Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About martaBenedetti
martaBenedetti
Path Finder
Member since:
04-30-2021
07-14-2022
Community Statistics
| Posts | 39 |
| Solutions | 0 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 04-30-2021 |
Activity Feed
- Posted Re: How to configure Splunk Enterprise Security drill-down earliest offset? on Splunk Enterprise Security. 07-14-2022 05:51 AM
- Posted Re: How to configure Splunk Enterprise Security drill-down earliest offset? on Splunk Enterprise Security. 07-14-2022 05:49 AM
- Posted Re: How to configure Splunk Enterprise Security Drill-down Earliest Offset on Splunk Enterprise Security. 07-14-2022 12:17 AM
- Posted How to configure Splunk Enterprise Security drill-down earliest offset? on Splunk Enterprise Security. 07-13-2022 01:00 AM
- Karma Re: Determining Logging Lag (and Device Feed Monitoring) for Lowell. 05-25-2022 07:41 AM
- Posted Re: Why do we have the --not exporting configurations globally to system-- message? on Splunk Search. 05-25-2022 01:38 AM
- Karma Re: Why do we have the --not exporting configurations globally to system-- message? for PranaySompalli. 05-25-2022 01:37 AM
- Karma Re: Error stopping service Splunkd (1053) for markfocella. 05-20-2022 06:14 AM
- Posted Re: How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App f on Splunk Enterprise Security. 05-18-2022 02:46 AM
- Karma Re: How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security? for jravida. 05-18-2022 02:45 AM
- Posted Re: Upgraded Splunk DB Connect V3.2.0 to V3.3.0 seeing metrics-logger-reporter errors on All Apps and Add-ons. 05-17-2022 03:40 AM
- Karma Re: Upgraded Splunk DB Connect V3.2.0 to V3.3.0 seeing metrics-logger-reporter errors for ericnewman. 05-17-2022 03:40 AM
- Karma Re: Upgraded Splunk DB Connect V3.2.0 to V3.3.0 seeing metrics-logger-reporter errors for williaml_splunk. 05-17-2022 03:40 AM
- Posted Re: Route and filter data from HEC on Getting Data In. 05-11-2022 07:25 AM
- Posted Re: Route and filter data from HEC on Getting Data In. 05-11-2022 07:25 AM
- Karma Re: Route and filter data from HEC for PickleRick. 05-11-2022 07:21 AM
- Karma Re: Route and filter data from HEC for somesoni2. 05-11-2022 07:21 AM
- Posted How to route and filter data from HEC? on Getting Data In. 05-11-2022 06:36 AM
- Karma Re: Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1. for rahmatn. 04-07-2022 01:14 AM
- Posted Re: Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1. on All Apps and Add-ons. 03-31-2022 05:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-14-2022
05:51 AM
Hi @VatsalJagani , I've tried setting in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down. Thanks anyway
... View more
07-14-2022
05:49 AM
Hi @harishalipaka I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞
... View more
07-14-2022
12:17 AM
Hi @VatsalJagani , it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$. On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search with no success since when I click on drill-down t his error appears:
... View more
07-13-2022
01:00 AM
Hi,
I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.
I'd like to run the Drill-down search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.
I'm trying this configuration but seems not to work properly.
Is there a way to do so? Is there a way to set earliest in the Drill-down search?
Thanks a lot
Marta
... View more
05-25-2022
01:38 AM
Thank you! Worked for me!
... View more
05-18-2022
02:46 AM
Worked for me, thanks!
... View more
05-17-2022
03:40 AM
worked for me, thanks!
... View more
05-11-2022
07:25 AM
The source stanza was just a typo, I've corrected it 🙂 Thank you Marta
... View more
05-11-2022
07:25 AM
I was afraid the solution couldn't work with HTTP event collector since I've only used this configuration with classic monitor inputs. The source stanza was just a typo, I've corrected it 🙂 Thank you Marta
... View more
05-11-2022
06:36 AM
Hi Community,
I have the need to filter data based on a specific field value and route to a different group of indexers.
Data is coming through HEC configured on a Heavy Forwarder like this:
[http://tokenName]
index = main
indexes = main
outputgroup = my_indexers
sourcetype = _json
token = <string>
source = mysource
I'd like to use props.conf and transforms.conf as suggested here like this:
props.conf
[source::mysource]
TRANSFORMS-routing=otherIndexersRouting
transforms.conf
[otherIndexersRouting]
REGEX=\"domain\"\:\s\"CARD\"
DEST_KEY=_TCP_ROUTING
FORMAT=other_indexers
In outputs.conf I'd add the stanza [tcpOut:other_indexers]
Is this possible? Is there another way to achieve this goal?
Thank you
Marta
... View more
Labels
03-31-2022
05:48 AM
Same problem, worked for me! Thanks a lot rahmatn !
... View more
03-02-2022
06:01 AM
Thanks a lot somesoni2 , now is working fine!
... View more
03-02-2022
12:34 AM
somesoni2 the configurations are kept on Heavy Forwarders, data ingestion is done through monitoring of files written by rsyslog. On Heavy Forwarder is installed also the Splunk Add-On for Cisco ASA that performs a sourcetype rename (from cisco_asa to cisco:asa) : c ould this be the reason why the configurations are not working? Thanks for your help Marta
... View more
03-01-2022
08:55 AM
Hi,
I'm trying to route data to a specific index based on a value in a field.
I have a series of data that look like this:
Mar 1 16:26:52 xxx.xxx.xxx.xxx Mar 01 2022 16:26:52 hostname : %FTD-6-113008: AAA transaction status ACCEPT : user = username
Mar 1 17:42:18 xxx.xxx.xxx.xxx Mar 01 2022 17:42:18 hostname : %ASA-6-611101: User authentication succeeded: IP address: xxx.xxx.xxx.xxx, Uname: username
My props.conf on indexer looks like this:
[cisco:asa]
TRANSFORMS-01_index = force_index_asa_audit
My transforms.conf on indexer looks like this:
[force_index_asa_audit]
DEST_KEY = _MetaData:Index
REGEX =(?:ASA|FTD)-\d+-(?:113008|113012|113004|113005|611101|605005|713166|713167|713185|716038|716039|713198|502103|111008|111010)
FORMAT = asa_audit
But unfortunatly nothing happens.
I've tryed also using source in props.conf with no successful result.
Do you have any idea?
Thank a lot
Marta
... View more
Labels
- Labels:
-
indexer
-
props.conf
-
transforms.conf
07-07-2021
12:25 AM
@ITWhisperer on HFW there is Splunk Enterprise 7.1.3. Thought you were thinking about something 🙂 Thanks anyway!!
... View more
07-06-2021
08:49 AM
@ITWhisperer Do you have suggestion on how to do so? That is filter out the first kind of log? Thanks
... View more
07-02-2021
02:19 AM
@ITWhisperer that's right: the first one should be excluded with nullQueue and the second one should be indexed. The problem though is that all logs are excluded.
... View more
- Tags:
- yes
07-02-2021
01:16 AM
Hi community, I have the need to exclude AIX logs containing a certain field value. This is the regex the parser is using to extract vendor_action filed: ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<user>\S+)\s+(?<process>\S+)\s+(?<vendor_action>\S+)\s+(?<status>\S+) I'm trying to exclude events that contain vedor_action=FILE_Unlink and these are my conf file located on Heavy Forwarder: props.conf [aix:audit]
TRANSFORMS-null= setnull transforms.conf [setnull]
REGEX = ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+
DEST_KEY = queue
FORMAT = nullQueue There are sample logs: the first one should be excluded while the second one no: Fri Jul 02 10:01:49 2021 34078844 8520050 dbloader rm FILE_Unlink OK Not supported
filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt
Fri Jul 02 10:01:46 2021 34930828 4587668 root root lsvg FILE_Unlink OK
filename /dev/__pv17.0.34930828 When I restart spunk all logs are excluded, so I think something is wrong with my REGEX even if on regex101 seems to work fine. Any ideas? Thanks a lot Marta
... View more
Labels
- Labels:
-
field extraction
-
regex
-
rex
06-30-2021
08:22 AM
Thanks a lot kamlesh!!! Never though about it, you made my day 🙂
... View more
06-30-2021
07:32 AM
Hi community, I have the need to store encrypted password used in a python script. I've created the app with its setup.xml page and the app is deployed on a search head cluster. The problem is that under Manage Apps I cannot see "Set Up" button and if I click on "Launch App" I get 404 - not found. This is my setup.xml file <setup>
<block title="New Crdential" endpoint="storage/passwords" entity="_new">
<input field="name">
<label>Username</label>
<type>text</type>
</input>
<input field="password">
<label>Password</label>
<type>password</type>
</input>
</block>
</setup> This is my app.conf file: [install]
is_configured = 0
[ui]
is_visible = 1
label = my app
[launcher]
author = Marta Benedetti
description = my app
version = 1.0.0 Any idea? Thanks a lot Marta
... View more
Labels
- Labels:
-
encryption
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-14-2022
09:12 AM
|
Karma given to
