Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ivan123357
ivan123357
Explorer
Member since:
11-09-2020
03-21-2024
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 11-09-2020 |
Activity Feed
- Posted Filter events to nullQueue on Getting Data In. 03-21-2024 05:14 AM
- Posted Re: Incorrect time extraction on Getting Data In. 12-12-2023 08:54 AM
- Posted Re: Incorrect time extraction on Getting Data In. 12-12-2023 08:28 AM
- Posted Incorrect time extraction on Getting Data In. 12-12-2023 08:11 AM
- Karma Re: Query with an additional condition for ITWhisperer. 12-12-2023 07:55 AM
- Karma Re: Query with an additional condition for gcusello. 12-12-2023 07:55 AM
- Posted Query with an additional condition on Splunk Search. 10-25-2023 06:55 AM
- Posted Re: Splunk query with condition verification on Splunk Search. 09-18-2023 01:26 PM
- Karma Re: Splunk query with condition verification for richgalloway. 09-18-2023 01:26 PM
- Posted How to create a search with condition verification? on Splunk Search. 09-18-2023 09:41 AM
- Posted Re: Search hosts, Windows updates on Splunk Search. 11-10-2020 01:32 AM
- Posted Re: Search hosts, Windows updates on Splunk Search. 11-09-2020 11:51 AM
- Posted Re: Search hosts, Windows updates on Splunk Search. 11-09-2020 10:24 AM
- Posted Search hosts, Windows updates on Splunk Search. 11-09-2020 09:08 AM
- Tagged Search hosts, Windows updates on Splunk Search. 11-09-2020 09:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-21-2024
05:14 AM
Hi! I am faced with the following problem. I need to filter the logs that I receive from the source. I get the logs via Heavy-Forwarder, using the following config: inputs.conf [udp://4514]
index=mylogs
sourcetype = mylogs:leef Before writing regex I tried the following configuration: props.conf [mylogs:leef]
TRANSFORMS-null= setnull_mylogs transoforms.conf [setnull_mylogs]
REGEX= .
DEST_KEY=queue
FORMAT=nullQueue But it is not working, I still receiving all events in indexes. This conf files store in <heavy_folder>/etc/apps/<app_name>/local. May be I need to use another stanza name in props, but I tried [source::udp://4514] and it is not working. Any ideas? My goal than to write a few regex and receive only useful logs from this source. Thank you.
... View more
Labels
- Labels:
-
heavy forwarder
12-12-2023
08:54 AM
Thanks for your answers. I tried both options. I removed everything about time from SHs and Indexers. Put your config to HF (changed timezone), restart splunkd process and generate a few new events. And again, it was indexed incorrect. I dont know why, but HF still thinking that time inside event is UTC, how i understood it is because timestamp inside event has "Z", but it is incorrect, this timestamp in my timezone, and splunk convert this correct timestamp into my timezone because he is thinking that it is UTC. Timezone i used from this url : https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
... View more
12-12-2023
08:28 AM
Yeah, sure 2023-12-12T19:39:25.400399Z <ip_address> CEF:0|vendor|product|version|AuditMessage_707|description|4|messageId=666 messageCategory=AuditMessage start=2023-12-12T19:39:25.400399Z user=user node=<ip_address> msg=<message>
... View more
12-12-2023
08:11 AM
Hi! I received an event with the following time string: 2023-12-12T13:39:25.400399Z CEF:0..... This time is already in the correct timezone, but because of Z, splunk adds to 5 hours. I understand that Z it is timezone indicator but how i can ignore it? Flow of this event is : Source --> HF --> Indexers. On HF or Indexers i dont have any props or transoforms settings. On Search Heads I extract a few fields from this event and it works. But i can't to extract this time correctly without Z. I put the following regex inside props.conf on my SHs. Also i tried to put this on indexer's props.conf: TIME_PREFIX = ^\d{2,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}\.\d{1,6} I tried to add TZ or TZ_ALIAS inside props.conf, but no effect. Where can I be wrong? Thanks
... View more
Labels
- Labels:
-
field extraction
-
props.conf
10-25-2023
06:55 AM
Hi! Faced with writing a query with an additional check and I can't find a way out. I will be glad if you tell me the direction or help with advice. We have the following custom logic: 1. When user do some action(it is not important) we generate an event in index=custom with the following fields: evt_id: 1, user_id: 555 (example) 2. The user should confirm that he is doing this "some action" in third-party app, and this app generate to the index=custom the next event: evt_id: 2, user_id:555 (example) msg:confirmed 3. If user NOT CONFIRMED the SOME ACTION from step 1 - we need to generate alert. It means, that Splunk didn't receive evt_id:2 in index=custom The alert logic is following: We need to alert when evt_id: 1 was more than 5 minutes ago(the time that the user has to confirm "some action') and when NO evt_id: 2 with the same user_id by the time the alert starts working. I understood that I need to do the first search like(example): index=custom evt_id=1 earliest=-5m latest=-7m But I have no idea how to implement additional condition with evt_id:2. if we didn't have the user_id field, then I could use stats count command but I need to correlate both events(1 and 2) with the field user_id. Thanks for you help, have a nice day.
... View more
09-18-2023
01:26 PM
Oh, thanks! It is working in the most cases. I found that it turns out there are cases when the installation event (new version) is generated faster than the removal event (old version). There are not many such cases, about 50 hits per week, but maybe it is possible to take this case in query? Thank you again so much for your help.
... View more
09-18-2023
09:41 AM
Hi!
I am faced with the following task and do not understand which way to go. I want to create an alert that will be triggered when a certain application is deleted. For example:
index=main source=<custom_source> Message="<program_name> is uninstalled"
Everything works as it should, I use the internal event type and that's not the question. Some software generates 2 events when UPDATING OR UPGRADING, the first: the program is uninstalled and the second: the program is installed. Therefore, in this case, my alert gives a false alarm. I have generated the following alert logic to correct false positives:
Search events for the last 30 Minutes:
index=main source=<custom_source> Message="<program_name> is uninstalled"
Next we need to check whether there were installation events:
index=main source=<custom_source> Message="<program_name> is installed" on the machines from the first request.
And if there was no installation event on the machine after the uninstalled event in the last 30 minutes, then issue an alert.
I cant create a query from this logic. If you could help me with advice, I would be very grateful.
P.S. We looked in the direction of events from the application log and MSI Installer Logs, but in our case this is not applicable and we must use custom source.
Thanks for you help, have a nice day.
... View more
- Tags:
- splunk search
Labels
- Labels:
-
subsearch
11-10-2020
01:32 AM
I tried this way but I didn't receive any result. I am a newbie in Splunk 😞 What do you think about this way?: I can search all events with a successful update using regex search source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. First question: How I can create a table with a list of these hosts? As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events. I'm stumped 😞
... View more
11-09-2020
11:51 AM
Hello! Sounds great. I will try it now. Can you give me an example too or a URL to documentation? It would be cool if I had a fewexamples
... View more
11-09-2020
10:24 AM
Thank you for your answer! If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example: source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts.
... View more
11-09-2020
09:08 AM
Hello! I am new in Splunk Search. I am using this query to find all hosts to which a specific update was installed: source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure” But I need a query to find all hosts and create a table with hosts to which this update wasn't installed. It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!
... View more
- Tags:
- "Event_Logs"
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-21-2024
09:05 AM
|
