Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About michaelnorup
michaelnorup
Communicator
Member since:
08-19-2021
03-30-2023
Community Statistics
| Posts | 50 |
| Solutions | 1 |
| Karma Given | 18 |
| Karma Received | 1 |
| Member Since | 08-19-2021 |
Activity Feed
- Posted Re: Why is loadjob not getting all results? on Splunk Search. 03-29-2023 11:09 PM
- Posted Re: Why is loadjob not getting all results? on Splunk Search. 03-28-2023 04:00 AM
- Posted Re: Regex not matching on Splunk Search. 03-28-2023 03:17 AM
- Posted Re: loadjob not getting all results on Splunk Search. 03-28-2023 02:57 AM
- Posted Why is my regex not matching? on Splunk Search. 03-28-2023 02:45 AM
- Posted Why is loadjob not getting all results? on Splunk Search. 03-23-2023 03:06 AM
- Posted Re: Search empties during run on Splunk Search. 03-02-2023 12:55 AM
- Karma Re: Search empties during run for ITWhisperer. 03-02-2023 12:46 AM
- Posted Why does my search empty during run? on Splunk Search. 03-01-2023 11:57 PM
- Posted Re: Join searches to search for inactive splunk users on Splunk Search. 02-20-2023 11:12 PM
- Karma Re: Join searches to search for inactive splunk users for scelikok. 02-20-2023 11:11 PM
- Posted How to join searches to search for inactive Splunk users? on Splunk Search. 02-16-2023 03:25 AM
- Posted Location of props.conf and transforms.conf in a distributed setup on Getting Data In. 12-08-2022 01:58 AM
- Karma Re: Migrating from windows to linux for gcusello. 08-30-2022 04:56 AM
- Posted Re: Migrating from windows to linux on Deployment Architecture. 08-30-2022 02:08 AM
- Karma Re: Migrating from windows to linux for gcusello. 08-30-2022 02:08 AM
- Posted Re: Migrating from windows to linux on Deployment Architecture. 08-30-2022 01:39 AM
- Posted Re: What's best practice for monitoring bash_history of all users in the system? on All Apps and Add-ons. 08-25-2022 02:12 AM
- Posted Re: Help comparing outputcsv to inputcsv on Splunk Search. 05-24-2022 11:37 PM
- Karma Re: Help comparing outputcsv to inputcsv for ITWhisperer. 05-24-2022 11:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-28-2023
04:00 AM
If i remove the dedup on servername in the second search (because its already there in the main search) It disregards my time picker, and shows my data from the last 14 months i think
... View more
03-28-2023
03:17 AM
It was because "Version" was empty. Fixed that in the script that populated the fields outside of splunk
... View more
03-28-2023
02:57 AM
There were no issues related to this unfortunately. And if there were issues in the first search, wouldnt that one also not be able to show all the results?
... View more
03-28-2023
02:45 AM
My regex from the message field looks like this.
| rex field=Message "\W(?<Hostname>\S+)\s\w+\W(?<Build>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CpuTotalMhz>\S+)\s\w+\W(?<CpuUsageMhz>\S+)\s\w+\W(?<MemoryTotalMB>\S+)\s\w+\W(?<MemoryUsageMB>\S+)\s\w+\W(?<Version>\S+)" |
For some reason it matches and pulls out all the fields from this entry:
Message=Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3
But not from any other entries which could looks like this:
Message=Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=
or
Message=Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version=
... View more
Labels
- Labels:
-
regex
03-23-2023
03:06 AM
Hi everyone. I am trying to create historical capacity data over some servers. I have 1 search that will return all the data i need. This search runs with a timepicker of 14 months(unlike the picture here for speed) and the last part ( | search Customer="*****") is not part of the scheduled report
As you can see this returns 46 servers as expected. Then, when i try to load the search later on to create dashboards it now only returns 23 servers...
The fact that it returns SOME of the servers but not all is confusing me. I have triple checked that the Customer="***" is correct in both searches. Does anybody have ideas? It makes no sense to me
... View more
Labels
- Labels:
-
subsearch
03-02-2023
12:55 AM
So this was the solution. Can you explain to me why the sorting would just hide ALL the results, instead of showing the last 10.000 like it says it does?
... View more
03-01-2023
11:57 PM
Hi all. I have a search that searches a large amount of events. Its run on fast mode, on the statistics page. When i start the search it slow starts populating the fields, but then at one point it just empties all the results and says "No results found", even thought they were there at the beginning of the search running... Any ideas what could be the issue here? Never had anything like this before on other large searches though Some setting in limits.conf or something? All i get is this, which makes no sense since data is there at the start of the search
In the beginning it shows data:
... View more
Labels
- Labels:
-
search job inspector
02-20-2023
11:12 PM
Hi unfortunately this still shows users that have logged in within the last couple of days. They dont show the same amount of users, but still "active" ones It also only shows real name and username. Would like it to show time aswell *EDIT So i have changed it to this | rest /services/authentication/users splunk_server=local
| fields realname, title, last_successful_login type
| rename title as user
| fillnull value=-
| where last_successful_login<relative_time(now(),"-6mon") OR last_successful_login="-"
| convert ctime(last_successful_login) But unfortunately all LDAP users have an empty "last_successful_login" field =( Do you have a way to change that?
... View more
02-16-2023
03:25 AM
So i am trying to get a list of inactive splunk users. I have first tried just grabbing a list of all the users with the last login older than 6 months, but that gives me a list of users that has already been deleted in splunk, like this:
index=_audit action="login attempt" | where strptime('timestamp',"%m-%d-%Y %H:%M:%S")<relative_time(now(),"-6mon") | stats latest(timestamp) by user
Then i tried joining it with a list of the current users from the rest api like this:
| rest /services/authentication/users splunk_server=local
| fields realname, title
| rename title as user
| join user type=left [
search index=_audit action="login attempt" | where strptime('timestamp',"%m-%d-%Y %H:%M:%S")<relative_time(now(),"-6mon") | stats latest(timestamp) by user
]
This doesnt work and just outputs a list of current users. What i want: List of current splunk users with last login attempt older than 6 months with realname username, last login time. I have tried this solution from javiergn, but i cannot get last login time on that https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-identify-inactive-users-over-the-last/m-p/285256
... View more
Labels
- Labels:
-
join
12-08-2022
01:58 AM
Hi Guys. I have a distributed setup consisting of 1 search head, 1 deployment/license server, 1 indexer. And a whole bunch of universal forwarders. I am trying to filter out some of the data coming in with transforms.conf: [setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = "name":"System availability"
DEST_KEY = queue
FORMAT = indexQueue and a props.conf [Zabbix-history]
SHOULD_LINEMERGE = falde
MAX_TIMESTAMP_LOOKAHEAD = 300
detect_trailing_nulls = auto
TIME_PREFIX = \"clock\":
KV_MODE = json
AUTO_KV_JSON = true
TRANSFORMS-set = setnull,setparsing A log example that i would like to index, matching the regex in transforms.conf {"host":{"host":"xxxxx","name":"xxxx"},"groups":["xxxx Prod","xxxx","Windows servers"],"item_tags":[{"tag":"SAP Basis","value":""},{"tag":"System availability","value":""},{"tag":"SID1","value":""},{"tag":"Product","value":"Web Server"},{"tag":"SID","value":"WSP"}],"itemid":900162,"name":"System availability","clock":1670486400,"count":13,"min":1,"avg":1,"max":1,"type":3} Currently the props.conf and transforms.conf are on the indexer in the designated app. Its currently filtering out all the logs with the sourcetype Zabbix-history, and not indexing the "name":"System Availability" Does the props/transforms also need to be on the searchhead, or pushed to the universalforwarder with the deployment server?
... View more
Labels
08-30-2022
02:08 AM
Alright. /system/local/authorize.conf and /passwd should also come if i just copy the entire /etc/ folder though right? Good idea to change the hostname there aswell ;D One last question. Is it possible to first migrate the Search Head and the Deployment server to Linux and keep the indexer on windows? Just to test if users, roles, dashboards etc still work, before migrating the indexer aswell? Or is that a big ol mess, with having windows/linux mixed like that? Thanks !
... View more
08-30-2022
01:39 AM
I should be able to just copy the ENTIRE splunk/etc/ folder right? Then just change all the \ to / and be good? About about users and roles? That should be good aswell? Some of them come from AD, but if the new server has an AD connection it should assign the roles fine right?
... View more
08-25-2022
02:12 AM
How did you get the permissions to work? Having to trouble allowing the splunk user to read all other users bash_history
... View more
05-24-2022
11:37 PM
Hey ITWhisperer, thanks for replying. Think you could spell it out for me? 😐
... View more
05-20-2022
02:07 AM
Hi Team. I have a big ol search that tables a bunch of resource usage data. Now i smack and outputcsv on that badboy, and schedule it to run once a month. Before it runs next month i would like to run the search again , drag in the old search with inputcsv and then compare the two, and maybe only list the changes (And maybe how much it changes?)
(index="redacted" OR index="redacted2") EventCode=1011 | rex field=Message "\W(?<ServerName>\S+)\s\w+\W(?<PowerState>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CoresPerSocket>\S+)\s\w+\W(?<GuestHostName>\S+)(:)(?<GuestOS>.+)(MemoryMB)\W(?<MemoryMB>\S+)\s\w+\W(?<ResourcePool>.+)(Version)\W(?<Version>\w+)\s\w+\W(?<UsedSpaceGB>\S+)\s\w+\W(?<ProvisionedSpaceGB>\S+)\s\w+\W(?<VMHost>\S+)\s\w+\W(?<Folder>.+)" | eval UsedSpaceGB = round(UsedSpaceGB,2) | eval ProvisionedSpaceGB = round(ProvisionedSpaceGB,2) | search VMHost="***" | table ServerName PowerState CpuCount CoresPerSocket GuestHostName GuestOS MemoryMB ResourcePool Version UsedSpaceGB ProvisionedSpaceGB VMHost Folder | dedup ServerName | search ServerName="*" | search VMHost="*" PowerState="*" ResourcePool="redacted "| outputcsv redacted_filename.csv
New search: inputcsv redacted_filename.csv lists the old search just fine, except it sorted the tablenames alphabetically, but whatever. Is there an easy way to compare the two, or will i have to extract all fields and compare manually?
... View more
Labels
- Labels:
-
eval
04-26-2022
04:43 AM
It randomly works now. I guess it was just super slow at catching up
... View more
04-26-2022
04:18 AM
I am recieving internal logs from the syslog server. I am recieving other logs( for example the cisco logs) from the syslog server I am NOT recieving logs from the fortigate input from the syslog server (Deployed with the same app as the cisco input) The user running splunk is root on the syslog server I am ecen seeing both inputs correctly here on the deployment server Am i reading these entires correct in that it IS in fact transmitting data from the fortigate input? Can it be because the logs are so many and big that it simply hasnt caught up yet?
... View more
04-26-2022
03:59 AM
Hey Giuseppe, thanks for stopping in I am NOT recieving logs from the host, which is the entire problem right? The host however can be both the syslog server(which i am recieving plenty of logs from, just not this particular input), and the FW-XXX-FG in from the inputs.conf, which isnt working Splunk forwarder is running as root, so should have access to read all On the deploymentserver i can even see the folder and sourcetype under settings -> data inputs -> file and directories
... View more
