About s2_splunk

s2_splunk · ‎05-17-2021

What do you expect to do with pagefile.sys in Splunk? That's the OS swap file, probably locked exclusively and hence not accessible by any other process. Plus, it is a binary file and thus not really suitable for ingestion into Splunk.

s2_splunk · ‎05-12-2021

I don't think you need to escape/triple your backticks around logic time, it should work without it. Can you share your macros.conf with the two macro definitions?

s2_splunk · ‎05-12-2021

Have you tried using mvexpand? Maybe you can share your search so it's easier to help, if you can't get it to work.

s2_splunk · ‎05-12-2021

Yes, you will need to provide access to indices as needed by role (not user). Please review docs how to go about it.

s2_splunk · ‎05-07-2021

Ah, yes. You are correct. It should show up as soon as it phones home, even without matching apps. Sorry I misunderstood your description. So, likely there is some connectivity issue between the deployment client and the DS. Forwarder logs will have clues.

s2_splunk · ‎05-04-2021

https://community.splunk.com/t5/Security/How-to-Reset-the-Admin-password/m-p/10622

s2_splunk · ‎05-04-2021

It's not so much a question about how many indices you have (within reason). Also, it is the total bucket count in the cluster that contributes the most to any operational processes, like restarts and such. The real benefit of increasing your indexer count would be in being better able to distribute & parallelize the searches your users run against the data, which will likely improve search performance overall. Also, with only two peers in a cluster, the cluster can never return to valid and complete status when you lose a peer (assuming you have RF=2). You would certainly want to scale your existing cluster vs. creating a second cluster and dealing with the administrative overhead of managing a second cluster manager and ensuring the cluster configurations are identical. Going wider also gives you more replication targets that can receive replicas during/after any peer outages. For normal/planned restarts, consider putting the cluster into maintenance mode to prevent any fixup attempts (which will fail anyway given you only have two peers). Finally, there are some significant improvements implemented for the cluster manager in 8.1.x that greatly reduce the time it takes for peers and/or cluster manager to restart, so consider upgrading if you are not already on that version.

s2_splunk · ‎05-04-2021

The DS never reaches out to clients, connections are always initiated by the deployment client every phoneHomeInterval seconds. What hostname does the Azure VM present to the DS? Maybe it simply doesn't match any of your defined serverclass.conf entries? You can try to set clientName in deploymentclient.conf to a static value that matches serverclass.conf rules to test this theory. Also, splunkd.log on the DC will provide clues; look for component=HttpPubSubConnection to see if the connection is successful. HTH

s2_splunk · ‎05-04-2021

I don't see anything wrong here. Can you append | fields JsonData, myfield How do you determine that the value is not extracted? It works fine in this run-anywhere example: | makeresults | eval d = "2021-04-28 - 22:01:14.728 - INFO : Action completed in 7.90478181839 seconds, result is { \"images-deleted\": 8, \"images\": 444, \"account\": \"012345678901\", \"task\": \"DELETE-AMI-TASK\", \"metrics\": { \"Action\": \"Ec2DeleteImageAction\", \"Data\": { \"DeletedImages\": 8 }, \"Version\": \"1.0\", \"Type\": \"action\", \"ActionId\": \"aac9da60-d325-4ed5-ae30-2e11fe7a7e39\" }, \"deleted\": { \"us-east-1\": [ \"ami-0dfd9eee9557ffcb3\", \"ami-0fec918b8f4b5bf04\", \"ami-00b68913ba31e0590\", \"ami-0859ee921a1ff93d0\", \"ami-06bdf5c91701957a2\", \"ami-00945fa203dba66df\", \"ami-0b35e3e1f90ff9233\", \"ami-032006127456fba8a\" ] }, \"region\": \"us-east-1\" } - ReconNum:1619647200000" | rex field=d "(?<JsonData>{[^}].+})" | spath input=JsonData output=myfield path=metrics.Data.DeletedImages | fields JsonData, myfield

s2_splunk · ‎05-04-2021

OK, it's JSON format, that's helpful to know.... [yourSourcetypeName] SHOULD_LINEMERGE=false INDEXED_EXTRACTIONS = json KV_MODE = none TIMESTAMP_FIELDS = timestamp TIME_FORMAT = %s You may have to add other settings here depending on other requirements, like line breakers etc., but this should parse your epoch timestamp as expected.

s2_splunk · ‎05-03-2021

This should get you started: | makeresults | eval n="00:24 01:44 02:23 00:54" | makemv delim=" " n | mvexpand n | eval hhmm = substr("00:00:00",1,8-len(n)).n | convert dur2sec(hhmm) as seconds | stats avg(seconds) as avgsec | eval AvgDur = tostring(avgsec, "duration") First four lines are generating test events from your example data. If you are fine with the average time in seconds, you can skip the last line.

s2_splunk · ‎05-03-2021

This should work as long as your fields are returned in the correct order, i.e. day name followed by the numerical value. You can always add | fields weekday, number to ensure that.

s2_splunk · ‎05-03-2021

Can you run $SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus to check if it provides any hints as to why your wildcards don't match? Many moons ago, spaces in wild-carded directories on Windows caused issues, but those should be fixed by now. I don't really see anything wrong with your config.

s2_splunk · ‎05-03-2021

Can you be certain that there always is a header line and that it is always line 1? Have you tried to set HEADER_FIELD_LINE_NUMBER to '0' to let Splunk figure it out? Also, is it possible that the file is being overwritten vs. being rolled while it is read?

s2_splunk · ‎05-03-2021

| makeresults | eval n="lxw0000.usr.osd.mil,amico0000,alsedx.osd.mil" | makemv delim="," n | rex field="n" "^(?<host>\w+)\.?" First three lines to generate your test dataset. Will extract anything before your first "." (which is optional)

s2_splunk · ‎05-03-2021

sourcetype=Unix:Version has a bunch of the fields (os_*) you are looking for. I am not sure the distribution name is part of that dataset, since there is no standard way of figuring that out across all *nix platforms. Do have that sourcetype in your indexed data?

s2_splunk · ‎05-03-2021

I don't see why not, any directory or file can be monitored. You'd probably want to index this into a dedicated and short-lived index since this can possibly be a significant amount of data.

s2_splunk · ‎05-03-2021

Sounds like your user role doesn't have permission to look at internal indices?

s2_splunk · ‎05-03-2021

| mvexpand product at the end of your search should do the trick. mvexpand docs here.

s2_splunk · ‎05-03-2021

Many ways to do it, here's another one: | makeresults | eval noTrip = "^never|pull|push$" | eval Stops=".madrid-plane.taxi$tour.Home&depart push pull never" | makemv delim=" " Stops | mvexpand Stops | rex field=Stops "(?<First_Stop>\.[^\.]+)\.[^\.]+\.(?<Last_Stop>.+)" | eval First=if(match(Stops, noTrip), Stops, First_Stop) | eval Last=if(match(Stops, noTrip), "N/A", Last_Stop) | fields Stops, First, Last The first four lines are there to generate some test data, so you can run this search without pulling actual data. Here's what it should produce: Happy Splunking!

s2_splunk · ‎05-03-2021

You don't need to resort to the command line to do what you want to do; apologies if it sounded like that's a must. Splunk's primary purpose is to ingest data on an ongoing basis, for which the monitor approach is exactly the right thing to do. Your use case is about loading large amounts of historical data and there are some product features available to support one-time ingest that are not exposed via the UI. I would suggest you try to configure a monitor input on the directory containing your files. Follow the UI process as shown in the video I linked and instead of selecting a file, select a directory on your Splunk server. Once you have done that, copying/moving files into that directory should cause them to be indexed into Splunk. If that doesn't work for you, please respond and we can troubleshoot from there.

s2_splunk · ‎05-03-2021

Here's the simple way to do this in search. You cannot modify _raw as indexed, but you could certainly do it as you outline for the current search. This run anywhere example assumes shows using the replace function to do the character substitution: | makeresults | eval _raw="<some, other, text> SQL_TEXT=\"grant create database link to aaa01, bbb02, yyy03, xxx04\", <more,other,text>" | rex field=_raw "SQL_TEXT=\"(?<sqltxt>.*)\"" | eval newsqltext=replace(sqltxt,",","$") Depending on how you have this datasource configured, you may already have a field called SQL_TEXT extracted, so you may not have to do the rex at all. Here's how you could do it following your approach: | makeresults | eval _raw="<some, other, text> SQL_TEXT=\"grant create database link to aaa01, bbb02, yyy03, xxx04\", <more,other,text>" | rex field=_raw "^(?<prefix>.+)SQL_TEXT=\"(?<sqltxt>.*)\"(?<suffix>.+)$" | eval new_raw = prefix+"SQL_TEXT="+replace(sqltxt,",","$")+suffix | fields _raw, new_raw HTH

s2_splunk · ‎05-03-2021

As a user new to Splunk, I suggest you review the video on getting data into Splunk Enterprise for the general approach to monitor a directory using the UI. There are a myriad of ways to go about getting data into Splunk. For historic data, you would normally not choose a monitor, since you don't expect historic files to be updated. Since the UI imposes a 500MB limit on uploaded files, you can use the CLI and the oneshot or spool commands for a one-time ingest. If you want to explore configuring file monitoring, please review this part of our documentation, which contains example settings. One note regarding old data: There are some settings that control how far back of a timestamp Splunk will consider valid. Specifically, MAX_DAYS_AGO is used to discard data that is older than a set amount of time. This defaults to 2000 days, so you may have to adjust this for data older than ~5.5 years.

s2_splunk · ‎04-30-2021

Paul, how did you ingest the initial file? Did you upload it to your instance via the UI or did you setup a file monitor? You need to make sure you have an inputs.conf file configured with a [monitor://....] stanza that points to your directory/file. If you do that, and that input is enabled, changes to the file should be picked up and indexed. HTH

s2_splunk · ‎04-30-2021

Try this: <yourbasesearch> | stats count(eval(action="click")) as clickCount, count(eval(action="search")) as searchCount | eval percentage = clickCount/searchCount

Posts	859
Solutions	132
Karma Given	2
Karma Received	345
Member Since	‎10-01-2013

Online Status	Offline
Date Last Visited	‎11-03-2021 03:43 PM

What are Splunk Validated Architectures and where ...

Where do I configure my various Splunk settings?

Re: When i check logfile and found process cannot ...

Re: Macro oddness with inputlookup

Re: Export MV field values to CSV

Re: Not able to search index=_internal from search...

Re: Azure VM - Won't report to Deployment server

Re: change admin password in centos 7

Re: How Many Indexes Per Peer (Overall size)

Re: Azure VM - Won't report to Deployment server

Re: rex -> spath -> field extract not working?

Re: Epoch Time

Re: Find average time duration in hh:mm

Re: How to generate a column chart off a lookup?

Re: Issues with wildcard input stanza

Re: Why the header from psv file sometimes being ...

Re: Extract Field value

Re: inputs.conf entry to get linux operating syste...

Re: Can I configure Splunk to index the search.log...

Re: Not able to search index=_internal from search...

Re: How to split count by product by another value...

Re: Extracting first and last pattern from a strin...

Re: How to get Splunk to recognise new data added ...

Re: Replacing commas with another character for pa...

Re: How to get Splunk to recognise new data added ...

Re: How to get Splunk to recognise new data added ...

Re: Basic percentage question

Join the Conversation