Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bandit
bandit
Motivator
Member since:
03-19-2013
03-09-2021
Community Statistics
| Posts | 390 |
| Solutions | 16 |
| Karma Given | 319 |
| Karma Received | 422 |
| Member Since | 03-19-2013 |
Activity Feed
- Got Karma for Re: How can I generate a list of users and assigned roles?. a month ago
- Posted Re: Is there a way to display more than 20 charts at a time using new trellis layout? on Dashboards & Visualizations. 03-09-2021 09:03 AM
- Posted Re: FEATURE REQUEST: Splunk Alert: All Clear Notification on Reporting. 03-05-2021 02:31 PM
- Got Karma for Re: Systemd broken on new install. 02-21-2021 11:59 PM
- Got Karma for Re: Splunk 7.2.2 - systemd - Root privileges required when starting/stopping Splunk?. 02-09-2021 04:56 AM
- Got Karma for Re: Splunk 7.2.2 - systemd - Root privileges required when starting/stopping Splunk?. 02-09-2021 04:53 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 01-22-2021 05:55 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 01-20-2021 04:16 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 01-20-2021 04:15 AM
- Got Karma for Diagram of Splunk Common Network Ports. 01-20-2021 04:12 AM
- Got Karma for Re: Splunk 7.2.2 - systemd - Root privileges required when starting/stopping Splunk?. 12-29-2020 09:02 PM
- Got Karma for Re: how can i find a directory where i installed splunk in centos?. 12-10-2020 03:50 PM
- Karma Re: What are the ports that I need to open? for jdinkel. 12-04-2020 07:55 AM
- Got Karma for FEATURE REQUEST: Splunk Alert: All Clear Notification. 11-26-2020 09:50 PM
- Got Karma for FEATURE REQUEST: Splunk Alert: All Clear Notification. 11-26-2020 09:39 PM
- Got Karma for Re: Reusable Script - Reset All Tokens with a Single Click. 11-20-2020 06:39 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 11-16-2020 06:28 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 11-04-2020 08:13 AM
- Posted Re: Splunk Answers Username on Feedback. 10-07-2020 07:39 AM
- Karma Re: Splunk Answers Username for thambisetty. 10-07-2020 07:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 1 | |||
| 0 | |||
| 20 |
03-09-2021
09:03 AM
Vote for Trellis 1000 on Splunk Ideas! https://ideas.splunk.com/ideas/EID-I-862
... View more
10-06-2020
03:45 AM
Hi @thambisetty it tells me @Rob_Jordan is already taken - looks like that is an even older account of mine - wonder if they could be merged? I think one was rob_jordan and one was Rob_Jordan on the old system and they collided on the new system. Maybe old system was case-sentive?
... View more
10-05-2020
07:32 PM
Hi, I've have had the screen name rob_jordan on Splunk Answers since 2013. Somehow it changed to rob_jordan1 during the recent Splunk Answers migration. Is there someone who can help me correct it? Thanks, Rob for reference: https://www.splunk.com/en_us/blog/splunklife/smart-answers-59.html
... View more
- Tags:
- splunkanswers
08-14-2020
11:43 AM
Thanks for the updated answer @preactivity 🙂 as most of the older answers are no longer valid on the newer Splunk releases. Rob
... View more
07-06-2020
10:31 AM
1 Karma
Ok, I would first start with verifying that either the "RUNNING"/"NOT RUNNING" values (I'm assuming there is an inverse value to RUNNING) are recognized by Splunk as a field. You can check apps.splunk.com to see if there is an addon that will parse your sourcetype into key/value pairs or you may have to write regex to capture the value of the run state into a field. Once it's in a field you can run statistic commands against that field such as | top state by host example inline regex command to extract the state | rex "(?<state>(RUNNING|DOWN))" If you are getting overwhelmed, you may want to start with one of the free classes which will cover fields in Splunk https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html I also noticed you are running a script from crontab. You could modify the format of your log to log in key-pair values. i.e. process_status="RUNNING" or process_status="UP" or process_status="DOWN" etc. When Splunk encounters key/pair values it will auto extract fields which should make this task much simpler. https://dev.splunk.com/enterprise/docs/developapps/logging/loggingbestpractices/
... View more
07-06-2020
08:11 AM
1 Karma
I'm not familiar with your specific dataset, however you would want to come up with a base query that matches the events in Splunk that have the states you are trying to track. i.e. index=myindex sourcetype=mysourcetype host IN (host1,host2,host3) service IN (service1,service2,service3) note: you can wildcard parts of the host or service filters with * as well. If wanting all hosts and services, you probably don't need to add a host or service constraint.
... View more
07-06-2020
07:55 AM
your base query | dedup host application | chart values(state) over host by application note: modify fields names to match your dataset then you can color code in a table or single value chart using trellis option
... View more
06-11-2020
12:47 PM
My Karma points went down as I believe they have a new scoring system, however, my relative ranking is about the same.
... View more
06-04-2020
08:22 AM
Thanks @anthonymelita - @vnguyen46 - it seems it gets broken when I try to export the code from the simple xml source code and post here as code. I appologize for the incovenience.
Sample of query
Sample of source code
... View more
03-10-2020
10:45 AM
Try something like this for yesterday
index="your_index_here" EventCode="*"
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
You can also filter for specific codes like this using the IN command with a list of codes or patterns
index="your_index_here" EventCode="" EventCode IN(515,462*,40962)
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
I haven't tried getting an exact match, however you may have to search all time and use _indextime as constraint. _indextime being the time the indexer see the event. That's the time that should match with the ingest volume.
... View more
03-09-2020
11:54 AM
If you're looking estimate license volume for specific events, you can use the length of an event in bytes and then convert to MB/GB.
index=your index here your search constraints here
| eval bytes=len(_raw)
| timechart sum(bytes) as bytes
| eval KB=bytes/1024
| eval MB=bytes/1024/1024
| eval GB=bytes/1024/1024/1024
... View more
03-08-2020
04:02 PM
Also consider that timestamps and index time can factor into this calculation as well.
If you add a new input on to a forwarder, you could potentially ingest data today that is more than a day old.
The license counts against data ingested in the current day regardless of whether the event timestamp is in the past or the future.
tstats will use what Splunk considers the event time (_time) in count not the index time (_indextime)
... View more
03-06-2020
05:28 AM
1 Karma
Spitballing...
Possibly two forwarders on the same host and put one rule on each forwarder?
https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html
Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI
Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing
PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7 https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples
Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html
... View more
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:14 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:13 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
08:00 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-12-2020
09:06 PM
Example query of calculating step_time by adding step_offset_ms to the _time field
source="graphics.log" host="splunk_lab" sourcetype="display_log"
| rex "(?<step_offset_ms>\d+(\.)?\d+)\s(?<step_description>.+)"
| eval epoch_time=_time
| eval step_time=epoch_time+step_offset_ms
| convert ctime(step_time)
| table _time step_offset_ms step_time step_description
| sort _time step_time
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-09-2021
01:38 PM
|
Karma from
