Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Flobzh
Flobzh
Engager
Member since:
09-17-2020
09-21-2021
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-17-2020 |
Activity Feed
- Posted Re: Splunk cloud version tracking on Building for the Splunk Platform. 09-21-2021 02:32 AM
- Posted Splunk cloud version tracking on Building for the Splunk Platform. 09-17-2021 09:17 AM
- Posted Partial obfuscation in Splunk Cloud on Getting Data In. 06-16-2021 07:33 AM
- Tagged Partial obfuscation in Splunk Cloud on Getting Data In. 06-16-2021 07:33 AM
- Posted How to use metadata/header for all the following events on Splunk Search. 05-10-2021 04:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-21-2021
02:32 AM
Hello, What do you mean by entitlement? Is it something that we can configure in Splunk web UI? Thanks
... View more
09-17-2021
09:17 AM
Hello, We are using Splunk Cloud and frequently we get updates of our instance, it's fine so we are always up-to-date. The issue is that we have no warning before it happens and the update sometimes has some impacts that we only discover later. Questions: -How to know when an update will happen? -How can we get an history of updates of our instances. This search gives me the last restart of the instance and the version, but it doesn't necessary mean that the update was done at that time. | rest /services/server/info | eval LastStartupTime=strftime(startup_time, "%Y/%m/%d %H:%M:%S") | table LastStartupTime , version Thanks for your help
... View more
Labels
- Labels:
-
other
06-16-2021
07:33 AM
Hello experts, I'm trying to obfuscate the UserName and ComputerName from my events before indexation, while keeping the possibility of using the data to group from a common source. Configuration: data are pushed by a UniversalForwarder (no transform options) to a SplunkCloud instance (limited setup). Example: I have this: time1|UserName=user1|ComputerName=FR1234|EventStart time2|UserName=user1|ComputerName=FR1234|EventEnd time3|UserName=user2|ComputerName=US4321|EventStart time4|UserName=user2|ComputerName=US4321|EventEnd time5|UserName=user1|ComputerName=US4321|EventStart time6|UserName=user1|ComputerName=US4321|EventEnd And want something like this: time1|UserName=#####|ComputerName=FR#|GeneratedSessionID=eifiweuh|EventStart time2|UserName=#####|ComputerName=FR#|GeneratedSessionID=eifiweuh|EventEnd time3|UserName=#####|ComputerName=US#|GeneratedSessionID=fwefwe|EventStart time4|UserName=#####|ComputerName=US#|GeneratedSessionID=fwefwe|EventEnd time5|UserName=#####|ComputerName=US#|GeneratedSessionID=hkukuyy|EventStart time6|UserName=#####|ComputerName=US#|GeneratedSessionID=hkukuyy|EventEnd Where GeneratedSessionID=function(user1,FR1234,encryptKey) or something similar. Meaning that the same couple computer+user will always create the same GeneratedSessionID I'm looking at adding a SECCMD setting on the Advanced tab of my SourceType. I see how to anonymize the UserName and ComputerName, but not how to add a new field based on the others. Any advise in that direction would be welcome, or any solution that will match with the restriction of my configuration. Thanks in advance Florent
... View more
- Tags:
- seccmd
Labels
05-10-2021
04:55 AM
Dear all, I'm trying to retrieve some log metadata and associate them to all my events. Exemple: When my application starts, I'll get a few lines with what I'm calling metadata here (version, env, user, ... ) and then, the raw logs start. 2021-05-10T09:53:21.122+02:00|Criticity=INFO|Message=Version:3.4;Env=production 2021-05-10T09:53:46.474+02:00|Criticity=INFO|Message=blabla 2021-05-10T09:53:46.474+02:00|Criticity=DEBUG|Message=blabla2 2021-05-10T09:53:46.478+02:00|Criticity=DEBUG|Message=blabla3 I want this Version and Env to be usable as a field in all my events. Like if each event looked something like this from a sub-query search standpoint: 2021-05-10T09:53:46.474+02:00|Criticity=INFO|Message=blabla|Version:3.4;Env=production 2021-05-10T09:53:46.474+02:00|Criticity=DEBUG|Message=blabla2|Version:3.4;Env=production 2021-05-10T09:53:46.478+02:00|Criticity=DEBUG|Message=blabla3|Version:3.4;Env=production What would be the solution to end up with such usage? Context: The application I want to monitor is a heavy client, the users can choose the environnement to connect to from their desktop, and I capture the logs via a UniversalForwarder to Splunk Cloud. I don't have much control on the log format, I've to go with this one. Thanks in advance for your help
... View more
Labels
- Labels:
-
field extraction
-
fields
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-21-2021
05:53 AM
|
