.2.x for mitch_1. 06-05-2020 12:47 AM
- Karma Re: timechart shows 0 when there is no result for woodcock. 06-05-2020 12:47 AM
- Karma Re: Can't update images , JS or CSS for s2_splunk. 06-05-2020 12:47 AM
- Karma Re: add more title to dashboard for woodcock. 06-05-2020 12:47 AM
- Karma How to create a table in Sideview Utils where the rows expand to show more data? for lyndac. 06-05-2020 12:47 AM
- Got Karma for Re: Why can't I drill down a table with the _time column renamed or converted to a different format?. 06-05-2020 12:47 AM
- Got Karma for Re: Why can't I drill down a table with the _time column renamed or converted to a different format?. 06-05-2020 12:47 AM
- Got Karma for How to forward old data from a forwarder to a new Splunk index?. 06-05-2020 12:47 AM
- Got Karma for Dashboard Input Error When Time Is Set As "All Time". 06-05-2020 12:47 AM
- Got Karma for Dashboard Input Error When Time Is Set As "All Time". 06-05-2020 12:47 AM
- Got Karma for How can I change the timezone of a forwarder?. 06-05-2020 12:47 AM
- Karma Re: drilldown from a hidden column for Jason. 06-05-2020 12:45 AM
- Posted Re: Event log cannot be fully displayed in Field Extractor on Splunk Search. 03-10-2019 07:26 PM
- Posted Event log cannot be fully displayed in Field Extractor on Splunk Search. 03-09-2019 11:53 PM
- Posted Re: How to customize the sourcetype in java? on Getting Data In. 12-03-2015 05:25 PM
- Posted Re: How to customize the sourcetype in java? on Getting Data In. 12-02-2015 07:42 PM
- Posted Re: How to customize the sourcetype in java? on Getting Data In. 11-30-2015 05:37 PM
- Posted Re: How to customize the sourcetype in java? on Getting Data In. 11-29-2015 05:15 PM
- Posted How to customize the sourcetype in java? on Getting Data In. 11-26-2015 10:27 PM
03-10-2019 07:26 PM
Hi Skalli, thanks for your reply. I put CHARSET = UTF-16 in the props.conf in my app and still don't see the rest of the content.
03-09-2019 11:53 PM
Hey fellow Splunkers. I'm trying to extract some fields from Windows event logs. When I search these logs the content looks great:
But when I want to extract more fields, some of the content just disappears in Field Extractor:
So I can't get those fields extracted. Any suggestions? Thanks in advance!
- Tags:
- eventlog
- extraction
12-03-2015 05:25 PM
Actually what I need to monitor is not the content of the logs, but the size, the modified time and the other properties of the log files. This script gets these properties and sends them to Splunk as events. Can I do this by using a data input?
12-02-2015 07:42 PM
Well, I tried using the submit method and I could set the sourcetype correctly. But the reason I would rather use the attachWith method is the performance problem mentioned in the docs. I'm not sure what you mean by "using an input". Are there any docs about this? Thx again.
11-30-2015 05:37 PM
Thank you for your answer. I tried this and found that the content of eventArgs would be uploaded to Splunk as part of the event. But it didn't make any difference to the values of host, source and so on. And it's weird that when I set the timestamp to a certain time (for example 2000-01-01 01:01:01, which is a little different from the example), Splunk set the time I ran the code as the timestamp, not the time I set above. Any ideas about this?
11-26-2015 10:27 PM
Hi guys, I ran into trouble getting data into Splunk with Java and I really need your help!
I followed the instructions in "To add data directly to an index" at http://dev.splunk.com/view/java-sdk/SP-CAAAEJ2#add2index , using the attachWith method. Here is my code:
```java
import com.splunk.Index;
import com.splunk.ReceiverBehavior;
import com.splunk.Service;
import com.splunk.ServiceArgs;

import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;

public class AttachWithExample {
    public static void main(String[] args) {
        ServiceArgs serviceArgs = new ServiceArgs();
        serviceArgs.setUsername("admin");
        serviceArgs.setPassword("admin");
        serviceArgs.setHost("local");
        serviceArgs.setPort(8089);
        // Connect to splunkd's management port with the arguments above.
        final Service service = Service.connect(serviceArgs);
        Index myIndex = service.getIndexes().get("folder");
        try {
            // attachWith opens a raw stream to the index; whatever is written
            // to it is indexed as-is, with no per-call host/sourcetype arguments.
            myIndex.attachWith(new ReceiverBehavior() {
                @Override
                public void run(OutputStream stream) {
                    // Event event = service.   (unfinished statement, unused)
                    DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd-HH:mm:ss");
                    String date = dateFormat.format(new Date());
                    String eventText = date + " text=Testing!";
                    try {
                        stream.write(eventText.getBytes("UTF8"));
                    } catch (UnsupportedEncodingException e) {
                        e.printStackTrace();
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                }
            });
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
The event was successfully indexed by Splunk, but with sourcetype "http-stream-too_small". The submit method in "To add data directly to an index" takes arguments to set the values of host, source, sourcetype and so on as we want. However, I don't see any such argument in the example for the attachWith method. Is it possible to customize the host and sourcetype this way?
10-22-2015 11:48 PM
The time in the logs of the IIS server is different from the actual time here, which may cause some weird issues. I tried changing the time of performance data with Splunk 6.2.4 and it didn't work, as above. Today I tried changing the time in the logs of the IIS server with Splunk 6.3.0 the way you said and it worked! How does this happen? Does the Splunk version matter, or the type of data?
10-07-2015 09:21 PM
Oh my bad. The system time on the instance with the forwarder is like 9s or 10s later than the system time on the Splunk server. So I guess the lagSecs is fine. Why are my settings not working? Are my steps correct?
10-07-2015 06:14 PM
The value of date_zone is "N/A" and lagSecs is like "-9" or "-10". How can I solve it?
09-30-2015 12:37 AM
Hi woodcock, I think I got some problems with this.
I have one indexer, let's call it instanceA, and three forwarders. One of the forwarders (instanceB) needs its timezone changed and the other two (instanceC and instanceD) don't.
As a test, I set my user's timezone in instanceA to GMT+8:00 (which is the timezone here). Then I put
```
[host::SYSAID7]
TZ = US/Eastern
```
in the props.conf on instanceB (btw its host name is "SYSAID7").
After all this, I restarted instanceA and instanceB and found the _time of the events from instanceB was still instanceB's system time. Anything I missed or did wrong?
Update: instanceB is sending the performance information with the system time in the events. Does it matter?
09-29-2015 09:29 PM
I see. So could you show me an example of "TZvalueForYourEventTimestamps"? I don't see any in the default folder. And can I add this stanza to the props.conf on the indexer without adding it on the forwarder?
09-29-2015 08:21 PM
Thank you! I'm using 6.2 on both forwarder and indexer. Just 3 more questions:
1. Can I use other fields instead of "[yourSourcetype]", like host? If yes, what would that look like?
2. Could you show me an example of "TZvalueForYourEventTimestamps"? I'm not sure what I should put here.
3. Can I add this stanza to the props.conf on the indexer without adding it on the forwarder?
Thank you again!
09-29-2015 07:24 PM
1 Karma
Hi guys, I have a monitored device whose system time is set 8 hours earlier than the Splunk server. Every time I search the data of this device I have to set the search time 8 hours earlier, and some weird things happen when I search this device together with the others. Since I cannot change the system time of this device, can I change the timezone through some configuration on the forwarder and make the _time of the data from this device the same as the Splunk server? Thanks in advance.
09-28-2015 12:05 AM
I see. "Delimit" cannot be replaced by ";", but "!", "+", "-", "," and "." work!
09-27-2015 11:45 PM
Thank you for your reply. The result of this search line is pretty interesting because some of them are separated while some of them aren't. I have no idea how this happens, but still, thank you!
09-27-2015 11:11 PM
```
index="security"
| eventstats values(attName) as att by src
| where attName="$some certain attack name$"
| stats count as c by src attName des att
| stats values(att) as atts by src attName des c
| stats sum(c) as total list(des) as desips list(c) as LC values(atts) as otherAttack by src
| table src total desips LC otherAttack
| sort -total
```
Solved by this search line without using "join".
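As an added illustration (not part of the post above), the correlation that the eventstats-based search performs, written in Python over constructed IPS events so the grouping can be checked outside Splunk: per source IP, the count per destination for the chosen attack, plus every attack name that source produced anywhere in the data. Event and attack names are made up.

```python
from collections import defaultdict

# Constructed sample IPS events (not real data): one dict per indexed event.
EVENTS = [
    {"src": "14.18.240.6", "attName": "AttackX", "des": "172.25.118.53"},
    {"src": "14.18.240.6", "attName": "AttackX", "des": "172.26.67.198"},
    {"src": "14.18.240.6", "attName": "AttackX", "des": "172.26.67.198"},
    {"src": "14.18.240.6", "attName": "AttackY", "des": "172.26.69.46"},
    {"src": "10.0.0.5", "attName": "AttackX", "des": "172.26.68.208"},
    {"src": "10.0.0.5", "attName": "AttackZ", "des": "172.26.71.193"},
]


def summarize(events, attack):
    """Replicate the search: eventstats values(attName) by src, filter on one
    attack, count per (src, des), then fold each src into a single row."""
    # eventstats values(attName) as att by src: runs before the where filter,
    # so it sees every attack a source produced, not only the chosen one.
    attacks_by_src = defaultdict(set)
    for e in events:
        attacks_by_src[e["src"]].add(e["attName"])

    # where attName=<attack> | stats count as c by src attName des
    counts = defaultdict(int)
    for e in events:
        if e["attName"] == attack:
            counts[(e["src"], e["des"])] += 1

    # stats sum(c) as total list(des) as desips list(c) as LC
    #       values(att) as otherAttack by src
    rows = {}
    for (src, des), c in sorted(counts.items()):
        row = rows.setdefault(src, {"total": 0, "desips": [], "LC": [], "otherAttack": []})
        row["total"] += c
        row["desips"].append(des)  # list(): one entry per destination, in order
        row["LC"].append(c)        # list(): kept parallel to desips
    for src, row in rows.items():
        row["otherAttack"] = sorted(attacks_by_src[src])  # values(): deduplicated
    # sort -total (descending)
    return sorted(rows.items(), key=lambda kv: -kv[1]["total"])


if __name__ == "__main__":
    for src, row in summarize(EVENTS, "AttackX"):
        print(src, row["total"], row["desips"], row["LC"], row["otherAttack"])
```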
09-23-2015 06:30 PM
Thank you for your reply, but it doesn't work. The otherAttack column remains the same and some values of the LC column are gone.
09-23-2015 06:29 PM
Thank you for your reply, but it doesn't work. "Microsoft Windows HTTP Services Integer Underflow Vulnerability" just disappeared.
09-22-2015 12:32 AM
Hi guys, I want to make a table with lists in it with Splunk and I really need some help!
I have an IPS to analyse, and I want to see which source IPs certain attacks came from. When I get an ipA from attackA, I would like to know how many times ipA did attackA, which destination IPs were influenced and how many times, and whether there are any other attacks ipA does.
Here is my search line:
```
index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src ]
| table src total desips LC otherAttack
| sort -total
```
The table I expect to get is like:
```
src           total  desips          LC  otherAttack
14.18.240.6   18     172.25.118.53   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability
                     172.26.67.198   5   Microsoft Windows HTTP Services Integer Underflow Vulnerability
                     172.26.68.201   8
                     172.26.69.46    2
                     172.26.71.193   2
14.18.256.74  6      172.25.118.43   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability
                     172.26.68.208   2
                     172.26.71.193   3
```
But what I really got was like:
```
src           total  desips          LC  otherAttack
14.18.240.6   18     172.25.118.53   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability Microsoft Windows HTTP Services Integer Underflow Vulnerability
                     172.26.67.198   5
                     172.26.68.201   8
                     172.26.69.46    2
                     172.26.71.193   2
14.18.256.74  6      172.25.118.43   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability
                     172.26.68.208   2
                     172.26.71.193   3
```
I found that if I put values/list in a subsearch, the values of the values/list field will all be put in one row. I tried "| stats delim="/n" values(attName) as otherAttack by src" and it didn't work. How can we separate them onto different lines in one cell?
09-08-2015 09:31 AM
Yes. As you can see in the images, the alert belongs to admin, and I ran the same search line over the same search time as admin and got different results. Now it seems it's not caused by a user issue. So what else can possibly cause this problem?
09-08-2015 08:21 AM
Well, I have many alerts which were created by userA and userB, and I did the search as userA. The alert in the images was created by userA; I mixed it up with the other alerts. Sorry about that.
09-07-2015 09:21 PM
Images updated. Sorry, I can't access Splunk right now so I can't just copy the whole URLs.
09-07-2015 08:23 PM
Oops, sorry for my mistake. I have many alerts which were created by two users and I was using one of the users when searching. And the user who created the alert in the image was the same user who did the search (which is admin).