×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lukeasplunk
Observer
Member since: ‎10-22-2020
‎11-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-22-2020
Activity Feed
View All

How to create an alert via geostats count by Count...

by in Alerting
‎11-05-2020 10:18 AM
‎11-05-2020 10:18 AM
I am trying to create an alert based on sourcetype=iis | iplocation True_Client_IP | geostats count by Country that if one of my true client IPs show up in a Country where its not supposed to be it will generate an alert with the IPs listed. I think I would some how need to input a list of locations that would trigger such an alert.  Any help on how to create such an alert would be appreciated. ... View more
Labels

Re: Time Stamps not seperating

by in Getting Data In
‎11-05-2020 09:55 AM
‎11-05-2020 09:55 AM
See above response ... View more

Re: Time Stamps not seperating

by in Getting Data In
‎10-29-2020 10:51 AM
‎10-29-2020 10:51 AM
Yes each event any time there is a new MXT time should be a separate event.  I recently changed the host settings to constant value from regex value. I think I need to fix the event breaks so it doesnt think the entire file is one event.  See the default for props.conf below:   [default] CHARSET = AUTO LINE_BREAKER_LOOKBEHIND = 100 TRUNCATE = 10000 DATETIME_CONFIG = \etc\datetime.xml ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True HEADER_MODE = MATCH_LIMIT = 100000 DEPTH_LIMIT = 1000 MAX_DAYS_HENCE=2 MAX_DAYS_AGO=2000 MAX_DIFF_SECS_AGO=3600 MAX_DIFF_SECS_HENCE=604800 MAX_TIMESTAMP_LOOKAHEAD = 128 SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True MAX_EVENTS = 256 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = TRANSFORMS = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard LEARN_SOURCETYPE = true LEARN_MODEL = true maxDist = 100 AUTO_KV_JSON = true detect_trailing_nulls = auto sourcetype = priority = ... View more

Time Stamps not seperating

by in Getting Data In
‎10-22-2020 12:52 PM
‎10-22-2020 12:52 PM
Hello Splunk Community, Just starting out configuring Splunk and having an issue with my Time Stamps and line Breaks.  Currently Events in the log are using one time stamp seen below in the top left (red).  I want to separate all the events that have all their unique MXT time events (green).  I tried setting sourcetypes to Auto but also believe I need to fix my line breaks and not sure how/where to configure this. Any help is appreciated, thank you. Example: 10/22/20 3:45:04.000 AM ... 24 lines omitted ... BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFERER) SUS BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFDGWR) SUS BLANKUSER 10/16/20 07:00:07 MXT   CMND TSS CRE(DFETET) NAME('DOE, JOHN') TYPE(USER) DEPT(SA81195) PASS( ,60,EXP) PROFILE(PRO                                       ADTCS) BLANKUSER  10/16/20 07:00:08 MXT   CMND TSS ADD(EREFETE) DSNAME(DRERER.) ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-05-2020 04:33 PM