Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jdmclemore
jdmclemore
Path Finder
Member since:
10-25-2011
12-07-2023
Community Statistics
| Posts | 18 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 2 |
| Member Since | 10-25-2011 |
Activity Feed
- Posted Re: field extraction working with rex but not props.conf on Getting Data In. 11-02-2020 01:03 PM
- Posted Re: field extraction working with rex but not props.conf on Getting Data In. 10-30-2020 09:39 AM
- Posted Re: field extraction working with rex but not props.conf on Getting Data In. 10-30-2020 09:19 AM
- Posted Re: field extraction working with rex but not props.conf on Getting Data In. 10-30-2020 09:15 AM
- Posted field extraction working with rex but not props.conf on Getting Data In. 10-29-2020 03:36 PM
- Posted Re: Forwarder/Indexer compatibility with Intermediate Forwarders on Splunk Enterprise. 10-26-2020 07:26 AM
- Karma Re: Forwarder/Indexer compatibility with Intermediate Forwarders for MuS. 10-26-2020 07:25 AM
- Posted Forwarder/Indexer compatibility with Intermediate Forwarders on Splunk Enterprise. 10-22-2020 11:26 AM
- Karma Re: Splunk relative time for gcusello. 10-06-2020 10:25 AM
- Karma Re: Splunk relative time for Nisha18789. 10-06-2020 10:25 AM
- Posted Re: Splunk relative time on Splunk Search. 10-06-2020 06:47 AM
- Karma Re: Splunk relative time for inventsekar. 10-06-2020 06:47 AM
- Got Karma for Splunk relative time. 10-03-2020 08:48 PM
- Got Karma for Re: Splunk relative time. 10-03-2020 08:48 PM
- Posted Re: Splunk relative time on Splunk Search. 10-03-2020 05:21 AM
- Posted Splunk relative time on Splunk Search. 10-02-2020 10:08 PM
- Karma Re: Renewing server.pem certificate for vishaltaneja070. 06-05-2020 12:49 AM
- Karma Re: Migrating hot/warm and cold buckets to separate drives for ejharts2015. 06-05-2020 12:48 AM
- Karma Re: SEDCMD not being applied? for MuS. 06-05-2020 12:48 AM
- Karma Re: How to send snmp traps from my Linux machine to a Splunk indexer server on threshold values? for dwaddle. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
11-02-2020
01:03 PM
Tried using REPORT and transforms, but still no good extraction...
... View more
10-30-2020
09:39 AM
Yes, extracting from the source field. I haven't tried going the REPORT route and using transforms.conf because its a simple inline extraction that shouldnt require transforms, per the documentation. Maybe worth giving it a shot though.
... View more
10-30-2020
09:19 AM
Thanks @amiftah_splunk - unfortunately, this isn't working either.
... View more
10-30-2020
09:15 AM
Thanks @richgalloway - yes I've tried that in props, but no extraction.
... View more
10-29-2020
03:36 PM
I am trying to extract a portion of the source as a field. Here's what the source looks like: D:\Host Logs\info.server.02.mfl I'm trying to extract "info" from the source filename and this works perfectly as a splunk search: search | rex field=source "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" But if I put this in props.conf for this sourcetype as a search-time extraction, it's not working: EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source I've tried multiple versions of this, taking out the extra "\", removing the quotes, etc., but cant seem to get this field to extract. A "splunk btool props list..." shows that the props.conf file is being used. It's in an app in /opt/splunk/etc/apps. This is Splunk Enterprise 8.0.4.1. Edit: Here are all the versions I've tried so far... EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source
EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source
EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source
EXTRACT-sourcefield = "D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source
... View more
Labels
- Labels:
-
props.conf
10-22-2020
11:26 AM
I've read all the compatibility matrix docs, but I'm not sure how my situation fits into it. Specifically compatibility when sending data through intermediate Heavy Forwarders. Here's my current environment, and everything is working fine: UF's (6.3.x - 7.x) ---> Intermediate HF's (7.3.6) ---> Indexer cluster (7.3.6) I need to point my HF's at newly built 8.x indexers (not upgrading existing indexers - these are new indexers at a new location). Will I have a problem? I know that 6.x UFs cant send to 8.x indexers, but am I getting around the problem with a 7.x Intermediate HF? And yes, ideally I would like all UFs to be upgraded, but this situation is temporary. Thanks!
... View more
Labels
- Labels:
-
upgrade
10-03-2020
05:21 AM
1 Karma
Hi - thanks for the reply. No, not counting events, just doing regular searches. But I'm wondering how you would represent each of those time spans with relative time notation instead of using the actual time. I know, it's a strange request...but can it be done?
... View more
10-02-2020
10:08 PM
1 Karma
Today is 10/2/2020. I need to execute 6 searches using relative time for last month (earliest= & latest=) that are each 5 days in length. Specifically: 9/01/2020:00:00:00 - 9/05/2020:23:59:59 9/06/2020:00:00:00 - 9/10/2020:23:59:59 9/11/2020:00:00:00 - 9/15/2020:23:59:59 9/16/2020:00:00:00 - 9/20/2020:23:59:59 9/21/2020:00:00:00 - 9/25/2020:23:59:59 9/26/2020:00:00:00 - 9/30/2020:23:59:59 I'd love to use these exact times as earliest/latest, or even epoch times, but that won't work in my particular situation. How can I represent the 6 spans above in relative time?
... View more
Labels
- Labels:
-
other
02-14-2019
01:11 PM
I don't believe there is an add-on for DAM, I looked a while back. I ended up creating my own props/transforms to extract all the fields. The fields DAM includes in its events are configurable as well, so my DAM logs may not be the same as your DAM logs. But here's what I've been using:
props.conf:
[dam-2]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^"[^"]+?","
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 15
TRUNCATE = 0
KV_MODE = none
EXTRACT-mcafee_dam-2_fields = "(?<ruleNameRaw>[^"]+)","(?<execTime>\d+)","(?<id>\d+)","(?<sourceIP>[^"]+)","(?<osUser>[^"]+)","(?<execUser>[^"]+)","(?<execProgram>[^"]+)","(?<sid>[^"]+)"\."McAfee Database Security","(?<cmdType>[^"]+)","(?<sqlStmt>.+?(?=","))","(?<accessedObjectsRaw>[^"]+)","(?<clientId>[^"]+)","(?<module>[^"]+)","(?<action>[^"]+)","(?<spid>[^"]+)","(?<inflowSqlStmt>.+?(?=","))","(?<inflowObjectsRaw>[^"]+)","(?<database>[^"]+)","(?<agentHost>[^"]+)","(?<sourceHost>[^"]+)","(?<schema>[^"]+)"
REPORT-mcafee_dam-2 = mcafee_dam-2_ruleName, mcafee_dam-2_accessedObjects, mcafee_dam-2_inflowObjects
transforms.conf:
[mcafee_dam-2_ruleName]
SOURCE_KEY = ruleNameRaw
REGEX = (?<ruleName>[^\|]+)
MV_ADD = true
[mcafee_dam-2_accessedObjects]
SOURCE_KEY = accessedObjectsRaw
REGEX = (?<accessedObjects>[^\|]+)
MV_ADD = true
[mcafee_dam-2_inflowObjects]
SOURCE_KEY = inflowObjectsRaw
REGEX = (?<inflowObjects>[^\|]+)
MV_ADD = true
... View more
09-05-2017
03:58 PM
Thanks for the suggestions...turned out to be user error. 🙂 My wildcard DID match the file name.
... View more
09-01-2017
03:20 PM
I'm trying to monitor a catalina logs that look like this:
/home/loader/logs/catalina.2017-09-01.log
with this file monitor stanza:
[monitor:///home/loader/logs/catalina.*.log]
disabled = false
sourcetype = catalina
But I'm not seeing any data. Any reason why that wildcard would not match that file?
... View more
- Tags:
- splunk-enterprise
06-23-2017
12:59 PM
Thank you!
... View more
06-21-2017
05:10 PM
I have a 5 node indexer cluster and a 3 node SHC which are all physical servers, but the rest are VMs (Deployment server, License Server, Deployer, Master Cluster node, and DMC).
My VMs will be migrating to another network and will require downtime of about a day. I would like to leave the search heads and indexers up to continue collecting data during the outage. Is this possible? What impact will shutting down all those other servers have?
... View more
- Tags:
- splunk-enterprise
05-09-2017
09:19 PM
Thanks Mus - that did the trick. I included my SEDCMD stanza in a props.conf that gets distributed to my intermediate Heavy Forwarders and all is good.
... View more
05-09-2017
08:53 PM
Ah, that may be it - I do use Heavy Forwarders as my intermediate forwarders. I'll push props.conf out to them and report back.
... View more
05-09-2017
03:02 PM
I'm trying to do a seemingly simple SEDCMD replace of passwords in logs, but nothing is getting applied. I have pushed props.conf out to all the indexers in my cluster, but looking at new data nothing gets changed. Am I doing something wrong?
Sample log (sourcetype=access_log):
10.1.1.1 - - [09/May/2017:16:42:52 -0500] [GET /service/auth/login?user_name=JoeUser&password=realpassword HTTP/1.1] 200 2315 Cnt-Type=- Acc=- Resp-Cnt-Type=application/xml
Expected result:
10.1.1.1 - - [09/May/2017:16:42:52 -0500] [GET /service/auth/login?user_name=JoeUser&password=xxxxx HTTP/1.1] 200 2315 Cnt-Type=- Acc=- Resp-Cnt-Type=application/xml
In props.conf:
[access_log]
SEDCMD-replacepasswd = s/password=.+\s/password=xxxxx\s/g
... View more
- Tags:
- sedcmd
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-07-2023
07:13 PM
|
Karma given to
