Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bandit
bandit
Motivator
Member since:
03-19-2013
08-18-2021
Community Statistics
| Posts | 391 |
| Solutions | 16 |
| Karma Given | 320 |
| Karma Received | 432 |
| Member Since | 03-19-2013 |
Activity Feed
- Got Karma for Re: What are the ports that I need to open?. 2 weeks ago
- Got Karma for Re: How can I generate a list of users and assigned roles?. 4 weeks ago
- Got Karma for FEATURE REQUEST: Splunk Alert: All Clear Notification. 08-20-2021 03:30 AM
- Karma Re: Can Enterprise Security use search-head clustering? for starcher. 08-18-2021 11:50 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 08-10-2021 10:22 AM
- Posted Re: How to determine which deployment server a forwarder is phoning home to? on Splunk Search. 06-30-2021 08:01 AM
- Got Karma for Re: Create Alert for Failed Scheduled Saved Search. 06-29-2021 04:53 AM
- Got Karma for Re: Create Alert for Failed Scheduled Saved Search. 06-11-2021 02:15 PM
- Got Karma for Re: How can I generate a list of users and assigned roles?. 05-26-2021 09:07 AM
- Got Karma for Re: Splunk Usage Audit Report. 05-16-2021 05:19 PM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 05-14-2021 12:59 PM
- Got Karma for Re: How can I generate a list of users and assigned roles?. 03-19-2021 02:36 AM
- Posted Re: Is there a way to display more than 20 charts at a time using new trellis layout? on Dashboards & Visualizations. 03-09-2021 09:03 AM
- Posted Re: FEATURE REQUEST: Splunk Alert: All Clear Notification on Reporting. 03-05-2021 02:31 PM
- Got Karma for Re: Systemd broken on new install. 02-21-2021 11:59 PM
- Got Karma for Re: Splunk 7.2.2 - systemd - Root privileges required when starting/stopping Splunk?. 02-09-2021 04:56 AM
- Got Karma for Re: Splunk 7.2.2 - systemd - Root privileges required when starting/stopping Splunk?. 02-09-2021 04:53 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 01-22-2021 05:55 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 01-20-2021 04:16 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 01-20-2021 04:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 1 | |||
| 0 | |||
| 21 |
06-30-2021
08:01 AM
Dashboard to show forwarder phone home counts per deployment server with host fqdn ip guid Requires you to route your deployment server splunkd.log to your indexers in a distributed environment. <form theme="dark"> <label>Forwarder Phone Home</label> <fieldset submitButton="false"> <input type="time" token="time" searchWhenChanged="true"> <label>Time Range</label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="deployment_server" searchWhenChanged="true"> <label>Deployment Server</label> <choice value="*">All</choice> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" | dedup host | table host | sort host</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>*</default> </input> <input type="text" token="forwarder_host_pattern" searchWhenChanged="true"> <label>Forwarder Host Pattern</label> <default>*</default> </input> <input type="text" token="forwarder_fqdn_pattern" searchWhenChanged="true"> <label>Forwarder FQDN Pattern</label> <default>*</default> </input> <input type="text" token="forwarder_ip_pattern" searchWhenChanged="true"> <label>Forwarder IP Pattern</label> <default>*</default> </input> <input type="text" token="forwarder_id_pattern"> <label>Forwarder ID Pattern</label> <default>*</default> </input> </fieldset> <row> <panel> <title>Unique Forwarders</title> <single> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | stats count</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="rangeColors">["0x006d9c","0x006d9c"]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> </single> </panel> </row> <row> <panel> <title>Phone Home Timeline</title> <chart> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" host="$deployment_server$" | eval device=forwarder_ip+"-"+forwarder_id | bucket _time span=5m | dedup _time forwarder_id | timechart partial=false span=5m dc(device) as unqiue_forwarders by host | rename host as deployment_server | addtotals</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.axisY.scale">linear</option> <option name="charting.chart">column</option> <option name="charting.chart.overlayFields">Total</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">1</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">1</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Deployment Server Summary</title> <table> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_ip forwarder_id | top host | rename host as deployment_server count as unqiue_forwarders</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">10</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="deployment_server"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> <panel> <title>Duplicate Hosts</title> <table> <title>(hosts expected to be unique in most cases)</title> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | stats count by forwarder_host | search count>1 | sort -count | append [| makeresults | eval count=0 | table count ]</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">10</option> <option name="drilldown">none</option> </table> </panel> <panel> <title>Duplicate Forwarder IDs (GUIDs)</title> <table> <title>(indicates cloning post install)</title> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | stats count by forwarder_id | search count>1 | sort -count | append [| makeresults | eval count=0 | table count ]</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">10</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel> <title>Forwarder Summary</title> <table> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" host="$deployment_server$" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | table _time host forwarder_host forwarder_fqdn forwarder_ip forwarder_id | rename host as deployment_server</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">40</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="deployment_server"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </form>
... View more
03-09-2021
09:03 AM
Vote for Trellis 1000 on Splunk Ideas! https://ideas.splunk.com/ideas/EID-I-862
... View more
10-06-2020
03:45 AM
Hi @thambisetty it tells me @Rob_Jordan is already taken - looks like that is an even older account of mine - wonder if they could be merged? I think one was rob_jordan and one was Rob_Jordan on the old system and they collided on the new system. Maybe old system was case-sentive?
... View more
10-05-2020
07:32 PM
Hi, I've have had the screen name rob_jordan on Splunk Answers since 2013. Somehow it changed to rob_jordan1 during the recent Splunk Answers migration. Is there someone who can help me correct it? Thanks, Rob for reference: https://www.splunk.com/en_us/blog/splunklife/smart-answers-59.html
... View more
- Tags:
- splunkanswers
08-14-2020
11:43 AM
Thanks for the updated answer @preactivity 🙂 as most of the older answers are no longer valid on the newer Splunk releases. Rob
... View more
07-06-2020
10:31 AM
1 Karma
Ok, I would first start with verifying that either the "RUNNING"/"NOT RUNNING" values (I'm assuming there is an inverse value to RUNNING) are recognized by Splunk as a field. You can check apps.splunk.com to see if there is an addon that will parse your sourcetype into key/value pairs or you may have to write regex to capture the value of the run state into a field. Once it's in a field you can run statistic commands against that field such as | top state by host example inline regex command to extract the state | rex "(?<state>(RUNNING|DOWN))" If you are getting overwhelmed, you may want to start with one of the free classes which will cover fields in Splunk https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html I also noticed you are running a script from crontab. You could modify the format of your log to log in key-pair values. i.e. process_status="RUNNING" or process_status="UP" or process_status="DOWN" etc. When Splunk encounters key/pair values it will auto extract fields which should make this task much simpler. https://dev.splunk.com/enterprise/docs/developapps/logging/loggingbestpractices/
... View more
07-06-2020
08:11 AM
1 Karma
I'm not familiar with your specific dataset, however you would want to come up with a base query that matches the events in Splunk that have the states you are trying to track. i.e. index=myindex sourcetype=mysourcetype host IN (host1,host2,host3) service IN (service1,service2,service3) note: you can wildcard parts of the host or service filters with * as well. If wanting all hosts and services, you probably don't need to add a host or service constraint.
... View more
07-06-2020
07:55 AM
your base query | dedup host application | chart values(state) over host by application note: modify fields names to match your dataset then you can color code in a table or single value chart using trellis option
... View more
06-11-2020
12:47 PM
My Karma points went down as I believe they have a new scoring system, however, my relative ranking is about the same.
... View more
06-04-2020
08:22 AM
Thanks @anthonymelita - @vnguyen46 - it seems it gets broken when I try to export the code from the simple xml source code and post here as code. I appologize for the incovenience.
Sample of query
Sample of source code
... View more
03-10-2020
10:45 AM
Try something like this for yesterday
index="your_index_here" EventCode="*"
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
You can also filter for specific codes like this using the IN command with a list of codes or patterns
index="your_index_here" EventCode="" EventCode IN(515,462*,40962)
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
I haven't tried getting an exact match, however you may have to search all time and use _indextime as constraint. _indextime being the time the indexer see the event. That's the time that should match with the ingest volume.
... View more
03-09-2020
11:54 AM
If you're looking estimate license volume for specific events, you can use the length of an event in bytes and then convert to MB/GB.
index=your index here your search constraints here
| eval bytes=len(_raw)
| timechart sum(bytes) as bytes
| eval KB=bytes/1024
| eval MB=bytes/1024/1024
| eval GB=bytes/1024/1024/1024
... View more
03-08-2020
04:02 PM
Also consider that timestamps and index time can factor into this calculation as well.
If you add a new input on to a forwarder, you could potentially ingest data today that is more than a day old.
The license counts against data ingested in the current day regardless of whether the event timestamp is in the past or the future.
tstats will use what Splunk considers the event time (_time) in count not the index time (_indextime)
... View more
03-06-2020
05:28 AM
1 Karma
Spitballing...
Possibly two forwarders on the same host and put one rule on each forwarder?
https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html
Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI
Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing
PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7 https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples
Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html
... View more
02-17-2020
09:16 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:14 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:13 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
08:00 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2021
03:10 PM
|
Karma given to
