Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About mcm10285
mcm10285
Communicator
Member since:
02-09-2011
06-05-2020
Community Statistics
| Posts | 57 |
| Solutions | 4 |
| Karma Given | 7 |
| Karma Received | 14 |
| Member Since | 02-09-2011 |
Activity Feed
- Karma Re: How to improve search efficiency for monthly vpn users login data averaging 50 million events per day? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: How to improve search efficiency for monthly vpn users login data averaging 50 million events per day? for rtadams89. 06-05-2020 12:47 AM
- Karma Re: Shifting from advanced XML to simple XML: How to resize forms input box? for jkat54. 06-05-2020 12:47 AM
- Got Karma for How to improve search efficiency for monthly vpn users login data averaging 50 million events per day?. 06-05-2020 12:47 AM
- Got Karma for How to improve search efficiency for monthly vpn users login data averaging 50 million events per day?. 06-05-2020 12:47 AM
- Got Karma for My Named Searches are being Audited, can I put a title on my search?. 06-05-2020 12:47 AM
- Got Karma for Is Splunk mobile access unable to display advanced XML dashboards?. 06-05-2020 12:47 AM
- Got Karma for Re: Shifting from advanced XML to simple XML: How to resize forms input box?. 06-05-2020 12:47 AM
- Got Karma for Re: Shifting from advanced XML to simple XML: How to resize forms input box?. 06-05-2020 12:47 AM
- Karma Re: Field Extraction identification for stefano_guidoba. 06-05-2020 12:46 AM
- Karma Re: How to extract a field based on other defined fields? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: rare command for Ayn. 06-05-2020 12:46 AM
- Karma Re: rare command for kristian_kolb. 06-05-2020 12:46 AM
- Got Karma for Re: 2 independent dropdowns data does not show in some users. 06-05-2020 12:46 AM
- Got Karma for makemv delims not working. 06-05-2020 12:46 AM
- Got Karma for Re: makemv delims not working. 06-05-2020 12:46 AM
- Got Karma for Search result as input to another search. 06-05-2020 12:46 AM
- Got Karma for Can a drilldown that redirects to an external site be done for multiple columns?. 06-05-2020 12:46 AM
- Got Karma for Top Values of 2 fields. 06-05-2020 12:45 AM
- Got Karma for Top Values of 2 fields. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 2 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
01-05-2016
10:13 PM
I thought updating an existing CSS file just needed a page refresh. However, a restart of the splunkweb service actually did the trick.
... View more
01-05-2016
10:11 PM
2 Karma
Individually, that should be the ID used.
Generally for the text input boxes, the below will work as well.
textarea, input[type="text"], .uneditable-input {
width: 400px !important;
... View more
12-28-2015
11:03 PM
I am currently shifting my advanced XML dashboards to simple xml as it appears to be the direction of Splunk.
In advanced XML I was able to resize the forms text input box by applying a custom CSS and editing the Extended_Field_Search class (sample below)
ExtendedFieldSearch_3_2_1 input {
min-width: 800px;
}
Now in simple XML, when inspecting the html, I see the xpath below for the input box
<div class="input input-text splunk-view" id="input1">
<label for="input1_2796">Label</label>
<div id="input1_2796" class="splunk-textinput splunk-view"><input type="text" id="input1_2796-input" value=""></div></div>
However, I can't seem to change the id using a custom CSS (I used "input1").
Anyone can help me out here? Thanks.
... View more
04-14-2015
07:58 PM
I have an app that contains saved searches (alerts). However, when I look into /$SPLUNKHOME/etc/apps/old_app/local/savedsearches.conf , I don't see all the saved searches I see in the UI settings (Settings - Searches, Reportsand Alerts).
Now I have a second app (new_app) and I would want all those saved searches from the old_app be moved/copied to this new_app. I know there is a "Move" and "Clone" functionality in the UI. But is there a better way?
... View more
- Tags:
- alert
- saved-search
11-25-2014
05:46 PM
Has anyone figured this one out? I'm running into the same issues.
... View more
09-29-2014
06:05 PM
Thanks for the response aweitzman. I was hoping that someone was able to pull up some complex search that can return the desired results.
I had the same thoughts of flipping the main and sub searches around. However doing that would make the correlation different as the event I'm looking into starts off with sourcetype2. The lookup idea is something that can be explored, but it is possible it will be a dynamic lookup.
... View more
09-28-2014
10:49 PM
I have a search with one subsearch, that looks like this.
sourcetype=sourcetype1 <search string> [search sourcetype=sourcetype2 <search string>|fields + src_ip dst_ip message|stats values(dst_ip) AS Network_Address] | fields + hostname Network_Address | search hostname!="*Unknown*" OR hostname!="-"|convert ctime(_time) AS timestamp | stats values(Network_Address) AS dst_ip values(hostname) AS Hostname values(src_ip) AS SourceIP values(message) AS Message count by timestamp
What the whole search should do is get the dst_ip address from the subsearch, input the values into the main search, then main search gets the hostname of the dst_ip values. After the searching, it should be tabled to display the fields "timestamp" "src_ip" "dst_ip" "hostname" "message"
The fields or values for the fields "src_ip" and "message" are not picked up and rendered in the main search table. How do I get those fields included?
... View more
- Tags:
- subsearch
09-24-2014
06:46 PM
All answers have different good points and trying out each of them would probably help anyone who has a similar issue decide what's best. In my case, I decided to stick with the original search and make it a scheduled search since the need for the information is not urgent. Running it as a report in the background made more sense.
... View more
07-27-2014
06:16 PM
1 Karma
Does this mean splunk mobile access is unable to display advanced XML dashboards?
Transforms SimpleXML dashboards in Splunk Enterprise to HTML dashboards on your mobile device. The mobile server uses the Splunk Web Framework to render views on the device http://docs.splunk.com/Documentation/MobileServer/1.0/Install/AudienceandFeatures
If yes, anyone know if there is a roadmap for including all types of dashboards?
Thanks.
... View more
07-24-2014
06:49 PM
That's it! So simple! Thank you!
... View more
07-24-2014
06:19 PM
1 Karma
Our named searches are being audited. Named searches are those that have a specific User name in the actual search syntax. Those are audited and I would like to find a way to attach a ticket number to the search so a named search would be labeled by a ticket number.
Is there a way to do this on an inline search?
... View more
07-21-2014
10:13 PM
To clarify, the 24 hours I originally mentioned, I ran the search during peak hours of our infra. I ran the job on the background on off peak hours and finished the job after 6 hours.
... View more
07-21-2014
10:07 PM
Martin, this is a great point. It'll be on my list to further narrow down events. Thanks.
... View more
07-21-2014
10:06 PM
Thanks gkanapathy.
So I ran a background job on this earlier and was still running as I posted the question. It finished at around 6 hours which is close to the estimate. So I am expecting any optimization on the search itself will still come around the same duration.
... View more
07-21-2014
10:00 PM
Hi gkanapathy,
Thanks for that note, will keep that in mind.
... View more
07-21-2014
07:32 PM
rtadams,
Very interesting!!! I think I will give this a test run.
... View more
07-21-2014
07:29 PM
Martin,
Thank you for the insight and I like the idea of troubleshooting the bottleneck. To answer your question, ' ' contains very minimal strings, in fact just a 5-letter word.
I've been considering the summary indexing option as it seems to be my best bet so far, but I would be interested if someone can still tweak this more.
... View more
07-21-2014
06:02 PM
2 Karma
I would like to get advice on how to make the search below more efficient (and probably simpler). The sourcetype contains massive amounts of log and the search takes about 24hours or more to finish. Also, let's consider that summary indexing is not an option at this point of time.
Below is what the search is:
The search will simply look for vpn users logging in for 11 or more days in a month.
There are two regex field extractions because the data sources have different formats.
The sourcetype has an average of 50 million events per day.
sourcetype=vpn <my search>|bucket _time span=1d |rex field=_raw "(?i)\(LOCAL\\\(?P<Username>[^)]+)\)" | rex field=_raw "(?i)\((?P<UserAcct>[^\d]+)\)"| eval user=coalesce(Username,UserAcct)|fields + Username UserAcct user|convert ctime(_time) as timestamp | stats dc(timestamp) AS "Days_Logged_In" by user|where Days_Logged_In>11|sort -Days_Logged_in
... View more
01-23-2014
02:13 AM
Found it, was right under my nose. I used $row.fieldname$ instead of the $click.value3$ (which is I believe is non-existent)...by the way, the popups don't really work (not in code level) unless ctrl-click is done.
Now the next questions is:
1.Is it possible to search for one value in two external sites launched at the same time?
I guess that's for another topic.
... View more
01-23-2014
01:38 AM
1 Karma
I have the code below to drilldown the values of a specific field to an external website (e.g. google and ipvoid). For one field it will popout a new window and search in google. For another field, it will also popout a new window and search in IP void.
The closest I can get is use this.
<module name="SimpleDrilldown">
<param name="links">
<param name="Malware_Name">https://www.google.com/#q=$click.value2$</param>
<param name="IP">http:www.ipvoid.com/scan/$click.value3$/</param>
</param>
This results to both popup windows working. First field ("Malware_Name") is properly searched on google. Second field ("IP"), successfully redirects to www.ipvoid.com but it takes the "$click.value3$" literally.
So the question is, is this possible? Is there an argument that will replace "click.value3" and still make both drilldowns work?
Thanks.
... View more
10-07-2013
08:08 PM
First item cannot deliver the requirement.
Second item not feasible at this time, I am at 5.0.3.
"Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml."
--> Is this applicable to v5.0.3? Also, would you have references that you can point me to? Thanks.
... View more
10-06-2013
08:03 PM
Is it possible to have a customized drilldown result per link? The idea is a form, which will initially result to displaying the different sourcetypes of the search, then per sourcetype result, I can drilldown to a simple table or a stats table that is created based on the sourcetype that is clicked on.
For example, the form search returned 3 sourcetypes, firewall, URL filter and AV. When I click on firewall, it will drill down to a table that shows fields related to the sourcetype (src,dst,port,etc.). Same follows for the other results when clicked on, URL filter (src,dst,URL,operation, argument,user-agent, etc.) and AV (sr,dst,signature,file,etc.)
Hope this is possible and someone can share an idea.
... View more
09-11-2013
12:24 AM
1 Karma
Figured this out. The duration of allowable data that can be searched by the other user profile is shorter than mine. I adjusted the time frame (shortened) of the searches to accommodate the other user profile and properly populate the dropdowns.
... View more
09-10-2013
11:32 PM
somewhow this just worked..might have been a delayed indexing...
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma given to
