Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jroedel
jroedel
Path Finder
Member since:
10-31-2019
10-11-2024
Community Statistics
| Posts | 14 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 10-31-2019 |
Activity Feed
- Karma Re: How to deal with Logon/Logoff scatterd over multiple events for PickleRick. 10-11-2024 03:42 AM
- Karma Re: How to deal with Logon/Logoff scatterd over multiple events for PickleRick. 10-11-2024 03:42 AM
- Posted Re: How to deal with Logon/Logoff scatterd over multiple events on Splunk Search. 10-11-2024 02:33 AM
- Posted Re: How to deal with Logon/Logoff scatterd over multiple events on Splunk Search. 10-10-2024 06:11 AM
- Posted Re: How to deal with Logon/Logoff scatterd over multiple events on Splunk Search. 10-10-2024 06:00 AM
- Posted How to deal with Logon/Logoff scatterd over multiple events on Splunk Search. 10-10-2024 04:48 AM
- Tagged How to deal with Logon/Logoff scatterd over multiple events on Splunk Search. 10-10-2024 04:48 AM
- Tagged How to deal with Logon/Logoff scatterd over multiple events on Splunk Search. 10-10-2024 04:48 AM
- Got Karma for Re: Parsing Multi Line Timestamp. 10-01-2024 12:46 PM
- Posted Re: Parsing Multi Line Timestamp on Getting Data In. 10-01-2024 06:43 AM
- Posted Re: Parsing Multi Line Timestamp on Getting Data In. 10-01-2024 02:54 AM
- Posted Re: Parsing Multi Line Timestamp on Getting Data In. 10-01-2024 02:47 AM
- Posted Parsing Multi Line Timestamp on Getting Data In. 10-01-2024 02:38 AM
- Posted SPL: Longest common substring on Splunk Search. 02-23-2024 06:59 AM
- Tagged SPL: Longest common substring on Splunk Search. 02-23-2024 06:59 AM
- Tagged SPL: Longest common substring on Splunk Search. 02-23-2024 06:59 AM
- Got Karma for Re: Reimporting Event Data / Fixing Data Holes. 06-05-2020 12:50 AM
- Posted Re: Reimporting Event Data / Fixing Data Holes on Getting Data In. 11-26-2019 12:02 AM
- Posted Re: Reimporting Event Data / Fixing Data Holes on Getting Data In. 11-25-2019 11:51 PM
- Posted Re: Reimporting Event Data / Fixing Data Holes on Getting Data In. 11-25-2019 05:27 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-11-2024
02:33 AM
Thanks for clearifying, @PickleRick . So what would be the best practice for creating such synthetic events? A scheduled search every 5 (or so) Minutes? If yes, how to deal with: - SH-Downtimes - logins where only one of both needed events for a successful login is in the search time range, and the other is in the search time range of the previous run of the scheduled search
... View more
10-10-2024
06:11 AM
Lets for now focus on a *successful* login. As shown in my initial post, there are multiple events for the same successfull login. One does carry the username, the other carries the source ip. On which one should I set the event type and tag? And how do I enrich that event with the field from the other one?
... View more
10-10-2024
06:00 AM
Maybe I just do not see it: How would I apply an event type for a successfull login event, that is scattered over multiple log entries? My requirement is, to achieve cim-comliance with this data source.
... View more
10-10-2024
04:48 AM
I have onboarded data from a system, that scatters actual events over many logging events. Especially successful or failed logins cause me some headache. Successful login: <timestamp> Connection 'id123' from '192.168.1.100' has logged onto the server
<timestamp> User 'johndoe' logged on (Connection id='id123')
[ Time passes until John eventually decides to logoff again]
<timestamp> Connection 'id123' from has logged off the server Failed login: <timestamp> Connection 'id123' from '192.168.1.100' has logged onto the server
<timestamp> Connection 'id123' from has logged off the server Of course, I can fiddle around with transaction or even stats or whatever to list successful and failed logins or create an alert for it. However that is absolutely not elegant. What is best practice, to get those data nicely streamlined with eventtypes and tags?
... View more
- Tags:
- eventtypes
- tagging
10-01-2024
06:43 AM
1 Karma
Finally after a lot of testing I found a solution via transforms.conf [timestamp-fix]
INGEST_EVAL= _time=json_extract(_raw,"instant.epochSecond").".".json_extract(_raw,"instant.nanoOfSecond") Furthermore, it turned out that regex is not allowed in TIME_FORMAT field in props.conf.
... View more
10-01-2024
02:54 AM
Thanks for your second attempt. I tried, but still no luck. Might there be the possibility, that the "Add Data" WebUI Wizard does not support this correctly?
... View more
10-01-2024
02:38 AM
I have to parse the timestamp of JSON logs and I would like to include subsecond precision. My JSON-Events start like this: {
"instant" : {
"epochSecond" : 1727189281,
"nanoOfSecond" : 202684061
},
... Thus I tried as config in props.conf: TIME_FORMAT=%s,\n "nanoOfSecond" : %9N
TIME_PREFIX="epochSecond" :\s
MAX_TIMESTAMP_LOOKAHEAD=500 That did unfortunately not work. What is the right way to parse this time stamp with subsecond precision?
... View more
Labels
- Labels:
-
JSON
-
props.conf
-
time
02-23-2024
06:59 AM
Hello everyone, I am looking for a SPL-solution to determine how long the longest common substring of two strings is. Is there any built-in way to do that? Or is there any app that provides me with some command for that? Thanks in Advance!
... View more
- Tags:
- spl
- string comparison
Labels
- Labels:
-
eval
11-26-2019
12:02 AM
1 Karma
I found a solution myself in the meantime. In particular for step three and four:
3) export as json file
4.1) let the json-file run through my python-script (see below) ./script.py > /tmp/missingdata.txt
4.2) one-shot the outputs of this to the index ./splunk add oneshot /tmp/missingdata.txt -index foo -sourcetype logimport
my python3 script:
#!/usr/bin/python3
import json
fp=open('./export.json', 'r')
line = fp.readline()
while line:
parsedline=json.loads(line)
print(parsedline["result"]["_raw"])
print("HOST = "+parsedline["result"]["host"])
print("SOURCE = "+parsedline["result"]["source"])
print("SOURCETYPE = "+parsedline["result"]["sourcetype"])
print("###")
line=fp.readline()
fp.close()
props.conf:
[logimport]
LINE_BREAKER=(###\n)
TRANSFORMS = importsource, importsourcetype, importhost, importraw
transforms.conf:
[importhost]
REGEX =\nHOST = (.*)
FORMAT= host::$1
DEST_KEY = MetaData:Host
WRITE_META = true
[importsource]
REGEX=\nSOURCE = (.*)
FORMAT= source::$1
DEST_KEY = MetaData:Source
[importsourcetype]
REGEX=\nSOURCETYPE = (.*)
FORMAT= sourcetype::$1
DEST_KEY = MetaData:Sourcetype
[importraw]
REGEX=^(.*)\nHOST
DEST_KEY = _raw
FORMAT = $1
... View more
11-25-2019
11:51 PM
With this solution I would have to repeat the procedure manually for every sourcetype. Furthermore the HF only just forwards most of data, which are coming from UFs on which I have no shell-access.
Thus I am sorry, this solution does not work for me.
... View more
11-25-2019
05:27 AM
There is a mistake in the SPL-query. It should be eventstats count by _raw .
... View more
11-25-2019
05:25 AM
Because of network problems between my HFs and my indexing tier I have some "holes" in my data. With holes I mean missing data. These Holes need to be fixed. My Idea for this goes as follows:
reindex all logs (and rotated logs) within the timerange, but to a new index
search for index=newindex OR index=originalindex | eventstats count by raw | where count=1 | eval count=null
exporting these events in a file
reimporting these events into the original index
Generally this seems to work, but there is still one problem: My data comes from my different sources with many different source types. How can I export data with source and sourcetype and keep those fields when reimporting? I am also open to better solutions to my general problem.
Thanks in advance.
... View more
10-31-2019
09:01 AM
I am about to set up Splunk in a PCI environment. Therefore I need to know for every event where it comes from. Many inputs seem to be a little difficult from this perspective. For now i just want to deal with cisco ACI.
I have the Cisco ACI app on a heavy forwarder which collects all events and forwards the events to my indexer cluster. All events are there, but every event has the HF as host and the collector script path as source.
That makes it quite hard to compile a list of all hosts, from which i have logs in splunk. I would like to have the origin of the event (not the ACI controller, but the real origin) in the host field.
Is there a way to get the right host into the host field? Or is there any other best practice?
Thanks in advance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-11-2024
05:54 AM
|
