Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bapun18
bapun18
Communicator
Member since:
09-04-2019
3 weeks ago
Community Statistics
| Posts | 74 |
| Solutions | 3 |
| Karma Given | 24 |
| Karma Received | 3 |
| Member Since | 09-04-2019 |
Activity Feed
- Karma Re: How to remove decimal precision in single value visualization, but keep it in the trending value? for harishalipaka. 3 weeks ago
- Karma Re: How to limit on uploading of csv lookup by size for tscroggins. 04-10-2023 12:36 PM
- Posted Re: How to limit on uploading of csv lookup by size on Knowledge Management. 04-10-2023 11:47 AM
- Karma Re: How to limit on uploading of csv lookup by size for tscroggins. 04-10-2023 11:45 AM
- Posted How to limit on uploading of csv lookup by size? on Knowledge Management. 04-07-2023 12:56 PM
- Posted Splunk blacklist regex using inputs.conf of universal forwarder? on Getting Data In. 03-27-2023 01:49 PM
- Tagged How to disable save as option? on Splunk Search. 01-30-2023 08:04 PM
- Karma Re: Wanted to disable save as option for PickleRick. 01-30-2023 08:01 PM
- Posted Re: Wanted to disable save as option on Splunk Search. 01-27-2023 05:54 AM
- Posted How to disable save as option? on Splunk Search. 01-26-2023 07:49 AM
- Tagged How to disable save as option? on Splunk Search. 01-26-2023 07:49 AM
- Posted Re: Can I run the schedule saved search in one searchhead not in all members? on Alerting. 10-12-2022 01:43 PM
- Posted Can I run the schedule saved search in one searchhead not in all members? on Alerting. 10-12-2022 12:28 PM
- Posted Re: How to Run Universal Forwarder 9.1 as Root? on Splunk Enterprise. 10-07-2022 08:26 AM
- Posted Re: How to Run Universal Forwarder 9.1 as Root? on Splunk Enterprise. 10-07-2022 07:48 AM
- Posted Re: How to Run Universal Forwarder 9.1 as Root? on Splunk Enterprise. 10-07-2022 07:46 AM
- Karma Re: Include two index events without using JOIN command for kamlesh_vaghela. 10-07-2022 07:39 AM
- Karma Re: How can I extract a license file from existing license volume for micahkemp. 10-07-2022 07:17 AM
- Posted Re: I am running a query |tstats count latest(_time) where index=abcd by host, my requirement is to create an alert on Splunk Search. 09-26-2022 12:02 PM
- Posted Re: I am running a query |tstats count latest(_time) where index=abcd by host, my requirement is to create an alert on Splunk Search. 09-26-2022 11:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-10-2023
11:47 AM
Hi, thanks for the response, but my requirement is for specific roles, don't want to change it globally.
... View more
04-07-2023
12:56 PM
How to limit on uploading of CSV lookup by size. Hi, I want to restrict the upload of lookup files with a certain size, like let's say a user with some role has permission of uploading a lookup file, but I want to filter it in that role so that the user can able to upload or create a CSV lookup file but with 5MB not more than that.
... View more
- Tags:
- lookup
03-27-2023
01:49 PM
Needs to blacklist certain syslogs messages from the forwarder level. We have raw syslogs as below: 2023-03-27T00:00:00+00:00 10.10.33.15 Mar 27 2023 00:00:00.028 UTC : %UC_Test-4-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=AN004A1328478011][IPAddress=10.152.157.107][DeviceType=30027][Reason=3][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Siso CallManager][ClusterID=c6801ccm][NodeID=c6801011ccm007]: A device attempted to register but did not complete registration 0.0.3.1 0 0 2023-03-27T00:00:00+00:00 10.10.33.15 Mar 27 2023 00:00:00.144 UTC : %UC_Test-4-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=ANF000673BC20003][IPAddress=10.70.56.248][DeviceType=30027][Reason=3][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Siso CallManager][ClusterID=c6801ccm][NodeID=c6801011ccm007]: A device attempted to register but did not complete registration 0.0.3.1 0 0 2023-03-27T00:00:00+00:00 10.10.33.15 Mar 27 2023 00:00:00.147 UTC : %UC_Test-4-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=AN00A13274B800D][IPAddress=10.108.2.248][DeviceType=30027][Reason=3][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Siso CallManager][ClusterID=c6801ccm][NodeID=c6801011ccm007]: A device attempted to register but did not complete registration 0.0.3.1 0 I need to filter the data before pushing it to the Splunk indexer, with respect to UC_Test-4-DeviceTransientConnection and Reason=3 which means I don't want to push the data which have UC_Test-4-DeviceTransientConnection and Reason=3. I have tried blacklisting it in inputs.conf blacklist = ^.*UC_Test-4-DeviceTransientConnection.*\[Reason=3\].*$ above isn't working then I have tried with props.conf and transforms.conf like below
[testsys] TRUNCATE = 0 TRANSFORMS-NULL = setnull
[setnull] REGEX = ^.*UC_Test-4-DeviceTransientConnection.*\[Reason=3\].*$ DEST_KEY = queue FORMAT = nullQueue
But unfortunately, it's still not filtering.
... View more
Labels
- Labels:
-
universal forwarder
01-26-2023
07:49 AM
I want to disable the feature of save as, user can able to search but shouldn't be able to save it as a dashboard or report or any knowledge object.
... View more
Labels
- Labels:
-
field extraction
10-12-2022
01:43 PM
I don't want to use adhok_searchhead other nodes, is there anything else we can do apart from this. adhoc_searchhead = true
... View more
10-12-2022
12:28 PM
Hi, I have a search head cluster of 3 members and I have a scheduled search which is basically doing an output CSV at the end, but my query is to is there a way I can run the scheduled search in only one node, not in all the nodes?
... View more
Labels
- Labels:
-
alert condition
10-07-2022
08:26 AM
@PickleRick wrote: But have you enabled the boot start with the root user or splunk user or what? Did you use initd or systemd? (the known issue you point to says about initd but is it really so?). You can use systemd
... View more
10-07-2022
07:48 AM
post changing this you can also use sudo /splunkhome/bin/splunk start/status/stop etc helps, please accept the solution and karma would be appreciated.
... View more
10-07-2022
07:46 AM
use splunk-launch.conf under $splunkHome/etc/ use below SPLUNK_HOME=/opt/splunk # By default, Splunk stores its indexes under SPLUNK_HOME in the # var/lib/splunk subdirectory. This can be overridden # here: # # SPLUNK_DB=/home/build/build-home/ember/var/lib/splunk # Splunkd daemon name # Splunkweb daemon name SPLUNK_WEB_NAME=splunkweb # If SPLUNK_OS_USER is set, then Splunk service will only start # if the 'splunk [re]start [splunkd]' command is invoked by a user who # is, or can effectively become via setuid(2), $SPLUNK_OS_USER. # (This setting can be specified as username or as UID.) # # SPLUNK_OS_USER SPLUNK_SERVER_NAME=Splunkd then you can use sudo systemctl start/stop/status Splunkd
... View more
09-26-2022
12:02 PM
what if I have 2 hosts rly01 and rly02 and I want to print 2 lines as below in case of no event for one host or two host count rly01 0 rly02 1456 or vice versa
... View more
09-26-2022
11:13 AM
I am running a query |tstats count latest(_time) where index=abcd by host, my requirement is to create an alert when the count is 0, when there would be no event in the index. My problem is when there is no event I am not getting the count field as 0.
... View more
- Tags:
- search
09-23-2022
05:37 AM
I can do it on search time but, don't want to ingest unformatted data, can you help me with indexer-level filters.
... View more
09-22-2022
04:01 PM
I want the values of the below fields ⦁ Date/time of the chain message ⦁ var_classname ⦁ var_entityname ⦁ var_deviceid ⦁ var_ipaddress ⦁ var_evententityid ⦁ var_eventpolicy ⦁ var_eventstate ⦁var_sys_id ⦁ var_composite_id ⦁ var_composite_criticality
... View more
09-22-2022
03:58 PM
https://drive.google.com/file/d/1wkjoejCrAyeTX5v6bfKTDPUXgmuHONJ6/view?usp=sharing
... View more
09-22-2022
03:54 PM
I want to extract as below using universal forwarder props.conf
Whatever data I have before: should be the field name and after : would be the value
eg- for Class field value is Catalyst 9500
"class": "Catalyst 9500",
"var_actionname": "Logstash - Chain",
"var_alertid": "4000",
"var_app_sys_id": "",
"var_assetfloor": "0",
"var_assetlocation": "",
"var_assetmake": "mycompany Systems",
"var_assetmodel": "Catalyst 9500",
"var_assetpanel": "",
"var_assetplate": "",
"var_assetpunch": "",
"var_assetrack": "",
"var_assetroom": "",
"var_assetserial": "",
"var_assetshelf": "",
"var_assettag": "",
"var_assetzone": "",
"var_autopolicyname": "Chain Active Events",
"var_autopolicynote": "",
"var_categoryid": "8",
"var_categoryname": "Network.Switches",
"var_classid": "6659",
"var_classname": "Catalyst 9500",
"var_classtype": "mycompany Systems",
"var_clearuser": "",
"var_collector": "csit2apacdca06",
"var_composite_criticality": 3,
"var_composite_id": "0",
"var_device_back_link": "https://123.121.12.13//index.?exec=registry&act=registry_device_management#devmgt_search.did=4526",
"var_deviceid": "4526",
"var_duty_pager": "",
"var_esp_class_name": "",
"var_event_back_link": "https://123.121.12.13//index.?exec=device_events&did=4526&etype=12708",
"var_event_guid": "EEBC704A15AFBB55FA19EF7D50A93993",
"var_eventcategory": "",
"var_eventcounter": "1",
"var_evententityid": "4526",
"var_evententityname": "ccntrx4-cn-bb-gw2.mycompany.com",
"var_evententitytype": "1",
"var_eventfirstoccurtime": "2022-09-22 22:32:05",
"var_eventid": "10784243",
"var_eventindexid": ".1199",
"var_eventlastoccurtime": "2022-09-22 22:32:05",
"var_eventmessage": "mycompany: Temperature problem. Currently, Temperature (TenGigabitEthernet1/0/40 Module Temperature Sensor) status: unavailable",
"var_eventpolicy": "mycompany: Temperature Unavailable",
"var_eventpolicycause": "<strong><!--StartFragment-->Description</strong><br>mycompany network device is reporting an "unavailable" status on temperature. Meaning that the agent presently can not report the temperature's sensor value.<br><br><strong>Probable Cause</strong><br><ul class=\"fr-tag\"><li class=\"fr-tag\">The sensor could have a hard failure (disconnected wire).</li><li class=\"fr-tag\">The sensor could have a soft failure such as out-of-range, jitter, or wildly fluctuating readings.</li></ul><br><strong>Resolution</strong><br>Manually check functioning of fan and replace if necessary.<!--EndFragment-->",
"var_eventpolicyexternalid": "",
"var_eventpolicyid": "12708",
"var_eventseverity_deprecated": "2",
"var_eventseveritylevel": "3",
"var_eventseveritytext": "MAJOR",
"var_eventsourceid": "4",
"var_eventsourcename": "Dynamic",
"var_eventstate": "Active",
"var_eventstateful": "1",
"var_eventsubentityid": "0",
"var_eventsubentityname": ".1199",
"var_eventsubentitytype": "0",
"var_eventticketid": "",
"var_eventtimeactive": "2022-09-22 22:32:05",
"var_eventtimedeleted": "None",
"var_eventurllink": "https://123.121.12.13//index.?exec=events&q_type=aid&q_arg=10784243&q_sev=1&q_sort=0&q_oper=0",
"var_eventusercleared": "",
"var_eventusernote": "",
"var_ipaddress": "10.79.194.32",
"var_orgbillingid": "",
"var_orgcrmid": "ff7ac89f1b5f8d94d73aec22b24bcbe9",
"var_orgid": "2",
"var_orgimpacted": "",
"var_orgname": "mycompany IT",
"var_parentid": "",
"var_parentname": "",
"var_priority": "",
"var_resultvalue": "unavailable",
"var_rootid": "",
"var_rootname": "",
"var_slsystemname": "",
"var_super_organization": "unknown",
"var_support_group": "",
"var_sysid": "fd19769ddb00c3ccdaeaf9551d961908",
"var_threshold": "",
"var_ticketemailsubject": "2",
"var_ticketid": "0",
"var_username": "",
"external_id": "ScienceLogic_",
"manager": "SCIENCELOGIC__ASSURED",
"signature": "ccntrx4-cn-bb-gw2.mycompany.com::Catalyst 9500::.1199",
"source": "ccntrx4-cn-bb-gw2.mycompany.com",
"source_id": "1234"
I will attach the example of the log file that needs to be pushed with extracted fields, in the comment section
... View more
- Tags:
- Universal Forwarder
Labels
- Labels:
-
field extraction
09-04-2022
07:21 AM
sorry, my outputs.conf was incomplete, working fine now post adding below lines.
... View more
09-04-2022
06:59 AM
I am getting the below error, but my outputs.conf is already configured.
Here is the outputs.conf
server.conf
Checked metics.log nothing is blocked.
... View more
Labels
- Labels:
-
splunkd
-
universal forwarder
04-18-2022
10:22 PM
I want to specify a field that contains time as earliest and another field as latest so that my spl will be executed with the earliest value of the earliest value of fileld1 and latest value as the latest value of the filed 2. Example, index=abcd |table starttimeUTC endtimeutc in the above search should run as earliest=<earlier value of tarttimeUTC> and latest=<latest value of endtimeutc>
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma given to
