Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Rhidian
Rhidian
Path Finder
Member since:
02-05-2021
3 weeks ago
Community Statistics
| Posts | 29 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 4 |
| Member Since | 02-05-2021 |
Activity Feed
- Posted Re: Modular inputs for Microsoft cloud services Add-on fill up the disk space??? on All Apps and Add-ons. 3 weeks ago
- Got Karma for Re: Add-on for VMware "No password found for this node please save a password". 3 weeks ago
- Posted Re: Parse NSG Flow Log on Getting Data In. 01-13-2023 12:04 PM
- Posted How to parse NSG Flow Log? on Getting Data In. 01-13-2023 06:40 AM
- Posted Re: Has anyone done anything with Azure scale sets? on Getting Data In. 12-02-2022 04:20 AM
- Posted Has anyone done anything with Azure scale sets? on Getting Data In. 11-23-2022 03:58 AM
- Posted Re: Process JSON Azure NSG Flow Log Tuples on All Apps and Add-ons. 11-17-2022 01:58 AM
- Posted Splunk Add-on for Microsoft Cloud Services Fields: How to make field names more usable? on Getting Data In. 10-07-2022 04:25 AM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 08-22-2022 04:52 AM
- Tagged Re: Calculate the number of Events Per Day on Splunk Search. 08-22-2022 04:52 AM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 08-01-2022 01:17 AM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 07-30-2022 12:43 AM
- Posted Re: How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS? on Splunk Search. 07-29-2022 02:31 PM
- Karma Re: Calculate the number of Events Per Day for richgalloway. 07-29-2022 02:31 PM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 07-29-2022 08:47 AM
- Posted How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS? on Splunk Search. 07-29-2022 08:05 AM
- Posted Re: ConnectError: Unable to open management session. Please confirm URI namespace exists. on All Apps and Add-ons. 07-04-2022 04:34 AM
- Got Karma for Re: How to calculate EPS over a month?. 03-30-2022 08:20 AM
- Posted Linux Data via Syslog: How to use the Splunk Add-on for Unix and Linux to make the parsing easier? on Getting Data In. 03-30-2022 07:01 AM
- Got Karma for Re: How to calculate EPS over a month?. 03-30-2022 06:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
Did you ever resolve this issue?
... View more
01-13-2023
12:04 PM
I thought of spat but I'm limited in what I can do as we use Splun Cloud. If I understand it I can use KV_MODE = xml and hopefully the parsing will be OK and do the rest through spath in the search bar. I'm not 100% convinced this is compliant XML especially when it get to the tuples as there are these are mulitline and don't have individual key pairs. I will try it later and see what happens.
... View more
01-13-2023
06:40 AM
Hi,
I'm trying to onboard NSG Flow Logs and while I have managed to break the events into the specific tuples as per this link [https://answers.splunk.com/answers/714696/process-json-azure-nsg-flow-log-tuples.html?_ga=2.123284427.1721356178.1673537284-343068763.1657544022] I lose a lot of useful information that I need such as "rule" does anyone have any ideas?
{ "records": [ { "time": "2017-02-16T22:00:32.8950000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": { "Version": 1, "flows": [ { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D" ] } ] }, { "rule": "UserRule_default-allow-rdp", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A", "1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A", "1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A", "1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A" ] } ] } ] } }, { "time": "2017-02-16T22:01:32.8960000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": { "Version": 1, "flows": [ { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D" ] } ] }, { "rule": "UserRule_default-allow-rdp", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A", "1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A", "1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A" ] } ] } ] } }, "records": [ { "time": "2017-02-16T22:00:32.8950000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A","1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A","1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A","1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"]}]}]} } , { "time": "2017-02-16T22:01:32.8960000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A","1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A","1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"]}]}]} } , { "time": "2017-02-16T22:02:32.9040000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D","1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"]}]}]} }
... View more
Labels
- Labels:
-
field extraction
-
source
11-23-2022
03:58 AM
Hi,
Has anyone done anything with Azure scale sets, I guess I will need to correlate across a number of logs to deal with the lack of persistence of the devices if I want to use UF or just use the inbuilt logging provided by Microsoft?
... View more
Labels
11-17-2022
01:58 AM
Apologies for reviving this thread but I have implemented what has been suggested and my data still looks terrible. Can someone please post an example of what it should look like?
... View more
10-07-2022
04:25 AM
Hi,
I have implements the Splunk Add-on for Microsoft Cloud Services and while I can get data in the filed names are very difficult to make use of as they are appended with body.fieldname, any ideas on how to make this more usable?
... View more
Labels
08-01-2022
01:17 AM
Unfortunately summing ev suggests I had an EPS of 18396 which is way off the mark. Any other ideas?
... View more
07-30-2022
12:43 AM
Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?
... View more
07-29-2022
02:31 PM
Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?
... View more
07-29-2022
08:05 AM
Hi,
I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the below but I don't really understand the logic as what is the ev field and how is it calculated?
index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as * | addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]
... View more
07-04-2022
04:34 AM
Hi, Did you get this to work?
... View more
03-30-2022
07:01 AM
Hi,
I have configured a Linux server to send events to Syslog-ng but now want to use the Splunk Add-on for Unix and Linux to make the parsing easier but looking at the inputs.conf it only seems relevant to a UF install. Has anyone manipulated it so the same results are achieved via a syslog ingest?
... View more
Labels
- Labels:
-
inputs.conf
-
intermediate forwarder
03-30-2022
06:55 AM
2 Karma
Hi, Apologies for the no reply, I figured it out. index="_internal" source="*metrics.log" group="per_host_thruput" | chart avg(eps) over series
... View more
03-02-2022
02:49 PM
Hi I need to calculate the EPS averaged over a month, any ideas?
... View more
- Tags:
- splunk-search
Labels
- Labels:
-
tstats
07-12-2021
02:53 AM
We are using Splunk Cloud and the Cloud Monitoring Console provides a graph showing the KB/s and Events/s per forwarding instance and I would like to manipulate this query to provide the total average per day across a number of different forwarders, does anyone know what the search being used is?
... View more
06-17-2021
07:26 AM
Does anyone have any experience of what will happen to a Heavy Forwarder configured as part Azure Site Recovery if a region fails, I will be installing a number of apps and wanted to know if they will continue to function without manual intervention?
... View more
Labels
05-10-2021
04:45 AM
Sure [fortigate_log] TRANSFORMS-Set-Host-By-DevName SHOULD_LINEMERGE = false
... View more
05-10-2021
04:30 AM
Hi, I'm receiving FortiGate event via FortiAnalyser and I need to set the Host to the name of the device that created the event which is contained in the event message as devname. May 10 10:44:30 10.90.223.5 date=2021-05-10 time=11:44:30 devname="test" devid="test" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1620643470882685981 tz="+0100" srcip= srcport=62408 srcintf="" srcintfrole="undefined" dstip= dstport=53 dstintf="port2" dstintfrole="wan" sessionid=81948384 proto=17 action="accept" policyid=23 policytype="policy" poluuid="cbd3e37e-5bf1-51eb-f2ad-0a49a47d1d1d" service="Domain Services UDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=76 rcvdbyte=194 sentpkt=1 rcvdpkt=1 vpn="" vpntype="ipsec-dynamic" appcat="unscanned" I have started to build the transform below but it doesn't work. [Set-Host-By-Devname] REGEX = ([^.+?devname=\"[A-Z0-9]+") FORMAT = host::$1 DEST_KEY = MetaData:Host
... View more
Labels
04-21-2021
02:10 PM
Perfect thanks, any idea why the rest of the transform isn't working all my events are shown as coming from the WEC and not their actual devices also the source is ForwardedEvents and I would like that to be the actual log they came from, can this be done from the HF?
... View more
04-21-2021
09:26 AM
I have Windows Event Forwarding Configured and have installed a Universal Forwarder to send events to a Heavy Forward which then sends them on to the Indexers. I only have a basic configuration on the UF but I need to override a couple of fields such as computer name and index etc. I have setup the input.conf, props.conf and transforms.conf as detailed here https://community.splunk.com/t5/Getting-Data-In/how-can-we-split-forwarded-windows-event-logs-by-host/m-p/61463 on the HF but the configuration seems to get ignored. I have also simplified this to just having the following in the input.conf on the HF but it makes no difference as events still go to the main index. [WinEventLog://ForwardedEvents]
index=winevtlog
disabled = 0
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
