Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About JohnnyMnemonic
JohnnyMnemonic
Explorer
Member since:
03-08-2022
11-09-2023
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 03-08-2022 |
Activity Feed
- Posted How did you integrate your Radware CWAF in Splunk? on Getting Data In. 11-09-2023 03:18 AM
- Karma Re: Extract a threshold from lookup and create a default value for gcusello. 09-05-2023 08:49 AM
- Posted Re: Extract a threshold from lookup and create a default value on Splunk Search. 09-05-2023 08:19 AM
- Posted How to extract a threshold from lookup and create a default value? on Splunk Search. 09-05-2023 07:49 AM
- Posted Re: Merge all values in two fiels in a new one on Splunk Search. 11-16-2022 05:46 AM
- Posted Merge all values in two fields in a new one? on Splunk Search. 11-16-2022 05:16 AM
- Posted Re: Do you know of a way to assign an increasing numerical value to each new event sent to the index? on Splunk Search. 10-14-2022 06:21 AM
- Posted Re: Do you know of a way to assign an increasing numerical value to each new event sent to the index? on Splunk Search. 10-14-2022 04:16 AM
- Karma Re: Do you know of a way to assign an increasing numerical value to each new event sent to the index? for johnhuang. 10-14-2022 02:46 AM
- Posted Do you know of a way to assign an increasing numerical value to each new event sent to the index? on Splunk Search. 10-13-2022 08:31 AM
- Posted Re: Table with vertical title on Splunk Search. 09-29-2022 03:12 AM
- Karma Re: Table with vertical title for ITWhisperer. 09-29-2022 03:12 AM
- Posted How to display table with vertical title? on Splunk Search. 09-29-2022 02:16 AM
- Karma Re: Fast timecharts counting events per day for gcusello. 07-04-2022 05:10 AM
- Posted Is there any way to speed up timecharts counting events per day? on Splunk Search. 07-04-2022 03:41 AM
- Karma Re: How to calculate the percent of a value from total for SanjayReddy. 03-08-2022 06:13 AM
- Posted Re: How to calculate the percent of a value from total on Dashboards & Visualizations. 03-08-2022 03:57 AM
- Posted How to calculate the percent of a value from total? on Dashboards & Visualizations. 03-08-2022 03:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-09-2023
03:18 AM
I am trying to integrate this solution into Splunk but I am finding problems. The most relevant as far is the number of retrieved events. I use the official event collector app Radware CWAF Event Collector | Splunkbase It works via API user and I found that the number of events in Splunk doesn't match with the events in cloud console. After opening a support ticket with Radware they told me that the problem is the "pulling rate" for API configuration in my Splunk. I have been trying to find how to configure this "pulling rate" in Splunk but I found nothing. Do you know how to solve this parameter or how do you solve this integration? This is exactly what they told me: Our cloudops team checked to see if there are any differences between the CWAF and the logs that are sent to your SIEM. They found that there is a queue of logs that are waiting to be pulled by your SIEM. Therefore, we do not have any evidence that the issue is with the SIEM infrastructure. For example, if we send 10 events per minute and the SIEM is pulling 5 per minute, this will create a queue of logs. Unfortunately, we cannot support customer-side configuration. It might be more helpful to consult with the support team for the SIEM you are using, as the interval might be the "Pulling Rate."
... View more
Labels
- Labels:
-
HTTP Event Collector
-
source
-
syslog
09-05-2023
08:19 AM
EDIT: Nevermind, I had an issue in my splunk server that was returning incorrect results, the solution works perfect! Thanks!
... View more
09-05-2023
07:49 AM
Hi,
I'm trying to create a filter based on a threshold value that is unique for some objects and fixed for the others.
index=main | loopup thresholds_table.csv object output threshold | where number > threshold
The lookup contains something like:
object
threshold
chair
20
pencil
40
The problem here is that no all objects are inside the lookup, so I want to fix a threshold number for all other objects, for example I want to fix a threshold of 10 for every object except for those inside the lookup.
I tried these things without success:
index=main | loopup thresholds_table.csv object output threshold | eval threshold = coalesce(threshold, 10) | where number > threshold
index=main | fillnull value=10 threshold | loopup thresholds_table.csv object output threshold | where number > threshold
index=main | eval threshold = 10 | loopup thresholds_table.csv object output threshold | where number > threshold
The objective is identify when an object reach an X average value, except for those objects that have a higher average value.
... View more
- Tags:
- splunk search
Labels
- Labels:
-
lookup
11-16-2022
05:46 AM
Sorry I modified the question and didn't noticed that keep IPs as part of it. Actually I have events where the field Action is "act" and other events where the same values are inside the field "actResult" but both fiels are never togheter in the same event, I mean, both fields are actually the same. Then, I want to obtain a table with the Action in a column. My real query: index=my_index sourcetype=my_source | eval Action = coalesce("act","actResult") | stats values(createdTime) as EventTime, values(Action) by id | table EventTime Action id But the result is a column named "Action" where all rows have the value "act" I know that the best option is to correct the parsing but I am not the administrator, I just can work with transformation commands.
... View more
11-16-2022
05:16 AM
I have read all the posts about "merging fields" and none of the options work for me.
I have events where the same value can come in fields with different names. For example, one has the Action in a field called "act" and another the field is "actResult".
I tried to use:
|eval Action = coalesce("act","actResult") |eval Action = mvappend("act","actResult")
But both optiones is generating a field with "act" and "actResult" as value, removing all actual values.
And also tried:
|rename act as Action actResult as Action
But it doesn't work 😞
Any ideas?
... View more
10-14-2022
06:21 AM
I have a search saved as an alert in Splunk, every time this alert has a match it generates an event that is added to an index and sends an email with the event to the web app. In the same search the MD5 is added as a new field and value to the generated event, then the indexed event saves that "hash" as a unique identifier. I actually call it ID. If someone in the web app asks me about the ID-X alert, I can search the index for the event with ID-X and find it. It works 🙂 EDIT: I had to add a field to avoid coincidences: | eval event_hash=md5("earliest". random())
... View more
10-14-2022
04:16 AM
I have solved the problem with this command: | eval event_hash=md5("". random()) It generates a random number as reference for creating the MD5 hash, then I have a kind of ID for this new event.
... View more
10-13-2022
08:31 AM
Hi eveybody,
I have a series of alerts that generate new events that are sent to a specific index and also send an email to a web application, but there is no way to identify these "correlated events" by unique id.
My goal is to be able to relate these indexed events to the event created in the web application using only a number, but this number must be assigned by splunk.
Do you know of a way to assign an increasing numerical value to each new event sent to the index?
... View more
09-29-2022
02:16 AM
I'm sure this must be possible, but I can't find a way, unfortunately there are a couple of threads on this with no solution 😞
I just want to display a table vertically, with titles as column 1 and values as column 2, like a bullet list.
All the information I found suggests that the "transposse" command is the way to go, but I don't know how to achieve it.
Any suggestion?
Field 1
Field 2
Field 3
Value
Value
Value
And this is how I'd like to express the table:
Fields
Values
Field 1
Value
Field 2
Value
Field 3
Value
... View more
07-04-2022
03:41 AM
Hi,
I need to validate que total number of events received each day from my sources to find gaps during the last 60 days, but this query is too heavy as we are talking about thousand of millions of logs. Is there any trick to speed up this kind of queries? My queries are being stopped by the system as they are too heavy.
I just need to count events and print them in a chart.
index=main_index AND source=main_source_* | timechart span=1d count by source
... View more
03-08-2022
03:57 AM
I am currently using this query but it seems a bit hard for the search head: index=logs sourcetype=more_logs dest_ip=* | eval address=IF(LIKE(dest_ip, "0.0.0.0"), "YES", "OTHER") | stats count by address
... View more
03-08-2022
03:34 AM
Hi splunkers,
I thought it would be easier, but now I need to ask you for help.
I need to make a simple tart chart with the percent of an IP Address and the percent of all other together as "Other".
How can I group all values in a single value "other" but leaving out just the value I want to analyze?
Thanks!
... View more
- Tags:
- splunk-search
Labels
- Labels:
-
chart
-
single value
-
table
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-09-2023
06:39 AM
|
