Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About kvnpichon
kvnpichon
Path Finder
Member since:
06-26-2020
01-19-2022
Community Statistics
| Posts | 21 |
| Solutions | 3 |
| Karma Given | 1 |
| Karma Received | 3 |
| Member Since | 06-26-2020 |
Activity Feed
- Got Karma for How can I solve this error: Data model 'Cloud_Infrastructure' was not found?. 01-03-2023 02:55 AM
- Got Karma for Re: Add a filter on time field in a dashboard (to search a specific day). 03-08-2022 09:14 AM
- Got Karma for Add a filter on time field in a dashboard (to search a specific day). 03-08-2022 09:13 AM
- Karma Network Resolution (DNS) data model doesn't have any data in it for Tylerdygert. 01-19-2022 01:44 AM
- Posted Re: stanza's for props.conf on Getting Data In. 11-15-2021 01:25 AM
- Posted Why can't we launch an Indexer Health RapidDiag? on Monitoring Splunk. 11-15-2021 01:12 AM
- Posted Re: Extract fields from CSV log file without header on Getting Data In. 10-06-2021 01:52 AM
- Posted Re: Extract fields from CSV log file without header on Getting Data In. 10-01-2021 12:55 AM
- Posted Extract fields from CSV log file without header on Getting Data In. 09-30-2021 08:32 AM
- Posted Re: Implement lookup file to replace the "host" field value collected from the rsyslog on Getting Data In. 06-28-2021 05:04 AM
- Posted Implement lookup file to replace the "host" field value collected from the rsyslog on Getting Data In. 06-28-2021 04:26 AM
- Posted Re: Help with a regex (extract the file name from the file path) on Getting Data In. 04-19-2021 01:56 AM
- Posted Help with a regex (extract the file name from the file path) on Getting Data In. 04-16-2021 06:30 AM
- Tagged Help with a regex (extract the file name from the file path) on Getting Data In. 04-16-2021 06:30 AM
- Tagged Help with a regex (extract the file name from the file path) on Getting Data In. 04-16-2021 06:30 AM
- Posted How can I solve this error: Data model 'Cloud_Infrastructure' was not found? on Knowledge Management. 02-23-2021 06:52 AM
- Posted Re: Troubleshooting disk usage peak on the Search Head server on Monitoring Splunk. 11-18-2020 07:56 AM
- Posted Re: Rename the "host" field from stormshield sourcetype events on Getting Data In. 11-18-2020 07:32 AM
- Posted Troubleshooting disk usage peak on the Search Head server on Monitoring Splunk. 11-18-2020 07:21 AM
- Posted Rename the "host" field from stormshield sourcetype events on Getting Data In. 11-16-2020 06:09 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
11-15-2021
01:25 AM
Hi, If you search logs from the SH, the field "host" (Splunk default field) is the source host from which the event originated. Hope it helps
... View more
11-15-2021
01:12 AM
Hi,
I recently upgraded to Splunk 8.2.2.1, when I try to collect a RapidDiag report in Settings > RapidDiag > Indexer Health I have the following errors :
System Call Trace > Could not detect `strace` for the root user. on following instance(s) => Indexers
Network Packet > Could not detect `tcpdump` for the root user. on following instance(s) => Indexers
IOPS > Could not detect `iostat` for the splunk user. on following instance(s) => Indexers
Stack Trace > Could not detect `eu-stack` for the root user. on following instance(s) => Indexers
All indexers are running Splunk 8.2.2.1 on Debian 9.13.
Any idea ?
... View more
10-06-2021
01:52 AM
Hi guys, I still didn't find any solution, any body could help me ?
... View more
10-01-2021
12:55 AM
Hello @ashvinpandey , In fact I have no header line in my log file, the process you sent me allow me to delete the header line but doesn't extract fields from the csv logs file.
... View more
09-30-2021
08:32 AM
Hello, I have a CSV file in this form : 2021-08-30 15:45:32;MOZILLA;j.dupont;FR6741557ERF;1.1.1.1;CONNEXION;;
2021-08-30 15:45:24;MOZILLA;j.dupont;FR6741557ERF;1.1.1.1;STATUS;;BDD
2021-08-30 15:45:16;MOZILLA;j.dupontFR6741557ERF;1.1.1.1;START;App_start;WEB Corresponding to these 8 fields : date,application,user,host,ip,type,detail,module I have 2 questions : How can I extract these fields ? How can I extract field at search-time (to be able to be retroactive on old logs) ? This my actuals props.conf and transforms.conf deployed on Search Head + Indexers and the inputs.conf file on the Universal Forwarder : props.conf [csvlogs]
disabled = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
KV_MODE = none
REPORT-fieldsextraction = logs_fields transforms.conf [logs_fields]
DELIMS = ";"
FIELDS = date,application,user,hostname,ip,type,detail,module
KEEP_EMPTY_VALS = true inputs.conf [Monitor://D:\repository\logs.csv]
disabled = false
sourcetype=csvlogs
index=logs_index1 Do you have solutions ?
... View more
Labels
- Labels:
-
CSV
06-28-2021
05:04 AM
For information this is the props.conf file in the "default" folder (provided by Splunk) : #
# Aruba Networks Add-on for Splunk
# © Devbusters 2020
#
# File: props.conf
#
# Created: 2019-09-30
# Last updated: 2020-08-26
#
# Default sourcetype for sourcetype renaming
#
[aruba:syslog]
TIME_PREFIX = ^
TIME_FORMAT = %b %-d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\n\r]+)
TRUNCATE = 999999
KV_MODE = none
pulldown_type = true
rename = aruba
TRANSFORMS-sourcetypes = aruba_sourcetype_renaming, aruba_kernel_sourcetype_renaming, aruba_httpd_sourcetype_renaming, aruba_fw_visbility_sourcetype_renaming
#
# Renamed sourcetypes
#
[(?::){0}aruba*]
KV_MODE = none
REPORT-aa_aruba_basefields = aruba_basefields
REPORT-aa_aruba_vendor_log_level = aruba_vendor_log_level
REPORT-aa_aruba_message = aruba_message
REPORT-aa_aruba_dvc = aruba_dvc
LOOKUP-aruba_actions = aruba_actions vendor_action OUTPUTNEW action
LOOKUP-aruba_severities = aruba_log_level vendor_log_level OUTPUTNEW log_level
LOOKUP-aruba_events = aruba_events event_id OUTPUTNEW event_description
EVAL-dvc = coalesce(dvc_name,dvc_ip,dvc_host,dvc)
EVAL-dest = coalesce(dest_name,dest_ip,dest_host,dest)
EVAL-src=coalesce(src_name,src_ip,src_host,src)
EVAL-vendor = "Aruba Networks"
EVAL-product = "Aruba OS"
EVAL-vendor_product = "Aruba Networks"
[aruba:aaa]
pulldown_type = false
REPORT-aruba_aaa = aruba_aaa
[aruba:authmgr]
pulldown_type = false
REPORT-aruba_user = aruba_user
REPORT-aruba_traffic = aruba_traffic
REPORT-aruba_authmgr_action = aruba_authmgr_action
REPORT-aruba_src_ip = aruba_src_ip
REPORT-aruba_src_mac = aruba_src_mac
REPORT-aruba_role = aruba_role
REPORT-aruba_reason = aruba_reason
REPORT-aruba_policy = aruba_policy
REPORT-aruba_ssid = aruba_ssid
REPORT-aruba_bssid = aruba_bssid
REPORT-aruba_essid = aruba_essid
REPORT-aruba_method = aruba_method
REPORT-aruba_vlan = aruba_vlan
REPORT-aruba_ap_name = aruba_ap_name
REPORT-aruba_server_group = aruba_server_group
EVAL-transport = lower(transport)
[aruba:cfgm]
pulldown_type = false
[aruba:fpapps]
pulldown_type = false
REPORT-aruba_vlan = aruba_vlan
[aruba:fw_visiblity]
pulldown_type = false
[aruba:httpd]
pulldown_type = false
REPORT-aruba_httpd = aruba_httpd
REPORT-aruba_httpd_src=aruba_httpd_src
REPORT-aruba_httpd_referer = aruba_httpd_referer
REPORT-aruba_uri_path = aruba_uri_path
REPORT-aruba_uri_query = aruba_uri_query
EVAL-url_length = len(url)
[aruba:stm]
pulldown_type = false
REPORT-aruba_stm_ap = aruba_stm_ap
REPORT-aruba_stm_radio = aruba_stm_radio
[aruba:localdb]
pulldown_type = false
REPORT-aruba_sql_query = aruba_sql_query
[aruba:mdns]
pulldown_type = false
REPORT-aruba_mdns_method = aruba_mdns_method
REPORT-aruba_mdns_src_mac = aruba_mdns_src_mac
REPORT-aruba_mdns_src_ip = aruba_mdns_src_ip
REPORT-aruba_mdns_vlan = aruba_mdns_vlan
REPORT-aruba_mdns_role = aruba_mdns_role
REPORT-aruba_mdns_user = aruba_mdns_user
REPORT-aruba_mdns_ap_name = aruba_mdns_ap_name
REPORT-aruba_mdns_ap = aruba_mdns_ap
[aruba:wms]
pulldown_type = false
REPORT-aruba_wms = aruba_wms
REPORT-aruba_wms_change = aruba_wms_change
REPORT-aruba_wms_ap = aruba_wms_ap
REPORT-aruba_wms_additional_info = aruba_wms_additional_info
[aruba:isakmpd]
pulldown_type = false
[aruba:dbsync]
pulldown_type = false
[aruba:sapd]
pulldown_type = false
REPORT-aruba_sapd = aruba_sapd
[aruba:rsyncd]
pulldown_type = false
[aruba:sshd]
pulldown_type = false
[aruba:lldp]
pulldown_type = false
[aruba:kernel]
pulldown_type = false
#
# Sourcetype Fixes
#
[aruba:Visibility]
rename = aruba:fw_visbility
... View more
06-28-2021
04:26 AM
Hello Splunkers, I'm collecting Aruba AP (Aruba Access Point) logs from my rsyslog inputs. I use the Aruba_Networks add-on available on splunk.com to parse the logs. Actually the Splunk collect the "host" field as the IP address of the AP (host = ip). I created a lookup associating a hostname to the ip of the AP : hostname,host
hostname1,ip1
hostname2,ip2
hostname3,ip3
...,...
hostnameN,ipN The issue I get is I want a "hostname" field and an "ip" field but I have neither of these. I tried to change my props.conf file : [(?::){0}aruba*]
LOOKUP-aruba_ap_list=aruba_ap_list host OUTPUTNEW hostname host AS ip and in my transforms.conf (file exist in the lookup folder) : [aruba_ap_list]
filename=aruba_ap_list.csv But the field "hostname" isn't created and the "host" field alias named "ip" isn't created neither. I don't know what I'm doing wrong. Can you help me please ?
... View more
Labels
- Labels:
-
props.conf
-
syslog
-
transforms.conf
04-19-2021
01:56 AM
Hi, I tried to add your line in my props.conf file but the file_name isn't extracted as expected.
... View more
04-16-2021
06:30 AM
Hi Splunkers, I need some help with a regex/command to extract the file name from the file path : path\\to\\the\\file\\file_name or path\\to\\the\\file\\file_name (path\\inside\\file) Actually I have the EVAL command in my props.conf : EVAL-file_name = mvindex(split(filePath,"\\"),-1) The EVAL command working fine for most of the paths. But sometimes, the path is not common and contains parentheses and backslashs after the file_name value... This is some examples of unusual paths I encountered (what I want to extract is in bold) : T:\\test\\FileZilla_3.47.2.1_win64_sponsored-setup.exe (NONAMEFL) C:\\Users\\testuser\\Desktop\\testuser\\Local Settings\\Temporary Internet Files\\Content.IE5\\test\\ocspackage[1].exe($PLUGINSDIR\\$PLUGINSDIR\\RemCom.exe) C:\\TEST\\testing\\@Archives\\@SRV\\SRV_Servers\\tests\\ocs-inventory\\OCSNG_AGENT_DEPLOYMENT_TOOL_1.0.1.2.zip ($INSTDIR\\RemCom.exe) With my actual configuration I extract only the value after the last "\\" of the line... Could you help me to construct that regex/command to be able to exctract the right values ? Thanks
... View more
- Tags:
- props.conf
- regex
Labels
- Labels:
-
field extraction
02-23-2021
06:52 AM
1 Karma
Hello,
I have an error in the "_internal" index (sourcetype=splunkd) on my search head.
You see the error in the logs below :
02-23-2021 14:31:01.735 +0100 ERROR SearchOperator:datamodel - Error in 'DataModelEvaluator': Data model 'Cloud_Infrastructure' was not found. 02-23-2021 14:31:01.735 +0100 ERROR DataModelEvaluator - Data model 'Cloud_Infrastructure' was not found.
I don't understand we shoudn't use this data model, how can I find why/where the data model is called in order to delete or disable it ?
... View more
Labels
- Labels:
-
data model
11-18-2020
07:56 AM
OK, I will try to check it and I will be back to the post. Thanks for the reply @richgalloway and @somesoni2 If the issue comes from the dispatch folder, how can I reduce the max size of the folder in order to solve the issue ? or maybe there is a better way to do this ? Is there a history to check the size of the folder or something directly in Splunk ?
... View more
11-18-2020
07:32 AM
For the moment I found a solution : I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname). So I declared the lookup/fields in the props.conf and the transforms.conf. Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field. Thanks for reply.
... View more
11-18-2020
07:21 AM
Hello, This is my architecture : dedicated indexers (multiple servers on main site) dedicated search head (1 serveron main site) dedicated management server (1 server on main site) dedicated syslog/forwarders (1 server per site) I have an issue with my Search Head. When I check the DMC I can see there are disk usage peaks sometimes and it immediatly goes down. For example, the last peak is today, started at 10:15 and it goes down to 13:45. Meanwhile I don't understand this peaks and where did the data came from ? I checked logs in Splunk but I have no clues. I don't know if I miust check it in Splunk or in Linux. Hope you can help me Splunkers, Regards
... View more
Labels
11-16-2020
06:09 AM
Hello, I will try to describe the situation first; my problem and then ask you my question : This my architecture : 6 stormshield firewalls (one per remote site). 6 rsyslog/forwarders (one per remote site). The rsyslog/forwarders gather logs from /var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log The rsyslog/forwarders send logs to indexers with sourcetype = stormshield and source=/var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log The "host" field is the "%FROMHOST%" folder (defined by the hostname of the firewall) My problem is : The "host" field is not normalized because sometime the hostname is an IP address or the DNS name. I can't change hostname of my firewall because lot of things related to their hostname. I need to use the "host" field because it it used in lot of secruity dashboards. My question is : can I normalized the "host" field by renaming the firewalls somewhere in Splunk ? and how can I do it ? I want to have the "host" coresponding to my new names. Exemple 1 : For the firewall XX.XX.XX.1 (old "host" field) the "host" field must be ABC-001 Exemple 2 : For XX.XX.XX.19, the "host" field must be ABC-019 instead of XX.XX.XX.19, etc. Thanks Splunkers, Regards.
... View more
11-10-2020
03:12 AM
Hello, I tried your solution but it doesn't work. So I splitted my regex into 2 parts : Regex 1 : (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....|...|..|.) (?<response>[^\]]+)\] It extracts : opcode field hexflags field flags field response field Regex 2 : ....\s(?<operation>[R])\s It extracts : operation field And now it works properly !
... View more
11-10-2020
01:43 AM
Hello Splunkers, I'm actually trying to extract the "flags" field in the DNS logs. Meanwhile, the TA provided by Splunk isn't working properly because all logs haven't the same form. This is the regex provided by Splunk to extract flags field : (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\] Log form case 1 : R Q [8381 A DR NXDOMAIN] Log form case 2 : R Q [8081 DR NOERROR] Log form case 3 : Q [0001 D NOERROR] In the case 1 the extract work properly and the field "flags=A DR" but in the case 2 or 3 none of the fields are extracted (because there are only 3 digits in the [] instead of 4). Any idea how to process to extract these values ?
... View more
Labels
- Labels:
-
regex
08-04-2020
07:52 AM
Hello Splunkers, This is my goal : A table with 3 column (field, field_type, field_len) and export it as CSV and CSV file name must be the sourcetype used in input (as a condition). field = list all field for the sourcetype field_type = string, bool, int, etc. field_len = field length The issue is that I must launch the search for each sourcetype in my indexes (that's a lot). My CSV file is that form (it lists all sourcetype I use) : Sourcetype
sourcetype1
sourcetype2
sourcetype3
...
sourcetypeN My query is actually like : index=* sourcetype=MY_SOURCETYPE
| fieldsummary
| eval field_type=typeof(field), field_len=len(field)
| table field, field_type, field_len
| dedup field I want to add the multiple export to CSV and use a CSV in input instead of sourcetype="MY_SOURCETYPE" It could be like : index=main sourcetype=$sourcetype_from_csv_file$
| fieldsummary
| eval field_type=typeof(field), field_lgth=len(field)
| table field, field_type, field_lgth
| depup field
| outputcsv $sourcetype_from_csv_file$.csv How can I build this request as I don't know how to export in search / how to use a csv as input ?
... View more
Labels
- Labels:
-
table
07-28-2020
12:57 AM
Hello, I really need your help guys. I'm still looking for a solution to create this dashboard. Thanks
... View more
07-28-2020
12:51 AM
1 Karma
Hello, I found a solution to my issue : I used a time range picker and used the $time$ token. In the source code of my dashboard (xml) I added 2 lines just after the query : <earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest> So, now its looks like : Thanks for reply.
... View more
07-27-2020
06:09 AM
1 Karma
Hello Splunkers, I have created a dashboard about the number of events indexed per day (history). This what it looks like : My question is, how can I create a select/search field to be able to specify a date (format : YYYY-MM-DD) and display the number of events for this specific date ? For example I specify the "2020-07-26" date in the search field and the dashboard must displays the only line with the date and the number of events at this date (Number of Events = 107119 in the example). Hope you can help me, Regards
... View more
06-26-2020
09:16 AM
Hi Splunkers, I have a testing project in progress to create multiples security dashboards from Microsoft Windows endpoints. For this one, I need to create a dashboard to display the threat detected on each device. My issue is I have actually no control on the McAfee server but I have only the McAfee following log files (%ProgramData%\McAfee\Endpoint Security\Logs) : EndpointSecurityPlatform_Activity.log SelfProtection_Activity.log AccessProtection_Activity.log ThreatPrevention_Activity.log ExploitPrevention_Activity.log OnDemandScan_Activity.log I added the files on the Spunk database but as I never get infected and I really don't know how the logs are working, I can't create my dashboard... Do you have clues about how to detect threat/malware/virus within the previous files to be able to create my dashboard ? Thanks, Splunk experts are really rare. Kevin
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-19-2022
06:31 AM
|
