×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Abass42
Communicator
Member since: ‎02-24-2023
a week ago
Community Statistics
Posts 56
Solutions 1
Karma Given 38
Karma Received 1
Member Since ‎02-24-2023
Activity Feed
Topics I've Started
View All

Re: Editing the other value for a pie chart

by in Dashboards & Visualizations
a week ago
a week ago
I am working on implementing this query, but I need to rename and standardize the output to the C_Label values so i can stats count on those. I need a count per source. I dont think i cram my eval statements with the OR statements. Ill try to incorporate this in my query   Thanks ... View more

Editing the other value for a pie chart

by in Dashboards & Visualizations
a week ago
a week ago
I have a query that is executing a stats count by source type, as we want to see how many sensitive files leave our firm and the quantity. I am doing an appendcols and then transposing In the dashboard, the pie chart look like:     index=fortinet dlpextra IN (WatermarkBlock1,Log_WatermarkBlock2,Log_WatermarkBlock3,Log_WatermarkBlock4) | lookup DataF.csv dlpextra OUTPUT C_Label as C_Label | stats count as Proxy | appendcols [search index=iron AutomaticClassification | lookup IPort_Class.csv DLP_Class OUTPUT C_Label as C_Label | stats count as Email] | appendcols [search index=035 "Common.DeviceName"="p151.d.com" OR Common.DeviceName="p1p71.c.com" "SensitiveInfoTypeData{}.SensitiveInfoTypeName"=* | table SensitiveInfoTypeData{}.SensitiveInfoTypeName | stats count as SFTP ] | appendcols [search index=testing sourcetype="net:alert" dlp_rule="AZ C*" | eval dlp_rule=replace(dlp_rule, "AB", "") | stats count as Netskope] | transpose | rename "row 1" as Count My question is, how would you edit the Splunk query to rename the column name to the value I provided instead of Other.  DO i even need a transpose? That has been the best way I have found for creating a pie chart out of different data sources.  Preferably, id like to understand how to do that with the JSON formatting I get with Dashboard studio, as well as figure out how to do it inline, within the query.    Thanks   ... View more
Labels

Re: Missing Fields in data set

by in Splunk Search
a month ago
a month ago
Hey, thanks for your answer. After i posted this, i went to investigate the source of the data and any props or transforms set up for it.  I ran the following from our forwarder, the server that has the netskope TA app installed on it.   ./splunk btool props list --debug | grep "netskope:application"   I dont have any transforms with that tag.  Here is the output of the default netskope application inputs: [source::...netskope_file_hash_modalert.log*] SHOULD_LINEMERGE = true sourcetype = tanetskopeappforsplunk:log TZ = UTC [source::...netskope_url_modalert.log*] SHOULD_LINEMERGE = true sourcetype = tanetskopeappforsplunk:log TZ = UTC [source::...ta-netskopeappforsplunk*.log*] SHOULD_LINEMERGE = true sourcetype = tanetskopeappforsplunk:log TZ = UTC [source::...ta_netskopeappforsplunk*.log*] SHOULD_LINEMERGE = true sourcetype = tanetskopeappforsplunk:log TZ = UTC [netskope:event:v2] SHOULD_LINEMERGE = 0 category = Splunk App Add-on Builder pulldown_type = 1 [netskope:alert:v2] SHOULD_LINEMERGE = 0 category = Splunk App Add-on Builder pulldown_type = 1 [netskope:web_transaction] INDEXED_EXTRACTIONS = W3C TIME_FORMAT = %Y-%m-%d %H:%M:%S TZ = Etc/GMT SHOULD_LINEMERGE = 0 TRUNCATE = 999999 EXTRACT-from_source = .*[\\\/](?<input_name>.*)_(?<bucket_name>\d{8})_(?<bucket_file_name>.*) in source EVAL-vendor_product = "Netskope" FIELDALIAS-app = x_cs_app AS app FIELDALIAS-timestamp = _time as timestamp FIELDALIAS-bytes_in = cs_bytes AS bytes_in FIELDALIAS-bytes_out = sc_bytes AS bytes_out FIELDALIAS-category = x_category AS category FIELDALIAS-dest = s_ip AS dest EVAL-http_content_type = coalesce(cs_content_type, sc_content_type) FIELDALIAS-http_method = cs_method AS http_method FIELDALIAS-http_referrer = cs_referer AS http_referrer FIELDALIAS-http_user_agent = cs_user_agent AS http_user_agent FIELDALIAS-response_time = time_taken AS response_time FIELDALIAS-src=c_ip AS src FIELDALIAS-status = sc_status AS status FIELDALIAS-uri_path = cs_uri AS uri_path FIELDALIAS-uri_query = cs_uri_query AS uri_query FIELDALIAS-user = cs_username AS user EVAL-fullurl = cs_uri_scheme . "://" . cs_dns . cs_uri . if(isnull(cs_uri_query), "", "?") . coalesce(cs_uri_query,"") EVAL-x_c_browser=if(isnull(x_c_browser),"N/A",x_c_browser) EVAL-x_c_device=if(isnull(x_c_device),"N/A",x_c_device) FIELDALIAS-dest_port = cs_uri_port AS dest_port EVAL-url = cs_uri_scheme . "://" . cs_dns . cs_uri . if(isnull(cs_uri_query), "", "?") . coalesce(cs_uri_query,"") FIELDALIAS-duration = time_taken AS duration FIELDALIAS-http_referrer_domain = cs_referer AS http_referrer_domain EVAL-site = replace(cs_host, "^([^\.]+).*", "\1") [source::netskope_events_v2_connection] KV_MODE = json sourcetype = netskope:connection TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s SHOULD_LINEMERGE = false TRUNCATE = 999999 [source::...*events_iterator_page*.csv] INDEXED_EXTRACTIONS = CSV sourcetype = netskope:connection TIMESTAMP_FIELDS=timestamp TIME_FORMAT = %s SHOULD_LINEMERGE = false TRUNCATE = 999999 [netskope:connection] FIELDALIAS-src_ip = srcip AS src_ip FIELDALIAS-src=srcip AS src FIELDALIAS-dest_ip = dstip AS dest_ip FIELDALIAS-dest = dstip AS dest EVAL-dvc = coalesce(hostname, device) EVAL-app_session_key = app_session_id . "::" . host EVAL-vendor_product = "Netskope" FIELDALIAS-page_duration = page_duration AS duration FIELDALIAS-bytes = numbytes AS bytes FIELDALIAS-in_bytes = client_bytes AS bytes_in FIELDALIAS-category = appcategory AS category FIELDALIAS-out_bytes = server_bytes AS bytes_out FIELDALIAS-http_referrer = useragent AS http_user_agent EVAL-http_user_agent_length = len(useragent) FIELDALIAS-page = page AS url FIELDALIAS-src_location = src_location AS src_zone FIELDALIAS-dest_location = dst_location AS dest_zone EVAL-url_length = len(page) # from netskope:web EVAL-action = if(isnotnull(action),action,"isolate") FIELDALIAS-oc = object_type AS object_category FIELDALIAS-fu = from_user AS src_user [netskope:audit] SHOULD_LINEMERGE = false TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s TRUNCATE = 999999 KV_MODE = json EVAL-vendor_product = "Netskope" # acl_modified, cleared, created, deleted, modified, read, stopped, updated EVAL-action = case(match(audit_log_event,"create|Create"),"created", match(audit_log_event,"granted"), "acl_modified", match(audit_log_event, "ack|Ack"), "cleared", match(audit_log_event, "delete|Delete"), "deleted", match(audit_log_event,"edit|Edit|Add"),"modified",match(audit_log_event,"Push|push|Reorder|update|Update"),"updated",match(audit_log_event,"Disable|disable"), "stopped",1=1,"unknown") EVAL-status = case(match(audit_log_event,"success|Success"),"success",match(audit_log_event,"fail|Fail"),"failure",1=1,"unknown") FIELDALIAS-severity_id = severity_level AS severity_id FIELDALIAS-data_type = supporting_data.data_type AS object FIELDALIAS-date_type_attr = supporting_data.data_values{} AS object_attrs FIELDALIAS-object_cat = category AS object_category FIELDALIAS-result = audit_log_event AS result [source::netskope_events_v2_application] KV_MODE = json TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s sourcetype = netskope:application SHOULD_LINEMERGE = false TRUNCATE = 999999 [source::...*events_iterator_application*.csv] INDEXED_EXTRACTIONS = CSV sourcetype = netskope:application TIMESTAMP_FIELDS=timestamp TIME_FORMAT = %s SHOULD_LINEMERGE = false TRUNCATE = 999999 [netskope:application] FIELDALIAS-src_ip = srcip AS src_ip FIELDALIAS-src=srcip AS src FIELDALIAS-dest_ip = dstip AS dest_ip FIELDALIAS-dest = dstip AS dest EVAL-dvc = coalesce(hostname, device) FIELDALIAS-src_location = src_location AS src_zone FIELDALIAS-dest_location = dst_location AS dest_zone FIELDALIAS-signature = policy AS signature EVAL-file_hash = coalesce(local_sha256, local_md5) FIELDALIAS-file_name = filename AS file_name EVAL-app_session_key = app_session_id . "::" . host EVAL-vendor_product = "Netskope" FIELDALIAS-oc = object_type AS object_category FIELDALIAS-fu = from_user AS src_user [source::netskope_events_v2_network] KV_MODE = json TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s sourcetype = netskope:network SHOULD_LINEMERGE = false TRUNCATE = 999999 [source::...*events_iterator_network*.csv] INDEXED_EXTRACTIONS = CSV sourcetype = netskope:network TIMESTAMP_FIELDS=timestamp TIME_FORMAT = %s SHOULD_LINEMERGE = false TRUNCATE = 999999 [netskope:network] FIELDALIAS-src_ip = srcip AS src_ip FIELDALIAS-src=srcip AS src FIELDALIAS-dest_ip = dstip AS dest_ip FIELDALIAS-dest = dstip AS dest EVAL-dvc = coalesce(hostname, device) EVAL-vendor_product = "Netskope" FIELDALIAS-bytes = numbytes AS bytes FIELDALIAS-in_bytes = client_bytes AS bytes_in FIELDALIAS-out_bytes = server_bytes AS bytes_out FIELDALIAS-packets_in = client_packets AS packets_in FIELDALIAS-packets_out = server_packets AS packets_out FIELDALIAS-src_port = srcport AS src_port FIELDALIAS-dest_port = dstport AS dest_port FIELDALIAS-session_id = network_session_id AS session_id FIELDALIAS-duration = session_duration AS duration [netskope:incident] SHOULD_LINEMERGE = false TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s TRUNCATE = 999999 KV_MODE = json FIELDALIAS-signature_id = internal_id AS signature_id FIELDALIAS-action = dlp_match_info{}.dlp_action AS action FIELDALIAS-object_path = url AS object_path FIELDALIAS-object_category = true_obj_category AS object_category FIELDALIAS-signature = title AS signature FIELDALIAS-src=src_location AS src FIELDALIAS-src_user = from_user AS src_user FIELDALIAS-dest = dst_location AS dest # FIELDALIAS-user = to_user AS user EVAL-user = coalesce(user, to_user) EVAL-vendor_product = "Netskope" [source::netskope_alerts_v2] KV_MODE = json TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s sourcetype = netskope:alert SHOULD_LINEMERGE = false TRUNCATE = 999999 [source::...*alerts_iterator*.csv] INDEXED_EXTRACTIONS = CSV SHOULD_LINEMERGE = false TIMESTAMP_FIELDS=timestamp TIME_FORMAT = %s sourcetype = netskope:alert TRUNCATE = 999999 [netskope:alert] EVAL-dvc = coalesce(hostname, device) EVAL-vendor_product = "Netskope" EVAL-severity_id = coalesce(severity_id, severity_level_id) EVAL-severity = coalesce(severity_level, dlp_rule_severity, dlp_severity, mal_sev, malware_severity, severity, severity_level) EVAL-object_path = if(file_path="NA", object, coalesce(file_path, object)) FIELDALIAS-id = internal_id AS id FIELDALIAS-srcip = srcip AS src FIELDALIAS-dstip = dstip AS dest EVAL-file_hash = coalesce(local_sha256, local_md5) FIELDALIAS-signature = alert_name AS signature FIELDALIAS-oc = object_type AS object_category FIELDALIAS-fu = from_user AS src_user FIELDALIAS-src_location = src_location AS src_zone FIELDALIAS-dest_location = dst_location AS dest_zone FIELDALIAS-file_name = filename AS file_name [netskope:infrastructure] SHOULD_LINEMERGE = false TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s TRUNCATE = 999999 KV_MODE = json FIELDALIAS-device = device_name AS device EVAL-app = "Netskope" EVAL-vendor_product = "Netskope" [netskope:endpoint] SHOULD_LINEMERGE = false TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s TRUNCATE = 999999 KV_MODE = json EVAL-vendor_product = "Netskope" [netskope:clients] KV_MODE = json FIELDALIAS-make = attributes.host_info.device_make AS make FIELDALIAS-model = attributes.host_info.device_model AS model FIELDALIAS-os = attributes.host_info.os AS os FIELDALIAS-ver = attributes.host_info.os_version AS version FIELDALIAS-name = attributes.host_info.hostname AS dest FIELDALIAS-user = attributes.users{}.username AS user EVAL-vendor_product = "Netskope" SHOULD_LINEMERGE = false TIME_PREFIX = "timestamp": MAX_TIMESTAMP_LOOKAHEAD = 35 TIME_FORMAT = %s TRUNCATE = 999999 [netskope:api] KV_MODE = json EVAL-vendor_product = "Netskope" [netskope:alertaction:file_hash] FIELDALIAS-action_status = status AS action_status FIELDALIAS-action_name = orig_action_name AS action_name [netskope:alertaction:url] FIELDALIAS-action_status = status AS action_status FIELDALIAS-action_name = orig_action_name AS action_name # For proper ingestion of Alert action events used in Splunk ES App [source::...stash_common_action_model] sourcetype=stash_common_action_model [stash_common_action_model] TRUNCATE = 0 # only look for ***SPLUNK*** on the first line HEADER_MODE = firstline # we can summary index past data, but rarely future data MAX_DAYS_HENCE = 2 MAX_DAYS_AGO = 10000 # 5 years difference between two events MAX_DIFF_SECS_AGO = 155520000 MAX_DIFF_SECS_HENCE = 155520000 TIME_PREFIX = (?m)^\*{3}Common\sAction\sModel\*{3}.*$ MAX_TIMESTAMP_LOOKAHEAD = 25 LEARN_MODEL = false # break .stash_new custom format into events SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false LINE_BREAKER = (\r?\n==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n) TRANSFORMS-0parse_cam_header = orig_action_name_for_stash_cam,orig_sid_for_stash_cam,orig_rid_for_stash_cam,sourcetype_for_stash_cam TRANSFORMS-1sinkhole_cam_header = sinkhole_cam_header     Looking and running your suggested command (Good command btw), i get the following output: I don't see any evidence of us modifying or creating a dlp_rule value. I had specifically mapped the dlp_rule to these values below: These are the values I was seeing. I was using this mapping and values in every other query as well, so i must have seen them.  This is the default netskope app. I also looked at any possible sourcetypes or transforms via the gui, and I didn't see any. I am working on this data with a coworker that has insight into the Netskope portal, and he said that the dlp_role field is blank there as well. If the data had changed, the old data shouldn't have changed. I haven't updated the netskope app.    There are too many fields to paste in here for the logs themselves, but here are the fields we are looking at: dlp_fail_reason: dlp_file: dlp_incident_id: 0 dlp_is_unique_count: dlp_mail_parent_id: dlp_parent_id: 0 dlp_profile: dlp_rule: dlp_rule_count: 0 dlp_rule_severity: dlp_scan_failed: dlp_unique_count: 0 dst_country: US dst_geoip_src: 0 dst_latitude: 7.40594 dst_location: Mow dst_longitude: -1.1551 dst_region: C dst_timezone: America/ dst_zipcode: N/A dsthost: dstip: 1.5.5.5 dstport: 455   With this specific dashboard and use case, I am searching for all time. And the field in general is blank. We only get 3 dlp_rule values, and the rest, 99% are blank.  Not sure how to track down if the data set changed due to me searching for all time right now.    Thanks for any guidance  ... View more

Re: Trimming data and sending it through Cribl and...

by in Getting Data In
a month ago
a month ago
Ingest actions are exactly what I am looking for. While not as intuitive as an entire tool dedicated to modifying data, I think this would do the trick, as long as i can trim out field values before forwarding them to an indexer for ingestion.    I am looking for docs explaining how to do just that, but I am struggling to find step by step instructions. Can you send me some good docs that show how to use expressions to do what I want.    Thank you. This may be my ticket to saving us hundreds of thousands of dollars in licensing costs.  ... View more

Missing Fields in data set

by in Splunk Search
a month ago
a month ago
I have some Netskope data. Searching it goes something like this: index=testing sourcetype="netskope:application" dlp_rule="AB C*" | lookup NetSkope_test.csv dlp_rule OUTPUT C_Label as "Label Name" | eval Date=strftime(_time, "%Y-%m-%d"), Time=strftime(_time, "%H:%M:%S") | rename user as User dstip as "Destination IP" dlp_file as File url as URL | table Date Time User URL File "Destination IP" User "Label Name"   I am tracking social security numbers and how many times one leaves the firm. I even mapped the specific dlp_rule values found to values like C1, C2, C3... When I had added this query, I had to update the other panels accordingly to track the total number of SSN leaving firm through various methods. On all of them, I had the above filter: index=testing sourcetype="netskope:application" dlp_rule="AB C*" And I am pretty sure I had results. Pretty much, for the dlp_rule value, I had strings like AB C*, and I had 5 distinct values I was mapping against.  Looking at the dataset now, a few months later, I dont see any values matching the above criteria, AB C*. I have 4 values, and the dlp_rule that has a null value appears over 38 million times. I think the null value is supposed to be the AB C*. I dont have any screen shots proving this though.  My question is, after discussing this with the client, what could have happened? When searching for all time, the above SS is what I get. If I understand how splunk works even vaguely, I dont believe Splunk has the power to go in and edit old ingested logs, in this case, go through and remove a specific value from all old logs of a specific data source. That doesnt make any logical sense. Both the client and I remember seeing the values specific above. They are going to contact netskope to see what happened, but as far as i know, I have not changed anything that is related to this data source.  Can old data change in Splunk? Can a new props.conf or transforms apply to old data?    Thank you for any guidance.  ... View more
Labels

Re: Trimming data and sending it through Cribl and...

by in Getting Data In
a month ago
a month ago
Thanks for the response. I was able to get everything sorted. We are trying to reduce our license, so if we can trim up data and remove unwanted fields and then ingest it, that would be ideal. Where in the pipeline does data count towards the splunk license? Can we apply props.conf and transforms.conf to modify and trim the data? If i wanted to remove 5 fields from a log being ingested, would the above approach apply? And if so, if I trim it up before ingesting, would that save on our license?    Thanks ... View more

Trimming data and sending it through Cribl and Dat...

by in Getting Data In
‎04-08-2025 02:50 PM
‎04-08-2025 02:50 PM
So the title is pretty self explanatory. I have been approached and requested to trim logs. I had initially installed and tested Cribl, but fast forward later, I am still doing a bit of testing. I am now also using Data dog, A tool that we already have installed and are already paying for. They approached me with a similar proposition and use cases.  I am having issues sending data to both sources and they both appear. I have been able to get only one tool to work at any given time.  I guess my question is, as a forwarder that forwards all of the data it takes in, can it send all of the data to two different sources to be parsed and passed back in.    Currently, this is what I have.  1 indexer 1 forwarder 1 search Head Currently, I have some data being monitored locally on the forwarder, and it sends it over to the indexer. Currently, any data the forwarder sends needs to be sent to and modified by Cribl and DataDog. I have this as my outputs.conf currently:   When I have the configuration like this, Through the forwarder I get: I guess its too much to send.    For datadog, we are sending data from the Forwarder to the DataDog agent (Installed on the Indexer) over Splunk TCP, and then uses the HEC endpoint as the destination.    I am trying to understand the Indexing Queues on the Forwarder. Currently, I am sending data to the Indexer, and it is searchable through the Search Head, but I do not see any indexing or anything happening on the Forwarder.  How do i read and understand exactly what is happening and where I need to investigate to see what is happening to the data as I send it out. Any docs or assistance is greatly appreciated.    Thank you ... View more
Labels

Re: In dashboard studio, how do I change time form...

by in Splunk Search
‎02-07-2025 09:09 AM
‎02-07-2025 09:09 AM
This is exactly what I was looking for. Really nice doc linked. Thanks ... View more

Re: How do I change time format in dashboard?

by in Splunk Search
‎02-07-2025 09:05 AM
‎02-07-2025 09:05 AM
I signed in just to say I had this exact problem, and your question was exactly what I was looking for. Thank you. This forum post helped answer my issue.  jowenssi Reply was what I was looking for.      ... View more

Issue with StateSpaceForecast from the MLTK app

by in Splunk Search
‎10-02-2024 07:14 AM
‎10-02-2024 07:14 AM
I have a dashboard that a specific team uses. Today, they asked about why one of the panels was broken. Looking into it, we were receiving this error from the search:     Error in 'fit' command: Error while fitting "StateSpaceForecast" model: timestamps not continuous: at least 33 missing rows, the earliest between "2024-01-20 07:00:00" and "2024-01-20 09:00:00", the latest between "2024-10-02 06:00:00" and "2024-10-02 06:00:01"     That seemed pretty straight forward, I thought we might be missing some timestamp values. This is the query we are running:     |inputlookup gslb_query_last505h.csv | fit StateSpaceForecast "numRequests" holdback=24 forecast_k=48 conf_interval=90 output_metadata=true period=120     Looking into the CSV file itself, I went to look for missing values under the numRequests column. We have values for each hour going back for almost a year. The timestamps mentioned in the error look like: Looking at that SS now, There is an hour missing there. The timestamp for 08:00. That may be the cause. How would I go about efficiently finding the 33 missing values? Each value missing would be in-between any two hours. Will I have to go through and find skipped hours among 8k results in the CSV file?    Thanks for any help.  ... View more
Labels

Ingesting Data into the Correct Splunk Index

by in Getting Data In
‎09-23-2024 11:39 AM
‎09-23-2024 11:39 AM
I have had a few issues ingesting data into the correct index. We are deploying an app from the deployment server, and this particular app has two clients. Initially, when I set this app up, I was ingesting data into our o365 index. This data looked somewhat like: We have a team running a script that tracks all deleted files. We were getting in one line per event. And at the time, I had the inputs.conf that looked like: [monitor://F:\scripts\DataDeletion\SplunkReports] index=o365 disabled=false source=DataDeletion It would ingest all CSV files within that DataDeletion Directory. In this case, it ingested everything under that directory. This worked.  I changed the index to testing so i could manage the new data a bit better while we were still testing it. One inputs.conf backup shows that i had this at some point: [monitor://F:\scripts\DataDeletion\SplunkReports\*.csv] index=testing disabled=false sourcetype=DataDeletion crcSalt = <string>   Now months later, I have changed the inputs.conf to ingest everything into the o365 index, and i have applied that change and pushed it out to the class using the Deployment server, and yet the most recent data looks different. The last events we ingested went into the testing index and looked like: This may be due to how the script is sending data into splunk, but it looks like its aggregating hundreds of separate lines into one event. My inputs.conf looks like this currently: [monitor://F:\scripts\DataDeletion\SplunkReports\*] index = o365 disabled = 0 sourcetype = DataDeletion crcSalt = <SOURCE> recursive = true #whitelist = \.csv [monitor://F:\SCRIPTS\DataDeletion\SplunkReports\*] index = o365 disabled = 0 sourcetype = DataDeletion crcSalt = <SOURCE> recursive = true #whitelist = \.csv [monitor://D:\DataDeletion\SplunkReports\*] index = o365 disabled = 0 sourcetype = DataDeletion crcSalt = <SOURCE> recursive = true #whitelist = \.csv   I am just trying to grab everything under D:\DataDeletion\SplunkReports\ on the new windows servers, and ingest all of the csv files under there, breaking up each line in the csv into a new event. What is the proper syntax for this inputs, what am i doing wrong, I have tried a few things and none of them see to work. Ive tried adding a whitelist, adding a blacklist, I have recursive and crcSalt there just to grab anything and everything.  and if the script isnt at fault at sending in chunks of data in one event, would adding a props.conf fix how Splunk is ingesting this data? Thanks for any help.  ... View more

Search Bar when searching by app

by in Splunk Enterprise
‎08-12-2024 09:11 AM
‎08-12-2024 09:11 AM
I was wondering if there was a splunk app or a feature available to have a search bar when filtering by Splunk App.    Every time, you have to scroll for a bit just looking for the correct Splunk app, even if its just the search app. Is there a way to add a search bar for the apps? We have on for other pages and options.     I may be overlooking something.  ... View more
Labels

splunkd_ui_access logs

by in Splunk Search
‎08-02-2024 02:56 PM
‎08-02-2024 02:56 PM
Im trying to create some dashboards to make reading _internal logs easier. I'm trying to figure out what all for the fields we are getting in are. This Splunk Doc has the gist of what I am looking at, but we have more fields than that.    In the doc it mentions something about apache and its logs, and whereas we do use apache, im not well versed in it enough to understand what i was looking at fully. I think we are adding in extracted fields, or adding in values in the processing that Splunk does. How can i track down what .conf file is adding the fields. Id like to have a better understanding of where these values come from. There are a lot more fields than the _raw logs seem to have. Like metadata.  ... View more
Labels

Re: Newly added monitor only ingests some of the d...

by in Security
‎07-31-2024 11:03 AM
‎07-31-2024 11:03 AM
That makes sense. I was able to find some errors in Splunk _internal index   DO i just need to salt every file? How would i re-ingest those, or why are those not ingesting, but the other ones are?    ... View more

Re: Newly added monitor only ingests some of the d...

by in Security
‎07-31-2024 10:49 AM
‎07-31-2024 10:49 AM
For a pickle, that was a very fast response.  But running those commands looks like it outputs the internal logs. All of the logs monitored at /export/opt/splunk.  Doesn't really show anything other than those directories.    ... View more

Newly added monitor only ingests some of the data

by in Security
‎07-31-2024 10:40 AM
‎07-31-2024 10:40 AM
SO the other day, I was asked to ingest some data for jenkins, and Splunk has seemed to only ingest some of that data.  I have this monitor installed on both the Production and Development remote instances:       [monitor:///var/lib/jenkins/jobs.../log] recursive = true index = azure sourcetype = jenkins disabled = 0 [monitor:///var/lib/jenkins/jobs] index = jenkins sourcetype = jenkins disabled = 0 recursive = true #[monitor:///var/lib/jenkins/jobs/web-pipeline/branches/develop/builds/14] #index = testing #sourcetype = jenkins #recursive = true #disabled = 0         Pretty much, I have most of the data ingested, but for whatever reason, I cant find any data for  /var/lib/jenkins/jobs/web-pipeline/branches/develop/builds/14, or other random paths that we spot check.  For that bottom commented out input, I specify the entire path and I even added a salt so we could re ingest it.  Its commented out rn, but i have tried different iterations for that specific path.    It has and continues to ingest everything under that /var/lib/jenkins/jobs, but i do not see some of the data.  Based on this input, should i be doing something else? Could it be an issue with having the same sourcetype as the data that is funneled to the azure index? Is the syntax incorrect? I want to ingest EVRYTHING, including files within subdirectories into splunk. Thats why i used recursive, but is that not enough?    Thanks for any help.  ... View more
Labels

Re: Setting up a Splunk Dev Environment

by in Deployment Architecture
‎07-26-2024 02:53 PM
‎07-26-2024 02:53 PM
Just to follow up with what my problem was, I had a license set for an individual instance. I thought distributed meant multiple instances of each type of Splunk Server, ie, multiple indexers, SH, forwarders, etc. I didnt realize one SH, one Indexer, and one Forwarder counted as a distributed. Either way, putting the 10 GB/day distributed license did the trick.   Now dev works 🙂  ... View more

Azure Servers not powerful enough

by in Deployment Architecture
‎06-25-2024 12:56 PM
‎06-25-2024 12:56 PM
I had a quick question about the resources on my indexer. I have a dev environment with a forwarder, indexer, and SH. On all of the servers, I have an IO Wait error. Investigating, I could turn that alert off, or I could look at the actual resources available on the machine. Looking through it, it looks as if i may need more resources. Looks like i only have 2 cores? and about7 GB of ram.    Min Specs recommended by Splunk are: An x86 64-bit chip architecture. 12 physical CPU cores, or 24 vCPU at 2 GHz or greater per core. 12 GB RAM. This is what i have: Would this explain these errors:   System iowait reached red threshold of 3 Maximum per-cpu iowait reached red threshold of 10 Sum of 3 highest per-cpu iowaits reached red threshold of 15   Before I started trying to re do our Dev env from the ground up, we were receiving these errors and they haven't gone away.    Thanks for any help ... View more

Connecting the SH to the Indexer

by in Deployment Architecture
‎06-14-2024 01:33 PM
‎06-14-2024 01:33 PM
I have this question as a reference: Splunk Question  I have one indexer, SH, and one forwarder. At some point, I had sent data from the Forwarder to the indexer and it was searchable from the SH. After a few runs, I had received this error:      Search not executed: The minimum free disk space (5000MB) reached for /export/opt/splunk/var/run/splunk/dispatch. user=admin., concurrency_category="historical", concurrency_context="user_instance-wide", current_concurrency=0, concurrency_limit=5000     This was because our root filesystem was only 20 gigs and after a few searches it had dropped below 5 gigs. So at this point i was wanting to remount and move around a few things and move splunk into a larger FS. So i did, and since then, I have fully removed and reinstalled splunk and remounted it multiple times on each server, and some of these issues persist. Currently, The search Head isnt wanting to connect and search the indexer. Storage and server resources are fine, and i can connect through telnet over port 8089, but the replication keeps failing.  I keep receiving error:     Bundle replication to peer named dc1nix2dxxx at uri https://dc1nix2dxxx:8089 was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_BUNDLE_DATA_TRANSMIT_FAILURE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information. Expected common latest bundle version on all peers after sync replication, found none. Reverting to old behavior - using most recent bundles on all     I can connect and do everything else on the server through the backend, and i can telnet between the two, so im not sure what to do. Most everything i keep seeing has me check settings under distributed environment. And most of the time, under those setting, it says due to our license we arent allowed to access those settings. All i have set is one search peer, dc1nix2pxxx:8089.   Some sources say its an issue with the web.conf settings, but i dont have a web.conf under my local, and if i did, what should that look like? I just have three servers im working with.  Id appreciate any help or guidance in the right direction.    Thank you ... View more

Reinstalling Splunk

by in Installation
‎06-14-2024 12:57 PM
‎06-14-2024 12:57 PM
I have been working on our Splunk Dev environment, and since then, I have reinstalled and uninstalled Splunk many times. I had a question as to why even on a fresh install, the apps, and a few other artifacts remain? Once i wipe all traces of splunk off a server, I would think that upon reinstall, it would be a fresh start. yet, some of the GUI settings remain, and even some apps on the specific servers remain.  I have one dev indexer, SH, and Forwarder. We have specific apps that i have installed for people months ago, and since then, have rm -rf all traces that I could find of splunk, and yet, upon reinstall of splunk, I still see those apps under /SPLUNK_HOME/etc/apps. I have the same tar that i am unzipping on each server. yet, things like that persist across the servers.    My question is, what is storing that info? For example, the app BeyondTrust-PMCloud-Integration/, located under /export/opt/splunk/etc/apps, persists throughout two or three reinstalls of splunk. Is the FS storing data about the Splunk install even after i rm -rf all of /export/opt/splunk?  Im trying to fix some annoying issues for replication and such by just resetting the servers, since i am building them from ground up, but these servers are still retaining some stuff. I decided to redo Splunk dev after we kept having issues with the old Dev environment. I was wanting a completely fresh start, but it seems as if Splunk retains some things even after a full reset. So im not sure if some problems are still persisting because something from a previous install is still floating around somewhere. Thanks for any help ... View more
Labels

Re: Index.conf error

by in Getting Data In
‎06-13-2024 09:44 AM
‎06-13-2024 09:44 AM
I was able to solve this halfway through writing this.  For future reference, you cant have the $SPlunk_HOME referenced in the $SPLUNK_DB. At least for me, the server hadnt restarted and updated the value, so it didnt recognize it.   I had to set the path manually,  $SPLUNK_DB=/export/opt/splunk/data Don't forget to leave the trailing / out.  The you can have your indexes.conf look like: homePath = $SPLUNK_DB/hot/$_index_name/db coldPath = $SPLUNK_DB/cold/$_index_name/colddb   ... View more

Index.conf error

by in Getting Data In
‎06-13-2024 09:41 AM
‎06-13-2024 09:41 AM
Hey, I am setting up a Splunk Dev env. I have one indexer, one SH, and one forwarder. I have uninstalled and reinstalled the Dev Indexer. I am trying to set it up to use two different filesystems as cold/hot data.  The error im receiving when i restart Splunk is     Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index '_audit': path of homePath must be absolute ('$SPLUNK_HOME/data/audit/db') Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue       Im not sure how to set this up correctly. I reinstalled the indexer so i could fix the mounts and storage.  For the /export/opt/splunk/etc/system.local/indexes.conf, i have something like:     [default] homePath = $SPLUNK_DB/hot/$_index_name/db coldPath = $SPLUNK_DB/cold/$_index_name/colddb       For my Splunk_DB, I have tried to set it in the Splunk-Launch.conf, as shown below:     # Version 9.2.0.1 # Modify the following line to suit the location of your Splunk install. # If unset, Splunk will use the parent of the directory containing the splunk # CLI executable. # SPLUNK_HOME=/export/opt/splunk/ # By default, Splunk stores its indexes under SPLUNK_HOME in the # var/lib/splunk subdirectory. This can be overridden # here: # SPLUNK_DB=$SPLUNK_HOME/data/ # Splunkd daemon name SPLUNK_SERVER_NAME=Splunkd # If SPLUNK_OS_USER is set, then Splunk service will only start # if the 'splunk [re]start [splunkd]' command is invoked by a user who # is, or can effectively become via setuid(2), $SPLUNK_OS_USER. # (This setting can be specified as username or as UID.) # # SPLUNK_OS_USER PYTHONHTTPSVERIFY=0 PYTHONUTF8=1 ENABLE_CPUSHARES=true     ... View more
Labels

Move over indexes and their data to another mount

by in Deployment Architecture
‎06-12-2024 02:57 PM
‎06-12-2024 02:57 PM
I have a new indexer set up for dev, and I need to move its default SPLUNK_DB path to the mountpoints we have set up for its cold/data   Currently, we have storage allocated on drives for the cold and hot data. We have storage allocated at /export/opt/slunk/data/<cold|hot> Currently, I have ingested some test data with eventgen, and it ended up in /export/opt/splunk/var/lib/splunk/   I would just copy everything over and update the splunk-launch.conf and edit the $SPLUNK_DB to be /export/opt/splunk/data, but there are a lot of files under the /export/opt/splunk/var/lib/splunk/.   I really only have one index with data in it, the testindex index.  What would be the best way to go about migrating all of the data from /export/opt/splunk/var/lib/splunk/ while making sure that future events get sent to the correct hot/cold databases.  The files under /export/opt/splunk/var/lib/splunk/ dont specify hot or cold until i get into the specific directories. At this point, all of the data could be considered hot as its new, but id like to confirm that any future events get sent to the correct index.  When i run echo $SPLUNK_DB, i do not get any output. When i run printenv, I do not see $SPLUNK_HOME or $SPLUNK_DB and their values. WIthin the SPlunk-launch.conf, the $SPLUNK_DB is commented out, and there isnt one set in local to specify it. So why does it default to  /export/opt/splunk/var/lib/splunk/?  I saw this Splunk DOC:https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Moveanindex But I already have a directory i want, would i have to move each folder under the current db directory individually to ensure they land in the right place?  Id just like some guidance on best practice for this indexer. I just have one SH, one Indexer, and one Forwarder.    Thanks for any help    ... View more
Labels

Re: Setting up a Splunk Dev Environment

by in Deployment Architecture
‎06-12-2024 10:47 AM
‎06-12-2024 10:47 AM
I was testing out a lot of different things. I know I def did edit the distsearch manually. I did most everything from the CLI. Redoing and moving the License Manager through the GUI fixed some of the issues, as i can now search the data.    Thanks ... View more

Re: Setting up a Splunk Dev Environment

by in Deployment Architecture
‎06-12-2024 09:17 AM
‎06-12-2024 09:17 AM
After a bit of work, I made the indexer the License Master. I already wanted the SH to also server as the DMC, and im not sure what was happening, but i made the indexer the License master, confirmed a few settings, and I was able to add a new search peer. That window now allows me to see search peers under Distributed peers:   Not entirely sure what the problem was.  But in this instance, I am trying to get one indexer, one SH, and one forwarder working. i made the indexer the License master, the forwarder just a forwarder, and hopefully the SH as a SH and DMC.   Thanks for the help.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma from
View All
Karma given to