Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nickhills
nickhills
Ultra Champion
Member since:
10-10-2011
4 weeks ago
Community Statistics
| Posts | 1772 |
| Solutions | 265 |
| Karma Given | 147 |
| Karma Received | 383 |
| Member Since | 10-10-2011 |
Activity Feed
- Got Karma for Re: Request for splunk upgrade shell script for Linux/Unix. 3 weeks ago
- Got Karma for Re: Restarting Splunk triggers all my alerts (and floods my inbox). 4 weeks ago
- Got Karma for Re: Could not load lookup=LOOKUP-browser ???. 01-12-2021 03:20 PM
- Got Karma for Re: dashboards fail to load in mobile app. 01-12-2021 06:13 AM
- Got Karma for Re: Fundamentals 2 Mistake. 01-05-2021 06:41 AM
- Got Karma for Re: Is it an issue to follow Fundamentals 2 7.x if my company is on 8.1. 12-24-2020 05:39 PM
- Posted Re: Datamodels with Smartstore on Getting Data In. 12-22-2020 01:14 AM
- Posted Re: Splunk can't get data from remote machines on Splunk Enterprise. 12-21-2020 07:28 AM
- Posted Re: Fundamentals 2 Mistake on Training + Certification. 12-21-2020 05:17 AM
- Posted Re: How to Exclude private IP range from transforms on Splunk Search. 12-21-2020 01:15 AM
- Posted Re: How to Exclude private IP range from transforms on Splunk Search. 12-20-2020 01:10 AM
- Got Karma for Re: edit fields with eval expressions. 12-18-2020 11:20 AM
- Posted Re: edit fields with eval expressions on Splunk Search. 12-18-2020 09:44 AM
- Posted Re: edit fields with eval expressions on Splunk Search. 12-18-2020 09:11 AM
- Karma Re: How to Calculate SLA of Different Teams for a Specific Ticket for scelikok. 12-18-2020 06:42 AM
- Posted Re: How to Calculate SLA of Different Teams for a Specific Ticket on Splunk Search. 12-18-2020 06:41 AM
- Got Karma for Re: How add stats table to each row in a stats table. 12-18-2020 12:51 AM
- Got Karma for Re: Is it an issue to follow Fundamentals 2 7.x if my company is on 8.1. 12-16-2020 02:26 PM
- Posted Re: Is it an issue to follow Fundamentals 2 7.x if my company is on 8.1 on Training + Certification. 12-16-2020 03:02 AM
- Got Karma for Re: License Usage Calculation for a Particular Event ID. 12-15-2020 11:52 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 7 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 1 | |||
| 0 |
12-22-2020
01:14 AM
I think the wording is a little confusing, but "tstatsHomePath" allows you to dictate where this data is stored if you wanted to separate it from the rest of your index data, but importantly you do not have to specify a "tstatsHomePath"! The wording in the spec file says that you should not configure this value for an index with remote storage, so this just means for a Smartstore index do not define "tstatsHomePath" - the cachemanager will handle this for you.
... View more
12-21-2020
07:28 AM
If the syslog receiver is using UDP you can't test it with telnet, instead try netcat. nc -z -v -u <your_IP> <your_port_number> Although, a good start is to use netstat on the recieving host and confirm the host is listening on the right interface/port/proto! netstat -ln|grep <your_port_number>
... View more
12-21-2020
05:17 AM
1 Karma
You will need to contact the Splunk Education team on one of the below addresses and see if they can help you. Americas: education_amer@splunk.com Europe: education_emea@splunk.com Asia/Japan/Australia: education_apac@splunk.com
... View more
12-21-2020
01:15 AM
I made a minor change to the answer above, but I can not reproduce the scenario you describe. https://regex101.com/r/FXD0Q4/2
... View more
12-20-2020
01:10 AM
Splunk will not perform CIDR matches against regular expressions. You will need to construct your regex to match the range of addresses you need (10\.)
(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)
(192\.168\.) But you should be able to do this in one stanza if you wish [internal_IPs]
REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+
DEST_KEY = queue
FORMAT = nullQueue
... View more
12-18-2020
09:44 AM
1 Karma
Where are you seeing this? Inside the web datamodel? In which case, the action field should look like this (see attached) If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s. case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)
... View more
- Tags:
- Where a
12-18-2020
09:11 AM
try changing it to if(action="File quarantined","blocked",action) That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was if (action = quarantine, re-write it as action="blocked", otherwise set action=action( i.e whatever it already was) )
... View more
12-18-2020
06:41 AM
@gozdeyildizz Thats great news! Don't forget to accept an answer and upvote posts that helped you!
... View more
12-16-2020
03:02 AM
2 Karma
There are additional features included in 8.x, but nothing major from a "user" perspective. There is nothing you would learn on fun2 7.x that is not applicable to 8.x
... View more
12-15-2020
01:24 PM
I am pleased you have it working, but for the record, chmod'ding to 777 is not a sensible fix for a production system. 🙂
... View more
12-15-2020
12:59 PM
In that case, unless you set up the splunk user by hand, it wont exist. At a guess you were therefore running Splunk as root. If root has permission issues then you probably have bigger problems! Can you access the contents of /opt/splunk?
... View more
12-15-2020
10:26 AM
How was splunk installed? rpm/deb or from the tar.gz? Who owns files in /opt/splunk?
... View more
12-15-2020
09:25 AM
1 Karma
Thats odd. Can you run "sudo id splunk" It should return something like uid=xxx(splunk) gid=xxx(splunk) group=xxx(splunk) or does it report "splunk" no such user
... View more
12-15-2020
08:20 AM
Splunk only allow you to download currently supported versions, since 6.6 has fallen out of support that's why it is not available for download. Raise a support ticket via the support portal, or if you have no access you should speak to your reseller/account manager.
... View more
12-15-2020
08:09 AM
2 Karma
Was Splunk configured to run as "root"? If you configured Splunk to run as "splunk" (recommended) you should not start it as root. If you do, it may mess about with the folder permissions, which means the next time you start it as "splunk" you get permission errors. If this is what happened, you should stop Splunk (if running) then (assuming linux) sudo chown -R splunk:splunk /opt/splunk Then start Splunk as "splunk" - probably easier to reboot the system and let the Splunk boot-start process handle it.
... View more
12-15-2020
07:52 AM
1 Karma
Did you set ratio to match the search sample ratio? I am guessing you are not using sampling, so set the ratio=1
... View more
12-15-2020
07:24 AM
1 Karma
I think ( @priyastalin correct me if wrong) it looks like this is just so you can filter on the groupId? I'm not sure if seeing the contents of the macro would help to understand if its doing a simple filter or if there is something more complex going on to get the set of results. If this is something you run frequently, I think a lookup might be a far simpler (and faster) approach.
... View more
12-15-2020
07:17 AM
1 Karma
First, a correction. In my final query I should have removed " earliest=-24h latest=now" Please run the query again without those time constraints. (I have updated the original post) Second, did you set a value for X? If you don't use sampling then ratio should be "ratio=1", if you used a 1:100,000 sampling ratio, then "ratio=100000" Next, as I mentioned, Splunk measures volume licence against sourcetypes. It does not break licence usage down on a per field basis, hence the reason for the estimated calculation I have provided above. If you want daily consumption, you can make a simple change to produce these values for each day. index=wineventlog sourcetype=winlog EventCode=4688
| eval bytes=len(_raw)
| timechart avg(bytes) as avg_bytes count span=1d
| eval ratio=10000
| eval consumptionBytes=((avg_bytes*count)*ratio)
| eval consumptionKB=((avg_bytes*count)*ratio)/1024
| eval consumptionMB=((avg_bytes*count)*ratio)/1024/1024
| eval consumptionGB=((avg_bytes*count)*ratio)/1024/1024/1024
... View more
12-15-2020
06:01 AM
1 Karma
Splunk does not record licence consumption per event but you can make a good guess on this yourself. Build a search which includes your events, and calculate the size in bytes of each event over 24 hours index=wineventlog sourcetype=winlog EventCode=4688 earliest=-24h latest=now|eval bytes=len(_raw) Splunk uses UTF-8, so its 8bits, 1 byte per character. Each event will be slightly different with varying hostnames and other parameters etc so calculate an average. |stats avg(bytes) as avg_bytes Now you need to know how many events there have been - I presume its a lot - a.) because you are asking, and b.) because 4688 is common and noisy! You could run a |stats count over 30 days, but that may take some time. (Im also working on the assumption you don't have an accelerated datamodel for this) This is a good use case for a sampled search, set a sample rate that matches your dataset. 1:10,000 or 1:100,000 is probably the ballpark. To calculate the volume, you need to multiply the number of events the samples search returns by the avg_bytes and then multiply that by the ratio you choose. So the complete search would be: index=wineventlog sourcetype=winlog EventCode=4688
| eval bytes=len(_raw)
| stats avg(bytes) as avg_bytes count
| eval ratio=10000
| eval consumptionBytes=((avg_bytes*count)*ratio)
| eval consumptionKB=((avg_bytes*count)*ratio)/1024
| eval consumptionMB=((avg_bytes*count)*ratio)/1024/1024
| eval consumptionGB=((avg_bytes*count)*ratio)/1024/1024/1024 remember to set "|eval ratio=x" to the sample ratio you use for the search
... View more
12-15-2020
05:35 AM
It might help if you can also post the contents of the macro last_np_sourcetype()
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
4 weeks ago
|
Karma from
