Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sivaranjiniG
sivaranjiniG
Path Finder
Member since:
07-12-2016
12-17-2020
Community Statistics
| Posts | 30 |
| Solutions | 1 |
| Karma Given | 10 |
| Karma Received | 2 |
| Member Since | 07-12-2016 |
Activity Feed
- Karma Re: Need help in extracting network events before indexing for to4kawa. 12-17-2020 06:27 AM
- Karma Re: Need help in extracting network events before indexing for to4kawa. 12-17-2020 06:27 AM
- Posted Re: Need help in extracting network events before indexing on Getting Data In. 12-17-2020 05:55 AM
- Posted Need help in extracting network events before indexing on Getting Data In. 12-17-2020 05:10 AM
- Karma Re: Is it possible to Monitor network ports using Splunk Universal Forwarder? for saravanan90. 12-15-2020 09:22 PM
- Posted Is it possible to Monitor network ports using Splunk Universal Forwarder? on Getting Data In. 12-15-2020 06:48 PM
- Posted Is to possible to find indexing volume without using any internal indexes on Installation. 11-24-2020 01:39 AM
- Tagged Is to possible to find indexing volume without using any internal indexes on Installation. 11-24-2020 01:39 AM
- Posted Re: Data is not pushed to indexer from endpoint server on Monitoring Splunk. 11-03-2020 10:20 PM
- Posted Data is not pushed to indexer from endpoint server on Monitoring Splunk. 11-02-2020 08:00 PM
- Posted Re: UF is not sending data to indexer on Deployment Architecture. 08-07-2020 06:09 AM
- Posted Re: UF is not sending data to indexer on Deployment Architecture. 08-07-2020 06:01 AM
- Posted Re: UF is not sending data to indexer on Deployment Architecture. 08-06-2020 03:33 AM
- Posted Re: UF is not sending data to indexer on Deployment Architecture. 08-06-2020 03:02 AM
- Posted UF is not sending data to indexer on Deployment Architecture. 08-06-2020 02:32 AM
- Karma Re: Splunkd error message from: FileClassifierManager for jbsplunk. 08-05-2020 07:22 AM
- Karma Re: Splunk SPL best practice for richgalloway. 07-13-2020 06:05 AM
- Posted Re: Splunk SPL best practice on Splunk Search. 07-12-2020 09:46 PM
- Karma Re: Splunk SPL best practice for richgalloway. 07-12-2020 09:42 PM
- Posted Re: Splunk SPL best practice on Splunk Search. 07-12-2020 09:41 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-17-2020
05:55 AM
Is it possible to use props and transforms in UF?
... View more
12-17-2020
05:10 AM
I have a file with full of logs from different sources. But i want to monitor only logs from a particular network device(cisco-ise). Please help me do it using props here in the example wherever <ise-hostname> those has to be monitored(means before going to indexer it should extract ise logs Oct 6 03:44:01 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1294" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 6 03:44:02 <hostname> rhsmd: This system is registered to RHN Classic.
Oct 6 03:44:06 <ise-hostname> <hostname>: Dropping Primary discovery request from AP - limit for maximum APs supported 30 reached
Oct 6 03:40:16 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:16.968 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<PORT>, DestinationIPAddress=<ip-address>, DestinationPort=<PORT>, Protocol=Radius, User-Name=ppp, Acct-Status-Type=Start, Acct-Session Id=sfaksdaksf, Event-Ti
mestamp=1569504083, AcsSessionID=<hostname>/asdasd, FailureReason=11007 Could not locate Network Device , Step=333, Step=55, Step=22, Step=11, #44
Oct 6 03:44:09 <hostname>: MOBILESTATION_NOT_FOUND: Could not find the mobile sadas in internal database
Oct 6 03:40:26 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:26.180 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<port>, DestinationIPAddress=<ip-address>, DestinationPort=<port>, Protocol=Radius, User-Name=wipro, Acct-Status-Type=Start, Acct-Session-Id=sdfsdfs, Event-Timestamp=1569504083, AcsSessionID=dfsdf, FailureReason=33 Could not locate Network Device , Step=343, Step=231, Step=55, Step=11, #44
... View more
Labels
12-15-2020
06:48 PM
I have a Bluecoat device i want to monitor that device logs using UF. after have opened port from bluecoat to a relay server(Windows server with UF installed). But Data is not getting forwarded to Indexer..Please let me know if forwarding logs from network devices through tcp port using Splunk UF is possible.. If thats possible please suggest me some way to troubleshoot this issue(from Splunk UF data is not sent to Indexer)
... View more
Labels
- Labels:
-
universal forwarder
11-24-2020
01:39 AM
i need to find daily indexing volume but without using any internal indexes..
... View more
- Tags:
- search query
Labels
- Labels:
-
search head
11-03-2020
10:20 PM
Okay. Thanks for your response. I have multiple monitor stanzas in my inputs conf file..So you are saying this mistake i made in one stanza will not affect other stanzas..data will still sent to indexer?
... View more
11-02-2020
08:00 PM
Hello, i have a windows machine(Windows Version 10) which is configured to send data to a indexer. but data is not sent to indexer. while checking splunkd log, i see a warning WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\<app_name>\local\inputs.conf, line 1: Cannot parse into key-value pair: ?#################################### there is this as issue in inputs conf which is corrected now. but could it be the issue which blocks the UF to send data to indexer?
... View more
08-07-2020
06:09 AM
I never have got data in indexer before deleting fishbucket so i thought it didnt read log file..moreover i didnt see any crc related issue in splunkd log..i am not sure how to find out these types of issue in splunkd log
... View more
08-07-2020
06:01 AM
Thanks For all the Answers...But after deleting fishbucket, data are being pushed to indexer
... View more
08-06-2020
03:33 AM
yes /var/log/messages /var/log/rhsm /var/log/secure /var/log/yum.log /var/log/cron /var/log/maillog these are being sent to indexer without any issue
... View more
08-06-2020
03:02 AM
forwarder is not running with root account but Splunk user has access to read auditd log..that should be enough to read logs..i guess
... View more
08-06-2020
02:32 AM
Some one please help me here.. i am trying to monitor /var/log/audit/audit.log using universal forwarder and sending it to indexer.. but logs are not being sent to indexer..here is the log i m seeing in splunkd of forwarder 08-06-2020 13:48:17.728 +0530 DEBUG TailingProcessor - Item '/var/log/audit/audit.log' matches stanza: /var/log/audit/audit.log.
08-06-2020 13:48:17.728 +0530 DEBUG TailingProcessor - Storing config '/var/log/audit/audit.log' for app ''.
08-06-2020 13:48:17.728 +0530 DEBUG TailingProcessor - Entry is associated with 1 configuration(s).
08-06-2020 13:48:17.728 +0530 DEBUG TailReader - Will attempt to read file: /var/log/audit/audit.log.
08-06-2020 13:48:17.730 +0530 DEBUG TailReader - Got classified_sourcetype='linux_audit' and classified_charset='UTF-8'.
08-06-2020 13:48:17.730 +0530 DEBUG WatchedFile - Storing pending metadata for file=/var/log/audit/audit.log, sourcetype=linux_audit, charset=UTF-8
08-06-2020 13:48:17.730 +0530 DEBUG WatchedFile - setting trailing nulls to false via 'true' or 'false' from conf'
08-06-2020 13:48:17.730 +0530 DEBUG WatchedFile - Loading state from fishbucket.
08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/var/log/audit/audit.log|host::xxx|linux_audit|3 ...
08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Reading for plain initCrc...
08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - initcrc has changed to: 0x153ce0cdaa107eee.
08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Record found, will advance file by offset=12920 initcrc=0x153ce0cdaa107eee.
08-06-2020 13:48:17.731 +0530 DEBUG WatchedFile - Creating new pipeline input channel with channel id: 4.
08-06-2020 13:48:17.732 +0530 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/var/log/audit/audit.log|host::xxx|linux_audit|4 ...
08-06-2020 13:48:17.732 +0530 DEBUG TailReader - About to read data (Opening file: /var/log/audit/audit.log).
08-06-2020 13:48:17.732 +0530 DEBUG WatchedFile - seeking /var/log/audit/audit.log to off=12920
08-06-2020 13:48:17.732 +0530 DEBUG WatchedFile - Reached EOF: /var/log/audit/audit.log (read 0 bytes)
08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Hit EOF immediately.
08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Have definitely hit EOF.
08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Finished reading file='/var/log/audit/audit.log' in tailreader0 thread, disposition=ACKNOWLEDGE_CHANGE, deferredBy=0.000
08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Returning disposition=ACKNOWLEDGE_CHANGE for file=/var/log/audit/audit.log
08-06-2020 13:48:17.732 +0530 DEBUG TailReader - Start reading file="/opt/splunkforwarder/var/log/splunk/splunkd.log" in tailreader0 thread
... View more
Labels
- Labels:
-
indexer
-
universal forwarder
07-12-2020
09:46 PM
Hi, I am not sure how to use multiple indexes without using IN in the query..i dont want to use OR as it takes only one index.i want to use 2 indexes Can you help?
... View more
07-12-2020
09:41 PM
I checked job Inspect there is difference in seconds..as i said its a big query it may impact performance Thanks for suggesting me to check job inspect
... View more
- Tags:
- There
07-12-2020
08:41 AM
Will a parentheses Surrounded SPL queries make any difference? For Example: (index IN (“indexA*”,”indexB*”) source=”sourceA”) and index IN (“indexA*”,”indexB*”) source=”sourceA” this is a big query want to know if adding parentheses make any difference in performance wise ?
... View more
06-25-2020
12:55 AM
example i have multiple indexes like index1, index2, index3. amoung these a field named "Category" presents in index2. I want to write a query without using OR (index=index1 OR index=index2 OR index=index3), which searches my field "Category" first in index1 then comes to index2 finds the result and doesnt go to index3. reason being i dont want to load a index after i found my result in previous index. if i go with OR it loads all three indexes in the result. Someone please help me here..
... View more
Labels
- Labels:
-
using Splunk Enterprise
02-19-2020
02:20 AM
Hi All,
I am not able to find any solution of how to convert any Splunk SPL Query to Sigma File. I want to write a script to do the process.
Objective :
SPL Query will be entered as input and python script should convert the SPL Query to SIgma File. Please help me if there is any existing packages or any other solution.
... View more
- Tags:
- splunk-enterprise
02-04-2020
10:27 PM
1 Karma
Is it Splunk version 8.x???
I am not able to use eventtype
Still getting this error In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index.
... View more
01-29-2020
09:33 PM
i have created eventtype say for ex:
eventtype_name = "index = _internal"
in the data model constraints i gave eventtype_name
... View more
01-28-2020
03:58 AM
I have created eventtype using splunk inernal index and trying to use that in datamodel as a constraints of a dataset
i am getting below error:
In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index. (test is my dataset name)
Same is working in 7.0 version is that got changed in new version splunk?
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-17-2020
10:42 AM
|
Karma given to
