Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About masonmorales
masonmorales
Influencer
Member since:
10-11-2013
05-09-2024
Community Statistics
| Posts | 556 |
| Solutions | 161 |
| Karma Given | 307 |
| Karma Received | 288 |
| Member Since | 10-11-2013 |
Activity Feed
- Got Karma for Re: Can I delete all data from a KV store at once?. 10-16-2024 08:54 PM
- Got Karma for Re: What is the TZ for America Central?. 04-23-2024 01:51 PM
- Got Karma for How can I get a list of all saved searches from all apps using the REST command?. 08-16-2023 01:28 AM
- Got Karma for Re: Help understanding the commands - Search vs Where after first pipe. 01-10-2023 08:48 AM
- Got Karma for Re: How do I permanently disable the deployment server?. 07-27-2022 12:25 AM
- Got Karma for Re: How can I tell if a heavy forwarder or universal forwarder was installed on a box?. 04-25-2022 01:40 PM
- Got Karma for Re: How to generate storage and license usage reporting in a distributed Splunk deployment?. 12-08-2021 08:29 PM
- Got Karma for Re: How to generate storage and license usage reporting in a distributed Splunk deployment?. 08-20-2021 01:29 AM
- Got Karma for Re: Firewall Rules: How are connections made when using a Heavy Forwarder?. 06-22-2021 09:23 PM
- Got Karma for Re: I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up?. 06-04-2021 03:55 PM
- Got Karma for Re: Can I delete all data from a KV store at once?. 05-29-2021 06:46 AM
- Posted Re: bash script , automating splunkforwarder installation. on Splunk Enterprise. 03-08-2021 10:22 AM
- Posted Re: Searchheads can not pull apps from Deployer on ansible env, error 401 on Splunk Enterprise. 03-08-2021 10:14 AM
- Got Karma for Re: What are these Interesting Fields returned from the search "index=os sourcetype=iostats"?. 02-19-2021 01:26 PM
- Got Karma for Re: Deployment with Ansible. 02-08-2021 10:43 AM
- Posted Re: Deployment with Ansible on Deployment Architecture. 02-05-2021 04:15 PM
- Posted Re: Deployment with Ansible on Deployment Architecture. 02-05-2021 04:11 PM
- Got Karma for Re: How to add the date to a report. 01-27-2021 06:47 AM
- Got Karma for Re: How to set up a scheduled search every 5 minutes and trigger an alert if a stats average on response time is greater than 30 seconds?. 10-19-2020 12:33 AM
- Karma Re: Splunk generic warning dialog box for thambisetty. 09-10-2020 12:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 4 | |||
| 5 | |||
| 0 | |||
| 8 | |||
| 1 | |||
| 1 | |||
| 0 |
03-08-2021
10:22 AM
See also: Splunk's official Ansible role for VMs and bare metal
... View more
03-08-2021
10:14 AM
If you're trying to manage apps on a SHC that is either bare metal, or running on VMs, take a look at: https://github.com/splunk/ansible-role-for-splunk If you're trying to do it in Docker, I'd recommend filing an issue on the splunk-ansible GitHub project at: https://github.com/splunk/splunk-ansible/issues
... View more
02-05-2021
04:15 PM
1 Karma
The name of the splunk-ansible project is a bit of misnomer. You are correct in that it was built solely for the purpose of deploying Splunk inside of Docker containers. ansible-role-for-splunk was built for managing non-Docker Splunk hosts. It also integrates with git for managing all of the apps, TAs, and configurations throughout your deployment and environments.
... View more
02-05-2021
04:11 PM
Hi @callemang I am one of the maintainers of ansible-role-for-splunk. If there is functionality that you'd like to see that is currently missing, please submit an enhancement request on our project's GitHub issue tracker.
... View more
09-10-2020
12:31 AM
Assuming they're already extracted, you can add | fieldsummary to your search.
... View more
05-27-2020
09:32 PM
Yes, it will work for Splunk 7 and Splunk 8. The configuration has not changed.
... View more
05-11-2020
12:21 PM
1 Karma
If you don't need TCP/8089 open on your forwarders and you're blocking it anyway, you can just disable it. Here's a TA you can deploy to your forwarders to do so: https://splunkbase.splunk.com/app/3246/
... View more
05-01-2020
03:29 PM
It sounds like you only have one column in your lookup file. Add a second column to it, call it something like "lookup_match" and set the value to "1" for every row. Then, adjust your query like this:
index=gcp_firewall
| rename data.jsonPayload.rule_details.reference as FW
| search FW = "network:prod*"
| rex field=FW "network:prod-a/firewall:(?.*)"
| rex field=FW "network:prod-b/firewall:(?.*)"
| rex field=FW "network:prod-c/firewall:(?.*)"
| rex field=FW "network:prod-d/firewall:(?.*)"
| rex field=FW "network:prod-e/firewall:(?.*)"
| lookup firewall-exception-prod.csv firewall_rule as fw OUTPUT lookup_match
| search NOT lookup_match=*
| dedup fw
| table fw
... View more
05-01-2020
03:14 PM
1 Karma
Change disabled=1 to disabled=0 , restart splunk. Then, change your curl command to port 8088 not 8089 and try again.
... View more
05-01-2020
03:08 PM
1 Karma
I tested your query and it correctly limits the results to 1 host for me. If you look at job inspector, does the query look correct? I'm thinking maybe there is a search filter on your role that is getting applied and skewing the results.
... View more
02-28-2020
10:24 AM
Why not just do a | table fields _time log ?
If you look at the raw events in search and expand a single event using the ">" under the "i" column (next to Time), do you see duplicate values for each of the fields? If so, that's a different problem, usually caused by both INDEXED_FIELDS = json enabled on the HF/indexer as well as KV_MODE = json being configured on the search head, which results in duplicate values in the JSON field extractions.
... View more
02-26-2020
06:03 PM
Take a look at https://answers.splunk.com/answers/342128/why-does-resultfieldname-token-not-work-in-alert-e.html
... View more
02-26-2020
05:44 PM
As you're a Splunker, I'd encourage you to search our internal Confluence. You'll find several examples in there.
... View more
02-26-2020
05:40 PM
Splunk has historically used term licenses that have a fixed daily max data volume. So, let's say that you buy a 1-year Splunk license that lets you index 15 GB/day for $1,000 (I'm making this number up to explain this - please contact sales for actual pricing)...
You can index up to 15 GB/day, every day, for the term of the license (1 year in this example). If you index 5 GB one day and 10 GB the next day, the cost of your license remains the same. You are buying the license based on the maximum amount of data that you plan to bring into Splunk every day for the term of the license.
So, in this scenario, let's say you have a very steady data stream and you send 15 GB of data into Splunk every day for 365 days. Your cost to do that was $1,000 for the entire year, and you ingested 15 GB x 365 days = 5475 GB of data for that $1,000. If you want monthly cost, divide the $1000 you paid for the year by 12 = $83.33/month.
If you exceed the 15 GB/day cap in any 24 hour period, you will get a license warning. If you get multiple license warnings, you end up with a license violation which prevents you from executing searches. You then have to contact Support and ask them for a reset key to clear the violation. If you violate the license multiple times throughout the year, your sales rep will tell you that you need to buy a bigger license. So, it's important to buy a license with enough daily capacity for the amount of data you plan to ingest. Any Splunk Sales rep can help you with this, but that's essentially how licensing has worked in the past.
All that said, we have new licensing models available that do not have a daily data ingestion cap. I'd encourage you to visit https://www.splunk.com/en_us/software/pricing.html for more information or contact Splunk sales to get a few quotes for your environment.
... View more
02-26-2020
05:26 PM
Read up on https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/Configureatime-boundedlookup
... View more
02-26-2020
05:24 PM
Yes. Pros: Less infrastructure. Cons: If the host goes down, you lose both. 🙂
... View more
02-26-2020
05:23 PM
What are you interested in doing with the data once you have the two events correlated with both the username and sessionid together?
... View more
02-26-2020
05:14 PM
This is not something natively supported on the UF. You could look at OS-specific tools for controlling process resource utilization [of the UF/splunkd], but realize that it could have a negative impact on UF performance.
... View more
02-26-2020
05:12 PM
Have you configured the new forwarders on the domain controllers with outputs.conf? Or, if you're using a Deployment Server, did you configure the forwarders to connect to it? (It can get outputs that way, assuming you're using a DS and it has an outputs app)
... View more
02-26-2020
05:04 PM
Is the data already cooked when it hits the indexer? / What's forwarding the data to the indexer?
... View more
02-26-2020
05:01 PM
I think you'd want to do something like this instead:
(index=x 2202) OR (index=y 2203)
| spath "EventStreamData.requestContext.id"
| spath "EventStreamData.httpStatus"
| rename EventStreamData.httpStatus as "STATUS"
| rename EventStreamData.requestContext.id as "transaction_number"
| spath "EventStreamData.requestContext.allRequestHeaders.client{}"
| search "EventStreamData.requestContext.allRequestHeaders.client{}"=77777
| spath "EventStreamData.response.transactionNumber"
| rename EventStreamData.response.transactionNumber as "transaction_number"
| stats count AS "COUNT" values(STATUS) as STATUS by transaction_number
| eval STATUS_MESSAGE= case(((STATUS==200) OR (STATUS==201)), "Success", ((STATUS==500) OR (STATUS==502) OR (STATUS==504) OR (STATUS==404)), "Server Error",((STATUS==400) OR (STATUS==401) OR (STATUS==403) OR (STATUS==409)), "Client Error")
| table STATUS_MESSAGE, STATUS, COUNT
| addcoltotals COUNT
Kind of hard to tell without sample data from both indexes though.
... View more
02-26-2020
04:59 PM
Also, if you'd like to vote on a new feature to disable data compression, visit: https://ideas.splunk.com/ideas/EID-I-67
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-09-2024
05:13 AM
|
Karma given to
