cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sivaranjiniG
Path Finder
Member since: ‎07-12-2016
‎05-17-2022
Community Statistics
Posts 39
Solutions 2
Karma Given 11
Karma Received 4
Member Since ‎07-12-2016
Activity Feed
Topics I've Started
View All

What is the performance impact of custom command u...

by in Splunk Search
‎02-26-2022 01:57 AM
‎02-26-2022 01:57 AM
Will custom command created using python reduce search performance For example, If i try to write alternate script for |spath command, comparing to spath will custom command reduce the search time or increase it?? ... View more
Labels

Why are multiline fields not parsed properly?

by in Getting Data In
‎02-14-2022 01:22 AM
‎02-14-2022 01:22 AM
I have below logs file i indexed with props below.   type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644 type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/ type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf ---- type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891 ---- type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891 ---- type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892 ----   Props.conf [src_type] SHOULD_LINEMERGE = false LINE_BREAKER = (----\s) Its properly get indexed with line breaking but when i search for values(type) on search head its not giving all the values  for example, from the first event values(type) suppose to be multivalue field with  PROCTITLE, PATH, CWD,   SYSCALL but it only has single value  PROCTITLE   why type value is not properly getting extracted.    Am i missing something with props configuration???   Thanks for the help in advance ) ... View more

Field extraction using props and transforms

by in Developing for Splunk Enterprise
‎12-14-2021 04:06 AM
‎12-14-2021 04:06 AM
Hello, { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   i already a below props and transforms to extract all the fields from message.  Props.conf [json_no_new] REPORT-json = report-json,report-json-new KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ^{ NO_BINARY_CHECK = true disabled = false pulldown_type = true Transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) DEST_KEY = _raw [report-json-new] REGEX = \\*"([^"]+)\":[\s]*"*(\[.*?\]|\{.*?\}"*\}*|[^"]+|\d+),* FORMAT = $1::$2 SOURCE_KEY = json2 Now from the result i have below field with json value user = {"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]} again with props and transform i want to extract values from user field. Please some one let me know if thats possible  Thanks ... View more
Labels

Re: extract json inside another json object using ...

by in Developing for Splunk Enterprise
‎12-14-2021 03:02 AM
‎12-14-2021 03:02 AM
Thanks for the reply, but i need to use props and transforms either index or search time extraction  ... View more

extract json inside another json object using rege...

by in Developing for Splunk Enterprise
‎12-14-2021 02:25 AM
‎12-14-2021 02:25 AM
Hello I have this below data, { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   Need to extract user:{username:.....} user part alone  need to write once regex to extarct all the values inside user object..like user.username, user.uid, user.groups     ... View more
Labels

Re: How to do index time extraction of multiple fi...

by in Getting Data In
‎11-21-2021 07:49 AM
‎11-21-2021 07:49 AM
Here is the solution.. Referred these, https://community.splunk.com/t5/Getting-Data-In/Extract-JSON-data-within-the-logs-JSON-mixed-with-unstructured/td-p/195292  https://community.splunk.com/t5/Splunk-Search/Problem-with-using-SOURCE-KEY/m-p/40116  Props.conf [json_no_timestamp] REPORT-json = report-json,report-json-kv KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true disabled = false pulldown_type = true   transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) # Manually extract JSON key-value [report-json-kv] REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+) FORMAT = $1::$2 SOURCE_KEY = json2 ... View more

Re: How to do index time extraction of multiple fi...

by in Getting Data In
‎11-21-2021 04:00 AM
‎11-21-2021 04:00 AM
we used spath in the query but its making the query heavy. thats the reason why trying to do it in the index time.  All the available solution helps in extraction if whole event i json. but couldnt find anything to extract a fields from another field. ... View more

How to do index time extraction of multiple fields...

by in Getting Data In
‎11-17-2021 12:56 AM
‎11-17-2021 12:56 AM
I have a field message which have values has json format need to extract all the values in the json.   { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   here from message field need to extract kind, stage, requestURI... and these fields inside json are dynamic(it can be more in other event). need help in extracting these fields in index time using props and transforms   Thanks ... View more
Labels

Group events by _time while indexing

by in Splunk Search
‎09-19-2021 08:18 AM
‎09-19-2021 08:18 AM
I have logs with same _time(msg field) like below type=CWD msg=audit(1631697722.980:2773): cwd="/" type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039 type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00 type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66  While indexing i want events to be grouped by _time (taking above example, instead of having 4 events i want one single events with all the type). I used SHOULD_LINEMERGE = true but its not working  Please someone help me with this.. ... View more
Labels

Re: Need help in extracting network events before...

by in Getting Data In
‎12-17-2020 05:55 AM
‎12-17-2020 05:55 AM
Is it possible to use props and transforms in UF? ... View more

Need help in extracting network events before ind...

by in Getting Data In
‎12-17-2020 05:10 AM
‎12-17-2020 05:10 AM
I have a file with full of logs from different sources. But i want to monitor only logs from a particular network device(cisco-ise). Please help me do it using props here in the example wherever <ise-hostname> those has to be monitored(means before going to indexer it should extract ise logs Oct 6 03:44:01 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1294" x-info="http://www.rsyslog.com"] rsyslogd was HUPed Oct 6 03:44:02 <hostname> rhsmd: This system is registered to RHN Classic. Oct 6 03:44:06 <ise-hostname> <hostname>: Dropping Primary discovery request from AP - limit for maximum APs supported 30 reached Oct 6 03:40:16 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:16.968 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<PORT>, DestinationIPAddress=<ip-address>, DestinationPort=<PORT>, Protocol=Radius, User-Name=ppp, Acct-Status-Type=Start, Acct-Session Id=sfaksdaksf, Event-Ti mestamp=1569504083, AcsSessionID=<hostname>/asdasd, FailureReason=11007 Could not locate Network Device , Step=333, Step=55, Step=22, Step=11, #44 Oct 6 03:44:09 <hostname>: MOBILESTATION_NOT_FOUND: Could not find the mobile sadas in internal database Oct 6 03:40:26 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:26.180 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<port>, DestinationIPAddress=<ip-address>, DestinationPort=<port>, Protocol=Radius, User-Name=wipro, Acct-Status-Type=Start, Acct-Session-Id=sdfsdfs, Event-Timestamp=1569504083, AcsSessionID=dfsdf, FailureReason=33 Could not locate Network Device , Step=343, Step=231, Step=55, Step=11, #44   ... View more

Is it possible to Monitor network ports using Splu...

by in Getting Data In
‎12-15-2020 06:48 PM
‎12-15-2020 06:48 PM
I have a Bluecoat device i want to monitor that device logs using UF. after have opened port from bluecoat to a relay server(Windows server with UF installed). But Data is not getting forwarded to Indexer..Please let me know if forwarding logs from network devices through tcp port using Splunk UF is possible.. If thats possible please suggest me some way to troubleshoot this issue(from Splunk UF data is not sent to Indexer) ... View more
Labels

Is to possible to find indexing volume without usi...

by in Installation
‎11-24-2020 01:39 AM
‎11-24-2020 01:39 AM
i need to find daily indexing volume but without using any internal indexes.. ... View more
Labels

Re: Data is not pushed to indexer from endpoint se...

by in Monitoring Splunk
‎11-03-2020 10:20 PM
‎11-03-2020 10:20 PM
Okay. Thanks for your response. I have multiple monitor stanzas in my inputs conf file..So you are saying this mistake i made in one stanza will not affect other stanzas..data will still sent to indexer? ... View more

Data is not pushed to indexer from endpoint server

by in Monitoring Splunk
‎11-02-2020 08:00 PM
‎11-02-2020 08:00 PM
Hello, i have a windows machine(Windows Version 10) which is configured to send data to a indexer. but data is not sent to indexer. while checking splunkd log, i see a warning  WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\<app_name>\local\inputs.conf, line 1: Cannot parse into key-value pair: ?#################################### there is this as issue in inputs conf which is corrected now. but could it be the issue which blocks the UF to send data to indexer?     ... View more
Labels

Re: UF is not sending data to indexer

by in Deployment Architecture
‎08-07-2020 06:09 AM
‎08-07-2020 06:09 AM
I never have got data in indexer before deleting fishbucket so i thought it didnt read log file..moreover i didnt see any crc related issue in splunkd log..i am not sure how to find out these types of issue in splunkd log ... View more

Re: UF is not sending data to indexer

by in Deployment Architecture
‎08-07-2020 06:01 AM
‎08-07-2020 06:01 AM
Thanks For all the Answers...But after deleting fishbucket, data are being pushed to indexer ... View more

Re: UF is not sending data to indexer

by in Deployment Architecture
‎08-06-2020 03:33 AM
‎08-06-2020 03:33 AM
yes  /var/log/messages /var/log/rhsm /var/log/secure /var/log/yum.log /var/log/cron /var/log/maillog these are being sent to indexer without any issue ... View more

Re: UF is not sending data to indexer

by in Deployment Architecture
‎08-06-2020 03:02 AM
‎08-06-2020 03:02 AM
forwarder is not running with root account but Splunk user has access to read auditd log..that should be enough to read logs..i guess ... View more

UF is not sending data to indexer

by in Deployment Architecture
‎08-06-2020 02:32 AM
‎08-06-2020 02:32 AM
Some one please help me here.. i am trying to monitor /var/log/audit/audit.log using universal forwarder and sending it to indexer.. but logs are not being sent to indexer..here is the log i m seeing in splunkd of forwarder    08-06-2020 13:48:17.728 +0530 DEBUG TailingProcessor - Item '/var/log/audit/audit.log' matches stanza: /var/log/audit/audit.log. 08-06-2020 13:48:17.728 +0530 DEBUG TailingProcessor - Storing config '/var/log/audit/audit.log' for app ''. 08-06-2020 13:48:17.728 +0530 DEBUG TailingProcessor - Entry is associated with 1 configuration(s). 08-06-2020 13:48:17.728 +0530 DEBUG TailReader - Will attempt to read file: /var/log/audit/audit.log. 08-06-2020 13:48:17.730 +0530 DEBUG TailReader - Got classified_sourcetype='linux_audit' and classified_charset='UTF-8'. 08-06-2020 13:48:17.730 +0530 DEBUG WatchedFile - Storing pending metadata for file=/var/log/audit/audit.log, sourcetype=linux_audit, charset=UTF-8 08-06-2020 13:48:17.730 +0530 DEBUG WatchedFile - setting trailing nulls to false via 'true' or 'false' from conf' 08-06-2020 13:48:17.730 +0530 DEBUG WatchedFile - Loading state from fishbucket. 08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/var/log/audit/audit.log|host::xxx|linux_audit|3 ... 08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Reading for plain initCrc... 08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - initcrc has changed to: 0x153ce0cdaa107eee. 08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Record found, will advance file by offset=12920 initcrc=0x153ce0cdaa107eee. 08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Creating new pipeline input channel with channel id: 4. 08-06-2020 13:48:17.732 +0530 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/var/log/audit/audit.log|host::xxx|linux_audit|4 ... 08-06-2020 13:48:17.732 +0530 DEBUG TailReader - About to read data (Opening file: /var/log/audit/audit.log). 08-06-2020 13:48:17.732 +0530 DEBUG WatchedFile - seeking /var/log/audit/audit.log to off=12920 08-06-2020 13:48:17.732 +0530 DEBUG WatchedFile - Reached EOF: /var/log/audit/audit.log (read 0 bytes) 08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Hit EOF immediately. 08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Have definitely hit EOF. 08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Finished reading file='/var/log/audit/audit.log' in tailreader0 thread, disposition=ACKNOWLEDGE_CHANGE, deferredBy=0.000 08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Returning disposition=ACKNOWLEDGE_CHANGE for file=/var/log/audit/audit.log 08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Start reading file="/opt/splunkforwarder/var/log/splunk/splunkd.log" in tailreader0 thread   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-17-2022 08:26 AM
Karma from
Karma given to