cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dangeloma
Explorer
Member since: ‎07-24-2020
Community Statistics
Posts 9
Solutions 0
Karma Given 22
Karma Received 2
Member Since ‎07-24-2020
Activity Feed
View All

MS Windows AD Object - Getting Data In - Missing D...

by in All Apps and Add-ons
‎06-02-2021 09:32 AM
‎06-02-2021 09:32 AM
I'm in the process of configuring the MS Windows AD Object app via the Configuration - Getting Data In dashboard and not having any luck with the indexes being recognized. The index status for all indexes is Warning: Missing Data. I have validated the macros are pointing to the correct index and that the macro is working by manually entering the macro into Search and and checking for results. Any ideas? I'm running the latest version of the app and Splunk Enterprise. ... View more

Re: Indexing Log files which are in zip format

by in Getting Data In
‎12-08-2020 10:17 AM
‎12-08-2020 10:17 AM
For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files: https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata  ... View more

Re: Stats count and field with oldest event

by in Splunk Search
‎11-06-2020 04:25 AM
‎11-06-2020 04:25 AM
Thank you, this also got me a lot closer. I ended up having to convert the time with "mktime".   | rename "First Discovered" AS FD | convert timeformat="%b %d, %Y %H:%M:%S %Z" mktime(FD) | stats count min("FD") AS FD BY Plugin,Severity | fieldformat FD=strftime(FD,"%m-%d-%Y %H:%M:%S %Z") | sort -count     This post helped with the conversion: https://community.splunk.com/t5/Splunk-Search/How-can-i-convert-String-Type-Time-field-a-to-a-human-readable/m-p/93941#M24184  ... View more

Re: Stats count and field with oldest event

by in Splunk Search
‎11-05-2020 12:30 PM
‎11-05-2020 12:30 PM
Thank you, that gets me a lot closer. I can't use "_time" because I'm ingesting the data from a CSV. So all of the events are stamped with the same ingestion time. I did modify your search to use the "First Discovered" field. | stats count first("First Discovered") as "First Discovered" by Plugin, Severity It returned "Jul 2, 2020 02:23:25 EDT" but the oldest value I have for the sample plugin I searched is "Sep 9, 2019 18:13:38 EDT". I also tried "| stats count earliest" and the same date was returned. If I run the search with "| sort 1 -"First Discovered" and leave out the stats functions I get the date from 2019. ... View more

Stats count and field with oldest event

by in Splunk Search
‎11-05-2020 12:04 PM
‎11-05-2020 12:04 PM
I'm sure it's out there somewhere and maybe I'm just brain fried from looking at Splunk for too long, but I wasn't able to find or figure it out. Any help linking me to the answer or providing the answer would be greatly appreciated. I'm generating the results shown in the screen capture with this search - index="<my index>" sourcetype="<my sourcetype>" | stats count BY Plugin,Severity | sort -count I'd like to add a column called "First Discovered" which contains a date value and I only want to see the oldest date from that field data. If I add to the stats count command "First Discovered" it's not going to work because there are multiple unique values. What's the best way to return the data I already have but add a column containing the oldest date from the field "First Discovered", for each of the Plugins. "First Discovered" data sample is - Jul 2, 2020 02:23:25 EDT and in case I wasn't clear, this field is extracted from the logs along with the "Plugin" and "Severity" fields. Thanks in advance! ... View more
Labels

Re: Splunk App for Windows Infrastructure, Guided ...

by in All Apps and Add-ons
‎10-30-2020 05:50 AM
1 Karma
‎10-30-2020 05:50 AM
1 Karma
Can you determine if data for those sourcetypes exist? Maybe run a search for each of those sourcetypes across the past 24 hours to make sure you are even ingesting that data. If so, determine which index the data is going to and see if that index aligns with the index the app is searching. You may need to change which index the app is searching or send the data to the index the app is searching. I remember when I set up the add-ons and apps for Windows all of the recommendations for sourcetypes and indexes were covered in the docs.  https://docs.splunk.com/Documentation/MSApp/2.0.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindows I know you said the indexes aren't present and you rebuilt the indexer, maybe the data is going to an index that no longer exists on the indexer. Bottom line, I would determine if you are even getting the data into an index and go from there. Hope this provides some help. ... View more

Splunk Add-on for McAfee ePO Syslog Dashboards

by in All Apps and Add-ons
‎10-30-2020 05:25 AM
1 Karma
‎10-30-2020 05:25 AM
1 Karma
Does anyone have any queries or dashboards they would be willing to share for use with data being ingested via syslog and leveraging the Splunk Add-on for McAfee ePO Syslog? I started to write my own but would rather not re-create the wheel if I don't need to.   Thanks in advance! ... View more
Labels
Contact Me
Karma from
View All
Karma given to