Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Adam_Sealey
Adam_Sealey
Explorer
Member since:
10-21-2011
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 2 |
| Member Since | 10-21-2011 |
Activity Feed
- Karma Splunk 5 Clustering: Indexes not seen In clustering dashboard on the master node for dshakespeare_sp. 06-05-2020 12:46 AM
- Karma Re: Splunk 5 Clustering: Indexes not seen In clustering dashboard on the master node for dshakespeare_sp. 06-05-2020 12:46 AM
- Karma Re: App deployment in Splunk 5.0 clustering from a master node for hexx. 06-05-2020 12:46 AM
- Karma Re: EXTRACT from specific field (using 'in' syntax) doesn't work without forcing an extract reload=T for Ayn. 06-05-2020 12:46 AM
- Karma Re: Change sourcetype/index after data is indexed from forwarder for Drainy. 06-05-2020 12:46 AM
- Karma Re: Using indexed DHCPD logs to find MAC address for IP for yannK. 06-05-2020 12:46 AM
- Got Karma for Can eventtypes contain macro references. 06-05-2020 12:46 AM
- Got Karma for Re: Using indexed DHCPD logs to find MAC address for IP. 06-05-2020 12:46 AM
- Karma Re: Python scripted inputs run with the wrong version of Python in Splunk 4.1.2 for Jason. 06-05-2020 12:45 AM
- Karma Re: [Linux DHCPd] dhcpd_mac-vendorname warnings outside of dhcpd app for araitz. 06-05-2020 12:45 AM
- Posted Re: EXTRACT from specific field (using 'in' syntax) doesn't work without forcing an extract reload=T on Getting Data In. 03-14-2013 12:22 PM
- Posted EXTRACT from specific field (using 'in' syntax) doesn't work without forcing an extract reload=T on Getting Data In. 03-14-2013 08:48 AM
- Tagged EXTRACT from specific field (using 'in' syntax) doesn't work without forcing an extract reload=T on Getting Data In. 03-14-2013 08:48 AM
- Tagged EXTRACT from specific field (using 'in' syntax) doesn't work without forcing an extract reload=T on Getting Data In. 03-14-2013 08:48 AM
- Posted Re: Using indexed DHCPD logs to find MAC address for IP on Splunk Search. 02-21-2013 08:08 AM
- Posted Re: Using indexed DHCPD logs to find MAC address for IP on Splunk Search. 02-21-2013 07:30 AM
- Posted Re: Can eventtypes contain macro references on Knowledge Management. 02-12-2013 02:01 PM
- Posted Re: Can eventtypes contain macro references on Knowledge Management. 02-11-2013 05:13 PM
- Posted Can eventtypes contain macro references on Knowledge Management. 02-11-2013 03:11 PM
- Tagged Can eventtypes contain macro references on Knowledge Management. 02-11-2013 03:11 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 |
03-14-2013
12:22 PM
Exactly correct!
Using btool, I was able to see the order that the extractions are applied, and confirmed what you said.
EXTRACT-extractDomain = (?<domain>(?:(?:(?:[^\.]+\.)?(?<tld>(?:[^\.\s]{2})(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))).$ in questionname
EXTRACT-opcode = (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]
EXTRACT-protocol = (?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+
EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*)
EXTRACT-question2 = \] (?<questionname>[^\s]*)$
EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)
When I renamed to zzExtractDomain, it works great because the questionname has been filled at that point
Thanks!
... View more
03-14-2013
08:48 AM
I've been trying to do a search time field extraction, using the EXTRACT- stanza in props.conf.
From the props.conf docs (http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf), it appears that there are 2 ways to perform a search time extraction using EXTRACT; either on the _raw field, or on a specific field.
When I try to perform the field extraction on a specific field (using the 'in' syntax), the extraction doesn't run unless I specify '| extract reload=T'
EXTRACT-extractDomain = (?<domain>(?:(?:(?:[^\.]+\.)?(?<tld>(?:[^\.\s]{2})(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))).$ in questionname
When I remove the 'in questionname' portion of the extraction (resulting in the extraction being run on _raw), the extraction runs all the time (doesn't require '| extract reload=T')
EXTRACT-extractDomain = (?<domain>(?:(?:(?:[^\.]+\.)?(?<tld>(?:[^\.\s]{2})(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))).$
Has anyone else run into this problem? In this case, I can rewrite my extraction to work on _raw, but there are other cases that I'm also working with that it would be very convenient to have the regex be applied to only one field.
... View more
- Tags:
- extract
- props.conf
02-21-2013
08:08 AM
It's interesting..this seems to work for very recent events (with the last 8 hours), but when I got outside of that window, there are no results. I'm guessing it has something to do with the bucketing..Any other ideas?
... View more
02-21-2013
07:30 AM
1 Karma
That seems to work, and reasonably fast! Thanks for the help. I'm working through comparing to my other systems to make sure that everything lines up.
The one tweak is that you have an extra ) after src_hosts.
... View more
02-12-2013
02:01 PM
Yes, my macros are exactly this simple (some don't even have wildcards). Do you have any suggestions for troubleshooting where the processing of the eventtype is going south?
... View more
02-11-2013
05:13 PM
Yes, it's for different types of events that are within the same sourcetype. I plan to use these eventtypes several times
... View more
02-11-2013
03:11 PM
1 Karma
I'm working on an app, and have defined various macros to allow easier customization.
An example of my macros.conf
[fooBar]
definition = fooBar*
Then, in my eventtypes.conf, I the following does not work:
[myEventType]
search = sourcetype `fooBar`:risk
When I modify eventtypes.conf to remove the macro, it seems to work:
[myEventType]
search = sourcetype fooBar*:risk
Is there a limitation on eventtypes and macros that I am missing? I looked through all 46 apps that I have installed, 26 of which have eventtypes.conf specified, and none of them use macros.
find -L /opt/splunk/etc/apps -name eventtypes.conf -exec grep "\`" {} \;
My only thought is to define an eventtype that mirrors the macro functionality, although in my reading, it sounds like macros are generally preferred to eventtypes (reference this splunkbase article on eventtypes vs. saved searches)
... View more
01-29-2013
08:22 AM
The join/sub-search is my first method. The volume of DHCP Accept messages is high, so I quickly hit the max number of events.
... View more
01-29-2013
08:10 AM
I'm trying to leverage my indexed DHCPD logs to provide additional information about internal IP's that show up in other events. Specifically, I want to lookup the src_mac and src_host field and add them to the event (for example, a firewall event). This seems pretty easy with an external dynamic lookup, but since I've already indexed the data, I'd like to leverage it.
What I think I want is something like a correlated subquery in SQL (have the subsearch look for the src_ip specific for an event), but it sounds like Splunk search doesn't work that way.
I've tried a few different methods, but none seem to be quite right.
Join/Subsearch method (This is slow, and hits the subsearch limits, so doesn't seem to be the right way to do it):
sourcetype=someSourcetype | join src_ip usetime=true earlier=true [search eventtype="dhcpd_server_dhcpack" src_ip=* src_mac=* | fields _time src_ip src_mac src_host]
Appended search Transaction Method (Requires the ip looking up to be specified for both searches, which doesn't work for what I'm trying to do):
sourcetype=someSourceType src_ip=192.168.1.1 | append [search eventtype="dhcpd_server_dhcpack" src_ip=192.168.1.1 | fields src_ip src_mac src_host] | transaction src_ip
Combined Transaction Method (If I don't specify the src_mac , it doesn't detect device changes on the IP. If I do, it doesn't seem to work correctly either):
(sourcetype=someSourceType) OR (eventtype="dhcpd_server_dhcpack") | transaction src_ip src_mac | table src_ip threat_id _time src_mac src_host
Any suggestions?
... View more
- Tags:
- dhcpd
- join
- transaction
01-09-2013
02:16 PM
I had a similar issue, where after cleaning an index (and the associated fishbucket on the forwarder), the cluster-master cluster management page reported the index as non-searchable (and no replicated or searchable copies), just like your screen capture. This was interesting, because I was able to successfully run searches through the search head, and saw activity to the index in the splunkd.log.
I was able to clear it up by restarting splunk on the cluster master. It seems to be a UI bug in the cluster management screen.
... View more
12-04-2012
11:37 AM
You switched the labels for props.conf and transforms.conf. The second code block should be props (which is specifying to apply the specified transforms to the accesslog sourcetype).
Also, as an aside, per http://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf, setting the index requires a DEST_KEY = _MetaData:Index (note the prepended underscore)
... View more
