About mihenn

mihenn · ‎03-09-2020

I checked on that, too. That's where I found out that a lookup is used. Unfortunately not which one. Finally I found the source on the searchhead by searching all lookups with find. It would be nice to have a mouseover in Splunk, which shows if the value is from _raw or was modified.

mihenn · ‎03-09-2020

Hi, is there a way to trace the origin of a specific value in Slunk? Currently I am trying to figure out with eventtype, lookup or eval is setting a tag and a field value for some events in Splunk. I used the btool the figure out, if the are some evals. But they do not apply. I found some lookups, but these do not contain the value I am looking for. A code trace or data lineage function would be very helpfull sometimes. Does anyone know a function in Splunk or an app for this? Thank you.

mihenn · ‎07-26-2019

I wrote my own TA with the Addon-Bulider and I got the same error when trying to send the request. After that I did some research I found out, that it is a problem related to string formatting in Python. You have to use the same method all over the script. I mixed up two different types. But I will test your TA with this settings and report the result here.

mihenn · ‎07-23-2019

Sure, here is my current configuration I removed the URL, accescode and search. action.keyindicator.invert = 0 action.makestreams.param.verbose = 0 action.nbtstat.param.verbose = 0 action.notable.param.verbose = 0 action.nslookup.param.verbose = 0 action.ping.param.verbose = 0 action.risk.param.verbose = 0 action.send_custom_rest_request = 1 action.send_custom_rest_request.param.custom_headers = Authorization='XXX'&SOAPAction=CREATEINCIDENT action.send_custom_rest_request.param.endpoint = http://XXX?OpenWebService action.send_custom_rest_request.param.payload = data={body} action.send_custom_rest_request.param.qs_params = action.threat_add.param.verbose = 0 alert.digest_mode = 0 alert.suppress = 0 alert.track = 1 cron_schedule = * * * * * description = Test der Verbindung dispatch.earliest_time = rt dispatch.latest_time = rt display.events.fields = ["host","source","sourcetype","name","F001","id"] display.events.maxLines = 0 display.page.search.mode = fast display.visualizations.charting.chart = pie enableSched = 1 quantity = 0 relation = greater than request.ui_dispatch_app = search request.ui_dispatch_view = search search = XXX

mihenn · ‎07-23-2019

Hi, I am trying to send data from Splunk to a Lotus Notes bases Incident Management. This system can recieve events as SOAP messages. So I built the required XML structure within the search as an eval command and trigger the HTTP Alert Action. There I put in all necessary headers and the XML as data. Now I have this problem, that no messages reach their destination. How can I troubleshoot this? I transmitted the XML manually with curl. That works. So the XML format is correct and the server is reachable over the network. Sometimes I get an error code 4 in Splunk Internal index. What is error 4? Thank you.

mihenn · ‎05-05-2019

This way you can generate hashes. But it isn´t possible to revert this to get the original value. There is no password or certificate based encryption implemented in Splunk yet. As far as I know.

mihenn · ‎04-03-2018

How do you do this in Splunk? I can't find any encryption function.

mihenn · ‎03-21-2018

I know. TRUNCATE=0 is very dangerous. But you cannot set TRUNCATE higher than 999999 and that ist too small. The props.conf is not final yet. Line Breaking and time formats are missing. This was just an sandbox testing. Now I have to implement it on the real events.

mihenn · ‎03-21-2018

I don't know what happened, but everything's working now. Splunk showed me the wrong index for some events. After about 5 minutes all events were where they should be. It could be that the pipeline was full because the data is very large. Therefore, my changes may have been implemented with a considerable delay. Sometimes you just have to be patient.

mihenn · ‎03-21-2018

The events come from the log of an application processing large json objects. If an error occurs during processing. The corresponding json object is transferred to Splunk for further analysis. Unfortunately, I cannot provide such an event here, as it is confidential data.

mihenn · ‎03-21-2018

The large events slow down the performance of splunk web. It is nearly unusable with events >1MB. So I want to seperate them. A scheduled search copies summaries of this events to index normal. This summaries contains a link to the full event. So the user can decide to open it if necessary, but the overall performance is fine.

mihenn · ‎03-21-2018

Hi everyone, I would like to send events based on their size in different indexes. I'm currently using the props.conf and the transforms.conf. unfortunately this doesn't work as it should. My goal is that all events with a length of 2048 or less get into the index normally. All events larger than this should be stored in the big index. But this does not work. I suspect that my REGEX is wrong. This is my props.conf: [big_events] TRUNCATE = 0 SHOULD_LINEMERGE = TRUE TRANSFORMS-1 = big_index TRANSFORMS-2 = normal_index And my transforms.conf: [big_index] REGEX = ^.{2049,}$ SOURCE_KEY = _raw DEST_KEY = _MetaData:Index FORMAT = big [normal_index] SOURCE_KEY = _raw REGEX = ^.{1,2048}$ DEST_KEY = _MetaData:Index FORMAT = normal Currently, all events are placed in the index that is queried first or in main. So if I call the big_index first, then the events are distributed randomly between big and main. On the other hand, the events are divided between normal and main. Does anyone know why? Thank you very much. P.S. The TRUNCATE=0 is necessary because the events are very large (>5MB)

mihenn · ‎02-07-2018

Hello, I have an unusual requirement for Splunk. I have a source that returns error messages from Java applications. These applications process messages from a Kafka cluster. If an error occurs, the message from Kafka is sometimes appended to the error message. These messages are about 5MB in size. I get the events in Splunk. However, the display of this data is a problem. If I search the corresponding index, I get back these very big events among other smaller ones. These cause SplunkWeb to stop responding. Is it possible to truncate events in SplunkWeb. The events should be available in the index, but should not be visible in their full length in Splunk. I have already tried ui-prefs. conf. This allows me to limit the display of events to a certain number of lines via display. events. maxLines. However, this only applies to the preview. The complete event is still included in the HTML code of the page. Is there any way to limit this data earlier? Thank you very much.

mihenn · ‎10-12-2017

Are there any new ideas for this problem? How do I get Splunk to write the sum per bar next to it? You can display the single values, the maximum value and the minimum value, but not the total. What is the reason for this?

mihenn · ‎09-07-2017

Thanks, that works!

Posts	21
Solutions	1
Karma Given	7
Karma Received	1
Member Since	‎08-17-2016

Online Status	Offline
Date Last Visited	‎03-18-2022 06:10 AM

Trace a value in Splunk / data lineage

How to monitor the HTTP Alert Action?

dynamicly assigning index based on eventsize

How to truncate events in SplunkWeb

How to build a multi-level piechart?

How to split event into multiple rows in a table?

Re: Trace a value in Splunk / data lineage

Trace a value in Splunk / data lineage

Re: How to monitor the HTTP Alert Action?

Re: How to monitor the HTTP Alert Action?

How to monitor the HTTP Alert Action?

Re: Encrypt data during anonymization

Re: Encrypt data during anonymization

Re: dynamicly assigning index based on eventsize

Re: dynamicly assigning index based on eventsize

Re: dynamicly assigning index based on eventsize

Re: dynamicly assigning index based on eventsize

dynamicly assigning index based on eventsize

How to truncate events in SplunkWeb

Re: Show Total count on Stacked bar/column chart

Re: How to use auto formatting on a QWERTZ layout?