Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gerrysr6
gerrysr6
Explorer
Member since:
07-05-2023
01-15-2024
Community Statistics
| Posts | 17 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 07-05-2023 |
Activity Feed
- Posted Re: Ingest actions in version 8.1.5 on Getting Data In. 01-14-2024 02:49 PM
- Posted Re: Ingest actions in version 8.1.5 on Getting Data In. 01-13-2024 10:05 AM
- Posted Re: Ingest actions in version 8.1.5 on Getting Data In. 01-12-2024 04:48 PM
- Posted Re: Ingest actions in version 8.1.5 on Getting Data In. 01-12-2024 04:41 PM
- Posted Re: Ingest actions in version 8.1.5 on Getting Data In. 01-12-2024 10:02 AM
- Posted Ingest actions in version 8.1.5 on Getting Data In. 01-12-2024 09:31 AM
- Posted Re: Need to create summary index on Splunk Search. 01-11-2024 12:56 PM
- Posted Why doesn't my Ingest Action work? on Getting Data In. 01-10-2024 09:56 AM
- Karma Re: When was a Report last run? for dtburrows3. 12-19-2023 11:54 AM
- Posted When was a Report last run? on Reporting. 12-19-2023 09:10 AM
- Posted eventtype=A eventtype=B is this an OR or an AND? on Splunk Search. 10-26-2023 02:19 PM
- Posted Re: Can't figure out how to POST a Report on Getting Data In. 07-13-2023 08:34 AM
- Posted Re: How to export reports using the REST API? on Other Usage. 07-10-2023 11:16 AM
- Posted Re: How do you create saved search using REST API call? on Getting Data In. 07-10-2023 10:48 AM
- Posted Can't figure out how to POST a Report on Getting Data In. 07-10-2023 10:29 AM
- Posted Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance? on Alerting. 07-06-2023 12:54 PM
- Posted Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance? on Alerting. 07-05-2023 04:25 PM
- Posted Re: How to di get a list of Search Heads in my Splunk Environment. on Deployment Architecture. 07-05-2023 09:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-14-2024
02:49 PM
I don't want to learn regex, I want to replace personal information with fixed strings. Can someone at Splunk give me the correct expression to use? Since testing in other environments doesn't help, and Splunk needs a Restart just to try out a rule this is really painful.
... View more
01-13-2024
10:05 AM
So would this work? [address_masking] REGEX = (\\"addressLine1\\":\\")([^\\"]+)(\\") FORMAT = $1(masked)$3
... View more
01-12-2024
04:48 PM
according to regex101 my regex is correct, so the problem must be in the FORMAT
... View more
01-12-2024
10:02 AM
How does this look? [address_masking] REGEX = (\\\"addressLine1\\\":\\\")([^\\\"]+)(\\\") FORMAT = $1(masked)$3
... View more
01-12-2024
09:31 AM
We have two indexers, one version 8.1.5 (which will not be updated soon) and version 9.1.0.1 I see 9 has a nice feature "Ingest actions" which is exactly what I need to mask some incoming Personal Information (PI). It is coming in JSON and looks something like: \"addressLine1\":\"1234 Main Street\", I need to find some fields and remove the content. Yes I believe there are backslashes in there. I tested a regex on 9 and added to the transforms.conf and props.conf files on our 8.1.5 indexer but the rules didn't work. In one of my tests the rule caused an entire log entry to change to "999999999", not quite what I was expecting but now we know Splunk was applying the rule. This is one of my rules that had no affect: [address_masking] REGEX = (?<=\"addressLine1\":\")[^\"]* FORMAT = \"addressLine1\":\"100 Unknown Rd.\" DEST_KEY = _raw Found docs, looking at them now: Configure advanced extractions with field transforms - Splunk Documentation Can I get someone point out what is wrong with the above transform? Thanks!
... View more
Labels
- Labels:
-
transforms.conf
01-11-2024
12:56 PM
more screen shot sure would help - where is that? I can see stuff like Edit Description/Permissions/etc. but not Edit Summary Indexing
... View more
01-10-2024
09:56 AM
I have written and tested some rules using "Ingest Actions". I used the "Sample" indexed data and everything seems fine, so I saved my rules. There is a button "Deploy" with one option, Export for Manual Deployment. Do I have to do that?
... View more
Labels
- Labels:
-
data
-
inputs.conf
-
props.conf
-
transforms.conf
12-19-2023
09:10 AM
Our system has a lot of Reports defined and I'm tasked with cleaning them up. The first thing I want to do is determine when each was last used. I found some searches that are supposed to help, but they are too old or something, results are invalid (e.g. I am getting back Alerts and Searches when I want only Reports). Out of 199 Reports 7 are scheduled so I can guess when they ran last. Can someone show me a search that returns Reports each with their last run date? thanks!
... View more
Labels
- Labels:
-
other
10-26-2023
02:19 PM
As I understand the documentation ANDs are implied, so "eventtype=A eventtype=B" is the same as "eventtype=A AND eventtype=B" Also, if the tag names are the same like in this case it is interpreted as "eventtype=A OR eventtype=B". So my question is "eventtype" a tag name or not? If I do a search the search results say eventtype is both A and B! I don't understand.
... View more
Labels
- Labels:
-
subsearch
07-13-2023
08:34 AM
Does anyone have a working example? Some of the parameters of the URL I don't understand 'App' (what is an example of an App?); why is it being uploaded to "search" when it's an alert? Where are these stored in the file system? I can't find them.
... View more
07-10-2023
10:48 AM
what the heck is a stanza?
... View more
07-10-2023
10:29 AM
I'm stuck with an old Splunk system 8.1.5 and trying to move Alerts and Reports to a new system (9 something). I figured maybe I could use the API, GET works: curl -k -u myusername:mypassword https://vs-iapp001.local:8089/services/saved/searches/GerrysTestReport -H "Authorization: Bearer mytoken" which returns a lot of XML that I save in a file called GerrysTestReport.xml Then I deleted my report and now I'm trying to recreate it using POST curl -X POST -k -u myusername:mypassword https://vs-iapp001.local:8089/servicesNS/splunk/App/saved/searches/_new/GerrysTestReport -H "Authorization: Bearer mytoken" --data-urlencode @GerrysTestReport.xml Unfortunately it just returns errors like "Action forbidden" The parameters URL are just too complicated to figure out, and I have tried many, many combinations. Nothing works. My account is an admin account and I have every available privilege
... View more
Labels
- Labels:
-
XML
07-06-2023
12:54 PM
I'm trying to export and import alerts from one search head to a new search head. Can transfersplunkknowledgeobjects.py be used for this? I don't know what to use for "-srcApp" so I am trying "alerts" (without the quotes) Right now I'm getting 404 errors. I do have a Bearer Token but where to put it? I looked at "Version Control for Splunk" but that is even harder to figure out how to use it.
... View more
07-05-2023
04:25 PM
App Exporter looks promising... how to use it to export Alerts and Reports as requested by Daniel?
... View more
07-05-2023
09:04 AM
I tried both commands and they return different servers. The first command seems to return indexers (don't care) the second command lists one server and it's roles, which includes search_head (good). Why would I care about schedulers? Are you saying the scheduler might also be the search head?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-15-2024
11:36 AM
|
