08-07-2019 08:13 AM
As a workaround, Firefox accepts the certificate with a green lock icon.
08-07-2019 07:49 AM
Chrome is telling me the certificate is invalid because it doesn't specify Subject Alternative Names.
I tried following instructions from these two links:
https://answers.splunk.com/answers/476596/how-to-generate-csr-files-with-subjectaltnames-san.html
https://www.hurricanelabs.com/splunk-tutorials/splunk-certificates-master-guide
Basically, editing the file $SPLUNK_HOME/openssl/openssl.cnf to uncomment the line "req_extensions = v3_req" and including this under the stanza [v3_req]: subjectAltName=DNS:splunk.a.b.c.d, DNS:splunk, IP:127.0.0.1
Obviously, a.b.c.d is replaced with the real domain. For info, I access splunk web using the internal URL https://splunk:8000
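The SAN change described in the post above, as an added example that is not part of the original post or of Splunk's documentation: a minimal openssl.cnf with req_extensions = v3_req enabled and the subjectAltName under [v3_req], a self-signed certificate generated from it, and a check that the names really ended up in the certificate. The hostnames splunk and splunk.a.b.c.d are the poster's placeholders; the file names, the 365-day validity and the keyUsage/extendedKeyUsage lines are assumptions. Chrome compares the name in the URL (splunk in https://splunk:8000) against the SAN only, so that exact name has to appear as a DNS entry.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed cert whose
# SAN covers the names used to reach Splunk Web, then verify the SAN is
# actually present. Requires the openssl CLI. Names are the poster's
# placeholders; file names and validity are assumptions.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal openssl.cnf equivalent to the poster's edit: req_extensions is
# enabled and [v3_req] carries the subjectAltName.
write_config() {
    cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = splunk

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:splunk.a.b.c.d, DNS:splunk, IP:127.0.0.1
EOF
}

# Self-signed certificate for a test environment. "-extensions v3_req" is
# what copies the SAN into the certificate: req_extensions on its own only
# applies to CSRs, not to "openssl req -x509" output.
make_cert() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -config "$WORKDIR/openssl.cnf" -extensions v3_req \
        -keyout "$WORKDIR/splunkweb.key" -out "$WORKDIR/splunkweb.pem" \
        >/dev/null 2>&1
}

# Print the SAN value line of a certificate; empty output means no SAN.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Return 0 if the certificate lists exactly the given DNS name in its SAN
# (so "splunk" does not match "splunk.a.b.c.d" or "splunkweb").
cert_has_dns_san() {
    cert_san "$1" | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# Stand-alone run: generate the certificate and show its SAN line.
write_config && make_cert && cert_san "$WORKDIR/splunkweb.pem"
```

Run as a script it prints the SAN line; if it prints nothing, the extension section was not applied, which is what happens when a CSR-oriented guide is followed and `-extensions v3_req` (or `x509_extensions`) is left out. A correct SAN removes the name-mismatch error only; the browser still has to trust the issuer, so a self-signed certificate must itself be imported as trusted, or the certificate must instead be issued by the CA whose myCACertificate.pem was imported.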
08-01-2019 06:33 AM
Has anybody figured out how to use a self-signed certificate without getting a warning that it's invalid?
I can access Splunk anyway and it does in fact use my certificate, but for the long haul I would want there to be no annoying warnings.
I followed these instructions exactly:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Self-signcertificatesforSplunkWeb
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/SecureSplunkWebusingasignedcertificate
I imported the myCACertificate.pem into Chrome by the way.
It's also a testing environment with no live feeds.
07-29-2019 01:15 AM
Hi woodcock, sorry for my poor explanation. niketnilay has answered my question, thanks for your help though!
07-29-2019 01:13 AM
Hello niketnilay, that perfectly solved my problem, well done for understanding my poor explanation. Now I don't even need a separate time picker for my single value trend visual. I did not know about those default times so that's very helpful, thank you.
07-25-2019 02:27 AM
I managed to put in a manual trendline just by doing "source=source_name | timechart span=5m count"; I just have to make sure not to go beyond the earliest time I have indexed, and refer to the panel's own time frame picker token in the time range setting. I've not yet managed to automatically adjust the trend time depending on the main time frame used for the other panels.
07-25-2019 01:28 AM
Thank you adonio. This won't work for me, as my base searches are like this:
source=source1 type=inbound | rename source_IP as ip
| append [search source=source1 type=outbound | rename destination_ip as ip ]
| append [search source=source2 internal_src="NONE" | rename source_ip as ip ]
| append [search source=source2 internal_dest="NONE" | rename destination_ip as ip ]
If I did "source=source1 type=inbound source_ip=* OR type=outbound destination_ip=*", it wouldn't get me useful results because every event contains source_ip and destination_ip and I am looking to resolve a list of external IPs.
07-19-2019 07:40 AM
Thanks, I will probably leave as it is not vital for me to do this, though it would have been nice.
07-18-2019 06:10 AM
The point of failure seems to be the dnslookup.
07-18-2019 05:31 AM
My search does not complete even after giving it over an hour. The progress bar is all the way at the end, and it tells me that 441,760 of 28,000,000 odd events have been matched, which is the correct number of results expected. But in the Statistics tab, only 4,226 results are displayed. When I stop the search, Splunk lets me know that the search failed due to an error.
base_search1 | rename destination_ip as ip
| append [search base_search2 | rename source_ip as ip ]
| append [search base_search3 | rename source_ip as ip ]
| append [search base_search4 | rename destination_ip as ip ]
| dedup ip | table ip | sort 0 + ip
| outputlookup ip.csv
| lookup dnslookup clientip AS ip OUTPUTNEW clienthost AS ip_resolved
| fillnull value="not found" ip_resolved
| table ip, ip_resolved
| outputlookup hosts.csv
I have done the same search for a smaller dataset before which had 52,000 odd results of 28 million events and worked fine. Last time I made it work by ensuring I use sort 0, and edited limits.conf maxresultrows value to be 60,000. For the new search, even after increasing the maxresultrows value to 500,000 after my search first failed, it didn't work but returned 4,000 odd results instead of 2,000 odd results in my earlier attempt. However, the ip.csv is created correctly and contains all the values.
Do I need to make any other conf file changes or something else?
My limits.conf looks like this:
[searchresults]
maxresultrows = 500000
# Maximum number of times to try in the atomic write operation
# (1 = no retries)
tocsv_maxretry = 5
# Retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500
07-17-2019 08:49 AM
I have Dashboard #1 where a panel uses a dropdown for a timechart count by. Example values of that dropdown are src_ip and dst_ip. I can populate the text input for Destination IP (token=destination_ip) in Dashboard #2 using this drilldown on Dashboard #1's panel: form.destination_ip=$click.name2$
Is it possible to drilldown the correct field value in Dashboard #2 depending on what field is selected from the dropdown in Dashboard #1?
For info, Dashboard #1 is used to look at one source for a summary, and Dashboard #2 looks at 2 sources so I can investigate correlations of more specific event groups once I see something interesting in Dashboard #1.
07-17-2019 06:40 AM
I don't quite understand this. Will this give me two panels? Is it possible to do this using search strings only?
By the way not sure if it was clear, but I have a single value visualisation which I want to show the trend such as "50000 ↓450" , I don't have a chart.
07-16-2019 06:41 AM
My dashboard has various panels that all use one shared time picker at the top of the screen.
I want my first panel to show the total events, with a trend.
Modifying the panel's own time range, even putting the earliest and latest, doesn't work, because the time picker at the top overrides it.
Ideally, the trend should also adapt to the time picker, such that if the time picker is set to "Last 5 Minutes", the trend will show total events from the last 5 minutes compared to the previous 5 minutes.
If the time picker is set to "Last Hour", the trend should show total events from the last hour compared to the previous hour and so on.
Is this possible?
07-15-2019 03:03 AM
Okay, I have already figured it out myself - I had to change the minimum results in my host lookup definition to 0 instead of 1! That's all. I hope this can help someone else and does not just waste everyone's time having to read this post!
07-15-2019 01:58 AM
Hello, I have data with internal and external IP addresses. Every event has either an internal source or destination IP. For all internal IP addresses, I have previously created a lookup table with ip, ip_resolved and the department, which is taken from part of the host name (this lookup should prevent having to do too many DNS lookups at search time and gets updated every day). The ip_resolved field is the resolved DNS name using Splunk's external_lookup.py script, and in cases where no DNS name is found, ip_resolved and department are successfully fillnulled with the value "not found".
Now, when I set up an automatic lookup for each of the source and destination IPs, about 15% of the results for ip_resolved are the value NONE, which is the default value for my lookup definition. If I make sure that I filter my search to only show events where the destination IP is internal, no NONE values are returned (but some "not found", as expected). I think it's maybe because destination comes before source alphabetically, and Splunk does that lookup first, which then breaks the source lookup. I know I can rename the source and destination IPs to "ip" in the search and then do a lookup, but I need to be able to use the lookup fields, especially the department, related to source or destination.
Hopefully this long explanation makes sense!
07-03-2019 08:02 AM
I definitely agree with those flaws after looking closely at the results. I think I can avoid appending a search, so I can also avoid filldown.
07-03-2019 07:31 AM
I do have to note that eventstats is notably slower. If I append a search and use eventstats in both, nothing comes up at all even waiting a long time. I have decided to use filldown because it seems to be good enough for my purpose.
07-02-2019 04:55 AM
No, the hostname does not exist in another field.
For your second question, yes and no. I have found that a logon_id may sometimes contain 2 hostnames, which is the same hostname in upper and lower case. When I use "| eventstats values(client_ip) as client_ip by logon_id" instead, I only get one IP per logon_id. Similar to hostnames, the client_ip only appears once for each logon_id. I checked how many client_ip's occur for each logon_id using this search which returned "1" for everything:
" base_search logon_id=* | stats dc(client_ip) by logon_id | sort - dc(client_ip)"
07-02-2019 03:52 AM
Shame it doesn't work like that, but thanks for the safer option using eventstats.
07-02-2019 02:58 AM
I have logs where most events contain a Logon ID, but only one event with any logon_id contains a hostname. This means, two events may have the same logon_id, but only one of them will have a hostname. I want all of those events to contain a hostname though. I can do this by using filldown in a search like this: " base_search logon_id=*| filldown hostname", but how do I permanently insert a hostname field into the events that only come with a logon_id? I looked at calculated fields, but they need eval, and transform fields need a regex. Any ideas?
- Tags:
- splunk-enterprise
06-27-2019 01:04 AM
Thank you for that simple solution. I found the second option called "Zero" looked nicer though!
06-26-2019 08:10 AM
When I use "(base search) | timechart sum(packets) by destination useother=f usenull=f" , I get gaps in my timechart:
When I use a longer time frame of 1 day, I also get gaps:
In another timechart, I have the exact same base search and just "| timechart sum(packets)" , and it has no gaps. I found that when I add "by destination" to this one, it also gets the gaps/dots.
As far as I can see on https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Timechart timechart should convert null values to 0 by default...
Any ideas?
06-19-2019 03:32 AM
This worked perfectly - I didn't know the streamstats command and had to step through your solution to see how it works, very useful thanks.
06-18-2019 08:23 AM
I have a list of top 10 users, but I also want the top 3 IP addresses used by those users in a table. Some users will have only used 1 IP while other users have sent traffic from more than 3 IP addresses. I can get the top 3 IPs per user: "blah | top client_ip by user limit=3", but I can't get it into the top 10 overall users list. Any ideas?
- Tags:
- splunk-enterprise