Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About quihong
quihong
Path Finder
Member since:
10-30-2016
06-05-2020
Community Statistics
| Posts | 18 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 2 |
| Member Since | 10-30-2016 |
Activity Feed
- Got Karma for Re: Best Practice for Setting Up Server Classes per OS?. 06-05-2020 12:50 AM
- Karma Re: Deployment Client Query Help - How many server class are you a member of and what are they? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Re: Deployment Client Query Help - How many server class are you a member of and what are they?. 06-05-2020 12:48 AM
- Karma Re: REST API Modular Input App - Tokens not resetting for ext_thales_dami. 06-05-2020 12:47 AM
- Karma Re: Unable to Add Cluster Peer Back to Cluster master - get Error -Adding a non-standalone bucket as standalone! for ehollima. 06-05-2020 12:46 AM
- Posted Re: Best Practice for Setting Up Server Classes per OS? on All Apps and Add-ons. 08-20-2019 04:53 PM
- Posted Splunk_TA_tomcat - Extract has regex error? on All Apps and Add-ons. 03-06-2018 09:43 AM
- Tagged Splunk_TA_tomcat - Extract has regex error? on All Apps and Add-ons. 03-06-2018 09:43 AM
- Posted Re: Cisco AMP for Endpoints: How to get a clear view (via API) of how many agents are currently installed in the environment(Phone Home Event type)? on Getting Data In. 02-13-2018 12:48 PM
- Posted REST API Modular Input - Token not updating on All Apps and Add-ons. 01-22-2018 10:32 AM
- Tagged REST API Modular Input - Token not updating on All Apps and Add-ons. 01-22-2018 10:32 AM
- Tagged REST API Modular Input - Token not updating on All Apps and Add-ons. 01-22-2018 10:32 AM
- Posted Re: REST API Modular Input App - Tokens not resetting on All Apps and Add-ons. 01-22-2018 10:02 AM
- Posted Re: Help with custom response handler for REST API Modular input. on All Apps and Add-ons. 01-19-2018 07:38 PM
- Posted Re: Help with custom response handler for REST API Modular input. on All Apps and Add-ons. 01-17-2018 05:13 PM
- Posted Help with custom response handler for REST API Modular input. on All Apps and Add-ons. 01-17-2018 03:19 PM
- Tagged Help with custom response handler for REST API Modular input. on All Apps and Add-ons. 01-17-2018 03:19 PM
- Posted How can I run a local search on my deployment server and make the results accessible for search? on Deployment Architecture. 08-18-2017 11:31 AM
- Tagged How can I run a local search on my deployment server and make the results accessible for search? on Deployment Architecture. 08-18-2017 11:31 AM
- Tagged How can I run a local search on my deployment server and make the results accessible for search? on Deployment Architecture. 08-18-2017 11:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-20-2019
04:53 PM
1 Karma
I know this is an old question, but for future readers that stumble on this question...
1) Naming convention. Typically servers are named differently from workstations, but in your comment you mentioned you don't have a separate naming convention for workstations versus servers.
2) IP Address/Subnet. Hopefully you have your servers sitting on a separate network from your workstations. I use this method to send data to the appropriate indexers for a particular site.
... View more
03-06-2018
09:43 AM
Hello,
I'm working on ingesting some JIRA access logs which using Splunk_TA_tomcat. My field extractions aren't working and I'm trying to troubleshoot the issue.
Within the props.conf, I pulled out the regex extraction for the sourcetype tomcat:access:log and pasted it into regex101.com. However, regex101 came back with errors in the regex pattern - "An unescaped delimiter must be escaped with a backslash ()"
from props.conf:
EXTRACT-access = ^(?P<ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})\s-\s(?P<user>(-|\w+))\s\[\d+/\w+/\d{4}:\d{2}:\d{2}:\d{2}\s[\+\-]\d{4}\]\s"(?P<method>[A-Z]{3,7})\s(?P<request_uri>[\S]+)\s(?P<protocol>[\w/\.]+)"\s(?P<status>\d{3})\s(?P<bytes_sent>(?:\d+|-))$
Here is a sample event:
10.2.104.195 576x4475468x5 userName [06/Mar/2018:09:36:20 -0800] "POST /jira/rest/analytics/1.0/publish/bulk HTTP/1.0" 200 - 6 "https://atlassian/jira/browse/ASSIGN-149353" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "etohye"
Wanted to know if the regex is faulty or if regex101 is wrong. Also an help on why my event isn't parsing correctly is appreciated.
... View more
02-13-2018
12:48 PM
Yes. Check out the REST API MODULAR INPUT App on Splunkbase.
You'll need a create a custom response handler to parse out the data.
... View more
01-22-2018
10:32 AM
Hello,
I created a new token in the tokens.py file, however it is not updating as expected.
I found this posting - https://answers.splunk.com/answers/311261/rest-api-modular-input-app-tokens-not-resetting.html - which the author stated, "Token substitution only happens once , before the initial request.".
There are two solution presented:
1) Use a custom Response Handler to set the parameters for the next request
2) Modify the rest.py file (endpoint_list = replaceTokens(original_endpoint)) so that the tokens are always updated before a REST API call.
Solution two makes more sense to me (expected behavior), but I wanted to get the author/community opinion on this.
Thank you.
... View more
01-22-2018
10:02 AM
I like this solution better as it's the expected behavior versus using the Response Handler to set the parameter for the next request (which is confusing).
Wondering what Damien, the author, thinks regarding this solution.
... View more
01-19-2018
07:38 PM
Thank you very much!
Had to escape the quotes, other than that perfect.
[yoursourcetype]
TIME_PREFIX =\" createdAt\":
... View more
01-17-2018
05:13 PM
Sorry I was not clear...
I would like the custom response handler to break out the raw json into individual events with proper timestamp (createdAt field). Each event starts with the {"id":
... View more
01-17-2018
03:19 PM
Hello,
I've been tasked with ingesting some audit events from a online application (Lever Hire). I'm looking at using the REST API Modular input and need help parsing the data. Originally I thought I had to create a new sourcetype to do the parsing, but now I believe the correct method is to create a custom Response Handler.
I've found some examples here: https://github.com/damiendallimore/SplunkModularInputsPythonFramework/blob/master/implementations/rest/bin/responsehandlers.py
However, I'm not familiar enough with python to write my own response handler. I'm hoping someone in the community can quickly help me with the code.
Here is what the raw data looks like. Any help is appreciated.
{
"data": [{
"id": "5b628f1e-2bcf-45f7-90fa-7b1264987d42",
"user": {
"role": "super admin",
"id": "8810816c-03da-48db-b3c1-d47a8f5c024f",
"name": "Joe Mama",
"email": "[email protected]"
},
"type": "key:added",
"createdAt": 1515609233213,
"target": {
"type": "key",
"id": "8d0501a2-f613-4154-b2e7-fc4b416ad213",
"label": "Splunk"
},
"meta": {
"key": {
"tokenLastFour": "w2jU",
"id": "8d0501a2-f613-4154-b2e7-fc4b416ad213",
"name": "Splunk",
"partner": false,
"service": "data-api"
}
}
}, {
"id": "85374119-2af3-48b2-838f-7821fb15ef7c",
"user": {
"role": "super admin",
"id": "8810816c-03da-48db-b3c1-d47a8f5c024f",
"name": "Joe Mama",
"email": "[email protected]"
},
"type": "key:removed",
"createdAt": 1515609175385,
"target": {
"type": "key",
"id": "21b0fb88-006d-4a9a-a1e1-2164fcd8d243",
"label": "Splunk"
},
"meta": {
"key": {
"tokenLastFour": "RhgT",
"id": "21b0fb88-006d-4a9a-a1e1-2164fcd8d243",
"name": "Splunk",
"partner": false,
"service": "data-api"
}
}
}, {
"id": "b368c76a-f7a5-4cc8-8201-ce4051847976",
"user": {
"role": "super admin",
"id": "8810816c-03da-48db-b3c1-d47a8f5c024f",
"name": "Joe Mama",
"email": "[email protected]"
},
"type": "user.authentication:succeeded",
"createdAt": 1515609122117,
"target": {
"type": "user",
"id": "8810816c-03da-48db-b3c1-d47a8f5c024f",
"label": "Joe Mama"
},
"meta": {
"user": {
"role": "super admin",
"id": "8810816c-03da-48db-b3c1-d47a8f5c024f",
"name": "Joe Mama",
"email": "[email protected]"
},
"authentication": {
"method": "direct"
}
}
}, {
"id": "5b88b646-f141-4be7-a970-e39c56ce13ad",
"user": {
"role": "super admin",
"id": "lever-support",
"name": "Lever Support",
"email": "[email protected]"
},
"type": "key:added",
"createdAt": 1515520786845,
"target": {
"type": "key",
"id": "82cedc33-87ff-4d68-bc44-7dcc7559da4c",
"label": "click-boarding"
},
"meta": {
"key": {
"tokenLastFour": "RAof",
"id": "82cedc33-87ff-4d68-bc44-7dcc7559da4c",
"name": "click-boarding",
"partner": false,
"service": "data-api"
}
}
}, {
"id": "c4ef90e5-449d-4a2b-a724-8cde900f1a1f",
"user": {
"role": "super admin",
"id": "cd6751d7-998a-451b-ab22-fb2e0fa96da5",
"name": "superman",
"email": "[email protected]"
},
"type": "user.authentication:succeeded",
"createdAt": 1515456274871,
"target": {
"type": "user",
"id": "cd6751d7-998a-451b-ab22-fb2e0fa96da5",
"label": "superman"
},
"meta": {
"user": {
"role": "super admin",
"id": "cd6751d7-998a-451b-ab22-fb2e0fa96da5",
"name": "superman",
"email": "[email protected]"
},
"authentication": {
"method": "direct"
}
}
}],
"hasNext": false
}
... View more
08-18-2017
11:31 AM
Hello,
I have a query that needs to run locally on the deployment server, but I want the results accessible on my search head cluster.
For instance, on the Deployment Server:
|rest /services/deployment/server/clients count=0 splunk_server=local
|fields hostname name ip dns utsname
|outputlookup deployment_clients.csv
And now on a member of my search head cluster I want to run and get the results back:
|inputlookup deployment_clients
Can someone point me in the right direction on how to accomplish this? Thank you.
... View more
03-10-2017
12:00 PM
1 Karma
@somesoni2, you're my SPL hero! Thank you so much.
... View more
03-10-2017
09:53 AM
Hello,
I'm looking for some help on reporting on the status of my deployment client for better coverage.
I know the Deployment Client data is available via rest using the following server on the Deployment Server:
"I rest /services/deployment/server/clients count=0 splunk_server=local"
However, I need some help with pulling out exactly what I need. which is the clientName, number of serverclasses the client is a member of and the names of the serverclasses (in one field).
So something like this:
clientName, NumberOfServerClasses, ServerClassNames
myServer | 3 | thisclass;thatclass;andtheotherone
Any help is greatly appreciated. Thank you
... View more
01-05-2017
10:00 AM
Thank you for the reply. Yes, I'm aware that I will need to run the report as owner. Good to know for anyone reading this in the future.
Still looking for some ideas/thoughts about navigation and a better end user experience. Thank you
... View more
01-04-2017
05:59 PM
Hello,
I have a set of very non-technical users that has no access to any Splunk indexes, but need access to a hand full of scheduled reports.
Currently I have the role setup with the default search app. The user needs to select Reports->All and then search for the reports by name.
Typing this out, maybe a custom app for this role, so instead of "Reports->All", it would be "Reports->This App's" and they would see a list of their reports?
Any thoughts on the custom app solution or maybe a better alternative? Thanks
... View more
12-14-2016
11:56 AM
Most recent IP. However, best practice would be to not use DHCP data (only) to build your asset list for Enterprise Security.
Here are the fields needed:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
Reference:
http://docs.splunk.com/Documentation/ES/4.5.1/User/AssetandIdentityLookupReference
DHCP data will only get you the first four fields. Combine it with Active Directory, SCCM, McAfee ePO and etc., would get your better results.
... View more
12-01-2016
12:35 PM
Thanks for the reply. I figured it out using a join and alert.
Here it is. I joined by "name" which is the "Client Name" (aka GUID).
| rest /services/deployment/server/clients count=0 splunk_server=local| fields hostname name ip dns utsname
| join name [| rest /services/deployment/server/clients count=0 splunk_server=local| fields hostname name ip dns utsname| stats count by name | where count > 1 |fields - count] |sort name | rename name as clientGUID
... View more
12-01-2016
11:51 AM
Hello,
We recently deployed Splunk in our environment and recently discovered that our engineering teams are cloning systems without clearing out the universal forwarder GUID and related logs prior to cloning the machine.
I'm trying to set up a search and email alert to identify these problematic systems.
I have the following search that I can run on my Deployment Server which will give me back duplicate UF GUIDs and count.
| rest /services/deployment/server/clients count=0 splunk_server=local| fields hostname name ip dns utsname| stats count by name | where count > 1
I also have this search that returns all my UF installations from my deployment server.
| rest /services/deployment/server/clients count=0 splunk_server=local| fields hostname name ip dns utsname| rename name as clientName
I need help tying these two searches together.
...search... | rest /services/deployment/server/clients count=0 splunk_server=local| fields hostname name ip dns utsname| stats count by name | where count > 1) WHERE GUID IN (| rest /services/deployment/server/clients count=0 splunk_server=local| fields hostname name ip dns utsname| stats count by name | where count > 1)
I'm familiar with SQL, but still learning SPL so I'm not sure how to link the two separate searches together with a equivalent SQL IN clause.
Lastly, I want to schedule this search and email me a report of machines with duplicate GUIDs (but not email me an empty report).
Any help is appreciated. Thank you.
... View more
11-05-2016
10:48 AM
I'm having issues deploying the Win Infrastruture App - "Key Value store must be enabled"
I have two Search Head Clusters (one for core Splunk one for ES). The Win Infrastructure App is working on my ES SH Cluster but not on my core SH Cluster.
My question is, do I need two KV Store, one per SH Cluster or is it one KV store shared by both SH Cluster?
Just wanted to understand this before I continue troubleshooting. Thanks
... View more
- Tags:
- splunk-enterprise
11-05-2016
10:06 AM
First some quick background, I have new but fairly complex Splunk Enterpirse ES environment with HA Index Clustering and two Search Head Cluster (one for ES and one for core splunk). All servers are physical with 20 cores and 32GB.
Can I have more than one DMC? Currently we have the DMC on our Cluster Master (CM) and License Master (LM). I want to move the DMC to my Deployment Server + ES Seach Head Cluster Deployer. Any issues with that plan? So server #1 would have DMC+DS+ES SHCD. Server #2 will have CM + LM.
For server #2 (CM+LM), I would like to use it to host Splunk Apps such as DBConnect, Stream, eStreamer. I'm not convince this is a good idea, but wanted to get the community opinion on this.
My thought is that I'm always using the DS and DMC and would prefer them to be on the same server. Secondly, I need a place to install Splunk Apps such as DBConnect and eStreamer that needs to pull data into Splunk. If I move the DMC off the CM+LM, I feel that the server is really under utilize just acting as a CM+LM. My other thought is to move the CM+LM to virtual if it's an issue.
I appreciate any thoughts around this. Thank you.
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
