Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Utkc137
Utkc137
Explorer
Member since:
09-30-2023
12-04-2024
Community Statistics
| Posts | 15 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 09-30-2023 |
Activity Feed
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 06:50 AM
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 06:39 AM
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 05:48 AM
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 05:38 AM
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 04:23 AM
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 04:17 AM
- Posted Re: Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 04:13 AM
- Posted Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 04:04 AM
- Tagged Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 04:04 AM
- Tagged Props not parsing the timestamp for TCP input logs on Getting Data In. 12-04-2024 04:04 AM
- Posted Splunk HF Parallel Pipelines not balanced on Monitoring Splunk. 10-29-2023 08:39 AM
- Tagged Splunk HF Parallel Pipelines not balanced on Monitoring Splunk. 10-29-2023 08:39 AM
- Posted Where does the persistent queue fit in the data pipeline? on Getting Data In. 10-26-2023 01:02 PM
- Tagged Where does the persistent queue fit in the data pipeline? on Getting Data In. 10-26-2023 01:02 PM
- Tagged Where does the persistent queue fit in the data pipeline? on Getting Data In. 10-26-2023 01:02 PM
- Karma Re: How to use stats with condition from multiple fields? for gcusello. 09-30-2023 08:31 AM
- Karma Re: How to use stats with condition from multiple fields? for Thulasinathan_M. 09-30-2023 08:30 AM
- Posted Re: How to use stats with condition from multiple fields? on Splunk Search. 09-30-2023 08:29 AM
- Posted Re: How to use stats with condition from multiple fields? on Splunk Search. 09-30-2023 08:22 AM
- Posted Re: How to use stats with condition from multiple fields? on Splunk Search. 09-30-2023 08:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-04-2024
06:50 AM
This the configuration I have as of now .. I am out of reasons on why this would not work. Am I missing something very basic here? Inputs: ./splunk btool inputs list --debug splunktcp://2514
/opt/splunk/etc/system/local/inputs.conf [splunktcp://2514]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf disabled = false
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf index = mmsproxy
/opt/splunk/etc/system/local/inputs.conf source = tcp.bluecoat
/opt/splunk/etc/system/local/inputs.conf sourcetype = bluecoat:proxysg:access:syslog Props: ./splunk btool props list --debug bluecoat | grep -ie local
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf [bluecoat]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf rename = bluecoat:proxysg:access:syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf [bluecoat:proxysg:access:syslog]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf EVENT_BREAKER_ENABLE = true
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf KV_MODE = none
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf MAX_DAYS_AGO = 10951
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TRUNCATE = 64000
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf category = Network & Security
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf pulldown_type = true
... View more
12-04-2024
06:39 AM
Switched the inputs to 2154 .. still no luck.
... View more
12-04-2024
05:48 AM
For testing, I tied the props you provided along with these inputs.conf Test 1: [splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false Test 2: [splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat
disabled = false Restarted Splunk on both these tests. Still no luck.
... View more
12-04-2024
05:38 AM
Yes, I did restart splunk after each conf change 🙂 Here's the inputs.conf [splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false Will check you props too and respond back in a few min
... View more
12-04-2024
04:23 AM
Just tested with bluecoat sourcetype .. no luck. It's a standalone splunk instance (dev env).
... View more
12-04-2024
04:17 AM
Also, the sourcetype I used originally is also mentioned in the inputs.conf .. and remains the same until the logs are ingested
... View more
12-04-2024
04:13 AM
Just tested using source in the props stanza name (source is define in inputs.conf) and it's still picking up the index time as the timestamp 😞
... View more
12-04-2024
04:04 AM
Hi All, I have a bluecoat proxy log source for which I am using the official splunk addon. However, I noticed that the timestamp is not being parsed for from the logs and instead the index time is being taken. To remedy this, I added a custom props in ../etc/apps/Splunk_TA_bluecoat-proxysg/local, with the following stanza: [bluecoat:proxysg:access:syslog]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^ Rest of the configuration is the same as it is in the base app (Splunk_TA_bluecoat-proxysg). During testing, when I upload logs through Add Data, the the time stamp is being properly parsed. However when I start using SplunkTCP to ingest the data, the timestamp extraction stops working. Note that in both of the scenarios, the rest of the parsing configurations (field extraction and mapping is working just fine). Troubleshooting: 1. I tried to check with btool for props .. I can see the custom stanza I added there. 2. Tried putting the props in ../etc/system/local 3. Restarted Splunk multiple times. Any ideas that I can try to get this to work? or where should I look at? Sample Log: 2024-12-03 07:30:06 9 172.24.126.56 - - - - "None" - policy_denied DENIED "Suspicious" - 200 TCP_ACCELERATED CONNECT - tcp beyondwords-h0e8gjgjaqe0egb7.a03.azurefd.net 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 172.29.184.14 39 294 - - - - - "none" "none" "none" 7 - - 631d69b45739e3b6-00000000df56e125-00000000674eb37e - - Splunk Search (Streaming data): Splunk Search (uploaded data):
... View more
Labels
- Labels:
-
props.conf
10-29-2023
08:39 AM
We have configured parallelIngestionPipelines as 2 in Splunk HF as we were facing congestion in the TypingQueue while our CPU was underutilized (~2 Cores used/12). However, the load in the pipelines are not balanced. Pipeline 0 is still congested while Pipeline 1 is barely utilized. Digging around, this seems to be because 80% of our input is on a single UDP port. Will splitting the UDP ports on the source itself solve this issue? i.e. having multiple UDP Inputs on the HF instead of one?
... View more
- Tags:
- pipelines
Labels
- Labels:
-
forwarder
10-26-2023
01:02 PM
Was just going through the ‘Masa diagrams’ link: https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774 If you look at the "Detail Diagram - Standalone Splunk" , the queues are laid out like this (one example): (persistentQueue) + udp_queue --> parsingQueue --> aggQueue --> typingQueue --> indexQueue So lets say we have UDP input configured and some congestion occurs in typingQueue, the persistentQueue should still be able to hold the data until the congestion is cleared up. This should be able to prevent the data loss.. right? Sorry for this loaded assumption based question.. I am trying to figure out what we can do to stop UDP input data from getting dropped due to the typingQueue being filled. (P.S. adding an extra HF is not an option right now). Thanks in advance!
... View more
Labels
- Labels:
-
heavy forwarder
-
inputs.conf
09-30-2023
08:29 AM
Hey thanks a ton! Been breaking my head on this issue.
... View more
09-30-2023
08:22 AM
The idea is to find discrete count of id's where A=1, B=1. Not the count of events where these values are 1.
... View more
09-30-2023
08:11 AM
Yes, they are individual field values.
... View more
09-30-2023
08:09 AM
This isn't the case, all columns are individual fields values. The original log is of the following format: <date_time> <month> <id> A=1 B=0 C=0 ...
... View more
09-30-2023
07:44 AM
Greetings, I am struggling with creating a table in splunk which would do the following transformation: Find the discrete count of id for A, B, and C where value the is 1, by month. Currently, I am calculating values for each column individually using eventstats and combining the results. However, we have a lot of columns (a,b,c,d.....) and thus the SLP does not preform efficiently. Looking for a more efficient approach to this. Thanks in advance!
... View more
Labels
- Labels:
-
stats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-04-2024
08:02 AM
|
