Activity Feed
- Got Karma for Splunk Add-on for McAfee ePO Syslog Dashboards. 03-21-2022 11:20 AM
- Karma Re: KV Store Process Terminated for jbradshaw. 07-28-2021 10:51 AM
- Karma Re: What should be added to my search to convert all the results to be lower case? for cmerriman. 07-19-2021 10:28 AM
- Karma Re: splunk app for palo Alto , Time Zone issue in the logs we received for GW. 06-28-2021 10:06 AM
- Karma Re: How do you subtract values from an appended search? for vishaltaneja070. 06-23-2021 09:56 AM
- Karma Re: Stats sum function for lguinn2. 06-23-2021 09:41 AM
- Karma Re: How to get a total count and count by specific field displayed in the same stats table? for somesoni2. 06-23-2021 08:53 AM
- Karma Re: get latest value and timestamp for stoomart. 06-23-2021 07:40 AM
- Karma Re: Insert a heading between rows and customise it.? for DalJeanis. 06-23-2021 07:34 AM
- Posted Re: MS Windows AD Object - Getting Data In - Missing Data on All Apps and Add-ons. 06-02-2021 09:33 AM
- Posted MS Windows AD Object - Getting Data In - Missing Data on All Apps and Add-ons. 06-02-2021 09:32 AM
- Karma Re: Why won't my multiple "eval if match" expressions work? for martin_mueller. 04-06-2021 06:56 AM
- Karma Re: how to find the earliest and latest event in an index? for ziegfried. 12-09-2020 09:22 AM
- Karma Re: how to find the earliest and latest event in an index? for Lowell. 12-09-2020 09:22 AM
- Posted Re: Indexing Log files which are in zip format on Getting Data In. 12-08-2020 10:17 AM
- Karma Re: Indexing Log files which are in zip format for lguinn2. 12-08-2020 10:17 AM
- Karma Re: Filename was different, therefore source is not indexed. Why? for Simeon. 11-12-2020 08:06 AM
- Posted Re: Stats count and field with oldest event on Splunk Search. 11-06-2020 04:25 AM
- Karma Re: How can i convert String Type Time field(a) to a human readable Date Type Time field(#)? for ghostworks. 11-06-2020 04:10 AM
- Karma Re: Stats count and field with oldest event for bowesmana. 11-06-2020 03:25 AM
06-02-2021 09:32 AM
I'm in the process of configuring the MS Windows AD Object app via the Configuration - Getting Data In dashboard and not having any luck with the indexes being recognized. The index status for all indexes is Warning: Missing Data. I have validated the macros are pointing to the correct index and that the macro is working by manually entering the macro into Search and checking for results. Any ideas? I'm running the latest version of the app and Splunk Enterprise.
Labels: configuration, troubleshooting
12-08-2020 10:17 AM
For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files: https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata
11-06-2020 04:25 AM
Thank you, this also got me a lot closer. I ended up having to convert the time with "mktime".

```
| rename "First Discovered" AS FD
| convert timeformat="%b %d, %Y %H:%M:%S %Z" mktime(FD)
| stats count min("FD") AS FD BY Plugin,Severity
| fieldformat FD=strftime(FD,"%m-%d-%Y %H:%M:%S %Z")
| sort -count
```

This post helped with the conversion: https://community.splunk.com/t5/Splunk-Search/How-can-i-convert-String-Type-Time-field-a-to-a-human-readable/m-p/93941#M24184
11-05-2020 12:30 PM
Thank you, that gets me a lot closer. I can't use "_time" because I'm ingesting the data from a CSV, so all of the events are stamped with the same ingestion time. I did modify your search to use the "First Discovered" field.

```
| stats count first("First Discovered") as "First Discovered" by Plugin, Severity
```

It returned "Jul 2, 2020 02:23:25 EDT", but the oldest value I have for the sample plugin I searched is "Sep 9, 2019 18:13:38 EDT". I also tried `| stats count earliest` and the same date was returned. If I run the search with `| sort 1 -"First Discovered"` and leave out the stats functions, I get the date from 2019.
11-05-2020 12:04 PM
I'm sure it's out there somewhere and maybe I'm just brain fried from looking at Splunk for too long, but I wasn't able to find or figure it out. Any help linking me to the answer or providing the answer would be greatly appreciated. I'm generating the results shown in the screen capture with this search:

```
index="<my index>" sourcetype="<my sourcetype>" | stats count BY Plugin,Severity | sort -count
```

I'd like to add a column called "First Discovered" which contains a date value, and I only want to see the oldest date from that field data. If I add "First Discovered" to the stats count command it's not going to work because there are multiple unique values. What's the best way to return the data I already have but add a column containing the oldest date from the field "First Discovered" for each of the Plugins? A "First Discovered" data sample is "Jul 2, 2020 02:23:25 EDT", and in case I wasn't clear, this field is extracted from the logs along with the "Plugin" and "Severity" fields. Thanks in advance!
10-30-2020 05:50 AM
1 Karma
Can you determine if data for those sourcetypes exist? Maybe run a search for each of those sourcetypes across the past 24 hours to make sure you are even ingesting that data. If so, determine which index the data is going to and see if that index aligns with the index the app is searching. You may need to change which index the app is searching or send the data to the index the app is searching. I remember when I set up the add-ons and apps for Windows all of the recommendations for sourcetypes and indexes were covered in the docs. https://docs.splunk.com/Documentation/MSApp/2.0.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindows I know you said the indexes aren't present and you rebuilt the indexer, maybe the data is going to an index that no longer exists on the indexer. Bottom line, I would determine if you are even getting the data into an index and go from there. Hope this provides some help.
10-30-2020 05:25 AM
1 Karma
Does anyone have any queries or dashboards they would be willing to share for use with data being ingested via syslog and leveraging the Splunk Add-on for McAfee ePO Syslog? I started to write my own but would rather not re-create the wheel if I don't need to. Thanks in advance!
Labels: dashboard