Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About bandit
bandit
Motivator
Member since:
03-19-2013
05-19-2025
Community Statistics
| Posts | 400 |
| Solutions | 16 |
| Karma Given | 329 |
| Karma Received | 459 |
| Member Since | 03-19-2013 |
Activity Feed
- Got Karma for Re: How to determine which deployment server a forwarder is phoning home to?. 06-26-2025 11:48 PM
- Karma Re: How do you display a blank panel? for cmerriman. 05-19-2025 07:07 AM
- Got Karma for Re: What are the ports that I need to open?. 06-04-2024 04:39 AM
- Posted Re: dedup on Field over time span on Splunk Search. 05-20-2024 07:34 AM
- Got Karma for Re: Splunk Restart Tracking. 04-27-2024 08:31 PM
- Got Karma for Re: What are the ports that I need to open?. 04-16-2024 09:29 AM
- Got Karma for Re: How do I suppress web page pop-up when I uninstall Splunk?. 04-04-2024 05:12 PM
- Karma Re: Is there a way to display more than 20 charts at a time using new trellis layout? for chrisyounger. 03-04-2024 01:18 PM
- Got Karma for Re: Splunk Restart Tracking. 02-15-2024 11:52 PM
- Got Karma for Re: Best ways to report on large volumes of data?. 12-21-2023 05:36 AM
- Got Karma for Re: How to write a search to list roles and their capabilities in a Splunk environment?. 11-08-2023 12:18 PM
- Karma Re: Where are Noteable Event Suppressions stored in Splunk? for woodcock. 08-18-2023 09:55 AM
- Karma Re: Where are Noteable Event Suppressions stored in Splunk? for woodcock. 08-18-2023 09:54 AM
- Got Karma for Re: How to write a search to not display the last bucket of data in a timechart?. 07-31-2023 12:00 AM
- Got Karma for Re: Diagram of Splunk Common Network Ports. 07-30-2023 04:56 AM
- Got Karma for Re: Splunk 7.0.1 Init script is not configured to run at boot. 07-18-2023 10:20 AM
- Got Karma for Re: How to resolve error "Error pulling configurations from the search head cluster captain"?. 07-04-2023 06:33 AM
- Got Karma for Re: How to write a search to list roles and their capabilities in a Splunk environment?. 03-06-2023 05:12 PM
- Got Karma for Re: How to write a search to list roles and their capabilities in a Splunk environment?. 03-06-2023 03:42 AM
- Posted Re: How can I break out streamstats into multiple groups? on Splunk Search. 12-02-2022 09:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 4 | |||
| 1 |
05-20-2024
07:34 AM
@triva79 How about...
| timechart span=1h limit=50 useother=false dc(userName) as count by userName
or maybe...
| eval session=userName+":"+sessionKey
| timechart span=1h limit=50 useother=false dc(session) as count by session
... View more
12-02-2022
09:49 AM
Thanks for the help @bowesmana - much appreciated!
... View more
12-01-2022
12:31 PM
I'm wanting to group streamstats results by either one or two fields. Grouping by sourcetype would be sufficient. Grouping by index and sourcetype would be ideal. This query works fine for a single sourcetype, however does not work for multiple sourcetypes. The desired outcome is one record per unique sourcetype and/or index. Example query: | tstats count as event_count where index="aws_p" sourcetype="aws:cloudwatch:guardduty" by _time span=1m index sourcetype | sort _time | streamstats window=1 current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype | eval duration=_time-prev_time | eval minutes_between_events=duration/60 | stats min(minutes_between_events) as min_minutes_between_events avg(minutes_between_events) as avg_minutes_between_events max(minutes_between_events) as max_minutes_between_events by index sourcetype | eval avg_minutes_between_events=round(avg_minutes_between_events,0) | eval max_hours_between_events=round(max_minutes_between_events/60,2) results for multiple sourcetypes results for a single sourcetype
... View more
06-20-2022
11:20 AM
@robjackson - I haven't had issues in the past regarding the license server functionality when having Search Heads, Indexers, Heavy Forwarders subscribing to a license server on a higher version. I'd recommend you make full backup of your configuration so you can easily restore if you run into issues as version 9.0 is very new. Another option might be to migrate your license to another Splunk instance such as a Monitor Console or Heavy Forwarder. Rob
... View more
06-16-2022
01:06 PM
Right, it's a workaround and does reload the dash, but it will clear the tokens as long as link back to the base of the app and include no arguments in your link. See below. Example where I used this in one of my dashboards.
... View more
06-16-2022
12:01 PM
I've wanted this functionality as well. @mnj1809 here's a workaround which is essentially creating an html link back to the same dashboard. https://community.splunk.com/t5/Getting-Data-In/Reusable-Script-Reset-All-Tokens-with-a-Single-Click/m-p/472141 Rob
... View more
06-16-2022
09:57 AM
Good note about the impact of new clients that might need the deployment server online for initial configuration @FrankVl
... View more
Splunk recently announced a Critical vulnerability for the Splunk deployment server. Advisory ID: SVD-2022-0608 Published: 2022-06-14 CVSSv3.1 Score: 9.0, Critical CWE: CWE-284 CSAF: 2022-06-14-svd-2022-0608 CVE ID: CVE-2022-32158 Last Update: 2022-06-14 CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Bug ID: SPL-176829 Security Content: Splunk Process Injection Forwarder Bundle Downloads What can you do to take action right away? My first recommendation would be to shut down your deployment servers as they are really only need to be online for changes to apps/addons deployed via the deployment server and won't disrupt forwarding of Universal or Heavy Forwarders which subscribe/phone home to said deployment servers. Shutting down the deployment server will NOT undeploy apps/addons on client forwarders. The only impact you should have is you won't be able to make updates to forwarder apps/addons to new or existing forwarders while the deployment server is offline. This will block the threat and give you time to make a plan. At present, the only option is to upgrade to Splunk 9.0 which has only been out for a few days. If you take this course of action, I'd highly recommend that you take a full backup of your SPLUNK_HOME directory - often /opt/splunk on many systems so you can roll back if you encounter problems with the upgrade. Typically deployment servers of higher version usually don't have issues working with forwarders on a few versions lower. Technically, the deployment server functionality is packaged with all versions of Splunk Enterprise. My understanding is should shouldn't have to patch Splunk if you don't use this functionality. i.e. you haven't configured deploymentclient.conf on your Universal or Heavy Forwarders to phone home to a deployment server. An alternative to stopping your deployment server is to disable the deployment server functionality from the command line. $ /opt/splunk/bin/splunk disable deploy-server $ /opt/splunk/bin/splunk restart How can you check whether you are using the deployment server functionality if you are unsure? There are a multiple ways. 1. Run this query on your deployment server or your search heads depending on whether you have deployment server splunkd logs forwarding to your indexers or not. index=_internal sourcetype=splunkd_access "phonehome" This will show clients phoning home to deployment server. The host name in the host field should be your deployment server. 2. Check the UI of your deployment server under settings/forwarder management. Under the clients tab, look to see the count of clients phoning home. If you see zero, this instance is not actively being used as a deployment server. i.e. nothing is phoning home to it. If you see 1 or more, then this instance is an active deployment server. 3. Run Btool on the command line of a forwarder that you want to check to see if it's using a deployment server. $ /opt/splunkforwarder/bin/splunk btool deploymentclient list [default] phoneHomeIntervalInSecs = 60 [target-broker:deploymentServer] targetUri = 1.1.123.123:8089 If a targetUri is returned, that's the host/IP of the deployment server this forwarder is trying to use. If you do not get targetUri returned, this forwarder is not using a deployment server. Here's a query you can use to see what classes/apps are pushed out to your clients via deployment server and review for anything suspicious. index=_internal sourcetype=splunkd component="PackageDownloadRestHandler"
| stats values(host) as deployment_server dc(peer) as clients by serverclass app
| sort -clients Here's a dashboard you can drop on either your deployment server or search heads which uses the data found in the deployment server's splunkd.log and will show you deployment server names and hosts checking into your deployment server. <form theme="dark" version="1.1">
<label>Forwarder Phone Home</label>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="deployment_server" searchWhenChanged="true">
<label>Deployment Server</label>
<choice value="*">All</choice>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection"
| dedup host
| table host
| sort host</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<default>*</default>
</input>
<input type="text" token="forwarder_host_pattern" searchWhenChanged="true">
<label>Forwarder Host Pattern</label>
<default>*</default>
</input>
<input type="text" token="forwarder_fqdn_pattern" searchWhenChanged="true">
<label>Forwarder FQDN Pattern</label>
<default>*</default>
</input>
<input type="text" token="forwarder_ip_pattern" searchWhenChanged="true">
<label>Forwarder IP Pattern</label>
<default>*</default>
</input>
<input type="text" token="forwarder_id_pattern">
<label>Forwarder ID Pattern</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Unique Forwarders</title>
<single>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$"
| rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)"
| search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*"
| dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id
| stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0x006d9c","0x006d9c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Phone Home Timeline</title>
<chart>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection"
| rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)"
| search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" host="$deployment_server$"
| eval device=forwarder_host+"-"+forwarder_fqdn+"-"+forwarder_ip+"-"+forwarder_id
| timechart partial=true span=10m dc(device) as unqiue_forwarders by host
| rename host as deployment_server</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Deployment Server Summary</title>
<table>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$"
| rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)"
| search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*"
| dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id
| top host
| rename host as deployment_server count as unqiue_forwarders</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="deployment_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
<panel>
<title>Duplicate Hosts</title>
<table>
<title>(hosts expected to be unique)</title>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$"
| rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)"
| search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*"
| dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id
| stats count by forwarder_host
| search count>1
| sort -count
| append
[| makeresults
| eval forwarder_host="add_zero"
| eval count=0
| table forwarder_host count ]
| search forwarder_host!="add_zero"</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="totalsRow">true</option>
</table>
</panel>
<panel>
<title>Duplicate Forwarder IDs</title>
<table>
<title>(indicates cloning post install)</title>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$"
| rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)"
| search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*"
| dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id
| stats count by forwarder_id
| search count>1
| sort -count
| append
[| makeresults
| eval forwarder_id="add_zero"
| eval count=0
| table forwarder_id count ]
| search forwarder_id!="add_zero"</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="totalsRow">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Forwarder Summary</title>
<table>
<search>
<query>index=_internal sourcetype=splunkd_access "phonehome/connection"
| rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)"
| search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" host="$deployment_server$"
| dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id
| table _time host forwarder_host forwarder_fqdn forwarder_ip forwarder_id
| rename host as deployment_server</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">40</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="deployment_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
</form>
... View more
10-29-2021
02:39 PM
Updated my previous example to use tokens as input for the date ranges. <form theme="dark">
<label>Cascading Date Selector</label>
<fieldset submitButton="false">
<input type="radio" token="day_type" searchWhenChanged="true">
<label>Day Type</label>
<choice value="*">All</choice>
<choice value="day_of_week IN (Mon,Tue,Wed,Thu,Fri)">Business Week (Mon-Fri)</choice>
<choice value="day_of_week IN (Sat,Sun)">Weekends (Sat-Sun)</choice>
<default>day_of_week IN (Mon,Tue,Wed,Thu,Fri)</default>
</input>
<input type="radio" token="year" searchWhenChanged="true">
<label>Year</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>year</fieldForLabel>
<fieldForValue>year</fieldForValue>
<search>
<query>| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort -starttime
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_week_num=strftime(starttime,"%w")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval month_num=strftime(starttime,"%m")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search $day_type$
| dedup year
| table year
| sort -year</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="month" searchWhenChanged="true">
<label>Month</label>
<default>*</default>
<fieldForLabel>month</fieldForLabel>
<fieldForValue>month</fieldForValue>
<search>
<query>| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort starttime
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_week_num=strftime(starttime,"%w")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval month_num=strftime(starttime,"%m")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search $day_type$ year=$year$
| dedup month
| sort num(month_num)
| table month</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
</input>
<input type="dropdown" token="day_of_week" searchWhenChanged="true">
<label>Day of Week</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>day_of_week</fieldForLabel>
<fieldForValue>day_of_week</fieldForValue>
<search>
<query>| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort -starttime
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_week_num=strftime(starttime,"%w")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval month_num=strftime(starttime,"%m")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search $day_type$ year=$year$ month=$month$
| dedup day_of_week
| table day_of_week day_of_week_num
| sort num(day_of_week_num)
| table day_of_week</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="day_of_month" searchWhenChanged="true">
<label>Day of Month</label>
<choice value="*">All</choice>
<fieldForLabel>day_of_month</fieldForLabel>
<fieldForValue>day_of_month</fieldForValue>
<search>
<query>| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort starttime
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_week_num=strftime(starttime,"%w")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval month_num=strftime(starttime,"%m")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search $day_type$ year=$year$ month=$month$ day_of_week=$day_of_week$
| dedup day_of_month
| sort num(day_of_month)
| table day_of_month</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
</input>
<input type="dropdown" token="date_time_range" searchWhenChanged="true">
<label>Date</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>date</fieldForLabel>
<fieldForValue>time_range</fieldForValue>
<search>
<query>| gentimes start=-365 end=1
| sort -starttime
| eval earliest=starttime
| eval latest=endtime
| eval time_range="earliest="+earliest+" latest="+latest
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_week_num=strftime(starttime,"%w")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval month_num=strftime(starttime,"%m")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search $day_type$ year=$year$ month=$month$ day_of_week=$day_of_week$ day_of_month=$day_of_month$ $date_time_range$
| table date time_range</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="text" token="days_to_look_back" searchWhenChanged="true">
<label>Days to look back 365=1 year</label>
<default>365</default>
</input>
<input type="text" token="days_to_look_forward" searchWhenChanged="true">
<label>Days to look forward 1=Today</label>
<default>1</default>
</input>
</fieldset>
<row>
<panel>
<title>Example query with subsearch to return date ranges as query constraints:</title>
<html>
<strong href="" style="color:white">your base query
[| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort -starttime
| eval earliest=starttime
| eval latest=endtime
| eval time_range=\"earliest=\"+earliest+\" latest=\"+latest
| eval day_of_week=strftime(starttime,\"%a\")
| eval day_of_month=strftime(starttime,\"%d\")
| eval year=strftime(starttime,\"%Y\")
| eval month=strftime(starttime,\"%b\")
| eval date=strftime(starttime,\"%a %m-%d-%Y\")
| search year="+"$"+"year"+"$"+" month="+"$"+"month"+"$"+" day_of_month="+"$"+"day_of_month"+"$"+" day_of_week="+"$"+"day_of_week"+"$"+" "+"$"+"day_type"+"$"+" "+"$"+"date_time_range"+"$"+"
| table earliest latest
| return 1000 earliest latest]
</strong>
</html>
</panel>
</row>
<row>
<panel>
<title>Dates</title>
<table>
<search>
<query>| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort -starttime
| eval earliest=starttime
| eval latest=endtime
| eval time_range="earliest="+earliest+" latest="+latest
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search year=$year$ month=$month$ day_of_month=$day_of_month$ day_of_week=$day_of_week$ $day_type$ $date_time_range$
| table year month day_of_month day_of_week date time_range</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">100</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="wrap">true</option>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="day_of_month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="year">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="day_of_month">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="day_of_week">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
<panel>
<title>Date Constraints Returned</title>
<table>
<search>
<query>| gentimes start=-$days_to_look_back$ end=$days_to_look_forward$
| sort -starttime
| eval earliest=starttime
| eval latest=endtime
| eval time_range="earliest="+earliest+" latest="+latest
| eval day_of_week=strftime(starttime,"%a")
| eval day_of_month=strftime(starttime,"%d")
| eval year=strftime(starttime,"%Y")
| eval month=strftime(starttime,"%b")
| eval date=strftime(starttime,"%a %m-%d-%Y")
| search year=$year$ month=$month$ day_of_month=$day_of_month$ day_of_week=$day_of_week$ $day_type$ $date_time_range$
| table earliest latest
| return 1000 earliest latest</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
... View more
06-30-2021
08:01 AM
1 Karma
Dashboard to show forwarder phone home counts per deployment server with host fqdn ip guid Requires you to route your deployment server splunkd.log to your indexers in a distributed environment. <form theme="dark"> <label>Forwarder Phone Home</label> <fieldset submitButton="false"> <input type="time" token="time" searchWhenChanged="true"> <label>Time Range</label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="deployment_server" searchWhenChanged="true"> <label>Deployment Server</label> <choice value="*">All</choice> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" | dedup host | table host | sort host</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>*</default> </input> <input type="text" token="forwarder_host_pattern" searchWhenChanged="true"> <label>Forwarder Host Pattern</label> <default>*</default> </input> <input type="text" token="forwarder_fqdn_pattern" searchWhenChanged="true"> <label>Forwarder FQDN Pattern</label> <default>*</default> </input> <input type="text" token="forwarder_ip_pattern" searchWhenChanged="true"> <label>Forwarder IP Pattern</label> <default>*</default> </input> <input type="text" token="forwarder_id_pattern"> <label>Forwarder ID Pattern</label> <default>*</default> </input> </fieldset> <row> <panel> <title>Unique Forwarders</title> <single> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | stats count</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="rangeColors">["0x006d9c","0x006d9c"]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> </single> </panel> </row> <row> <panel> <title>Phone Home Timeline</title> <chart> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" host="$deployment_server$" | eval device=forwarder_ip+"-"+forwarder_id | bucket _time span=5m | dedup _time forwarder_id | timechart partial=false span=5m dc(device) as unqiue_forwarders by host | rename host as deployment_server | addtotals</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.axisY.scale">linear</option> <option name="charting.chart">column</option> <option name="charting.chart.overlayFields">Total</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">1</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">1</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Deployment Server Summary</title> <table> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_ip forwarder_id | top host | rename host as deployment_server count as unqiue_forwarders</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">10</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="deployment_server"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> <panel> <title>Duplicate Hosts</title> <table> <title>(hosts expected to be unique in most cases)</title> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | stats count by forwarder_host | search count>1 | sort -count | append [| makeresults | eval count=0 | table count ]</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">10</option> <option name="drilldown">none</option> </table> </panel> <panel> <title>Duplicate Forwarder IDs (GUIDs)</title> <table> <title>(indicates cloning post install)</title> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" host="$deployment_server$" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | stats count by forwarder_id | search count>1 | sort -count | append [| makeresults | eval count=0 | table count ]</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">10</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel> <title>Forwarder Summary</title> <table> <search> <query>index=_internal sourcetype=splunkd_access "phonehome/connection" | rex "phonehome/connection_(?<forwarder_ip>[^\_]+)_80\d\d_(?<forwarder_fqdn>[^\_]+)_(?<forwarder_host>[^\_]+)_(?<forwarder_id>[^\s]+)" | search forwarder_host="*$forwarder_host_pattern$*" forwarder_fqdn="*$forwarder_fqdn_pattern$*" forwarder_ip="*$forwarder_ip_pattern$*" forwarder_id="*$forwarder_id_pattern$*" host="$deployment_server$" | dedup forwarder_host forwarder_fqdn forwarder_ip forwarder_id | table _time host forwarder_host forwarder_fqdn forwarder_ip forwarder_id | rename host as deployment_server</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <option name="count">40</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="deployment_server"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </form>
... View more
03-09-2021
09:03 AM
Vote for Trellis 1000 on Splunk Ideas! https://ideas.splunk.com/ideas/EID-I-862
... View more
08-14-2020
11:43 AM
Thanks for the updated answer @preactivity 🙂 as most of the older answers are no longer valid on the newer Splunk releases. Rob
... View more
07-06-2020
10:31 AM
1 Karma
Ok, I would first start with verifying that either the "RUNNING"/"NOT RUNNING" values (I'm assuming there is an inverse value to RUNNING) are recognized by Splunk as a field. You can check apps.splunk.com to see if there is an addon that will parse your sourcetype into key/value pairs or you may have to write regex to capture the value of the run state into a field. Once it's in a field you can run statistic commands against that field such as | top state by host example inline regex command to extract the state | rex "(?<state>(RUNNING|DOWN))" If you are getting overwhelmed, you may want to start with one of the free classes which will cover fields in Splunk https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html I also noticed you are running a script from crontab. You could modify the format of your log to log in key-pair values. i.e. process_status="RUNNING" or process_status="UP" or process_status="DOWN" etc. When Splunk encounters key/pair values it will auto extract fields which should make this task much simpler. https://dev.splunk.com/enterprise/docs/developapps/logging/loggingbestpractices/
... View more
07-06-2020
08:11 AM
1 Karma
I'm not familiar with your specific dataset, however you would want to come up with a base query that matches the events in Splunk that have the states you are trying to track. i.e. index=myindex sourcetype=mysourcetype host IN (host1,host2,host3) service IN (service1,service2,service3) note: you can wildcard parts of the host or service filters with * as well. If wanting all hosts and services, you probably don't need to add a host or service constraint.
... View more
07-06-2020
07:55 AM
your base query | dedup host application | chart values(state) over host by application note: modify fields names to match your dataset then you can color code in a table or single value chart using trellis option
... View more
06-04-2020
08:22 AM
Thanks @anthonymelita - @vnguyen46 - it seems it gets broken when I try to export the code from the simple xml source code and post here as code. I appologize for the incovenience.
Sample of query
Sample of source code
... View more
03-10-2020
10:45 AM
Try something like this for yesterday
index="your_index_here" EventCode="*"
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
You can also filter for specific codes like this using the IN command with a list of codes or patterns
index="your_index_here" EventCode="" EventCode IN(515,462*,40962)
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
I haven't tried getting an exact match, however you may have to search all time and use _indextime as constraint. _indextime being the time the indexer see the event. That's the time that should match with the ingest volume.
... View more
03-09-2020
11:54 AM
If you're looking estimate license volume for specific events, you can use the length of an event in bytes and then convert to MB/GB.
index=your index here your search constraints here
| eval bytes=len(_raw)
| timechart sum(bytes) as bytes
| eval KB=bytes/1024
| eval MB=bytes/1024/1024
| eval GB=bytes/1024/1024/1024
... View more
03-08-2020
04:02 PM
Also consider that timestamps and index time can factor into this calculation as well.
If you add a new input on to a forwarder, you could potentially ingest data today that is more than a day old.
The license counts against data ingested in the current day regardless of whether the event timestamp is in the past or the future.
tstats will use what Splunk considers the event time (_time) in count not the index time (_indextime)
... View more
03-06-2020
05:28 AM
1 Karma
Spitballing...
Possibly two forwarders on the same host and put one rule on each forwarder?
https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html
Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI
Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing
PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7 https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples
Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html
... View more
02-17-2020
09:16 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:14 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:13 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
08:00 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-19-2025
07:07 AM
|
Karma given to
