Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mpham07
mpham07
Path Finder
Member since:
06-07-2019
06-15-2020
Community Statistics
| Posts | 19 |
| Solutions | 2 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 06-07-2019 |
Activity Feed
- Karma Re: Missing extra backslash in a "source" token to work properly in search query, any ideas? for jkat54. 06-05-2020 12:50 AM
- Karma Re: Missing extra backslash in a "source" token to work properly in search query, any ideas? for jazzypai. 06-05-2020 12:50 AM
- Karma Re: cannot finish the module in splunk fundamentals, for jnudell_2. 06-05-2020 12:50 AM
- Karma Re: How to create a list of all indexes with source, host, and sourcetype with last seen field? for jaime_ramirez. 06-05-2020 12:50 AM
- Karma Re: Custom Search drilldown is not working for richgalloway. 06-05-2020 12:50 AM
- Karma Re: Search for daily indexing rate per sourcetype and list the specific indexes for nareshinsvu. 06-05-2020 12:50 AM
- Karma Re: Indexer fails to join back cluster due to standalone buckets for keio_splunk. 06-05-2020 12:50 AM
- Karma Re: How can I create a historical search to see if a sourcetype didn't come in for certain hosts? for aberkow. 06-05-2020 12:50 AM
- Karma Re: How can I create a historical search to see if a sourcetype didn't come in for certain hosts? for gjanders. 06-05-2020 12:50 AM
- Posted Re: Splunk Enterprise Security Notable Event Title Not Working on Splunk Enterprise Security. 03-30-2020 03:45 PM
- Posted Re: Splunk Enterprise Security Notable Event Title Not Working on Splunk Enterprise Security. 03-30-2020 02:05 PM
- Posted Re: Splunk Enterprise Security Notable Event Title Not Working on Splunk Enterprise Security. 03-30-2020 01:34 PM
- Posted Splunk Enterprise Security Notable Event Title Not Working on Splunk Enterprise Security. 03-30-2020 01:14 PM
- Tagged Splunk Enterprise Security Notable Event Title Not Working on Splunk Enterprise Security. 03-30-2020 01:14 PM
- Tagged Splunk Enterprise Security Notable Event Title Not Working on Splunk Enterprise Security. 03-30-2020 01:14 PM
- Posted Re: How to calculate cisco asa VPN session duration time on Splunk Search. 03-27-2020 06:13 PM
- Posted Re: Is there a REST API for putting a Cluster Master into Maintenance mode? on Getting Data In. 03-11-2020 08:01 AM
- Posted Re: Splunk Db connect need to onboard 100+ tables with different raising column on All Apps and Add-ons. 03-03-2020 10:59 AM
- Posted Is there a REST API for putting a Cluster Master into Maintenance mode? on Getting Data In. 02-27-2020 02:18 PM
- Tagged Is there a REST API for putting a Cluster Master into Maintenance mode? on Getting Data In. 02-27-2020 02:18 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-30-2020
03:45 PM
So the correlation search looks like this:
index=test sourcetype="example" | stats dc(dest) AS host_count, values("dest") AS host_name, values("match_hash") AS hash, values("path") AS file_path by "intel_name"
So it outputs a table like this:
intel_name | host_count | host_name | hash | file_path
All of the fields are in the notable index when I checked. I used the hash field token just fine in the notable event title - not sure what's going on...
... View more
03-30-2020
02:05 PM
I cleared my browser cache and history but no luck.
There are two tokens used in the Notable Event title, it's just the host_count field doesn't work for some reason. Initially I didn't use the host_count in the drill down search title, but I just tested it just now and that also doesn't work for some reason. I only pass the working token to the actual drill down search and title and that works fine.
The issue just seems to be the host_count field.
... View more
03-30-2020
01:34 PM
Hi @memarshall63,
Thanks for the quick response. This correlation search isn't using a datamodel or tstats and we're just searching against a custom index (old searches previously made by someone else...)
So I verified the drill down search has the same field. I've been ripping my hair out trying different stuff to get it to work but no luck ;__; It's not a big deal but it bugs the heck outta me.
... View more
03-30-2020
01:14 PM
Hello all,
I'm currently stumped in trying to figure out why my notable event token is not working. I verified the field that the token uses exist in the correlation search result (example below).
| stats dc("dest") AS host_count
Notable Event Title:
on $host_count$ hosts.
The token for some reason doesn't expand and output the number 13...
Can you guys help in figuring this out? Thank you for your time.
... View more
03-27-2020
06:13 PM
Hi @johnward4,
Did you ever get the search to work? I'm currently going through the same process and wonder if you can share the answer if possible 🙂 Thanks.
... View more
03-11-2020
08:01 AM
Hello all,
I originally wanted to test stuff with curl and ansible for putting the cluster master in maintenance-mode.
So I found a solution with Ansible from github so all credit goes to the link below:
- name: "Put Splunk cluster into maintenance mode"
command: /opt/splunk/bin/splunk enable maintenance-mode --answer-yes -auth "admin:vagrant"
become: true
become_user: splunk
become_method: sudo
changed_when: False
ignore_errors: True
no_log: True
register: splunk_command_output
- debug: msg="{{ splunk_command_output.stdout }}"
https://github.com/hortonew/VagrantConfigs/blob/master/Splunk/Splunk-Cluster/ansible/roles/splunk_cm_maintenance_mode_enable/tasks/splunk-cm-maintenance-mode-enable.yml
... View more
03-03-2020
10:59 AM
It sounds like you might have to try the bulk operation under the Inputs page. I haven't tried it myself but it might be tricky if those tables all have unique rising column names.
https://docs.splunk.com/Documentation/DBX/3.2.0/DeployDBX/Bulkeditdatabaseinputs
... View more
02-27-2020
02:18 PM
I was just curious about this since I couldn't find anything on it in the following page:
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTcluster
Thanks in advance.
... View more
12-31-2019
08:27 AM
Hi there aberkow,
So I created the sourceIngestByHost.csv with the SPL below:
index=my_index custom_tag=tag sourcetype="my_srctype"
| stats latest(_time) AS Latest by host sourcetype
| outputlookup sourceIngestByHost.csv
And when I ran the SPL below and then checked the "Latest" column in the "sourceIngestByHost.csv", it doesn't have any data.
index=my_index custom_tag=tag sourcetype="my_srctype"
| stats latest(_time) AS Latest by host sourcetype
| inputlookup append=t sourceIngestByHost.csv
| stats latest(Latest) as Latest by host, sourcetype
| outputlookup sourceIngestByHost.csv
... View more
12-30-2019
04:13 PM
Thank you for the quick response aberkow, I will definitely try this since it's quickest to implement in our current environment at the moment. I'll post an update once I tested everything out!
... View more
12-30-2019
01:54 PM
Hello all,
I currently have a search that checks to see if a sourcetype is coming for specific hosts tagged with a custom tag (example below). The issue is that you'll have to include the current day in the time picker for it to display the "success" message. A user requested to have it as a historical search to display if any host had any "fail" message for not forwarding their "my_srctype" log.
I tried looking into using metadata search but that doesn't narrow down to the custom tag we have.
Was wondering if you guys have any suggestions in creating a new search where it'll display an additional time-date column if the host failed to send the "my_srctype" data if the user want to perform a historical search for previous month etc.? Thank you in advance.
Current search for the panel:
index=my_index custom_tag=tag sourcetype="my_srctype"
| stats latest(_time) AS Latest by host sourcetype
| eval check1hour=(now()- Latest)/3600
| eval status=if(check1hour>1,"fail","success")
| eval LastIngestionTime=strftime(Latest, "%Y/%m/%d %H:%M:%S %Z")
| rename LastIngestionTime as "Last Ingestion Time"
| table host sourcetype "Last Ingestion Time" status | sort - _time
Example result:
host sourcetype Last Ingestion Time status
host01 my_srctype 2019/12/30 00:00:00 EST success
... View more
08-09-2019
10:38 AM
Thank you nareshinsvu! It worked perfectly.
... View more
08-08-2019
07:19 AM
Hello all,
I just came onto a new job and we're trying to figure out the daily indexing rate broken down by sourcetypes. Then we're going to get the average for X days. Is there another search that can list the throughput of each sourcetype within an index? I like the search below for per_sourcetype_thruput, but it doesn't list the indexes. I tried looking at the per_index_thruput to figure it out too but am now stuck trying to see if there are other commands out there that can help.
index=_internal component=Metrics per_sourcetype_thruput
| eval mb=kb/1024
| timechart span=1d sum(mb) by series useother=f limit=150
index=_internal component=Metrics per_index_thruput
| eval mb=(kb/1024)
| timechart span=1d sum(mb) by series useother=f limit=100
Thank you for your time, take care.
... View more
08-01-2019
06:55 AM
Thank you so much Jaime! Worked out perfectly and extremely fast search.
... View more
07-31-2019
12:39 PM
Hello all, I'm currently working on figuring how to create a list of as mentioned in the title with the last seen field.
This field will show when the host was last seen in our logs.
It's kind of similar to the solution below but will only list last seen time for all hosts.
Thank you in advance for your assistance.
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html
... View more
06-13-2019
08:13 AM
With the help of jazzypai and jkat54, the answer is below:
Thank you so much jazzypai! I got it to work with your rex line. Here is what I put in for the drop down search:
host="example_host" index="example_index" | rex field=source mode=sed "s/\\/\\\\/g" | chart count by source
Then it came out right for the search queries that used "source_csv" tokens! Thank you so much for the help and troubleshooting guys/gals! :'D
... View more
06-13-2019
08:09 AM
Thank you so much jazzypai! I got it to work with your rex line. Here is what I put in for the drop down search:
host="example_host" index="example_index" | rex field=source mode=sed "s/\\\/\\\\\\\/g" | chart count by source
Then it came out right for the search queries that used "source_csv" tokens! Thank you so much for the help and troubleshooting guys/gals! :'D
... View more
06-13-2019
07:16 AM
Hello jkat54,
I tried both and they didn't work, I get a "Could not create search. Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
Is this the correct way to input the search in the drop-down panel? Thanks again.
host="example_host" index="example_index" | rex mode=sed field=source "s/\/\/"| chart count by source
... View more
06-13-2019
06:42 AM
Hello all,
I am relatively new to Splunk and creating dashboard with XML, so any recommendations and tips are greatly appreciated.
So I have a dashboard with a drop-down menu with a list of sources - I did this because we a have a weekly CSV report so the user can pick a file based on its date within the file name. When the panel relying on the "source" token to do the search, it's missing a backslash to work properly. The source code and explanation below.
Drop-down menu:
<input type="dropdown" token="source_csv" searchWhenChanged="true">
<label>Select a report week:</label>
<prefix>source=</prefix>
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>
index="example_reports" | chart count by source
</query>
</search>
</input>
So when a panel with the search below is done, nothing shows up because it's missing a backslash.
host="example_host" index="example_index" $source_csv$ | stats distinct_count(ip)
The search query comes out as:
host="example_host" index="example_index" source=D:\example\report-2018-12-25.csv | stats distinct_count(ip)
The issue is that the source value needs two backslashes for it to work:
source=D:\example\report-2018-12-25.csv
Is there anyway to get the token to have two backslashes to the directory with the token or search query? Thank you in advance.
I did search for solutions on this by adding |s$ and search string, but couldn't get it to work right...
... View more
