Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About zapping575
zapping575
Explorer
Member since:
12-03-2021
2 weeks ago
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 12-03-2021 |
Activity Feed
- Got Karma for Re: Timestamp extraction in multiline event. 3 weeks ago
- Karma Re: Timestamp extraction in multiline event for gcusello. 3 weeks ago
- Posted Re: Timestamp extraction in multiline event on Getting Data In. 3 weeks ago
- Posted How to extract timestamp in multiline event? on Getting Data In. 3 weeks ago
- Tagged How to extract timestamp in multiline event? on Getting Data In. 3 weeks ago
- Tagged How to extract timestamp in multiline event? on Getting Data In. 3 weeks ago
- Tagged How to extract timestamp in multiline event? on Getting Data In. 3 weeks ago
- Tagged How to extract timestamp in multiline event? on Getting Data In. 3 weeks ago
- Posted Re: For each each host for each eventtype, chart the number of occurences including its respective threshold on Splunk Search. 05-03-2022 07:23 AM
- Posted Re: For each each host for each eventtype, chart the number of occurences including its respective threshold on Splunk Search. 05-03-2022 02:56 AM
- Karma Re: For each each host for each eventtype, chart the number of occurences including its respective threshold for ITWhisperer. 05-03-2022 02:56 AM
- Posted How to chart the number of occurrences including its respective threshold for each host and each eventtype? on Splunk Search. 05-02-2022 10:39 AM
- Posted Re: In an alert result, show only the most recent event(s) on Alerting. 03-24-2022 02:47 AM
- Posted In an alert result, how to show only the most recent event(s)? on Alerting. 03-23-2022 12:07 PM
- Posted Re: Alerts falsely show up as reports on Alerting. 01-26-2022 07:58 AM
- Posted Re: Alerts falsely show up as reports on Alerting. 01-25-2022 09:24 AM
- Posted Re: Alerts falsely show up as reports on Alerting. 01-25-2022 05:54 AM
- Posted Alerts falsely show up as reports on Alerting. 01-24-2022 08:35 AM
- Tagged Alerts falsely show up as reports on Alerting. 01-24-2022 08:35 AM
- Tagged Alerts falsely show up as reports on Alerting. 01-24-2022 08:35 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
1 Karma
Ciao @gcusello Yes, its working! Funnily enough, before I tried the RegEx shown in the OP, I tried one which is very close to yours, but didnt work :): ^Time:\s+ Thank you very much. While I know that this is an off topic question, a different problem has turned up now: The file contains a header that I cannot seem to get rid of. I tried setting FIELD_HEADER_REGEX = ==\[ but this again did not work. Here is the header: (notice the "==[", after which the first event begins) Info1: qwe
Info2: asd
Info3: yxc
Info4: foo
Info5: bar
Info6: baz
Info7: fizz
Info8: buzz
==[
... View more
3 weeks ago
Hi all,
can somebody please give me a hand w/ this. I would like to extract the timestamp from an Event like this:
Info1: ASDF
Info2: QWE
Info3: YXC
Time: MON JAN 01 00:00:00 2022
Here is what I am using in props.conf. According to regex101, my TIME_PREFIX should be good, but it doesnt work (splunk uses the current time in the _time field). The fact that weekday and month are capitalized should not be problem.
TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = ^.*\n^.*\n^.*\n^Time:\s+
... View more
Labels
- Labels:
-
props.conf
-
time
05-03-2022
07:23 AM
Acknowledged. thanks
... View more
05-03-2022
02:56 AM
Thank you very much. I got it working as expected like this: index="my_index" eventtype=* host="dropdown_value..."
| lookup my_lookup eventtype
| stats count values(alert_threshold) as alert_threshold by eventtype
| where alert_threshold > 0 AND count > alert_threshold
| sort count desc Now the only thing left is that the threshold value is drawn as a dot in the chart. I'd like it to be a line going across the entire bar. Is that possible?
... View more
05-02-2022
10:39 AM
Hi everybody,
I have the following problem and cannot seem to be able to wrap my head around it:
I have a bunch of eventtypes (close to 1000).
Some of those eventtypes have certain thresholds which are greater than zero. I look the values up from a csv
For a single host, I'd like to
Chart the number of occurrances for an eventtype IF
That number of occurrances is higher than the aforementioned threshold
The chart shall also contain a static line depicting the threshold value
Here is what I have so far. I believe I am always getting lost when using an aggregate function such as count() because added something to the result using eval just wont work.
index="my_index" eventtype=* host="$HOST_FROM_DROPDOWN$"
| lookup my-events eventtype
| eventstats count by eventtype
| where alert_threshold > 0 AND count > alert_threshold
| stats count by eventtype
| eval Threshold = alert_threshold
What I do understand is that I have to add the "Threshold" variable in the overlay Options of the chart.
Any help is much appreciated. Thank you
... View more
03-24-2022
02:47 AM
Thats a really good question. I have the alert setup to run every hour. The reason I am searching within the last 30 days is because I have some thresholds at hand for my alerts. Those thresholds are per host and per month. It just occurred to me that if the threshold for an alert is zero (which it is for the alert in question) I might as well ignore the per-month rule. So I could just search within the last hour instead while still suppressing previous alerts for the past hour and the field _time. This still isnt "perfect" but better than getting all events from the past 30 days listed in the alert results.
... View more
03-23-2022
12:07 PM
I am trying to figure out the following and would greatly appreciate some help:
I have an alert which's search query looks for a certain event within the last 30 days.
If the event of interest occurs, an alert shall be triggered. This is working fine.
Now, because I have to look for events in the last 30 days, I do not want the exact same event to trigger another alert. I do however, want to trigger another alert if the event occurs on say....a different host.
By my understanding, this can be acheived by the following
-Use trigger type "for each event"
-Suppress for 30 days: events with the field _time
When the event in question has triggered, we navigate to triggered alerts and select "show events" I want to be able to see only the very event that triggered that very same, recent alert. I want this because it helps the person who is investigating the issue to immediately see what asset is affected.
Is it possible to do this?
... View more
- Tags:
- alert
- splunk-search
Labels
- Labels:
-
alert action
-
alert condition
-
throttling
01-26-2022
07:58 AM
So I was using the exact same name for my alerts as I was using for the eventtypes that were used to generate them. Whats more is that because of the large number of alerts, splunk stated the following: The number of search artifacts in the dispatch directory is higher than recommended Thus I changed the alert type from real-type to planned. They are now appearing in the Alerts section as expected. Thanks @richgalloway for the help.
... View more
01-25-2022
09:24 AM
Thank you very much for the tip. For a single alert in savedsearches.conf, I changed counttype to always and restarted splunk. Unfortunately, the selected alert still doesnt show up where it should.
... View more
01-25-2022
05:54 AM
Thank you for the response. I did what you suggested (in a separate app for testing). The entry in savedsearches that you can find below will show up as an alert. However, I can see no difference to the entry in my first post. [test1]
alert.expires = 120d alert.suppress = 0 alert.track = 1 counttype = number of events cron_schedule = * * * * * description = test1 dispatch.earliest_time = rt-30d dispatch.latest_time = rt-0d display.general.type = statistics display.page.search.tab = statistics enableSched = 1 quantity = 0 relation = greater than request.ui_dispatch_app = test1 request.ui_dispatch_view = search search = index="_internal" | stats count by action, host | search count > 1 I did also compare the default.meta files. They are identical, so permissions shouldnt be an issue.
... View more
01-24-2022
08:35 AM
Hi, I have a bunch of alerts in my savedsearches.conf. I would like to configure the alert action "Add to triggered alerts" (as is offered when you add the alert using the ui). I am doing this programmatically. After restarting splunk, the alerts do not show up as alerts, but rather as reports (in the reports tab). Is this intended behaviour by splunk or am I missing out on something? An example alert can be found below [generic-alert-name]
alert.expires = 120d
alert.severity = 2
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = * * * * *
description =
dispatch.earliest_time = rt-30d
dispatch.latest_time = rt-0d
display.general.type = statistics
display.page.search.tab = statistics
enablesched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = my_app
request.ui_dispatch_view = my_app
search = eventtype = "some-eventtype" | stats count by id | search count >= 4711
... View more
Labels
- Labels:
-
alert action
12-03-2021
07:48 AM
Dear all, despite my best efforts, I was not able to find satisfactory information. Thus I would like to ask if anyone here can help me with this. We have the UF running in a docker container in a k8s environment. For getting data in, we are using batch/monitor on files stored on a persistant volume claim. Consider the following scenario: - The container the UF is running in gets restarted while the UF is processing a file. After booting back up, the UF re-processes the entire file, leading to duplicates on the indexer Is this something we need to consider, for example by checking that the UF is currently not processing anything before restarting? Or will the UF take care of all of this for us?
... View more
Labels
- Labels:
-
index
-
monitor
-
universal forwarder
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
