Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About neusse
neusse
Path Finder
Member since:
03-01-2011
09-15-2020
Community Statistics
| Posts | 21 |
| Solutions | 2 |
| Karma Given | 7 |
| Karma Received | 13 |
| Member Since | 03-01-2011 |
Activity Feed
- Got Karma for Re: Transforms REGEX will not search past first line of multi line event. What gives?. 07-25-2022 01:32 AM
- Karma What happened to Answers? The change is for the worse for mrunals. 06-16-2020 10:53 AM
- Posted Re: Why would the SPL run in the Search App give different results than the same SPL run in a d/b panel? on Dashboards & Visualizations. 06-16-2020 10:50 AM
- Tagged Re: Why would the SPL run in the Search App give different results than the same SPL run in a d/b panel? on Dashboards & Visualizations. 06-16-2020 10:50 AM
- Karma Re: How do we define collections.conf in SplunkCloud? for morethanyell. 06-05-2020 12:50 AM
- Karma Re: Why is the monit process sometimes restarting for awyszkowski. 06-05-2020 12:48 AM
- Karma Re: How to run multiple universal forwarders on a single Linux host? for mattymo. 06-05-2020 12:48 AM
- Got Karma for Service not available error.. 06-05-2020 12:48 AM
- Got Karma for Re: Service not available error.. 06-05-2020 12:48 AM
- Got Karma for Re: How can I backup and maintain a version of dashboard XML files before updating anything in production?. 06-05-2020 12:47 AM
- Karma Re: Splunk DB Connect - dbquery inline search and time filtering not working for brunton2. 06-05-2020 12:46 AM
- Karma Re: Can I add python modules to the Splunk environment? for igor. 06-05-2020 12:45 AM
- Karma Re: Can I add python modules to the Splunk environment? for asifhj. 06-05-2020 12:45 AM
- Got Karma for Re: Yet another filtering problem. Many transforms in transforms.conf not filtering. 06-05-2020 12:45 AM
- Got Karma for Re: Yet another filtering problem. Many transforms in transforms.conf not filtering. 06-05-2020 12:45 AM
- Got Karma for Transforms REGEX will not search past first line of multi line event. What gives?. 06-05-2020 12:45 AM
- Got Karma for Transforms REGEX will not search past first line of multi line event. What gives?. 06-05-2020 12:45 AM
- Got Karma for Re: Transforms REGEX will not search past first line of multi line event. What gives?. 06-05-2020 12:45 AM
- Got Karma for Re: Transforms REGEX will not search past first line of multi line event. What gives?. 06-05-2020 12:45 AM
- Got Karma for Re: Transforms REGEX will not search past first line of multi line event. What gives?. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 2 | |||
| 0 |
06-16-2020
10:50 AM
It looks like you are doing an all time search. If the data is coming in at a good rate then they would not have the same results. it would be impossible for them to see the same exact data. If you change the search to look for a particular hour of data and the two searches use that same hour then it should match. You would not match if you searched relative for the last few hours as well. If the start and end are the same then the results should be the same.
... View more
05-06-2020
01:01 PM
I downvoted this post because this is not helpful or insightful.
... View more
05-06-2020
01:00 PM
1 Karma
Related to the question and I think a proper answer. I have played around with and think this is a very good tool. It can be run as a one shot as well as being run to keep real version control without having to edit in GIT.
It is called "Versioncontrol for Splunk" and can be found on Splunkbase. https://splunkbase.splunk.com/app/4355/
It is possible to write an exporter that uses the REST API to do an export of any of the Splunk knowledge objects. I have done this myself and something like that would be the simplest.
Here is curl example that will export a the dashboard from a given app. The output can be used to inport the dashboard back if needed and would be similar to what "versioncontrol for Spunk" does.
curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard
There is another API call to get a list of all the dashboards in an app. Also if you omit the dashboard name in the API you will get all the dashboards in one output file.
A good toll to play with these endpoints is "insomnia", it is free and is feature rich.
Also here is a link to the docs. https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTUM/RESTusing
The REST API can do just about anything in splunk and this is how splunk itself does most things.
I hope this helps people get going with exporting knowledge objects from splunk.
... View more
06-10-2019
07:41 AM
I downvoted this post because this statement of non compatibility of time is inaccurate.
... View more
06-10-2019
07:40 AM
My answer below actually fixes this issue between SQL and Splunk and allow for the fixed timepicker values to be passed into a SQL query and return correct results.
... View more
08-28-2017
04:14 PM
I don't agree that there are two types of time ranges from the time picker. Everything derives down to earliest and latest. It is really very simple. I have setup a macro that actually manages this. This allows the time picker to be transparent for the user. It only requires a small statement in the SQL like between.
makeresults
|addinfo
| eval info_max_time=if( info_max_time="+Infinity",now(),info_max_time)
| eval olate = strftime( info_max_time, "%Y-%m-%d %H:%M:%S.%3N" )
| eval oearl = strftime( info_min_time, "%Y-%m-%d %H:%M:%S.%3N" )
| map search="dbxquery yada yada \"select \"$X$\" from $table$ where $checkvar$ between to_timestamp('$oearl$', 'YYYY-MM-DD hh24:mi:ss.ff') and to_timestamp('$olate$', 'YYYY-MM-DD hh24:mi:ss.ff') \""
| eval _time=$checkvar$
This is the jist of what goes in the macro for Oracle. The date conversions would be different for other SQL. It works very well and is transparent.
Regards,
... View more
10-28-2016
04:47 PM
Is there a way to detect gaps in the middle like the chart shows above? So the red is two time spans. I can think of a way to detect that. If the data is always overlapping this works. But my data is not always overlapping.
Thanks,
... View more
10-28-2016
01:44 PM
I need to roll up several events with overlapping start and stop times. I need the total time of the events without doing a sum of the elapsed time for each event.
Each event in the series has a start time and an end time. The times may or may not overlap. The results need to be one or more time spans that equal the earliest and latest for each consecutive amount of time.
The green are the event time spans and the red is the needed result time. I am at a loss as to how to approach this.
Thanks.
... View more
07-25-2016
12:56 PM
1 Karma
It turns out that the Error is generated by the browser. Once debugging in the browser we can see that it is trying to access the KV Store.
After checking the KV Store was found to not be running. It was a file permissions error induced by someone applying global permissions.
Once the KV Store was brought up the App started working as advertised.
... View more
07-21-2016
11:20 AM
This is just in the sample app the is installed with Dashboard Assistant. When clicking the sample dashboard you get the error and nothing from Dashboard Assistant. Just the normal Simple XML. No additions as would be expected from the screen shots on the app download page.
I have not found this error in any of the logs. And there is no indication where to look. The js files are available in the app.
Are there any prerequisites that I am not aware of?
... View more
07-21-2016
10:11 AM
This is just in the sample app the is installed with Dashboard Assistant. When clicking the sample dashboard you get the error and nothing from Dashboard Assistant. Just the normal Simple XML. No additions as would be expected from the screen shots on the app download page.
I have not found this error in any of the logs. And there is no indication where to look. The js files are available in the app.
Are there any prerequisites that I am not aware of?
... View more
07-21-2016
08:25 AM
1 Karma
I am getting an unknown error service not available error. Nothing seems to function and I cannot find any errors in the logs. Is anyone else having this issue? It looks like a great enhancement that would solve many requests from users.
Thanks
... View more
03-08-2011
01:00 AM
2 Karma
Yes there is a solution. I found nothing anywhere describing this in splunk.com.
My issue of not being able to search into the event deep enough at index time was solved by using the simple command LOOKAHEAD in transforms.conf. Turns out splunk does not look far ahead related to REGEX at all when indexing. It seems to only be looking for the end ofthe transaction as a priority.
Here are my working props.conf and transforms.conf:
transforms.conf
[nomore]
LOOKAHEAD = 100000
REGEX=(?m)(404\sNot\sFound)
DEST_KEY=queue
FORMAT=nullQueue
props.conf
[mod_security]
SHOULD_LINEMERGE = true
MUST_NOT_BREAK_AFTER = (--[a-z0-9]+-A--)
MUST_BREAK_AFTER = (--[a-z0-9]+-Z--)
TRUNCATE = 0
TRANSFORMS-notfounderror = nomore
At least it is working now!
... View more
03-08-2011
12:58 AM
5 Karma
Yes there is a solution. I found nothing anywhere describing this in splunk.com.
My issue of not being able to search into the event deep enough at index time was solved by using the simple command LOOKAHEAD in transforms.conf. Turns out splunk does not look far ahead related to REGEX at all when indexing. It seems to only be looking for the end ofthe transaction as a priority.
Here are my working props.conf and transforms.conf:
transforms.conf
[nomore]
LOOKAHEAD = 100000
REGEX=(?m)(404\sNot\sFound)
DEST_KEY=queue
FORMAT=nullQueue
props.conf
[mod_security]
SHOULD_LINEMERGE = true
MUST_NOT_BREAK_AFTER = (--[a-z0-9]+-A--)
MUST_BREAK_AFTER = (--[a-z0-9]+-Z--)
TRUNCATE = 0
TRANSFORMS-notfounderror = nomore
At least it is working now!
... View more
03-04-2011
01:01 AM
I replaced all my stuff with yours. No go. It still indexes ALL Events. It is not regexing past the first line. If I change the match from 404 to -A-- like the first line, then Nothing indexes. But anything other than the first line and it never matches.
I wish it was as simple as this or I would have been done a week ago.
... View more
03-03-2011
10:28 PM
The above was a test. If it could match the last section then I would have no data indexed. But it is indexing ALL data.
... View more
03-03-2011
10:26 PM
I want to throw away the entire even. What I really want is to eliminate events that have "404 Not Found" in side them. But I cant get the regex to match past the first line.
The events are Mod_Security logs.
Each event has sections that start with "--ab123cd-A--" A-Z for all sections.
The last section has no data but marks the end of the event "-ab123cd-Z--"
Within section H there is the error for a "404 Not Found" I would like to match.
But I thought I could just match the error text. But the regex only matches against the first line. (m?) has no effect.
I am stumped at this point.
... View more
03-03-2011
09:24 PM
2 Karma
I am trying to match text inside a large multi line Event. I have the index working ok. But in transforms.conf it fails to match anything past the first line. I was able to verify this my matching . and then a regex that matched the first line. Then I tried to match the last line and it fails yet the data ends up in the index.
Here are my props.conf and my transforms.conf:
props.conf
[mod_security]
LEARN_MODEL = false
sourcetype = mod_security
TRUNCATE = 0
#SHOULD_LINEMERGE = true
MUST_NOT_BREAK_AFTER = (--[a-z0-9]+-A--)
MUST_BREAK_AFTER = (--[a-z0-9]+-Z--)
TRANSFORMS-nomore = nomore
transforms.conf
[nomore]
REGEX=(m?)--[a-z0-9]+-Z--
DEST_KEY=queue
FORMAT=nullQueue
As a test I tried to match the last line. It fails. But if I match the first line of the event or . it works. I makes no sense. Also I have tried both with and without SHOULD_LINEMERGE.
Thanks in advance to any help.
Here is an example Event as requested.
--6c7cd57c-A--
[12/Jan/2011:10:59:29 --0600] TS3d8UijBKywIAAABu 53047 99.99.99.99 80
--6c7cd57c-B--
GET /pcgi-bin/sreg2/register/0 HTTP/1.1
X-NATPath: 99.99.99.99:53047, 99.99.99.99, 99.99.99.99:60136
Host: www.neusse.com
X-Forwarded-For: 99.99.99.99, 99.99.99.99
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; MS-RTC LM 8)
True-Client-IP: 99.99.99.99
Pragma: no-cache
X-Akamai-CONFIG-LOG-DETAIL: true
Accept-Encoding: gzip
Akamai-Origin-Hop: 2
Via: 1.1 v1-akamaitech.net(ghost) (AkamaiGHost), 1.1 akamai.net(ghost) (AkamaiGHost)
Cache-Control: no-cache, max-age=0
SM_AUTHTYPE: Auto
SM_SDOMAIN: .neusse.com
Max-Forwards: 10
X-Forwarded-Host: www.neusse.com
X-Forwarded-Server: www.neusse.com
--6c7cd57c-F--
HTTP/1.1 404 Not Found
Last-Modified: Wed, 25 Oct 2006 03:10:45 GMT
ETag: "3cdd"
Accept-Ranges: bytes
Content-Length: 15581
CDCHOST: neusse-prod1-203
Content-Type: text/html
X-Pad: avoid browser bug
CDCWPB: neusse-prod1-02
CDCXRP: neusse-prod1-01
Connection: close
--6c7cd57c-H--
Apache-Handler: proxy-server
Stopwatch: 1294851569931732 32492 (168 9176 -)
Producer: ModSecurity v2.1.7 (Apache 2.x)
Server: Apache/2.2
--6c7cd57c-Z--
... View more
03-02-2011
06:25 PM
I made the change and it males no deference. I still get ALL events indexed. It seems this is a wide spread problem for folks, It would be nice if splunk had a little better method for filtering since there is a lot of noise in many logs.
I am at an impasse with this. For the volume of data, we need to filter to make better use of analysis time and system resources.
... View more
03-01-2011
10:25 PM
I am trying to filter with many transform statements. I believe everything is configured correctly. But I get ALL events indexed. None are going to the nullQueue. Please help!
It seems easy enough but I am not getting this.
As I understand it:
In my props.conf I have two sections. One is [mod_security] it does a few things for parsing the event and collects some fields.
Also in my props.conf I have a [source::/some/path/to/directory/]. This has all the transform statements that are checking if it should send the event to the nullQueue.
What happens is all events are indexed. None are filtered. I have also tried adding all the transform statements to the [mod_security] section. But I get the same, everything is indexed, issue.
Last I wanted to check that a couple of strings exist in the event after filtering. If they do then index the event. If not send the event to the nullQueue.
Here are my props.conf and transforms.conf. Any help would be appreciated.
Props.conf
[mod_security]
TRUNCATE = 0
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = (--[a-z0-9]+-A--)
REPORT-get = get
REPORT-post = post
REPORT-severity = severity
[source::/nas/log/cache/httpd-www-80/]
TRANSFORMS-f1 = f1
TRANSFORMS-f2 = f2
TRANSFORMS-f3 = f3
TRANSFORMS-f4 = f4
TRANSFORMS-f5 = f5
TRANSFORMS-f6 = f6
TRANSFORMS-ok = null,ok
=========================================
transforms.conf
[get]
REGEX = (GET.+?)$
FORMAT = AA_get::$1
[post]
REGEX = (POST.+?)$
FORMAT = AA_post::$1
[severity]
REGEX = (severity.+?)\]
FORMAT = AA_severity::$1
[f1]
REGEX = (99\.99\.99\.38)
DEST_KEY = queue
FORMAT = nullQueue
[f2]
REGEX = .*404\sNot\sFound.*
DEST_KEY = queue
FORMAT = nullQueue
[f3]
REGEX = .*401\sUnauthorized.*
DEST_KEY = queue
FORMAT = nullQueue
[f4]
REGEX = .*500\sInternal\sServer\sError.*
DEST_KEY = queue
FORMAT = nullQueue
[f5]
REGEX = .*403\sForbidden.*
DEST_KEY = queue
FORMAT = nullQueue
[f6]
REGEX = FILTERED\sTO\s
DEST_KEY = queue
FORMAT = nullQueue
[null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[ok]
REGEX = (Pattern\smatch)|(Matched\ssignature)
DEST_KEY = queue
FORMAT = indexQueue
... View more
- Tags:
- filter
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-15-2020
01:54 PM
|
Karma given to
