cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
japger_splunk
Splunk Employee
Member since: ‎06-24-2014
‎07-16-2021
Community Statistics
Posts 10
Solutions 3
Karma Given 0
Karma Received 1
Member Since ‎06-24-2014
Activity Feed
View All

Re: Conditional SPL

by Splunk Employee in Knowledge Management
‎02-25-2019 06:59 AM
‎02-25-2019 06:59 AM
Good point. I believe your example is a one-way condition but please correct me if I misunderstand. "Only do this if this condition is met" versus "Do this if it's met or do this if it's not met". ... View more

Re: Conditional SPL

by Splunk Employee in Knowledge Management
‎02-25-2019 06:54 AM
‎02-25-2019 06:54 AM
Use multireport to steer your search down the desired path. | makeresults 1 |eval search_name="TEST-RiskRule - DDNS Activity Detected - System" |multireport [|search NOT search_name="TEST*"|collect index=myindex] [|search search_name="TEST*"|collect index=myindex testmode=true] ... View more

Conditional SPL

by Splunk Employee in Knowledge Management
‎02-25-2019 06:53 AM
‎02-25-2019 06:53 AM
How do you build a query that takes two different SPL paths based on a condition within the data? Example: Write the results of a query to a summary index only if the search name does not begin with "TEST"? ... View more

Re: Error Code=3

by Splunk Employee in Alerting
‎03-23-2018 11:29 AM
‎03-23-2018 11:29 AM
If this issue was resolved, what was the fix? Permissions? Thanks. ... View more

Re: Splunk For U-verse Home modem: How can I extra...

by Splunk Employee in All Apps and Add-ons
‎10-24-2017 07:14 AM
‎10-24-2017 07:14 AM
Since you appear to be seeing data in the "All U-verse Events" view, it looks like you have the data routed into an index and have the sourcetype set correctly. The eventtypes (eventtypes.conf), tags (need to create tags.conf) and field extractions (props.conf) can be edited on the fly specific to your modems log format such that you create fields that match the search criteria that populate the dashboard (uverse_main.xml). ... View more

Re: Splunk For U-verse Home modem: How can I extra...

by Splunk Employee in All Apps and Add-ons
‎10-23-2017 10:05 AM
‎10-23-2017 10:05 AM
Unfortunately, the number of log formats and modems from U-Verse makes it tough to come up with default field extractions outside of the 2 modems we initially tested on. I do not have access to U-Verse log files anymore and this app needs to be re-written to be Common Information Model (CIM) compliant. You will need to edit eventypes.conf such that the [u-verse fw] section identifies the firewall related event correctly. You will also need to look at the props.conf to get the field extractions (this line: EXTRACT-fw) in place. If I were able to keep this app current, I would align it to this: http://docs.splunk.com/Documentation/CIM/4.9.0/User/NetworkTraffic and make sure the events are tagged (network and communicate) in addition to aligning with field names and their possible field values. ... View more

Re: how do I get splunk to work for my at&t uverse...

by Splunk Employee in All Apps and Add-ons
‎09-22-2016 05:36 AM
‎09-22-2016 05:36 AM
Unfortunately, there are many AT&T U-Verse modems being used and they utilize differing types and formats of data. The modem version (hardware/software) that the App supports and hints regarding the setup are detailed in the README.txt file. If you have the same modem or the modem uses the same logging format, you should be able to following the modem config instructions (README.txt also) to send the syslog messages to your Splunk instance. It is worth noting that the default port that the app uses is UDP:912 but you change change this by modifying the inputs.conf file. Everything else is taken care of for you. All searching within the app is based on sourcetype=u-verse. ... View more

Re: how do I get splunk to work for my at&t uverse...

by Splunk Employee in All Apps and Add-ons
‎09-22-2016 05:35 AM
1 Karma
‎09-22-2016 05:35 AM
1 Karma
Unfortunately, there are many AT&T U-Verse modems being used and they utilize differing types and formats of data. The modem version (hardware/software) that the App supports and hints regarding the setup are detailed in the README.txt file. If you have the same modem or the modem uses the same logging format, you should be able to following the modem config instructions (README.txt also) to send the syslog messages to your Splunk instance. It is worth noting that the default port that the app uses is UDP:912 but you change change this by modifying the inputs.conf file. Everything else is taken care of for you. All searching within the app is based on sourcetype=u-verse. ... View more

Re: Eventgen: Is there a known bug with backfill a...

by Splunk Employee in All Apps and Add-ons
‎09-08-2015 11:27 AM
‎09-08-2015 11:27 AM
No bug. After increasing the size of the backfill window and performing a more thorough analysis, I determined that the backfill window is respecting the specific timemultiple=600. The small period of time between the end of the backfill window and the beginning of the ongoing eventgen just happened to be producing 2 "blocks" that were within 1 second of each other. The above eventgen will reliably produce both backfill and ongoining "blocks". I should have caught that the timing between the last event in the backfill and the first event in the ongoining eventgen would be handled differently than as specified in the eventgen.conf file. I will leave this example up there as a reference for how to replay events that need to be modeled as transactions. ... View more

Eventgen: Is there a known bug with backfill and r...

by Splunk Employee in All Apps and Add-ons
‎09-08-2015 09:41 AM
‎09-08-2015 09:41 AM
I am trying to model transactions such that they are replayed using similar timing between events that are contained in the sample data file. The pause between each "block" of transactions also needs to be spaced out which is being correctly handled (every 600 seconds) in the below eventgen.conf file when ignoring the backfill. The token substitutions are also working as desired. PROBLEM: The problem shows up when I try to backfill these events over a previous window. It seems that the backfill process does not account for the 600 second pause and is defaulting back to a 1 second spacing between blocks of events. Is this a known bug? Any ideas for a workaround? eventgen.conf: [test2.raw] index=demo host=myHost source=test2.raw breaker = \r*\n\r*\n mode = replay sampletype=raw timeMultiple = 600 backfill = -10m backfillSearch = index=demo source=test2.raw outputMode = splunkstream token.0.token = \d{4}-\d{2}-\d{2}T\d{2}.\d{2}.\d{2} token.0.replacementType = replaytimestamp token.0.replacement = %Y-%m-%dT%H:%M:%S token.1.token = @@src_ip@@ token.1.replacementType = random token.1.replacement = ipv4 test2.raw: {"timestamp":"2015-09-04T15:45:00.454143Z","src_ip":"@@src_ip@@","comment":"web click #1"} {"timestamp":"2015-09-04T15:46:01.454143Z","src_ip":"@@src_ip@@","comment":"web click #2"} {"timestamp":"2015-09-04T15:47:02.454143Z","src_ip":"@@src_ip@@","comment":"web click #3"} {"timestamp":"2015-09-04T15:48:03.454143Z","src_ip":"@@src_ip@@","comment":"web click #4"} ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-16-2021 10:27 AM
Karma from
View All