Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About boromir
boromir
Explorer
Member since:
07-31-2020
a month ago
Community Statistics
| Posts | 11 |
| Solutions | 2 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 07-31-2020 |
Activity Feed
- Karma Re: After deleting an alert on our Splunk Cloud instance, why am I getting spammed with email alerts? for htidore. a month ago
- Karma Re: Restarting Splunk triggers all my alerts (and floods my inbox) for nickhills. a month ago
- Posted Re: dynamically assigned maxspan in transactions on Splunk Search. 01-15-2021 03:19 AM
- Tagged Re: dynamically assigned maxspan in transactions on Splunk Search. 01-15-2021 03:19 AM
- Karma Re: dynamically assigned maxspan in transactions for ITWhisperer. 01-15-2021 03:18 AM
- Posted Re: dynamically assigned maxspan in transactions on Splunk Search. 01-14-2021 04:40 AM
- Posted dynamically assigned maxspan in transactions on Splunk Search. 01-14-2021 04:09 AM
- Posted Re: wrong year in _time on Getting Data In. 11-12-2020 01:57 AM
- Posted Re: wrong year in _time on Getting Data In. 11-11-2020 11:18 PM
- Posted wrong year in _time on Getting Data In. 11-11-2020 03:10 AM
- Posted Re: Why is my alert not triggering? on Alerting. 09-02-2020 12:00 AM
- Posted Re: WILDCARD in LookUp .csv files on Splunk Search. 08-04-2020 03:06 AM
- Posted Re: WILDCARD in LookUp .csv files on Splunk Search. 08-03-2020 03:16 AM
- Posted Re: WILDCARD in LookUp .csv files on Splunk Search. 07-31-2020 02:29 AM
- Tagged WILDCARD in LookUp .csv files on Splunk Search. 07-31-2020 02:20 AM
- Posted WILDCARD in LookUp .csv files on Splunk Search. 07-31-2020 01:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-15-2021
03:19 AM
hi, this thing does work and provide the expected result, I have to say that i was hping to make it a bit simpler, but hey, if it works, it works. Thanks!
... View more
- Tags:
- This
01-14-2021
04:40 AM
Hi, unfortunately no, I tried it.....to no avail. I have also tried with changing the mx_span using eval span=tonumber(mx_span), in case the maxspan does like only integer values, but it didn't work.
... View more
01-14-2021
04:09 AM
Hi I am searching for an option to dynamically assign value for MAXSPAN in a transaction. The value should come as a result of a LOOKUP. So far I have no success whatsoever. I have tried the proposed solution here: https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398004 however this does not work for me, in particular the proposed solution "fixes" the maxspan to the value in the eval expression. which is 7m in this case. | makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$" in essence i would like to be able to notify myself for related events that happen for a certain period of time, however that time and the number of event per each type is dynamically assigned as per the lookup. here is an example of my search line: sourcetype=servername host=hostname |lookup flex_test f1 as f1 OUTPUT mx_span AS mx_span , ev_count AS ev_count |transaction f1 f2 maxspan={dynamic value should come here} |eval alert = if(eventcount>ev_count,"ev_ALERT","OK") |...... and here is an example of the lookup table (tried different formats) f1,mx_span,ev_count 34,1,5 35,60,10 36,2m,5 kind regards!
... View more
Labels
- Labels:
-
transaction
11-12-2020
01:57 AM
Just an update, We got a different perspective now. We managed to take a fresh look at it , and as usual the problem was easy to solve and infront of our eyes. Date formats.....it is just that we are used to D/M/Y, while the SPLUNKs defaults are M/D/Y ..... 🙂 kind regards!
... View more
11-11-2020
11:18 PM
Hi, thanks for the response. I spent a bit more time trying to narrow down the actual problem, and have some new findings. The year change actually happened only once, and it could have been because of a SPLUNK restart, or restart of some of the machines with the Forwarders(or any other event) however, i managed to find out that it is not the year change was that is the real problem . It seems that the search plays some game with us when searching for events. here is an explanation. An event is logged and existing(known date, know hour) alert is triggered - correctly alert_fire event is logged correctly in _audit if search for the actual event in logs (_main index)is performed using "All time" option, the event is present in the results if the search is performed using any "Relative" option the event is not present - despite the event being within the relative range if the search is performed using "Date range" or "Date and time range" with "before" sub-option, the event is there and it is fine. If i use the aforementioned options with "Since or Between" sub-options.....nothing That is for every type of event , and so far I do not see any connection to Sourcetype or Host..... baffling isn't it....
... View more
11-11-2020
03:10 AM
Hi, I have several data sources that have each their own timestamp(different times, one format) due to Geo differences, however according to source_type time settings, they should all be indexed according to the time of the enterprise. That works like a charm most of the times, however every now and then, SPLUNk decides to change the year of my events from 2020 to 2019, or some other time change. This does not happen to all indexes, For example , I read the _audit for fired alerts, which are then dashboareded correctly, however, the events themselves are nowhere to be found, unless I decide to change the search to 2019. So far I can not relate such situations to anything out of normal. Any ideas? kind regards!
... View more
Labels
- Labels:
-
time
09-02-2020
12:00 AM
I have a similar issue..... my Real-Time alerts are triggering always, no problem with that, mails are being received, so no issue there. However the scheduled alerts are not always triggering. I have days when the alerts are fine, and then i have days when though the search finds an event, the alert is never triggered. We do suspect that the difference between system time and the time stamp of the event might have something into that, but will let you know if we manage to prove it. regards!
... View more
08-04-2020
03:06 AM
Hi all, I have to say , I found the issue that was bugging me. As suggested, it was something simple , that was in front of me all the time. Here is what didn't work: sourcetype="log2" | lookup ranges.csv comment OUTPUT state | table comment state And here is what worked: sourcetype="log2" | lookup ranges comment OUTPUT state | table comment state I can't believe I didn't figure it out earlier, but hey, learning is a process 🙂 Thanks!
... View more
08-03-2020
03:16 AM
Hi, Thanks, I will try to explain it better. My client provides me a table(csv 1000x lines , 2 columns) with prefixes that I will be able to find in the logs from the monitored equipment. Based on those prefixes, I have to structure them, assign them new values, which we will use later. Based on what I have read, Lookup with wildcard in the lookup table is the solution to my challenge, and based on https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/... I should be able to get exactly what i need, however , it still doesn't work. I have tested your example, but it gets me exactly the same result. The wildcard does not match. Kind regards!
... View more
07-31-2020
02:29 AM
Hi, Thanks for responding:) Exacltly the same. I feel like I am missing something. I can't even make the example work. As mentioned, I am now fighting to make the example from the link to work, and have completely put my put my case on the backburner. So here is what i have , and doesn't work: userlookup.csv user,username user*,USERNAME transforms.conf [userlookup] batch_index_query = 0 case_sensitive_match = 1 filename = userlookup.csv match_type = WILDCARD(user) Props.conf [log2] LOOKUP-user = userlookup user OUTPUT username ...And for the full picture : I think that the solution is in front of my eyes, but I fail to see it.
... View more
07-31-2020
01:31 AM
Hi all, I have a challenge, that i have been struggling for the past few days, and can't find the correct solution. I have read https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513 and done pretty much exactly the same thing, but it doesn't work for me. So here are the details. I have a simple lookup csv file (2 columns ), first one with starting digits prefix, state 23401*, log1 23402*,log2 34602*,log5 ....etc I have used the GUI to create the lookup definitions, but i have also double-cheked transformes.conf and props.conf. It is exactly as in the example in the link. I can't make the wildcard work for me. Here is a simple search line just to illustrate source="log2.log" host="prod-splunk-indexer" sourcetype="testsource" | lookup prefixlookup.csv prefix OUTPUT state | table prefix state If i create lookup with exact matches, it works for the match everytime, however, my client requires only prefixchecks, and to me WILDCARD is the only solution. Any ideas? PS. I have actually created exact replica of the case(user,username, userlookup, etc) in the linked example, still doesn't work Have a great day!
... View more
- Tags:
- wildcard
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
