Activity Feed
- Got Karma for Re: How to do you change ownership of a lookup file?. 06-12-2023 07:46 AM
- Posted Re: How to do you change ownership of a lookup file? on Splunk Search. 08-07-2019 08:12 AM
- Posted Re: How can I schedule a search to throttle repeat results but still supply any new results? on Reporting. 12-01-2016 09:08 AM
- Posted Re: How can I schedule a search to throttle repeat results but still supply any new results? on Reporting. 10-12-2016 02:33 PM
- Posted Re: How can I schedule a search to throttle repeat results but still supply any new results? on Reporting. 09-30-2016 01:29 PM
- Posted How can I schedule a search to throttle repeat results but still supply any new results? on Reporting. 09-30-2016 11:18 AM
- Tagged How can I schedule a search to throttle repeat results but still supply any new results? on Reporting. 09-30-2016 11:18 AM
Topics I've Started
08-07-2019 08:12 AM (1 Karma)
In addition to the above, please also look at the following link as the instructions there solved my ownership issue:
https://answers.splunk.com/answers/46339/change-app-and-object-ownership.html
In some cases the file is stored under the app context and moving it won't change the ownership. This happened to me while updating a lookup file for a custom app. There is a metadata folder in the app folder which contains default and local .meta files. I edited the local.meta file, found my owner=[myuseraccount] and changed this to nobody (or whatever user you want). Found the metadata files under $SPLUNK_HOME$/etc/apps/[appname]/metadata.
12-01-2016 09:08 AM
Hi Aaraneta,
Unfortunately I ran into more pressing issues that I've had to deal with that put this on hold. I'll update once I have had a chance to test.
10-12-2016 02:33 PM
Hi dperre,
I think this solution will work in this instance; we actually have another rule that functions off a lookup table. We are going to do some testing on our side to see if this works. Thanks for the help so far!
09-30-2016 01:29 PM
Hi dperre,
Unfortunately I'm not familiar with the .conf files and how they relate to functionality in Splunk, at least not yet. I can't post screenshots unfortunately, but:
Schedule:
- Schedule Type = Basic
- Run Every = 5 minutes
- Schedule Window = 0

Alert:
- Condition = if number of events is greater than 0
- Alert Mode = once per result
- Throttling = after triggering the alert, don't trigger it again for 4 hours; per-result throttling fields: user, dest
What it does:

First event: alert sends, throttling begins

| Username | Source IP | Destination IP | Count |
|---|---|---|---|
| John Doe | 1.1.1.1 | 2.2.2.2 | 33 |

Second event: no alert sent due to throttle

| Username | Source IP | Destination IP | Count |
|---|---|---|---|
| Jane Doe | 1.1.1.2 | 2.2.2.2 | 54 |
| John Doe | 1.1.1.1 | 2.2.2.2 | 35 |

Result: X (both rows lost to oblivion)

What I need it to do:

First event: throttling begins (same John Doe row as above)

Second event: same Jane Doe and John Doe rows as above

Alert on the new unique event, but remove the repeat data:

| Username | Source IP | Destination IP | Count |
|---|---|---|---|
| Jane Doe | 1.1.1.2 | 2.2.2.2 | 54 |
Also, if the destination value changes at all, I need it to still provide results. The idea is to reduce events where there is a consistent issue that is already being remediated, but catch anything new in the event the issue evolves or a new event occurs. Right now it is stripping everything it finds because one entry of data matched the previous event that was throttled. Hopefully that helps.
09-30-2016 11:18 AM
I have a regular scheduled search in Splunk that is producing a large volume of repeat events. I attempted to throttle these using the once per result option, per throttling fields. I have two fields in the throttling, user and dest. This was in an effort to reduce volume for repeat events, but still show any event that has changed so it is not missed.
I noticed during my testing (new throttled rule alongside old un-throttled) that one search returned two new unique results, and one result that had appeared before. As a result, Splunk did not show ANY of the results in the throttled search, even the new hits, because one event was repeated. Is this how throttling is intended to function? Is there a way around this? I need the search to throttle repeat results but still supply any new results.
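The per-result suppression behaviour asked for in this thread (drop only the rows whose user/dest pair already alerted inside the 4-hour window, keep every new pair, and alert again once the window expires or the destination changes), modelled as a standalone script. This is an added example, not Splunk's own throttling implementation; the sample rows are constructed from the tables in the post above, and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

THROTTLE_WINDOW = timedelta(hours=4)          # "don't trigger again for 4 hours"
THROTTLE_FIELDS = ("user", "dest")            # per-result throttling fields from the post


def throttle_key(result):
    """The tuple that identifies a 'repeat': same user AND same dest."""
    return tuple(result[f] for f in THROTTLE_FIELDS)


def filter_new_results(results, suppressed, now, window=THROTTLE_WINDOW):
    """Return only the rows whose key is not currently suppressed.

    suppressed maps key -> time until which that key stays quiet. A row that
    is dropped does NOT extend the window; only a row that actually alerts
    (re)starts the 4-hour clock for its key.
    """
    fresh = []
    for row in results:
        key = throttle_key(row)
        until = suppressed.get(key)
        if until is not None and now < until:
            continue                            # repeat of an already-alerted key: drop this row only
        suppressed[key] = now + window          # new (or expired) key: alert and start its window
        fresh.append(row)
    return fresh


def simulate(runs, window=THROTTLE_WINDOW):
    """runs: list of (search_time, [result rows]); returns the rows that alert per run."""
    suppressed = {}
    return [filter_new_results(rows, suppressed, ts, window) for ts, rows in runs]


def row(user, src, dest, count):
    return {"user": user, "src": src, "dest": dest, "count": count}


# Constructed scheduled-search runs (5-minute schedule) mirroring the post's example.
RUNS = [
    (datetime(2016, 9, 30, 11, 0),  [row("John Doe", "1.1.1.1", "2.2.2.2", 33)]),   # first event
    (datetime(2016, 9, 30, 11, 5),  [row("Jane Doe", "1.1.1.2", "2.2.2.2", 54),     # new pair: alert
                                     row("John Doe", "1.1.1.1", "2.2.2.2", 35)]),   # repeat pair: drop
    (datetime(2016, 9, 30, 11, 10), [row("John Doe", "1.1.1.1", "3.3.3.3", 12)]),   # dest changed: alert
    (datetime(2016, 9, 30, 15, 10), [row("John Doe", "1.1.1.1", "2.2.2.2", 40)]),   # window expired: alert
]

if __name__ == "__main__":
    for (ts, _), alerted in zip(RUNS, simulate(RUNS)):
        print(ts.strftime("%H:%M"), [(r["user"], r["dest"], r["count"]) for r in alerted])
```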