×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
pm2012
Explorer
Member since: ‎09-26-2022
Community Statistics
Posts 30
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎09-26-2022
Activity Feed
Topics I've Started
View All

Re: event breaking not happening

by SplunkTrust in Getting Data In
‎05-22-2024 11:39 PM
‎05-22-2024 11:39 PM
Hi @pm2012 , In the square brackets put the sourcetype you want to add to your data flow. Put the props.conf file on Search Heads and on the Forwarders they are coming, and (if present) on intermediate Heavy Forwarders. Ciao. Giuseppe ... View more

Re: event breaking not happening

by SplunkTrust in Getting Data In
‎04-26-2024 04:51 AM
1 Karma
‎04-26-2024 04:51 AM
1 Karma
Either regex should work.  BTW, it's not necessary to escape the colons. Any change to props.conf only affects new data.  Config changes made in the UI take effect immediately; changes made to .conf files take effect after a restart. ... View more

Re: How to calculate data ingestion from a specifi...

by in Installation
‎04-24-2024 01:49 PM
‎04-24-2024 01:49 PM
Don't you mean | rename licenseGB as GB ... View more

Re: Field extraction to capture hostname

by in Splunk Enterprise
‎04-01-2024 10:43 AM
‎04-01-2024 10:43 AM
@pm2012Try this. We can do it in multiple ways.           ... View more

Re: Log parsing - JSON

by SplunkTrust in Getting Data In
‎02-26-2024 11:40 PM
‎02-26-2024 11:40 PM
There has always been a problem with parsing a "headered" structured data. There is even an open idea about it. https://ideas.splunk.com/ideas/EID-I-208 The easiest way to go about it would be probably to parse the header into indexed fields if needed (most of it should already be parsed into _time and host; you could however want to have the process name and pid stored) and then strip the header completely with SEDCMD or INGEST_EVAL (I don't remember if SEDCMD works before or after transforms are called). This way you'd be left with an all-json event which Splunk can handle with proper KV_MODE. ... View more

Re: Multiline logs coming in single log

by SplunkTrust in Getting Data In
‎02-26-2024 11:33 PM
‎02-26-2024 11:33 PM
1. It's a linux auditd log so you might want to use an add-on for auditd. That will make everyone's lives easier 😉 2. How are you ingesting those logs? Locally by forwarder reading from /var/log/audit/auditd.log? Sent with syslog over the network? Whatever? ... View more

Re: Need to create splunk alert (Correlation searc...

by SplunkTrust in Alerting
‎10-30-2023 10:16 PM
‎10-30-2023 10:16 PM
Hi @pm2012  this is a decade old post, but this should give you some ideas..  https://community.splunk.com/t5/Getting-Data-In/How-do-I-tell-if-a-forwarder-is-down/m-p/10407   ... View more

Re: Lookup search query field comparison and outpu...

by SplunkTrust in Splunk Search
‎08-22-2023 02:16 AM
1 Karma
‎08-22-2023 02:16 AM
1 Karma
Hi @pm2012 , I suppose that you have the hostname field also in the main search, if not, you have to renabme that field. So if you want only the logs from hostnames that are in the lookup, you could try somethng like this: <your_search> [ | inputlookup customer_devices.csv | fields hostname ] | eval hostname=lower(hostname) | stats count BY hostname | append [ | inputlookup customer_devices.csv | eval hostname=lower(hostname), count=0 | fields hostname DeviceType count ] | stats sum(count) AS total values(DeviceType) AS DeviceType BY hostname | eval Status=if(total=0, "Non Active", "Active)  If instead you want to check also new hostnames that aren't in the lookup, you could try: <your_search> | eval hostname=lower(hostname) | stats count BY hostname | append [ | inputlookup customer_devices.csv | eval hostname=lower(hostname), count=0 | fields hostname DeviceType count ] | stats sum(count) AS total values(DeviceType) AS DeviceType BY hostname | eval Status=case(NOT DeviceType=*, "New hostname", total=0, "Non Active", total>0, "Active) Ciao. Giuseppe ... View more

Re: UNIX log parsing issue

by in Getting Data In
‎08-07-2023 04:24 AM
‎08-07-2023 04:24 AM
Based on the tagging of SYSLOG based on the front tag, I would assume that this is being ingested into a syslog server and then sent to an Indexer or Heavy Forwarder. If this is the case, the Splunk Add-on is not going to help you in this situation if this is the case. I usually ingest the data from SYSLOG and then use regex to extract the field names when I am conducting searches. If this is being monitored on the server that is using a Universal Forwarder, then ensure that you are monitoring the /var/log locations with the splunkbase app on the forwarder and on the indexer. ... View more

Re: Getting garbage HEXA ASCII logs from log sourc...

by SplunkTrust in Getting Data In
‎06-07-2023 05:34 AM
‎06-07-2023 05:34 AM
You can use command file in linux see: https://www.shellhacks.com/linux-check-change-file-encoding/ Usually Splunk wants to use UTF-8 encoding.   ... View more

Re: Auto Filed value extraction

by SplunkTrust in Splunk Search
‎04-20-2023 01:17 AM
‎04-20-2023 01:17 AM
Hi @pm2012, as I said a different order isn't the same, for this readon I asked a rule. Without a rule it's difficoult to create a regex for fields extraction. Ciao. giuseppe ... View more

Re: how to map extracted field name (e.g actual_ti...

by in Splunk Search
‎03-24-2023 03:20 AM
‎03-24-2023 03:20 AM
Hey! Try this out to search for a time interval based on the actual_time.  (your search) | eval _time=actual_time | search earliest=<epoch_time> latest=<epoch_time>   If the actual-time is not in epoch, you must convert it before the search command: | eval _time=strftime(actual_time, "%Y-%m-%d %H:%M:%S")   ------------ If this was helpful, some karma would be appreciated. ... View more

Re: Migration Qradar data to Splunk

by SplunkTrust in Splunk Search
‎03-21-2023 11:10 PM
‎03-21-2023 11:10 PM
Hi @pm2012 , I found only this marketing documentation, sorry! Ciao. Giuseppe ... View more

Re: Rule to detect known RHEL vulnerabilities

by SplunkTrust in Knowledge Management
‎11-16-2022 06:44 AM
1 Karma
‎11-16-2022 06:44 AM
1 Karma
Splunk is not a vulnerability scanner.  It can index and report on results produced by dedicated vulnerability tools, but doesn't detect vulnerabilities on its own.  That's not to say a Splunk query can't find anything with the right data (like, for instance, a running telnetd process) it's just typically not done that way. If you have a specific vulnerability you need help detecting then post a new question and perhaps someone can help with it. ... View more

Re: Attack surface management using Splunk- Is the...

by SplunkTrust in Knowledge Management
‎10-06-2022 10:33 AM
‎10-06-2022 10:33 AM
What exactly is the customer looking for Splunk to do?  Which attack surface do they want to manage, Splunk's or some other one?  Keep in mind that Splunk is a monitor, not a manager, but there may be a solution (perhaps using SOAR) depending what the customer is trying to do. ... View more
Contact Me
Karma given to