Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Rhidian
Rhidian
Path Finder
Member since:
02-05-2021
01-16-2023
Community Statistics
| Posts | 28 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 02-05-2021 |
Activity Feed
- Posted Re: Parse NSG Flow Log on Getting Data In. 01-13-2023 12:04 PM
- Posted How to parse NSG Flow Log? on Getting Data In. 01-13-2023 06:40 AM
- Posted Re: Has anyone done anything with Azure scale sets? on Getting Data In. 12-02-2022 04:20 AM
- Posted Has anyone done anything with Azure scale sets? on Getting Data In. 11-23-2022 03:58 AM
- Posted Re: Process JSON Azure NSG Flow Log Tuples on All Apps and Add-ons. 11-17-2022 01:58 AM
- Posted Splunk Add-on for Microsoft Cloud Services Fields: How to make field names more usable? on Getting Data In. 10-07-2022 04:25 AM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 08-22-2022 04:52 AM
- Tagged Re: Calculate the number of Events Per Day on Splunk Search. 08-22-2022 04:52 AM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 08-01-2022 01:17 AM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 07-30-2022 12:43 AM
- Posted Re: How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS? on Splunk Search. 07-29-2022 02:31 PM
- Karma Re: Calculate the number of Events Per Day for richgalloway. 07-29-2022 02:31 PM
- Posted Re: Calculate the number of Events Per Day on Splunk Search. 07-29-2022 08:47 AM
- Posted How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS? on Splunk Search. 07-29-2022 08:05 AM
- Posted Re: ConnectError: Unable to open management session. Please confirm URI namespace exists. on All Apps and Add-ons. 07-04-2022 04:34 AM
- Got Karma for Re: How to calculate EPS over a month?. 03-30-2022 08:20 AM
- Posted Linux Data via Syslog: How to use the Splunk Add-on for Unix and Linux to make the parsing easier? on Getting Data In. 03-30-2022 07:01 AM
- Got Karma for Re: How to calculate EPS over a month?. 03-30-2022 06:59 AM
- Posted Re: How to calculate EPS over a month? on Splunk Search. 03-30-2022 06:55 AM
- Posted How to calculate EPS over a month? on Splunk Search. 03-02-2022 02:49 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-13-2023
12:04 PM
I thought of spat but I'm limited in what I can do as we use Splun Cloud. If I understand it I can use KV_MODE = xml and hopefully the parsing will be OK and do the rest through spath in the search bar. I'm not 100% convinced this is compliant XML especially when it get to the tuples as there are these are mulitline and don't have individual key pairs. I will try it later and see what happens.
... View more
01-13-2023
06:40 AM
Hi,
I'm trying to onboard NSG Flow Logs and while I have managed to break the events into the specific tuples as per this link [https://answers.splunk.com/answers/714696/process-json-azure-nsg-flow-log-tuples.html?_ga=2.123284427.1721356178.1673537284-343068763.1657544022] I lose a lot of useful information that I need such as "rule" does anyone have any ideas?
{ "records": [ { "time": "2017-02-16T22:00:32.8950000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": { "Version": 1, "flows": [ { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D" ] } ] }, { "rule": "UserRule_default-allow-rdp", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A", "1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A", "1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A", "1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A" ] } ] } ] } }, { "time": "2017-02-16T22:01:32.8960000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": { "Version": 1, "flows": [ { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D" ] } ] }, { "rule": "UserRule_default-allow-rdp", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [ "1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A", "1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A", "1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A" ] } ] } ] } }, "records": [ { "time": "2017-02-16T22:00:32.8950000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A","1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A","1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A","1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"]}]}]} } , { "time": "2017-02-16T22:01:32.8960000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A","1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A","1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"]}]}]} } , { "time": "2017-02-16T22:02:32.9040000Z", "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D","1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"]}]}]} }
... View more
Labels
- Labels:
-
field extraction
-
source
11-23-2022
03:58 AM
Hi,
Has anyone done anything with Azure scale sets, I guess I will need to correlate across a number of logs to deal with the lack of persistence of the devices if I want to use UF or just use the inbuilt logging provided by Microsoft?
... View more
Labels
11-17-2022
01:58 AM
Apologies for reviving this thread but I have implemented what has been suggested and my data still looks terrible. Can someone please post an example of what it should look like?
... View more
10-07-2022
04:25 AM
Hi,
I have implements the Splunk Add-on for Microsoft Cloud Services and while I can get data in the filed names are very difficult to make use of as they are appended with body.fieldname, any ideas on how to make this more usable?
... View more
Labels
08-01-2022
01:17 AM
Unfortunately summing ev suggests I had an EPS of 18396 which is way off the mark. Any other ideas?
... View more
07-30-2022
12:43 AM
Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?
... View more
07-29-2022
02:31 PM
Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?
... View more
07-29-2022
08:05 AM
Hi,
I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the below but I don't really understand the logic as what is the ev field and how is it calculated?
index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as * | addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]
... View more
07-04-2022
04:34 AM
Hi, Did you get this to work?
... View more
03-30-2022
07:01 AM
Hi,
I have configured a Linux server to send events to Syslog-ng but now want to use the Splunk Add-on for Unix and Linux to make the parsing easier but looking at the inputs.conf it only seems relevant to a UF install. Has anyone manipulated it so the same results are achieved via a syslog ingest?
... View more
Labels
- Labels:
-
inputs.conf
-
intermediate forwarder
03-30-2022
06:55 AM
2 Karma
Hi, Apologies for the no reply, I figured it out. index="_internal" source="*metrics.log" group="per_host_thruput" | chart avg(eps) over series
... View more
03-02-2022
02:49 PM
Hi I need to calculate the EPS averaged over a month, any ideas?
... View more
- Tags:
- splunk-search
Labels
- Labels:
-
tstats
07-12-2021
02:53 AM
We are using Splunk Cloud and the Cloud Monitoring Console provides a graph showing the KB/s and Events/s per forwarding instance and I would like to manipulate this query to provide the total average per day across a number of different forwarders, does anyone know what the search being used is?
... View more
06-17-2021
07:26 AM
Does anyone have any experience of what will happen to a Heavy Forwarder configured as part Azure Site Recovery if a region fails, I will be installing a number of apps and wanted to know if they will continue to function without manual intervention?
... View more
Labels
05-10-2021
04:45 AM
Sure [fortigate_log] TRANSFORMS-Set-Host-By-DevName SHOULD_LINEMERGE = false
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-16-2023
10:29 AM
|
