Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Rhidian
Rhidian
Path Finder
Member since:
02-05-2021
03-14-2025
Community Statistics
| Posts | 40 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 4 |
| Member Since | 02-05-2021 |
Activity Feed
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-14-2025 03:01 AM
- Karma Re: oracle:audit:unified Parsing Issue for kiran_panchavat. 03-12-2025 03:45 AM
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-12-2025 03:14 AM
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-12-2025 03:10 AM
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-12-2025 03:08 AM
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-12-2025 03:00 AM
- Tagged oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-12-2025 02:53 AM
- Posted oracle:audit:unified Parsing Issue on All Apps and Add-ons. 03-12-2025 02:38 AM
- Posted Re: coldtofrozenscript in a Clustered Enviroment on Monitoring Splunk. 09-12-2024 06:27 AM
- Posted Re: coldtofrozenscript in a Clustered Enviroment on Monitoring Splunk. 09-12-2024 04:50 AM
- Posted coldtofrozenscript in a Clustered Enviroment on Monitoring Splunk. 09-12-2024 01:32 AM
- Posted Re: Noteable Event Supression on Splunk Enterprise Security. 07-18-2024 12:58 AM
- Posted Noteable Event Supression on Splunk Enterprise Security. 07-17-2024 05:53 AM
- Posted Re: Modular inputs for Microsoft cloud services Add-on fill up the disk space??? on All Apps and Add-ons. 04-04-2024 04:02 AM
- Got Karma for Re: Add-on for VMware "No password found for this node please save a password". 04-03-2024 04:11 AM
- Posted Re: Parse NSG Flow Log on Getting Data In. 01-13-2023 12:04 PM
- Posted How to parse NSG Flow Log? on Getting Data In. 01-13-2023 06:40 AM
- Posted Re: Has anyone done anything with Azure scale sets? on Getting Data In. 12-02-2022 04:20 AM
- Posted Has anyone done anything with Azure scale sets? on Getting Data In. 11-23-2022 03:58 AM
- Posted Re: Process JSON Azure NSG Flow Log Tuples on All Apps and Add-ons. 11-17-2022 01:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-12-2025
03:10 AM
Wouldn't casting this to a new data type in DBConnect fix this or is that merely converting the additional along with the other data?
... View more
03-12-2025
03:00 AM
Thanks making this a bit odder if I look at the event in the fields the text seems OK but if I click on it in the Interesting fields that is when I see the spurious data see the screenshots.
... View more
03-12-2025
02:38 AM
Hi, I'm having an issues parsing the SQL_TEXT field from oracle:audit:unified. When the field comes through it contains spurious text that isn't returned by the query using DBConnect and the oracle:audit:unified template. For example: DBConnect grant create tablespace to test_splunk, Splunk grant create tablespace to test_splunk,4,,1,,,,,, The RAW event seems to come through as a CSV by virtue of the Oracle TA but we have a regex for the event extraction that looks like the below which seems to work in regex101: SQL_TEXT="(?<SQL_TEXT>(?:.|\n)*?)(?=(?:",\s\S+=|"$)) I know the data type is CLOD so I have tried to converting it using the substring command but I get the same result, any idea what is going on here?
... View more
- Tags:
- oracle
Labels
- Labels:
-
configuration
-
troubleshooting
09-12-2024
06:27 AM
This is to be used as coldToFrozenScript essentially I'm trying to avoid having multiple copies of my bucket. As per the guidance: "In an Indexer cluster, each individual peer node rolls its buckets to frozen, in the same way that a non-clustered indexer does; that is, based on its own set of configurations. Because all peers in a cluster should be configured identically, all copies of a bucket should roll to frozen at approximately the same time."
... View more
09-12-2024
04:50 AM
Thanks. So somthing simple like this should work? #!/bin/bash
# coldToFrozen script for Splunk
# Arguments:
# $1 - Path to the cold bucket
# $2 - Path to the frozen bucket
COLD_BUCKET_PATH="$1"
FROZEN_BUCKET_PATH="$2"
echo "Starting coldToFrozen transition..."
# Log paths for debugging
echo "Cold Bucket Path: $COLD_BUCKET_PATH"
echo "Frozen Bucket Path: $FROZEN_BUCKET_PATH"
# Ensure paths are not empty
if [ -z "$COLD_BUCKET_PATH" ] || [ -z "$FROZEN_BUCKET_PATH" ]; then
echo "Error: Cold or Frozen bucket path is not provided."
exit 1
fi
# Check if the cold bucket directory exists
if [ ! -d "$COLD_BUCKET_PATH" ]; then
echo "Error: Cold bucket path does not exist."
exit 1
fi
# Create frozen bucket directory if it does not exist
if [ ! -d "$FROZEN_BUCKET_PATH" ]; then
echo "Creating frozen bucket directory at: $FROZEN_BUCKET_PATH"
mkdir -p "$FROZEN_BUCKET_PATH"
fi
# Move files prefixed with 'db_' from cold to frozen
echo "Moving 'db_' files from cold to frozen..."
for file in "$COLD_BUCKET_PATH"/db_*; do
if [ -f "$file" ]; then
mv "$file" "$FROZEN_BUCKET_PATH"
if [ $? -ne 0 ]; then
echo "Error: Failed to move file $file to frozen storage."
exit 1
fi
fi
done
echo "Data successfully moved to frozen storage."
exit 0
... View more
09-12-2024
01:32 AM
Does anyone have an example of a coldtofrozenscript to be deployed in a clustered enviorment, I'm weary of having duplicate buckets etc?
... View more
Labels
07-18-2024
12:58 AM
Thanks, I wanted to avid that as I would need to updated a lot of correlation searches. Any idea why this isn'g possible as the search looks like standard SPL?
... View more
07-17-2024
05:53 AM
Is it possible to use a lookup file in the Noteble Event supression say to look up a list of assets/enviroments that we do/don't want to know about?
... View more
- Tags:
- Notables
Labels
04-04-2024
04:02 AM
Did you ever resolve this issue?
... View more
01-13-2023
12:04 PM
I thought of spat but I'm limited in what I can do as we use Splun Cloud. If I understand it I can use KV_MODE = xml and hopefully the parsing will be OK and do the rest through spath in the search bar. I'm not 100% convinced this is compliant XML especially when it get to the tuples as there are these are mulitline and don't have individual key pairs. I will try it later and see what happens.
... View more
01-13-2023
06:40 AM
Hi,
I'm trying to onboard NSG Flow Logs and while I have managed to break the events into the specific tuples as per this link [https://answers.splunk.com/answers/714696/process-json-azure-nsg-flow-log-tuples.html?_ga=2.123284427.1721356178.1673537284-343068763.1657544022] I lose a lot of useful information that I need such as "rule" does anyone have any ideas?
{ "records": [ { "time": "2017-02-16T22:00:32.8950000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": { "Version": 1, "flows": [ { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D" ] } ] }, { "rule": "UserRule_default-allow-rdp", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A", "1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A", "1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A", "1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A" ] } ] } ] } }, { "time": "2017-02-16T22:01:32.8960000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": { "Version": 1, "flows": [ { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D" ] } ] }, { "rule": "UserRule_default-allow-rdp", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A", "1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A", "1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A" ] } ] } ] } }, "records": [ { "time": "2017-02-16T22:00:32.8950000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A","1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A","1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A","1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"]}]}]} } , { "time": "2017-02-16T22:01:32.8960000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A","1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A","1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"]}]}]} } , { "time": "2017-02-16T22:02:32.9040000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D","1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"]}]}]} }
... View more
Labels
- Labels:
-
field extraction
-
source
11-23-2022
03:58 AM
Hi,
Has anyone done anything with Azure scale sets, I guess I will need to correlate across a number of logs to deal with the lack of persistence of the devices if I want to use UF or just use the inbuilt logging provided by Microsoft?
... View more
Labels
11-17-2022
01:58 AM
Apologies for reviving this thread but I have implemented what has been suggested and my data still looks terrible. Can someone please post an example of what it should look like?
... View more
10-07-2022
04:25 AM
Hi,
I have implements the Splunk Add-on for Microsoft Cloud Services and while I can get data in the filed names are very difficult to make use of as they are appended with body.fieldname, any ideas on how to make this more usable?
... View more
Labels
08-01-2022
01:17 AM
Unfortunately summing ev suggests I had an EPS of 18396 which is way off the mark. Any other ideas?
... View more
07-30-2022
12:43 AM
Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?
... View more
07-29-2022
02:31 PM
Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?
... View more
07-29-2022
08:05 AM
Hi,
I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the below but I don't really understand the logic as what is the ev field and how is it calculated?
index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as * | addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]
... View more
07-04-2022
04:34 AM
Hi, Did you get this to work?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-14-2025
10:29 AM
|
