Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ferdbiffle
ferdbiffle
Explorer
Member since:
01-30-2017
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 01-30-2017 |
Activity Feed
- Got Karma for Re: No results on first run of Search - correct results on second run. 06-05-2020 12:48 AM
- Posted Re: DBConnect 3 - Need to use multiple columns to distinguish Rising Column filter on All Apps and Add-ons. 05-03-2019 06:58 AM
- Posted DBConnect 3 - Need to use multiple columns to distinguish Rising Column filter on All Apps and Add-ons. 05-02-2019 01:19 PM
- Tagged DBConnect 3 - Need to use multiple columns to distinguish Rising Column filter on All Apps and Add-ons. 05-02-2019 01:19 PM
- Tagged DBConnect 3 - Need to use multiple columns to distinguish Rising Column filter on All Apps and Add-ons. 05-02-2019 01:19 PM
- Posted Re: Permission Trouble with using Scheduled Export of Indexed Data (SEND) to File on Splunk Enterprise. 04-23-2018 01:18 PM
- Posted Permission Trouble with using Scheduled Export of Indexed Data (SEND) to File on Splunk Enterprise. 03-30-2018 09:05 AM
- Tagged Permission Trouble with using Scheduled Export of Indexed Data (SEND) to File on Splunk Enterprise. 03-30-2018 09:05 AM
- Posted Re: No results on first run of Search - correct results on second run on Splunk Search. 06-06-2017 01:30 PM
- Posted Re: No results on first run of Search - correct results on second run on Splunk Search. 06-06-2017 12:32 PM
- Posted Re: No results on first run of Search - correct results on second run on Splunk Search. 06-06-2017 11:45 AM
- Posted No results on first run of Search - correct results on second run on Splunk Search. 06-06-2017 11:01 AM
- Tagged No results on first run of Search - correct results on second run on Splunk Search. 06-06-2017 11:01 AM
- Tagged No results on first run of Search - correct results on second run on Splunk Search. 06-06-2017 11:01 AM
- Posted Re: How to extract name/value pair from XML datasource? on Splunk Search. 02-01-2017 08:14 AM
- Posted Re: How to extract name/value pair from XML datasource? on Splunk Search. 01-30-2017 03:30 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-03-2019
06:58 AM
Thanks for your reply grittonc 🙂
In each case, the inputs that need to be filtered are single table/view database sources. Therefore, we need a "blended" rising column (with multiple column values) that can look for changes in daily batch records vs. existing records on previously indexed data in Splunk.
Does that make sense?
... View more
05-02-2019
01:19 PM
We would like to use Splunk and DBConnect to archive unique records for several datasets. Each of these datasets are produced on a daily basis through batch processing. Over 95% of the records each day have not changed or are not new records. We would like to collect and index only those changed and new records from each daily run.
Has anyone created an effective, working method to do this type of filtering?
... View more
04-23-2018
01:18 PM
We solved this issue by creating a CIFS mount to the Windows Share. We mount this at Splunk startup and utilize an AD service account/password to authenticate for the connection. All subsequent "send_file" actions write to the share flawlessly!
... View more
03-30-2018
09:05 AM
I'm trying to use the Scheduled Export of Indexed Data (SEND) to File modular alert to send a file to a specified folder on a Windows share. We are running Splunk on CentOS 7 running on the same V-Lan as the target domain of the share.
In the config for the modular alert:
Output Directory //hostname/sharename
Output Filename TestSchedExport.csv
When the alert runs I get the following results:
WARN sendmodalert - action=sendfile - Alert action script returned error code=2
INFO sendmodalert - action=sendfile - Alert action script completed in duration=45 ms with exit code=2
FATAL sendmodalert - action=sendfile STDERR - Failed trying to send file
ERROR sendmodalert - action=sendfile STDERR - [Errno 2] No such file or directory: u'/hostname/sharename/TestSchedExport1.csv'
My inkling is that I need to somehow modify the Python script that runs the modular alert to include authentication, but I am not Python conversant so I'm not sure where to start... Any takers out there?
Thanks,
Eric
... View more
- Tags:
- splunk-enterprise
06-06-2017
01:30 PM
1 Karma
Turns out the issue was the assigned "Owner" of the saved search. For this search the Owner was set to "Nobody".
When the search is run for the first time in either the Visualization or the Search window, Splunk uses the "Splunk_System_User" in the "dispatchRunner - search context" if the owner is not set to Admin. Then when the search is initiated in the Search window, it uses the current User account (Admin in this case) for the search context.
We navigated to the /opt/splunk/etc/apps/CIS Top 20 Critical Controls/metadata/local.meta file and changed the owner for this search to Admin.
Bingo! It works as expected now 🙂
... View more
06-06-2017
12:32 PM
We examined the search.log files for differences between failed first run and successful second run... No apparent errors or glaring differences 😞
... View more
06-06-2017
11:45 AM
Search size doesn't appear to be the issue... It's looking for the last 60 minutes against a sourcetype with only 264K events. No errors in the "Inspect Job" panel after first run - just "did not return any data".
One other clue... the Search completes with results only if run in the edit Search window accessed through the visualization Search icon. If I try to Refresh the visualization, the search does not return results.
... View more
06-06-2017
11:01 AM
I have been modifying searches to accommodate Windows data in the CIS Top 20 Critical Controls app. The following search does not return results when invoked by the visualization on the Dashboard or on the first run when opening the Search window. If I run it again in the Search window, it runs and delivers the correct result.
Control #1 - Inventory of Unauthorized Devices - Count
tag=dhcp signature=DHCPREQUEST OR signature="A lease was renewed by a client"
| lookup approved_device_inventory clientip AS dest_ip
| eval approval_status = if(is_approved==1,"1","0")
| where approval_status = 0
| dedup dest_ip
| stats count by dest_ip
| stats sum(count)
| rename sum(count) AS Unauthorized_Devices
The Search works fine and populates the visualization on the installation I created on a Sandbox instance. The only difference on my Prod install is that I have added the OR clause: OR signature="A lease was renewed by a client"
Has anyone else encountered this "second run works" issue?
... View more
- Tags:
- cis
- splunk-enterprise
02-01-2017
08:14 AM
Update:
The props/transforms method allowed us to successfully extract KV pairs for all fields that are not Null. And for our use case that works just fine! 🙂
Thanks so much Matthew and Rich for your help in tackling this sticky issue!
Eric
... View more
01-30-2017
03:30 PM
Hello!
I applied the modified REGEX into an inline search. The search successfully gives us a list of the desired field names under the "KEY_" field, and the desired values in a list under the "VAL_" field. Unfortunately not as individual key-val pairs. But getting much closer 🙂
I will give the Props/Transforms route a try next and post the results.
Thanks!
... View more
