Activity Feed
- Posted Re: Maximum disk usage quota- Why are alerts not sending? on Splunk Search. 08-09-2022 12:37 AM
- Posted Maximum disk usage quota- Why are alerts not sending? on Splunk Search. 06-21-2022 07:28 AM
- Karma Re: Field does not appear in the list of available fields for gcusello. 06-13-2022 06:47 AM
- Posted Re: Field does not appear in the list of available fields on Splunk Search. 06-13-2022 06:46 AM
- Posted Re: Field does not appear in the list of available fields on Splunk Search. 06-13-2022 05:46 AM
- Posted Re: Field does not appear in the list of available fields on Splunk Search. 06-13-2022 03:43 AM
- Posted Why does field not appear in the list of available fields? on Splunk Search. 06-13-2022 03:25 AM
- Karma Re: Problem with the creation of an alert for ITWhisperer. 06-13-2022 03:00 AM
- Posted Re: Problem with the creation of an alert on Splunk Search. 06-09-2022 07:05 AM
- Posted How to create an alert that pops up from search? on Splunk Search. 06-09-2022 04:10 AM
08-09-2022 12:37 AM
Hi @effem2, Thank you for your response! The truth is that I already solved the problem and I forgot that I had this question open. The reason this happened was that the alerts, not having an owner, were using the default maximum disk usage quota. It was solved by adding an owner to the alerts. Regards
06-21-2022 07:28 AM
Hello,
I have a Splunk Cloud deployment and the alerts are not firing. I have searched for information and using the search index=_internal sourcetype=scheduler status="skipped" savedsearch_name="search_name" you can see why the alerts are not going off. It says that the maximum disk usage quota for this user has been reached. The thing is that these alerts have no owner, the owner is "nobody", so if I am not mistaken the maximum disk usage quota is the default one. I think they don't recommend changing the default maximum disk usage quota.
I need these alerts to trigger, what can I do to fix this problem?
Thanks in advance and best regards.
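The scheduler search quoted in the post looks at one saved search at a time. The variant below, added here as an example and not part of the original question or reply, widens it to every skipped scheduled search and groups the skips by the owner the scheduler ran them as and by the reason string, so the ownerless ("nobody") searches hitting the disk usage quota stand out next to any other skip reasons. The field names savedsearch_name, app, user, reason and status are the ones the scheduler writes to index=_internal; the index name net-fw is not needed here, and no other names are assumed.

```spl
index=_internal sourcetype=scheduler status=skipped
| stats count AS skipped,
        min(_time) AS first_skip,
        max(_time) AS last_skip
        BY savedsearch_name, app, user, reason
| convert ctime(first_skip) ctime(last_skip)
| sort - skipped
```

Rows whose user column is nobody are the ownerless searches described above; rows whose reason mentions the disk usage quota confirm the quota as the cause. After reassigning an owner, re-run the same search over the following hours and check that those savedsearch_name values no longer appear, or appear only with a different reason.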
06-13-2022 06:46 AM
Hi @gcusello I have deleted the status field and created another one with another name that contains the same information and now it appears in the list. I tried this some time ago and it still didn't work, so I don't really understand why it didn't appear before. In any case, thank you very much for your help!!!!
06-13-2022 05:46 AM
Hi @gcusello This is what appears in the Field extractions, as you can see it is in Global already, and it was shared like that since the beginning and it was not appearing. As I'm new to Splunk, can you explain what you mean when you say "move the extraction field in your App", please? Thank you in advance.
06-13-2022 03:43 AM
Hi @gcusello, Thank you for your early response!! I have tried the search using my_field=* and it doesn't appear in the list. If I search using the rex command the field appears more than 100 times. In response to the fact that it may be in another application, when I go to look at the extracted fields in "Settings > Fields > Field extractions" that field appears as "EXTRACT-status", since status is the name of the field, and it says that the App is "search". So, what can be done to solve the problem?
06-13-2022 03:25 AM
Hello,
I have a field that does not appear in the list of fields on the left when doing a search. I have looked for information on the internet about what could be the cause and the solution to this problem, but in my case it is not because I do not make the search in "Verbose mode", it does not appear in less than 1% of events and it is not because I have not chosen All Fields in the "X more fields" section, which apparently are the reasons why most people have this problem. What surprises me is that when I create another "Extraction field" the field I need appears in the list of available fields, so I can't create another field that collects the same as the field in question (from the GUI). The only solution I have found, which in principle does not work for me because I need it to be visible in the list I mentioned before, is to do the search using the rex command or the extract reload=T command.
So, my question is, do I have to make any changes in any configuration file or could I do something to make the field I need available in the list of available fields I mentioned above (the one in the left when you make a search)? Thanks in advance and best regards.
Tags: field, splunk-search
Labels: field extraction
06-09-2022 04:10 AM
I want to create an alert that pops up when the events match at least 500 times the same source IP address, same destination address and different destination ports in 1 minute. The search I've come up with so far is as follows, although I'm not sure it's what I really need:
index=net-fw (src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 OR src_ip=192.168.0.0/16) AND (dest_ip=172.16.0.0/12 OR dest_ip=10.0.0.0/8 OR dest_ip=192.168.0.0/16) action IN (allowed blocked)
| stats first(_time) as date dc(dest_port) as num_dest_port by src_ip, dest_ip | where num_dest_port >500 | convert ctime(date) as fecha
I think what I am missing to achieve is "with the same source IP and the same destination IP in one minute".
Could someone help me with this problem? Thanks in advance and best regards.
Tags: splunk-search
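The one-minute window the post asks for, as an added example that is not part of the original question: the piece missing from the posted search is a time bucket in the group-by. Adding bin _time span=1m before stats makes dc(dest_port) count distinct destination ports per source/destination pair per minute rather than over the whole search range. The index name net-fw, the field names src_ip, dest_ip, dest_port and action, and the RFC 1918 ranges are taken from the post; the 500-port threshold is the one the post states.

```spl
index=net-fw action IN (allowed, blocked)
    (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16)
    (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16)
| bin _time span=1m
| stats dc(dest_port) AS num_dest_port,
        count AS hits,
        values(action) AS actions
        BY _time, src_ip, dest_ip
| where num_dest_port >= 500
| eval minute=strftime(_time, "%Y-%m-%d %H:%M")
| table minute, src_ip, dest_ip, num_dest_port, hits, actions
```

Save it as an alert scheduled every minute over the previous whole minute (for example earliest=-1m@m latest=@m) and trigger when the number of results is greater than zero. Two caveats: bin aligns buckets to the clock, so a burst that straddles a minute boundary is split across two buckets and may not reach the threshold in either, which is a reason to run over a slightly longer window or lower the threshold; and values(action) is kept so that a scan that is being blocked can be told apart from one that is getting through.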