Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About wnyricsplunk
wnyricsplunk
Explorer
Member since:
05-16-2019
04-22-2022
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 05-16-2019 |
Activity Feed
- Posted Missing "Message" field on Getting Data In. 04-22-2022 09:49 AM
- Posted Re: Raise alert for specific computers on Alerting. 07-14-2020 06:07 AM
- Posted Raise alert for specific computers on Alerting. 07-14-2020 05:31 AM
- Got Karma for What does Process %_Processor_Time greater than 100% mean?. 06-05-2020 12:50 AM
- Karma Re: generate a comma delimited list for Ayn. 06-05-2020 12:46 AM
- Posted Re: Process %_Processor_Time greater than 100% on Getting Data In. 12-27-2019 06:14 AM
- Posted Re: Process %_Processor_Time greater than 100% on Getting Data In. 12-24-2019 11:19 AM
- Posted What does Process %_Processor_Time greater than 100% mean? on Getting Data In. 12-24-2019 08:18 AM
- Tagged What does Process %_Processor_Time greater than 100% mean? on Getting Data In. 12-24-2019 08:18 AM
- Tagged What does Process %_Processor_Time greater than 100% mean? on Getting Data In. 12-24-2019 08:18 AM
- Posted Re: Search is waiting for input message caused by ldapsearch? on Splunk Search. 07-03-2019 07:35 AM
- Posted Re: Search is waiting for input message caused by ldapsearch? on Splunk Search. 07-03-2019 07:17 AM
- Posted Search is waiting for input message caused by ldapsearch? on Splunk Search. 07-03-2019 06:27 AM
- Tagged Search is waiting for input message caused by ldapsearch? on Splunk Search. 07-03-2019 06:27 AM
- Posted Re: Using Active Directory group membership as sub search to user logon search on Splunk Search. 05-18-2019 02:46 PM
- Posted Using Active Directory group membership as sub search to user logon search on Splunk Search. 05-16-2019 09:33 AM
- Tagged Using Active Directory group membership as sub search to user logon search on Splunk Search. 05-16-2019 09:33 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
04-22-2022
09:49 AM
We are moving away from using Windows Event Collection to installing the Universal Forwarder on as many Windows machines as we can. I ran into an interesting issue that I don't know how to resolve. Event 1646, when collected using WEC and then forwarded to Splunk shows this information, which doesn't appear if the same event is sent directly by the UF. I copied the stanza used by the UF on the WEC server and deployed it to the machine where the event is generated but I am still not seeing the "extra" data when not using WEC. What am I missing? (Something easy, no doubt). Seems as though I don't see the "Message" field when the event is collected by the UF. Thanks in advance.
... View more
Labels
- Labels:
-
universal forwarder
07-14-2020
05:31 AM
I would like to trigger an Alert when event 1074 (Windows Shutdown) is raised but only for specific computers. I have a group of about 50 servers and I would like to know if they shut down but I don't care about workstations in general. Since all events currently go to the same index I need a way to only trigger the alert when one of the servers raises the event. Short of a huge OR statement in my search, is there a way to do something like this?
... View more
Labels
- Labels:
-
alert condition
12-27-2019
06:14 AM
The VM being monitored has 1 Core and 1 Logical Processor. The Percent of Processor Time is %17,967. Going by the NumberOfProcessors x 100 formula, the machine would need 180 sockets/cores in order to reach that number?? I could see %101 percent due to threading issues, but %18,000? The only way I could see that being accurate is if the VM had knowledge of the underlying hardware (VM Hosts) but I'm fairly sure that is not the case.
... View more
12-24-2019
11:19 AM
Columns are _Total, 0,_Total, and 0,0
... View more
12-24-2019
08:18 AM
1 Karma
I have started collecting Process information on a virtual machine that has 1 processor. I am seeing %_Processor_Time statistics of upwards of 1000%. I understand that you could get a percentage greater than 100% on a machine with multiple sockets/cores, but that doesn't seem to be the case here. Can anyone explain what it is that I'm seeing? Running perfmon on the VM looks normal, so how can a process use a percentage of the CPU that is so high?
... View more
Labels
- Labels:
-
other
07-03-2019
07:35 AM
That did it! Thank you!!
... View more
07-03-2019
07:17 AM
It did change from waiting for input but now there are no results found.
... View more
07-03-2019
06:27 AM
I have created a dashboard which shows print jobs by Print Server/Printer/Time. I would like to include the actual name of the user instead of the sAMAccountName. I have added an ldapsearch to a "one-off" query and that works the way I expect.
sourcetype=xmlwineventlog EventCode=307 Computer="fqdnOfPrintServer" | fields UserData_Xml,ThreadID | xmlkv | eval Document=Param2,UserName=Param3,Workstation=Param4,Printer=Param5,IPAddress=Param6,Bytes=Param7,Pages=Param8 | search Printer=* | join type=inner Computer,ThreadID [search sourcetype=xmlwineventlog EventCode=805 | fields UserData_Xml,ThreadID | xmlkv | eval Copies=Copies] | eval TotalPages = Pages * Copies | ldapfilter search="(&(objectclass=user)(!(objectclass=computer))(samAccountName=$UserName$))" attrs="displayName" | table _time,displayName,Printer,Document,Workstation,Pages,Copies,TotalPages
When I put this query into my dashboard and substitute the tokens $host$ for the Print Server and $Printer$ for the printer name, I get a "search is waiting for input" message. From what I have read, this usually means an issue with a token. When I remove the ldapsearch part of the query it works fine but displays only the sAMAccountName. Is the issue the $Username$ token in the ldapsearch? I have tried removing the $ before and after UserName but then the search displays "No results found". Is there a way to mofify this to get the information I want?
<form theme="dark">
<label>Print Jobs</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Print Servers</label>
<choice value="*">All</choice>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>| inputlookup ServerRoles | WHERE Roles="Print-Server" | eval host=Name | sort host | table host</query>
<earliest>0</earliest>
<latest></latest>
</search>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="Printer" searchWhenChanged="true">
<label>Printer</label>
<choice value="*">All</choice>
<fieldForLabel>Printer</fieldForLabel>
<fieldForValue>Printer</fieldForValue>
<search>
<query>sourcetype=WinPrintMon | search host=$host$ | eval Printer = share | dedup Printer | sort Printer | table Printer</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="time" token="timetok" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>sourcetype=xmlwineventlog EventCode=307 Computer=$$host$$* | fields UserData_Xml,ThreadID | xmlkv | eval Document=Param2,UserName=Param3,Workstation=Param4,Printer=Param5,IPAddress=Param6,Bytes=Param7,Pages=Param8 | search Printer=$$Printer$$* | join type=inner Computer,ThreadID [search sourcetype=xmlwineventlog EventCode=805 | fields UserData_Xml,ThreadID | xmlkv | eval Copies=Copies] | eval TotalPages = Pages * Copies | ldapfilter search="(&(objectclass=user)(!(objectclass=computer))(samAccountName=$UserName$))" attrs="displayName" | table _time,UserName,displayName,Printer,Document,Workstation,Pages,Copies,TotalPages</query>
<earliest>$timetok.earliest$</earliest>
<latest>$timetok.latest$</latest>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
... View more
- Tags:
- splunk-enterprise
05-18-2019
02:46 PM
Figured it out:
[ldapsearch search="(&(objectclass=group)(distinguishedName=Distinguished Name of Group)"|ldapgroup|eval Target_User_Name = member_name | fields Target_User_Name] sourcetype="xmlwineventlog" EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| table _time,Target_User_Name,WorkstationName, Logon_Type
Probably a more efficient way to do this but it works for me for now.
... View more
05-16-2019
09:33 AM
I am trying to use an ldapsearch as input to a seach which will list AD user logons. Both parts of the search work independently, but I don't know how to combine them into one search (sub search and main search?). The users returned are all members of one Active Directory group or another and I'd like to be able to use the group name to limit the search.
This search will show me exactly what I want to see, but I have to put in OR statements which doesn't scale very well.
sourcetype="xmlwineventlog" EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (Target_User_Name=User1 OR Target_User_Name=user2 OR etc...)
This search returns all the sAMAccountNames of the members of a group:
| ldapsearch search="(&(objectclass=group)(distinguishedName=TheDN of the Group))"|ldapgroup|table member_name
Is there a way to combine them into one search without having to go to the trouble of creating a csv lookup? Since ldapsearch finds the correct user names, it seems inefficient to have to use that method.
... View more
- Tags:
- splunk-enterprise
