Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bcusick
bcusick
Communicator
Member since:
09-20-2013
06-05-2020
Community Statistics
| Posts | 56 |
| Solutions | 2 |
| Karma Given | 11 |
| Karma Received | 3 |
| Member Since | 09-20-2013 |
Activity Feed
- Karma Re: How to download .conf 2015 presentations? for muebel. 06-05-2020 12:47 AM
- Karma Re: How to download .conf 2015 presentations? for esix_splunk. 06-05-2020 12:47 AM
- Got Karma for Re: splunk not parsing txt file from forwarder correctly. 06-05-2020 12:47 AM
- Got Karma for Is there an easy way to export to csv a list of all my forwarder clients from my deployment server?. 06-05-2020 12:47 AM
- Karma Re: field alias for 2 fields in same sourcetype for lguinn2. 06-05-2020 12:46 AM
- Karma Re: show table results in descending count order for richgalloway. 06-05-2020 12:46 AM
- Karma Re: show multiple rows per one user for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: correlate two sources when event from source A happens in between 2 events on source B VPN session for chris. 06-05-2020 12:46 AM
- Karma Re: DB Connect to Remote MSSQL DB as Windows Authentication for ziegfried. 06-05-2020 12:46 AM
- Karma Re: Combine values for a field by user over 24 hours for richgalloway. 06-05-2020 12:46 AM
- Karma Re: identifying sourcetypes by index for somesoni2. 06-05-2020 12:46 AM
- Karma Re: How to extract date YYYYMMDD from _time? for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: finding greater than value from search resutls for Drainy. 06-05-2020 12:46 AM
- Got Karma for Re: field alias for 2 fields in same sourcetype. 06-05-2020 12:46 AM
- Posted How to download .conf 2015 presentations? on #Random. 09-26-2015 11:04 AM
- Posted Is there an easy way to export to csv a list of all my forwarder clients from my deployment server? on Getting Data In. 03-17-2015 11:42 AM
- Posted How to omit leading zeros for all fields in a csv file coming from a Splunk forwarder? on Splunk Search. 09-09-2014 01:02 PM
- Tagged How to omit leading zeros for all fields in a csv file coming from a Splunk forwarder? on Splunk Search. 09-09-2014 01:02 PM
- Tagged How to omit leading zeros for all fields in a csv file coming from a Splunk forwarder? on Splunk Search. 09-09-2014 01:02 PM
- Posted Re: How to compare same fieldname in two sources, but only return results if other fields are different? on Splunk Search. 09-05-2014 08:35 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-26-2015
11:04 AM
Hi,
Is there any way to download the presentations from .conf2015? I attended, and can access them on my iPhone app, but would like to download them to my computer. Any ideas?
... View more
03-17-2015
11:42 AM
1 Karma
Hi,
Is there an easy way of exporting a list of all my forwarder clients from my deployment server to csv? I just need a list of them without having to search for them via active data in Splunk.
Thanks!
B
... View more
09-09-2014
01:02 PM
Hi,
I'm trying to omit the leading zeros for all fields in a csv file that comes from a splunk forwarder. Is there any way to do this WITHOUT going through every single field in every single row?
My data looks like this:
QUANTITY
000040
000051
000149
000004
and I would like it to look like...
QUANTITY
40
51
149
4
... View more
09-05-2014
08:35 AM
This is close! How would I show which fields are matches/non-matches? I'm assuming checking for multiple fields would look like:
|eventstats count AS occurences BY pk, fieldA, fieldB, fieldC, etc.....assuming it's possible to use more than 2 fields in the "BY" portion of eventstats
... View more
09-04-2014
11:46 AM
Hi,
I'm trying to compare one field "primaryKey" in two sources; "sourceA" and "sourceB". There are other fields for each event, and I need to return results where those other field values don't match for the same primaryKey value in each source...
So if I had:
sourceA and sourceB each contain 1 event with "primaryKey=1"
sourceA's fields are: primaryKey=1, fieldA=apple...and..
sourceB's fields are: primaryKey=1, fieldA=Banana
How do I show that fieldA does or does not match for the same "event" (primaryKey=1) in both sources? They both share sourcetype=csv. Would I do this with a transaction on the primaryKey? if so, how?
I'm eventually going to have to compare 3 sources (sourceA, sourceB, and sourceC) for up to 21 fields in each source-using primaryKey. Figured I should start with figuring out just one. 🙂
Thanks,
Brian
... View more
09-04-2014
11:37 AM
So far so good on this one. The only discrepency I am seeing is the fact that it contains a "zero" in the month if it's a single-digit month. Is there any way to get rid of that?
sourcedata: 140823 090421
New field: 08/23/2014 09:54:21 AM
And what I'm looking for is: 8/23/2014 9:54:21 AM. It just needs to be an exact match to an already existing field in this format. Thanks
... View more
09-02-2014
05:10 PM
Thanks..I can combine the fields, but how about getting them into epoch? I fear that just throwing them together won't give me the correct time that I can convert correctly..or am I looking too far into this?
... View more
09-02-2014
01:53 PM
Hi, I have two separate fields that I'd like to combine into 1 timestamp field.
The fields are formatted "YYMMDD" and "HHMMSS"
I'd like to combine and eval them to read "mm/dd/yyyy hh:mm:ss".
Does anyone have any experience with this? The fields are "TRADE_YYMMDD" and "EXEC_TIME_HHMMSS"
... View more
08-26-2014
10:42 AM
Would it be possible to do this with raw data? Meaning using the field "_raw"? This runs, but results are incorrect due to the sources being different..Here's that example:
source="D:\Bluesheets\ExtractFromFES.csv" eval FESdata=_raw | appendcols [search source="D:\Bluesheets\SentToReg.csv" | eval Regdata=_raw] | eval result=if(FESdata=Regdata,"Matched","Unmatched") | table result
... View more
08-20-2014
12:30 PM
This keeps telling me I have mismatched "]" but I checked multiple times to ensure it's correct. Could the fact that my fields contain "." and "-" have anything to do with this?
... View more
08-19-2014
02:13 PM
This looks like it will work. Will provide an update tomorrow. Will this know to compare source1 event1 with source2 event1?
... View more
08-19-2014
09:19 AM
This is for reporting to regulators, so everything should be EXACTLY the same. Same timestamp, same field order, etc. I want to be able to check if any fieldname is different (I can pivot on field TRANSACTION_ID) for everything else. All field names static, and yes, If row numbers are the same (which they should be) I should be able to compare row1.source1 to row1.source2
... View more
08-19-2014
08:52 AM
Hi,
I'm trying to compare events from two sources to show where the outliers are (they "should" be the same but we know that there are discrepancies.
I can compare "number of rows/events" easily with a "chart count by source" command, but I also want to check the integrity of the field values.
Basically, each event has 10 fields (same ten fields in each source). How do I check that they are the same, and return some kind of message/raw event/field value if they are not the same?
Thanks.
... View more
08-19-2014
08:48 AM
It looks like this fizzled itself out. It took a while for Splunk to index everything (I'm guessing because the directory was large and across the network) but a few days later I have millions of events. 🙂
... View more
08-13-2014
09:34 AM
HI, I'm trying to use a forwarder to monitor a network share. My forwarder sits on one server, and needs to read the network drive. I've monitored other drives remotely with this same domain account and server (and still doing so).
The only difference here is that this directory "\trades\" contains multiple folders, instead of just text files under "\trades\" as I've done previously. I've set up the inputs file and restarted the forwarder, but I don't see any data in Splunk yet.
Do I need to specifically monitor EACH sub-folder that contains text files? Or should I be able to just monitor from the parent folder down with some special command? Thanks.
... View more
08-04-2014
09:10 AM
This is close...but I'm looking to show only these fields. If I use inputlookup, this works. But I need (if toAddress, bccAddress, or ccAddress) is in the lookup table, return the results. I can do this for one field (inputlookup Emaildomains | fields + toAddress)...but I want it to be any of the three fields
... View more
08-04-2014
08:02 AM
Hi, trying to use two lookup tables in one search. Is this possible?
Basically I have a list of email domains in one lookup table, and a list of users in another. I want to produce a report (with my email data that has both user/email domain fields) for these certain users sending mail to these certain domains. Is there any specific syntax I need to use? Won't see to work.
source=emailRecords, lookup tables are emailDomains.csv and leavers.csv
One thing to note is that I'm using wildcards in my emailDomains.csv....so the field "ToAddress" can look like
*gmail.com,
*yahoo.com, etc.
... View more
08-04-2014
07:55 AM
1 Karma
I added a field to the log records for "line number" which is basically "log record" and this worked like a charm. 🙂
... View more
07-10-2014
11:03 AM
Hi,
One of my forwarders is monitoring a directory where timestamped files populate every five minutes. The text output in the file includes a few-line header from the script along with all the results. The results are in the format "user ~ message"
For some reason, splunk is reading the ENTIRE file (source) as one log event. This is what's in my inputs file:
[monitor://D:\badPwdCount\logs\HIGH*.txt]
sourcetype = OVD_PW
disabled = false
SHOULD_LINEMERGE= false
crcSalt =
SOURCE is in between <> for crcSALT but it won't show up in comments. The issue is that Splunk is either picking up the entire file as an event, or a few events at a time as 1 event. Is a separate timestamp/unique identifier required for each line?
... View more
06-10-2014
10:52 AM
1 Karma
🙂 I actually tried this right after I posted it. I was confused by the use of "class", thank you!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
