05-03-2020
08:37 AM
I apologize if this is already answered. I'm having trouble figuring out how to even search for it.
I am trying to search through logs that have two fields: user and software version. I am trying to find a way to search through this data and return any user who has not upgraded their software, so I would like to be able to return a list of all users who have never matched software version x but have matched other versions. How would I search for that?
02-08-2017
09:03 AM
I can't believe that I missed that index=* line. Index updated and it works as expected. Thank you
02-07-2017
08:04 AM
I have recently installed the F5 Analytics app and it works well with one exception.
For some reason that I am unable to figure out, on the Dashboard, the non-responding hosts section lists every device that is monitored in Splunk (we also monitor Syslog from several hundred network devices).
Any idea how to fix this?
01-19-2017
12:48 PM
Looks like you are right, it looks like this isn't sflow at all. After capturing the traffic, opening it in wireshark and decoding it as Netflow, it loaded. And told me it was Cisco NetFlow/IPFIX version 9. Unfortunately now, when I change the input to Netflow, I'm getting these errors:
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 88
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 260
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 260 from source 0 . Dropping flow data set of size 68
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 776
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 88
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 604
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 261 from source 0 . Dropping flow data set of size 56
01-19-2017
11:57 AM
I am trying to get Splunk Stream working with Flows from an ASA v9.6(2). I finally have it mostly working but now I'm seeing the error:
ERROR [140349472376576] (NetflowManager/sflowDecoder.cpp:34) stream.NetflowReceiver - sFlowDecoder::generateEvents Decoding sFlow version 589829 is not supported yet.
I assume that this means that my version isn't supported. Does anybody know if there is a workaround for this? If not, is there a different app that might work?
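An added illustration (my own code, not from Splunk Stream or this thread) of both symptoms in this question and the follow-up reply: 589829 is 0x00090005, a NetFlow v9 header (version 9, record count 5) read as a 32-bit sFlow version, and v9 data FlowSets cannot be decoded until the exporter's template FlowSet has arrived. The packet bytes are constructed; the template uses Cisco field types 8 and 12 (IPv4 source and destination address).

```python
import struct

SFLOW_VERSIONS = (2, 4, 5)
NETFLOW_VERSIONS = (5, 9, 10)  # 10 is IPFIX

def classify(payload):
    """Identify a flow datagram from its first four bytes. sFlow begins with a
    32-bit version; NetFlow/IPFIX with a 16-bit version and a 16-bit record count.
    A NetFlow v9 header read as sFlow therefore yields 9 << 16 | count, and
    count=5 gives exactly the 589829 reported in the error above."""
    as_sflow = struct.unpack("!I", payload[:4])[0]
    version, count = struct.unpack("!HH", payload[:4])
    if as_sflow in SFLOW_VERSIONS:
        return {"protocol": "sflow", "version": as_sflow}
    if version in NETFLOW_VERSIONS:
        return {"protocol": "netflow", "version": version, "count": count,
                "misread_sflow_version": as_sflow}
    return {"protocol": "unknown"}

def walk_v9(payload, templates):
    """Walk the FlowSets of one NetFlow v9 packet, learning template ids into the
    `templates` set. A data FlowSet (id >= 256) is decodable only once a template
    FlowSet (id 0) defining that id was seen; until then a collector drops it."""
    result, off = [], 20  # fixed 20-byte v9 packet header
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4:
            break
        if fs_id == 0:  # template records: template_id, field_count, (type, length) pairs
            pos = off + 4
            while pos + 4 <= off + fs_len:
                tid, nfields = struct.unpack("!HH", payload[pos:pos + 4])
                templates.add(tid)
                pos += 4 + 4 * nfields
            result.append((fs_id, "template"))
        elif fs_id >= 256:
            result.append((fs_id, "data" if fs_id in templates else "undecodable"))
        else:
            result.append((fs_id, "options-template"))
        off += fs_len
    return result

# Constructed packets, not real captures: a v9 header (version 9, count 5, source
# id 0), a template FlowSet defining id 256 as (IPV4_SRC_ADDR, IPV4_DST_ADDR) and
# a 100-byte data FlowSet with id 256, the id and size in the dropped-flow errors.
V9_HEADER = struct.pack("!HHIIII", 9, 5, 123456, 1484840799, 1, 0)
TEMPLATE_256 = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
DATA_256 = struct.pack("!HH", 256, 100) + b"\x00" * 96
PACKET_NO_TEMPLATE = V9_HEADER + DATA_256
PACKET_WITH_TEMPLATE = V9_HEADER + TEMPLATE_256 + DATA_256
```

Because templates are only re-sent at the exporter's template refresh interval, a collector that starts (or is reconfigured) after the last refresh logs dropped data sets until the next template arrives.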
01-11-2017
08:37 AM
Out of curiosity, were you able to make any headway on a workaround for the panels not being index aware?
06-06-2016
01:33 PM
I tried changing it to:
index=logs earliest=1h@h | convert num(loss) as uptime| eval uptime=(100-uptime) | stats avg(uptime) as uptime
That seems to work
06-06-2016
01:23 PM
Thanks. This looks much better, except that loss is actually packet loss (0% loss is good). This search gives me 0% uptime when I should be getting 100%. Any suggestions on reversing it?
06-06-2016
12:46 PM
I have been asked to come up with a dashboard for my management team. I am trying to pull it from some Nagios performance stats. The data has an icmp poll against every network device on the network, every 5 minutes. The data looks like this:
June 4 00:00:00 host_name = switch1 loss=0%
June 4 00:00:00 host_name = switch2 loss=100%
June 4 00:05:00 host_name = switch1 loss=0%
June 4 00:05:00 host_name = switch2 loss=0%
I created the following search
| eval ping_up=if(loss!="100%", 100, 0)
| stats avg(ping_up) as uptime
| eval uptime=round(uptime, 2)
| eval uptime = uptime . "%"
First of all, this doesn't seem very efficient. Second of all, now they are asking for a monthly trend over the past 2 years as well as a real-time dashboard (ie current uptime is X%). I can't seem to find a way to do these without a huge hit to the system.
01-25-2016
09:00 AM
I apologize if this has been answered before. I couldn't find it anywhere.
I am trying to use the Nagios addon and app to create some reports for management. At the moment, I am working on Ping availability. The issue that I have is that we would like to only include a specific group of devices in these reports.
Is there a way to add a field or tag to this data so that:
if hostname = (device1 or device 2 or device 2) set TAG=LOCATION1
if hostname = (device3 or device4) set TAG = LOCATION2
else set TAG = OTHER
01-11-2016
07:09 AM
So I just did this and it does seem to work. As you said, a bunch of the panels don't seem to reflect the change but "Diagnostic Messages" only lists the messages from the index in question.
01-08-2016
09:22 PM
Thanks for looking into it. Do you think that this is something that I could correct temporarily for now?
01-08-2016
05:58 AM
Thanks. I tried this but I came up to a bit of a roadblock. I copied the etc/apps/cisco_ios folder to etc/apps/network1_cisco_ios and fixed the permissions but I was unable to find the eventtypes file in this folder. I did locate this in:
etc/apps/TA-cisco-ios - There is a search string here but I'm not sure how to tie it to a different app. Would I need to make a copy of this as well and try to tie it to the new app?
etc/users/admin - this file is blank. There is no eventtype.conf file in the folder of any other user
01-07-2016
11:43 AM
We are trying to separate different groups of Cisco devices into separate indexes. These indexes will all be managed by the same groups of people so I don't believe that role based authentication will work in this case.
What I would like to do is duplicate the Cisco_Networks app and the Cisco_Security_Suite app and have each copy read from a different index ie:
Cisco_Networks_Network 1 uses index=network1
Cisco_Networks_Network 2 uses index=network2
All administrators should be able to pull up either app to see the status of devices in each network.
Unfortunately, I have no idea how to go about this (or if there is a better way). The purpose is simply to be able to differentiate between different networks.
04-16-2015
08:04 AM
After going through all the different posts about Infoblox, DHCP, I thought that I had it, but I can't seem to get it to work properly. I installed the posix DHCP tool and updated all the Regex statements to deal with the Infoblox syslog changes. The regex should be working but while I can see all my events show up as dhcpd_events, when I search for any fields (ie dhcp_message), I get nothing.
I'm kind of new to Splunk so I'm sure that I'm missing something. Hopefully somebody can point me in the right direction.
Some examples of the Syslogs that I am getting:
Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPINFORM from 10.10.237.42 via 10.10.236.3
Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPACK to 10.10.237.42 (f8:bc:12:d5:0e:19) via eth1
Apr 16 02:55:26 10.1.140.216 dhcpd[15805]: DHCPREQUEST for 10.11.23.114 from 00:1e:4a:92:02:30 (SEP001E4A920230) via 10.11.22.1 uid 01:00:1e:4a:92:02:30 (RENEW)
Transforms.conf (backslashes were stripped by the forum; they are restored here):
[dhcpinform]
REGEX=\s(dhcpd)\[[0-9]+\]:\s(DHCPINFORM)\sfrom\s(\S+)\svia\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 dest_int::$4
[dhcpack_type2]
REGEX=\s(dhcpd)\[[0-9]+\]:\s(DHCPACK)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 dest_int::$5
[dhcprequest]
REGEX=\s(dhcpd)\[[0-9]+\]:\s(DHCPREQUEST)\sfor\s(\S+)\s(?:\(([^\)]+)\)\s)?from\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_nat_ip::$4 src_mac::$5 src_host::$6 dest_int::$7
- Tags:
- infoblox
- Linux DHCP
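An added check (my own code, not part of the post or of the Nagios/DHCP add-on) that runs the three transforms.conf stanzas above, with their backslashes restored, against the three syslog lines quoted in the post, emulating Splunk's REGEX/FORMAT field mapping so the regexes can be validated offline.

```python
import re

# The three transforms.conf stanzas quoted in the post, with the backslashes the
# forum stripped restored (the post used a single quote in their place).
STANZAS = {
    "dhcpinform": (
        r"\s(dhcpd)\[[0-9]+\]:\s(DHCPINFORM)\sfrom\s(\S+)\svia\s(\S+)",
        "process::$1 dhcp_message::$2 src_ip::$3 dest_int::$4"),
    "dhcpack_type2": (
        r"\s(dhcpd)\[[0-9]+\]:\s(DHCPACK)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)",
        "process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 dest_int::$5"),
    "dhcprequest": (
        r"\s(dhcpd)\[[0-9]+\]:\s(DHCPREQUEST)\sfor\s(\S+)\s(?:\(([^\)]+)\)\s)?from\s(\S+)"
        r"\s(?:\(([^\)]+)\)\s)?via\s(\S+)",
        "process::$1 dhcp_message::$2 src_ip::$3 src_nat_ip::$4 src_mac::$5 "
        "src_host::$6 dest_int::$7"),
}

# The three syslog lines quoted in the post.
SAMPLE_EVENTS = [
    "Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPINFORM from 10.10.237.42 via 10.10.236.3",
    "Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPACK to 10.10.237.42 (f8:bc:12:d5:0e:19) via eth1",
    "Apr 16 02:55:26 10.1.140.216 dhcpd[15805]: DHCPREQUEST for 10.11.23.114 from 00:1e:4a:92:02:30 "
    "(SEP001E4A920230) via 10.11.22.1 uid 01:00:1e:4a:92:02:30 (RENEW)",
]

def apply_transform(regex, fmt, event):
    """Emulate one REGEX/FORMAT pair: {field: value} on a match, else None.
    A capture group that did not participate (an absent "(...)" part) yields
    no field, which is how the optional src_nat_ip stays absent."""
    m = re.search(regex, event)
    if not m:
        return None
    fields = {}
    for token in fmt.split():
        name, ref = token.split("::")
        value = m.group(int(ref[1:]))  # "$4" -> capture group 4
        if value is not None:
            fields[name] = value
    return fields

def extract(event):
    """Return (stanza_name, fields) for the first stanza that matches the event."""
    for name, (regex, fmt) in STANZAS.items():
        fields = apply_transform(regex, fmt, event)
        if fields:
            return name, fields
    return None, {}
```

All three sample lines match here, so if the fields still come back empty in Splunk the wiring rather than the regex is the first thing to check: a transforms.conf stanza only runs at search time when a props.conf REPORT- setting for the sourcetype names it.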