Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About asing13
asing13
Path Finder
Member since:
09-13-2020
07-18-2021
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 6 |
| Member Since | 09-13-2020 |
Activity Feed
- Posted Re: Junk characters showing when I use stats with list command to get the logins and logout of a VPN on Splunk Search. 07-17-2021 09:53 AM
- Posted Re: Junk characters showing when I use stats with list command to get the logins and logout of a VPN on Splunk Search. 07-17-2021 09:42 AM
- Posted Junk characters showing when I use stats with list command to get the logins and logout of a VPN on Splunk Search. 07-17-2021 09:41 AM
- Tagged Junk characters showing when I use stats with list command to get the logins and logout of a VPN on Splunk Search. 07-17-2021 09:41 AM
- Tagged Junk characters showing when I use stats with list command to get the logins and logout of a VPN on Splunk Search. 07-17-2021 09:41 AM
- Tagged Junk characters showing when I use stats with list command to get the logins and logout of a VPN on Splunk Search. 07-17-2021 09:41 AM
- Karma Re: Diff and % calculation 1st row vs 2nd row for Richfez. 12-01-2020 05:51 AM
- Posted Re: Extract a specific field values from a table in Splunk on Splunk Search. 12-01-2020 01:39 AM
- Karma Re: Extract a specific field values from a table in Splunk for Richfez. 12-01-2020 01:39 AM
- Posted Extract a specific field values from a table in Splunk on Splunk Search. 11-30-2020 01:03 PM
- Tagged Extract a specific field values from a table in Splunk on Splunk Search. 11-30-2020 01:03 PM
- Tagged Extract a specific field values from a table in Splunk on Splunk Search. 11-30-2020 01:03 PM
- Tagged Extract a specific field values from a table in Splunk on Splunk Search. 11-30-2020 01:03 PM
- Tagged Extract a specific field values from a table in Splunk on Splunk Search. 11-30-2020 01:03 PM
- Tagged Extract a specific field values from a table in Splunk on Splunk Search. 11-30-2020 01:03 PM
- Posted Re: Enable user id and password for starting splunk on Installation. 11-17-2020 02:37 AM
- Karma Re: Enable user id and password for starting splunk for richgalloway. 11-17-2020 02:35 AM
- Posted Enable user id and password for starting splunk on Installation. 10-29-2020 04:26 PM
- Tagged Enable user id and password for starting splunk on Installation. 10-29-2020 04:26 PM
- Tagged Enable user id and password for starting splunk on Installation. 10-29-2020 04:26 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
07-17-2021
09:53 AM
eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity,list(_time) as Time by SourceUserName |convert ctime(Time)|sort SourceUserName,-Time
... View more
07-17-2021
09:42 AM
More examples of the issue.
... View more
07-17-2021
09:41 AM
Dear Community Members , In splunk cloud instance : I am trying to get VPN login and logout for users in a single table sorted by Username and Time. The query is as below: eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity,list(_time) as Time by SourceUserName |rename SourceUserName as username|convert ctime(Time)|eval username=upper(username)|sort username,-Time The search is for a period of 24 hours. I am getting the data but along with it, I see junk characters (if I may call them so). Kindly help to understand how to resolve the same. I also tried adding limit=0 along with stats command but no use. Below is the screenshot of the fields. I have not shown the username field for security reasons. I have used a similar query for another VPN and it works fine there and I don't see these characters ! Regards, Abhishek Singh
... View more
Labels
- Labels:
-
fields
-
other
-
search job inspector
-
stats
12-01-2020
01:39 AM
Dear @Richfez , First of all, I would like to thank you for the quick response ! I tried the above mentioned query and this came as the output : Seems to be working perfectly but one issue which I noticed is the time stamp. It gives time 2 hours back. I tried to create a query, which is not how I should have done it but it seems to give me the required output: earliest=-1h@h latest=now index=_internal blocked=true name IN (parsingqueue,typingqueue,aggqueue,indexqueue,auditqueue,exec) | stats count | append [ search earliest=-2h@h latest=-1h@h index=_internal blocked=true name IN (parsingqueue,typingqueue,aggqueue,indexqueue,auditqueue,exec) | stats count] | append [| makeresults | eval count=relative_time(now(), "@h") | convert timeformat="%m\%d\%y %l:%M.%S%p" ctime(count) | fields - _time] | transpose header_field=a | fields - column | rename "row 1" as "event1","row 2" as "event2", "row 3" as Time | eval Event_This_Hour=(tonumber(event1)) | eval Event_Last_Hour=(tonumber(event2)) | eval change=Event_This_Hour-Event_Last_Hour | rename change as "Change_In_Number_Of_Events" | table Time,Event_This_Hour,Event_Last_Hour,"Change_In_Number_Of_Events" If it is not much of a pain to you, I would like to request you to take a look at this and provide your valuable suggestions: Once again, thanks alot @Richfez !!!! Regards, Abhishek Singh
... View more
11-30-2020
01:03 PM
Dear All, My question might seem naive and pardon me for that. I want to create an alert for data not being processed. The below was my query. An alert would be triggered, if the number of event are greater than 5000 or if the number of events are greater than 1000 and the change in events are more than 1000 between 2 hours. Used delta to get the difference. I am able to give the conditions and I am able to alert as well. However, I wanted to check if we could extract a specific column from a specific row and column number and create another table. For example, please look at below table. I want to create a new table with number of event at 15:00:00 , number of event at 14:00:00 , Change in number of events. Kindly let me know how to achieve the same.
... View more
11-17-2020
02:37 AM
Thanks alot @richgalloway ! Sorry I got confused with other operations we do in splunk like adding the deployment manager, etc which requires the user and password.
... View more
10-29-2020
04:26 PM
Hi Team, I started splunk with the below command after installation: ./splunk start --no-prompt --accept-license I then created a user using the below CLI command: splunk add user asing13 -role Admin -password notmypassword But now I don't get asked a password when start or stop splunk. How can I enable userid and password check for starting and stopping splunk. I have already gone through the below documentation but did not find my answer. Tried creating file and the hashed password and all stuff written. Maybe I missed something : https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Secureyouradminaccount Took backup of ldap.conf file as well to check if that could be the reason but still splunk doesn't ask for userid and password. Any help would be highly appreciated ! Thank you in Advance ! Regards, Abhishek Singh
... View more
10-23-2020
03:01 AM
2 Karma
Thank you @arjunpkishore5 ! I used these two queries : |eventcount summarize=false index=* report_size=true | eval GB=(size_bytes/1024)/(1024*1024) | stats sum(GB) as total by index|sort -total And | tstats earliest(_indextime) AS indexing_time where index=* OR index=_* by index|convert ctime(indexing_time) timeformat="%m/%d/%Y" The first query gave me all the disk space event logs would take (without a replication factor). I checked and found out that the replication factor is 3. Multiplied the values with 3 and got the total disk space required by each index (With replication). Now, I took the second query and got the total number of days from which the first indexing happened for an indexer. I got the total number of days for which indexers are being used by by substracting with current date. Now, I took the average disk required by dividing the two outputs and estimated the disk spaces for the next 3months, 6 months, 9 months and 12 months. Hope the way I took is ok. Regards, Abhishek Singh
... View more
10-23-2020
02:54 AM
1 Karma
Hi @o_calmels , Hope you are doing good during this pandemic. Actually, I want to combine 2 dashboards in one PDF, I assume that only one PDF could be generated for one dashboard and combining two dashboard to create one PDF is not out of the box. Not sure if my assumption is right or wrong. Could you please help me in understanding the same. If you have any links where I could get some info related to combining two dashboards together to generate a single scheduled view which in turn I could send it as a single pdf report then that would be awesome! Regards, Abhishek Singh
... View more
10-22-2020
02:42 PM
1 Karma
Hi Team, I wanted to ask if it is possible to create one pdf file from two dashboards using one rest API call or multiple API calls. I tried individually and they work as below: curl -u user:password -k https://localhost:8089/services/pdfgen/render?input-dashboard=health_overview >> test1.pdf (test1.pdf was created successfully) curl -u user:password -k https://localhost:8089/services/pdfgen/render?input-dashboard=sales_dashboard >> test2.pdf (test2.pdf was created successfully) Now, I have tried the below but none of them seems to work. I am certainly doing something terribly wrong. curl -u user:password -k https://localhost:8089/services/pdfgen/render?input-dashboard=health_overview >> test3.pdf curl -u user:password -k https://localhost:8089/services/pdfgen/render?input-dashboard=sales_dashboard >> test3.pdf (The result is that only sales_dashboard data is available and over writes health_overview) Then tried this : curl -u user:password -k https://localhost:8089/services/pdfgen/render -d input-dashboard=health_overview -d input-dashboard=sales_dashboard_clone_1 >> okdokey.pdf (The second paramerter(sales_dashboard) overwrites the first written pdf) Then I tried this: curl -u user:password -k https://localhost:8089/services/pdfgen/render?input-dashboard=sales_dashboard_clone_1?input-dashboard=health_overview >> testClone2.pdf (And Of course, this was a terrible stupidity and didn't work as expected and threw error. ) I don't want to use any python external module (like pyPDF and pdfwriter) to combine the PDFs. Any help/workaround would be appreciated. Any out of the box technique would be highly appreciated. Thanks In Advance! Regards, Abhishek Singh
... View more
Labels
- Labels:
-
other
10-22-2020
02:20 PM
1 Karma
Thanks @richgalloway ! I asked a guy to check the cloud monitoring app and it seems that the Query 1 is closer to the ingested volume of data that is shown in the app. I have a follow up question. If I need to calculate how much disk space will be required at server level, what all factors do I need to check. I believe that there is something as a multiplication factor(for replication of data) which determines the space taken by the data. What all other factors do I need to take care before coming to a conclusion?
... View more
10-22-2020
08:33 AM
1 Karma
Hi Team, Please note - No Admin privilege to run query on _internal index I want to calculate the amount of data ingested into splunk to evaluate licensing/disk space needs. I have two queries which I ran for 24 hours and for 30 days and in both I got different outputs with alot of difference. Query 1: index=* | eval size=len(_raw) | eval gbsize=(size/1024/1024/1024) | stats sum(gbsize) by index Query 2: | dbinspect index=*|eval sizeOnDiskGB=(sizeOnDiskMB/1024) | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskGB) AS diskTotalinGB by index|sort -diskTotalinGB I see a difference of around 3-4 GB for some indexes and presume one of these queries or even both of these queries might not be correct. Can anyone kindly suggest which one is the correct one to use. I can't use _internal as mentioned above. Thanks in Advance! Regards, Abhishek Singh
... View more
Labels
- Labels:
-
other
10-21-2020
11:25 PM
Hello Team, This is for Splunk Cloud Version 7.2 . I have a dashboard and by default it runs for a time range of last 24 hours. Time picker is also available on the dashboard (for the visualizations and reports). I need to generate a PDF and schedule it's delivery to a list of users every 3 months. The issue is that I want the time range for this dashboard to be for a period of 3 months instead of last 24 hours before publishing the PDF. Is it possible to achieve the same or do I need to create separate a dashboard for a period of 3 months to achieve the same? I tried looking up for answers over the community but I was unable to find the one which could answer my query. Any help/suggestion would be greatly appreciated. Thanks !
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-18-2021
09:32 AM
|
