Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About gba8912
gba8912
Explorer
Member since:
11-19-2020
02-04-2021
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 11-19-2020 |
Activity Feed
- Karma Re: Alerts when indexing stops for burwell. 02-04-2021 08:28 AM
- Posted Re: Alerts when indexing stops on Alerting. 02-04-2021 08:27 AM
- Karma Re: Alerts when indexing stops for scelikok. 02-04-2021 08:27 AM
- Posted Re: Alerts when indexing stops on Alerting. 02-03-2021 11:55 AM
- Posted Alerts when indexing stops on Alerting. 02-02-2021 07:44 AM
- Posted Re: dedup by time on Getting Data In. 12-11-2020 07:22 AM
- Posted dedup by time on Getting Data In. 12-10-2020 09:51 AM
- Posted Events are Inconsistent on Reporting. 12-01-2020 08:58 AM
- Posted Re: We can't see events older than a day in Splunk on Reporting. 11-30-2020 09:58 AM
- Karma Re: We can't see events older than a day in Splunk for richgalloway. 11-30-2020 09:56 AM
- Posted We can't see events older than a day in Splunk on Reporting. 11-30-2020 08:59 AM
- Karma Re: We can't see events older than a day in Splunk for HoardingIO. 11-30-2020 08:58 AM
- Karma Re: Reducing License usage by eliminating duplicate events from WIndows for gcusello. 11-20-2020 08:46 AM
- Posted Reducing License usage by eliminating duplicate events from WIndows on Getting Data In. 11-19-2020 01:26 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-03-2021
11:55 AM
Hi Burwell, Thanks for your reply. I have searched _internal and have 1,136,041 events. I don't really see any errors but maybe I don't know what to look for. Also, I am using the search I posted and saving it as an alert. I have attached a screenshot of the settings that I currently have. I have also tried using the scheduled time feature. Neither works.
... View more
02-02-2021
07:44 AM
Hello, I am a noob at Splunk. I know there are a few posts on this already but I'm not able to find a solution for my specific problem. I want to make an alert for when indexing stops. I am using the following: | tstats latest(_time) as latest where index=* by host | where latest < relative_time(now(), "-1m") Normally, I want the "-1m" to be "-1d" but i changed it to test the alert. I can see on the search that I have a result from an ip address that is not indexing events every minute so I know the search is working. When I save it as an alert however, I get no alerts. I have tried real-time and scheduled alerts to attempts a trigger. Does anyone know why the alert doesnt work or if there is something off with the search I am trying to use? Thanks!
... View more
Labels
- Labels:
-
alert action
-
alert condition
-
email
12-11-2020
07:22 AM
An example is event 4624, when this event is triggered in our DC, it make 4 events for that single sign on by a user or system. I don't know why this is but that's how its happening. We then get 4 events in Splunk. We made a dashboard with the above search and want to filter out the duplicates in order to view only one event per successful authorization. I know time is not added, but we want to add it. I was hoping to add something that dedups events say within 0.1 seconds. This way it filters out 3 out of the 4 events that happened at the exact same time. Is this possible?
... View more
12-10-2020
09:51 AM
hello, I am trying to dedup events from successful authorizations in Splunk. Currently, our windows systems make about 4 events per authorization but we only want to see one. I would like to dedup based on time, 0.5 seconds for each event. Here is my current search: | tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.user=* (Authentication.src=* OR Authentication.dest=*) Authentication.action=failure by Authentication.user, Authentication.src, Authentication.dest | rename "Authentication.*" as "*" | eval source&destination=mvappend(src,dest) | eventstats dc(source&destination) AS host_count by user | where host_count >= 1 | sort - host_count | table source&destination, user | head 250 How can i add a dedup by time here? Thanks!
... View more
Labels
- Labels:
-
index
-
source
-
sourcetype
-
time
-
Windows
12-01-2020
08:58 AM
Hello, I am having an issue where sometimes I can see events and sometimes not. An example is: I tested event 4625 with my account and i can see it in Splunk, but a colleague generated the same event but it does not show up in Splunk. I can see both events in the event viewer so I am not sure why this is going on. I have made sure the search with correct time selection. Another note: I can see other events from his account in Splunk. Thanks!
... View more
11-30-2020
09:58 AM
thats what i was missing, thanks. guess its one of those days where i forget basic stuff...lol
... View more
11-30-2020
08:59 AM
hello, We recently set up Splunk on our system so we are still learning. We have an issue where we are not getting older events in searches. For example: Event id 4625 (failed logon), we can see the event on the same day it happens but the next day, it will not show up. A few things I have tried: 1. removed the ignore older that 2d line in the inputs.conf file. 2. checked to make sure we are not over on bucket size. Any suggestions on configuring this correctly? I can post config info if requested. Thanks
... View more
11-19-2020
01:26 PM
Hello, I am looking for a way to reduce our license usage by eliminating duplicate events being forwarded from a windows DC. For example, event id 4624 (successful logon) generates a handful of events in windows for every logon and all of those are being sent to Splunk. Is there a regex we can use in the input.conf file to only allow one event to be logged maybe based on the timestamp or something? Here is what we are currently using: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 0 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" renderXml=false index = wineventlog ignoreOlderThan = 2d current_only=1 whitelist = EventCode = "4624" blacklist1 = EventCode="4624" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]" thanks!
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-04-2021
11:48 AM
|
