Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Andrew_Banman
Andrew_Banman
Explorer
Member since:
07-05-2012
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 07-05-2012 |
Activity Feed
- Got Karma for Re: Building KV Pairs. 06-05-2020 12:46 AM
- Posted Re: Can I set a specific link for a given field in a search table on Splunk Search. 09-20-2012 10:56 AM
- Posted Re: Can I set a specific link for a given field in a search table on Splunk Search. 09-13-2012 01:27 PM
- Posted Re: Can I set a specific link for a given field in a search table on Splunk Search. 09-13-2012 11:28 AM
- Posted Can I set a specific link for a given field in a search table on Splunk Search. 09-11-2012 02:56 PM
- Tagged Can I set a specific link for a given field in a search table on Splunk Search. 09-11-2012 02:56 PM
- Tagged Can I set a specific link for a given field in a search table on Splunk Search. 09-11-2012 02:56 PM
- Posted Re: Building KV Pairs on Splunk Search. 08-23-2012 03:14 PM
- Posted Re: Building KV Pairs on Splunk Search. 08-23-2012 09:40 AM
- Posted Building KV Pairs on Splunk Search. 08-21-2012 03:00 PM
- Tagged Building KV Pairs on Splunk Search. 08-21-2012 03:00 PM
- Posted Re: Splunk for Fortigate Config on All Apps and Add-ons. 07-09-2012 11:45 AM
- Posted Re: Splunk for Fortigate Config on All Apps and Add-ons. 07-06-2012 03:08 PM
- Posted Re: Splunk for Fortigate Config on All Apps and Add-ons. 07-06-2012 03:06 PM
- Posted Splunk for Fortigate Config on All Apps and Add-ons. 07-06-2012 02:19 PM
- Tagged Splunk for Fortigate Config on All Apps and Add-ons. 07-06-2012 02:19 PM
- Tagged Splunk for Fortigate Config on All Apps and Add-ons. 07-06-2012 02:19 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-20-2012
10:56 AM
Nice, thanks. It's working now. I appreciate the help 🙂
... View more
09-13-2012
01:27 PM
OK, as often with Splunk documentation things look pretty easy but I don't get the desired results immediately. I guess I am missing something. Perhaps you can spot my error.
Per the docs ....
1) I've added the 2 critical bits to my Advanced XML. Ensuring that drilldown is set to row and that the module "NullModule" is added.
2) I went back to my search and ensured that the link field was first in the table and that it was properly labeled as "link".
Unfortunelately it still doesn't do what I want it too. When I click it just launches the result set as usual.
Here is a snippet of the AdvancedXML for this panel in case you can spot my error:
Advanced XML Snippet
Here is the tweaked search to make sure "link" is used first:
index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | `replace_numeric_severity_with_text` | rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)" | lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as link | table link, trigger_time, ss_name, severity, local_support_team | rename trigger_time AS TIME, ss_name AS SEARCH_NAME, severity AS SEVERITY, local_support_team AS SUPPORT_TEAM
And here is a screenshot of the output that unfortunately doesn't launch my custom link yet:
... View more
09-13-2012
11:28 AM
Thanks for this tip, I will start working through the doc you refenced. I hope this will get me there 🙂
... View more
09-11-2012
02:56 PM
Hi there folks,
I am building a custom alerts dashboard based on a search that returns a table (see demo screen below). I have it doing a lookup and adding a few custom fields I need based on the specific types of alerts found. Now I want to add a link to the dashboard so the user can go directly to the correct dashboard based on the specific alert. Unfortunately, the link I added based on a lookup doesn't actually work. This link is just a standard table drilldown.
Any ideas on how I can make my field use the link I give it? Can I specifiy this link in some part of the search so that when the table renders this field will use my link rather than a standard drilldown.
Here is the search in case it matters:
index="_audit" sourcetype="audittrail" action="alert_fired" ss_app="itg" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | `replace_numeric_severity_with_text` | rex "(?i) *ss_name=\"(?P<ss_prefix>[a-z]+_)" | lookup itg_app_alerts search_source as ss_prefix OUTPUT support_team as local_support_team, dashboard_url as local_dashboard_url | table trigger_time, ss_name, severity, local_support_team, local_dashboard_url
And here is a picture of the search thus far to give you context. As you can see I have an URL in the last field that I want to use. But my URL doesn't get used, it's just the standard drilldown URL used by default in Splunk tables.
Thanks for any thoughts you have 🙂
... View more
08-23-2012
03:14 PM
1 Karma
Good idea but it still failes. Thanks for the help. Multikv seems the answer but doesn't do what we expect it too. Not sure why! Thanks again for the ideas 🙂
... View more
08-23-2012
09:40 AM
Thanks for your responce but this doesn't seem to work. No change in the results I get at all. I wonder if it could be the % characters. It certainly doesn't build KV pairs as I would expect it to.
Any other thoughts anyone?
... View more
08-21-2012
03:00 PM
Hi folks,
I am trying to build KV pairs from some UNIX command output. The log entries look like the output below. In this case I would like to build keys from the headers (%usr, %sys, %wio, %idel) and values for each from the values shown (2, 5, 0, 93). I will then graph multiple entries over time. While the preview here shows this all in a line, the log is a preformatted table.
HP-UX van-sama B.11.31 U ia64 08/21/12
12:49:47 %usr %sys %wio %idle
12:49:48 2 5 0 93
The likely search function seems to be "extract(kv)" but I am unclear on how to go about this and the examples in the docs seem weak.
Can anyone put me on the right track?
Thanks 🙂
... View more
- Tags:
- lookups
07-09-2012
11:45 AM
Thanks for your responce and help. I don't see these deny's in the denied screens but ....
We will have to wait to use your excellent tool until we update I guess. We are fairly conservitive and almost NEVER run the latest release of anything.
... View more
07-06-2012
03:08 PM
Not sure about the index issue. I didn't do anything intentional with indexes and I didn't see instructions for this in the README.
... View more
07-06-2012
03:06 PM
Hi Abel,
Thanks for the speedy responce. Here is a vesion from the status dashboard on the Fortigate:
v4.0,build0328,110718 (MR2 Patch 😎
Cheers,
Andrew
... View more
07-06-2012
02:19 PM
I am trying to get the Splunk Fortigate application running as it would be very useful. When I go into it and give it a device and vdom it just reports no data is found. I have setup the UDP:512 port on Splunk and the sourcetype/IP config per the README file but I still seem to be unable to get the app to display the data. I am not sure what I have done wrong and I'm not sure even where to begin looking at this point. Can anyone offer some troubleshooting suggestions?
You can see I have log data per my splunk data:
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=50962,dst=###.###.###.###,dstname=###.###.###.###,dst_port=53,service=53/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346120,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=162,dst=###.###.###.###,dstname=###.###.###.###,dst_port=162,service=162/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346112,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:53,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=162,dst=###.###.###.###,dstname=###.###.###.###,dst_port=162,service=162/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346110,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=58072,dst=###.###.###.###,dstname=###.###.###.###,dst_port=53,service=53/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V645_ITG_MGMTS",dst_int="V998_MGMTN",SN=582346087,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346085,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346084,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346073,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346072,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
date=2012-07-06,time=13:48:52,devname=FW-NAME,device_id=FG###########,log_id=0022000003,type=traffic,subtype=violation,pri=warning,status=deny,vd="root",src=###.###.###.###,srcname=###.###.###.###,src_port=48295,dst=###.###.###.###,dstname=###.###.###.###,dst_port=514,service=514/udp,proto=17,app_type=N/A,duration=0,rule=0,policyid=0,identidx=0,sent=0,rcvd=0,shaper_drop_sent=0,shaper_drop_rcvd=0,perip_drop=0,shaper_sent_name="N/A",shaper_rcvd_name="N/A",perip_name="N/A",vpn="N/A",src_int="V998_MGMTN",dst_int="V999_MGMTS",SN=582346071,app="N/A",app_cat="N/A",user="N/A",group="N/A",carrier_ep="N/A"
... View more
