Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About himynamesdave
himynamesdave
Contributor
Member since:
11-13-2013
12-21-2021
Community Statistics
| Posts | 125 |
| Solutions | 4 |
| Karma Given | 39 |
| Karma Received | 28 |
| Member Since | 11-13-2013 |
Activity Feed
- Posted Re: TAXII 2.1 Inputs (Without Splunk Enterprise Security) on Getting Data In. 12-21-2021 09:50 AM
- Posted TAXII 2.1 Inputs (Without Splunk Enterprise Security) on Getting Data In. 12-20-2021 12:38 PM
- Got Karma for Re: indexes.conf and setting volumes globally. 04-20-2021 05:43 AM
- Got Karma for Using Python SDK to run search against data model -- permissions issues. 06-05-2020 12:49 AM
- Karma Re: Joining accelerated data models using tstats for esix_splunk. 06-05-2020 12:48 AM
- Karma Re: Joining accelerated data models using tstats for starcher. 06-05-2020 12:48 AM
- Karma Re: Joining accelerated data models using tstats for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: Moving 3 day count - any built in search commands for this? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: How do I assign a single timestamp to multiple events in one XML document at index-time? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: How do I assign a single timestamp to multiple events in one XML document at index-time? for woodcock. 06-05-2020 12:47 AM
- Karma Re: How to configure SEDCMD in props.conf to delete XML event content at index-time? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Who can tell me why the API POST for JSON doc times out - for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: How to build a search to compare this year's data with previous years without using timechart? for aljohnson_splun. 06-05-2020 12:47 AM
- Karma Re: Must break event after x characters for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Event break regex - match 19 digit number for MuS. 06-05-2020 12:47 AM
- Karma Re: How to calculate speed (distance/time) from latitude and longitude fields? for jbjerke_splunk. 06-05-2020 12:47 AM
- Karma Re: How to calculate speed (distance/time) from latitude and longitude fields? for gfuente. 06-05-2020 12:47 AM
- Karma Re: Fixed Format Records - Timestamp Extraction Issues for gwiley_splunk. 06-05-2020 12:47 AM
- Karma Re: What are the minimum Splunk capabilities I need to assign a user role to send data into an index via REST API POST request? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: How to split events from the same log into different indexes based on content? for Jason. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-21-2021
09:50 AM
Thanks, yep, understood @PickleRick I was wondering if anything existed before building anything. e.g. https://splunkbase.splunk.com/app/2637/ for 2.x versions I guess I'll take a deeper look at building something new then. Give this post an upvote if you're looking for something similar, and I'll bump it up in terms of my priorities.
... View more
12-20-2021
12:38 PM
Hi all! I know ES ships with a TAXII client to ingest threat intel over TAXII. Does anything exist for users who do not have ES? I am trying to ingest intel (in STIX 2.1) being distributed via a TAXII 2.1 server to Splunk. Thanks!
... View more
Labels
- Labels:
-
modular input
01-17-2019
05:45 AM
Hi @rogerblanc
Check out the TAXII Connect App for Splunk. You can connect it to any TAXII feed and it will pull intel into Splunk KVStores. The app also ships with some saved searches to match logs and intel:
https://splunkbase.splunk.com/app/4352/
... View more
01-22-2018
11:52 PM
1 Karma
All I'm running a query using python SDK against a data model stored in a custom app. I get the response:
FATAL: Error in 'TsidxStats': Could not find datamodel: MYDATAMODEL
I know this error is caused because the DM is set to App level permissions. It appears the search via the SDK is being dispatched from a default location (maybe search app?).
Can someone let me know if it's possible to explicitly set the dispatch app when running requests through the SDK?
... View more
09-11-2017
10:28 AM
All - I need someone to bring me sanity with a regex I am trying to write.
Essentially I want to capture everything after "username=" up to either "&" or "\s"
Two sample events:
Ex. 1
username=test%40bmcm%2ecom&version=5%2e4%2e0
Ex. 2
username=test%40bmcm%2ecom next_field
Right now my regex looks like this:
username=(?P[^&|^s]+)
Though I can get it to break on spaces, the regex will not break on "&". Can someone tell me where I'm going wrong, I'm sure it's embarrassingly simple!
Thanks!
... View more
07-31-2017
05:07 AM
The streamstats example worked perfectly!
The global=t current=t for streamstats worked a treat. I should really get more familiar with this function 🙂
Thank you!
... View more
07-31-2017
01:16 AM
Hi all -
I have a dataset that tracks server access. Every time a server makes a request an event is generated. A very simple example:
01/01/01 00:00:00 server_id=server_1
01/01/01 00:00:00 server_id=server_2
01/04/01 00:00:01 server_id=server_1
01/04/01 00:00:00 server_id=server_2
In this case server_id=1 AND server_id=2 first and last logons were exactly on 3 months apart, therefore the average age of server_id = 3 months. This is calculated by taking the first time an instance is seen and last time an instance is seen.
My problem is, some servers are seen daily, others days apart, etc. Essentially these servers represent customers and I want to track the average age of all servers over time (to measure wether customer (server) lifespan is increasing or decreasing).
I initially thought this would be simple using first and last times:
| eventstats last(_time) as first_time, first(_time) as last_time by server_id
| eval lifespan_days=(last_time-first_time)/86400
| timechart avg(lifespan_days)
Now I am doubting, given the results, the logic behind the query. My thinking is, when the search is set to "all time", the eventstats function will always look for the most recent "last" time of an event, versus the relative last time of the event (the day the event was generated).
Can anyone confirm this thinking or better still; offer any advice on crafting a query?
-dave
... View more
05-17-2017
05:23 AM
Hi all,
I have some data like so
Day | Count
1 | 200
2 | 200
3 | 300
4 | 100
5 | 200
... | ...
I can graph a timechart in normal way: SEARCH | timechart span=1d count
However, I now want a bar graph with a rolling count for 3 days
e.g
1 + 2 + 3 | 700
2 + 3 + 4 | 600
3 + 4 + 5 | 600
Is there any built in Splunk commands that can do this? How can I go about building a search for this use-case?
Thanks!
... View more
- Tags:
- stats
04-29-2017
04:50 AM
I have 3 indexers (A, B, C)
A and B are in one zone, C in another zone.
From my forwarders I want to load balance data to indexers A + B (50% data to A / 50% to B). I also want to send 100% of my data to indexer C. Essentially creating 2 copies of my data (1 split between A+B, 1 on C)
My outputs.conf currently accounts for A+B use case (below), how would I add in C to the stanza?
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server=A:9997,B:9997
... View more
04-13-2017
10:48 AM
1 Karma
Is there anyway to set the path to the volumes globally for each indexer, so that each index uses these volumes by default for the appropriate bucket?
... View more
04-13-2017
05:34 AM
Hi -
I am re-architecting our Splunk environment. I have mounted various volumes to each of my indexers (3 total) for hot, warm and cold buckets.
To do this I have set volumes in an indexes.conf file I will deploy via Deployment Server to the 3 indexers.
/deployment-apps/myapp/default/indexes.conf
[volume:hot_warm]
path = /splunk_data/hot_warm
#DISK SIZE = 2.9TB
maxVolumeDataSizeMB = 2800000
[volume:cold]
#DISK SIZE = 8.8TB
path = /splunk_data/cold
maxVolumeDataSizeMB = 8700000
My question is, will this config set volumes globally for all indexes on the indexer? That is, if another app has an index=x, will that index write hot data to the path; "/splunk_data/hot_warm", for example?
... View more
03-27-2017
02:04 PM
RE:
I recently switched our forwarders from being individually managed to deployment clients (as per question here) and encountered one issue: Splunk changed the host value for each event coming from a forwarder to "ID" with all events (indexed as host=ID).
Note, we did not use the deployment server to push down any apps yet, we've only pointed the forwarder at the deployment server (set deploy-poll)
Any ideas as to why this behaviour might happen? I cannot see anything in docs.
... View more
03-27-2017
01:53 PM
To follow up on this, I recently switched our forwarders and encountered one issue: Splunk changed the host value for each forwarder to "ID" with all events, from all forwarders being indexed as host=ID
... View more
03-24-2017
01:51 PM
Thank you, sir!
... View more
03-24-2017
12:51 PM
Ah, good to know. Im running on Linux so should be OK to turn Forwarder into a Deployment Client then? I am worried about current inputs.conf / outputs.conf in search app /local directory being affected by change. So setting Forwarder as Deployment Client this won't be an issue? Thanks for your help!
... View more
03-24-2017
12:30 PM
I have an existing Splunk Forwarder currently forwarding data to an indexer.
I have a new deployment server I want to connect Splunk Forwarder to as deployment client.
Should I need to know anything before pointing Splunk Forwarder at deployment server? I cannot find any warnings in the docs. Will this interrupt current forwarding rules (and apps) currently installed on Forwarder?
... View more
02-22-2017
02:37 AM
Yes. Looking back this is a silly question. I was confusing every command with OUTPUT 🙂 It was a long day!
... View more
02-22-2017
02:36 AM
Thanks, Martin. Works perfectly.
... View more
02-21-2017
08:54 AM
Hi Martin - thanks for taking the time to answer my question. I think I have an issue with field extraction which might be causing a problem, one event (e.g event 1 above) reports a count of 2 for each integration.* value.
When I run SPATH it duplicates events:
Which results in 3 values in each row
And now reports a count of 6 (vs 2)
Now I'm really confused!
... View more
02-21-2017
08:22 AM
Of course, question now updated
... View more
02-21-2017
08:02 AM
I have nested json events indexed in Splunk. Here's an example of 2 (note confidence value differs):
Event 1:
{ [-]
email: hidden@hidden.com
filter: confidence >= 60
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Raw E1:
{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", "integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, {"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], "email": " hidden@hidden.com", "filter": "confidence >= 60", "id": 2087, "last_intelligence": "2017-02-21T11:54:39.260329+00:00"}
Event 2:
{ [-]
email: hidden@hidden.com
filter: confidence >= 50
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Raw E2
{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", "integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, {"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], "email": " hidden@hidden.com", "filter": "confidence >= 50", "id": 2087, "last_intelligence": "2017-02-21T11:54:39.260329+00:00"}
Fields are extracted into fields integration{}.name , integration{}.product , integration{}.product_version . i.e integration{}.product_version=9.3 , integration{}.product_version=3020 .
I want to have each nested value for each represent a single event for each "integration{}.*". If we imagine this as events:
Event 1A:
{ [-]
email: hidden@hidden.com
filter: confidence >= 60
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Event 1B:
{ [-]
email: hidden@hidden.com
filter: confidence >= 60
id: 2087
integrations: [ [-]
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Event 2A:
{ [-]
email: hidden@hidden.com
filter: confidence >= 50
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Event 2B:
{ [-]
email: hidden@hidden.com
filter: confidence >= 50
id: 2087
integrations: [ [-]
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
I am experimenting with spath and mvexpand searches but I am getting some odd results and behaviour using examples from previous answer threads (lots of duplicated events, mvfields, etc).
Ultimately I want to graph these events as tables like:
username, user_id, id, email,title,name,product,product_version,last_intelligence,filter
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, nitro, nitro, 9.3, 2017-02-21T11:54:39.260329+00:00, confidence >= 60
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, paloaltonetworks, paloaltonetworks, 3020, 2017-02-21T11:54:39.260329+00:00, confidence >= 60
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, nitro, nitro, 9.3, 2017-02-21T11:54:39.260329+00:00, confidence >= 50
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, paloaltonetworks, paloaltonetworks, 3020, 2017-02-21T11:54:39.260329+00:00, confidence >= 50
One note which might be pertinent: all my events have the same timestamp (using DATETIME_CONFIG=CURRENT)
Can anyone give me any pointers? Thanks!
... View more
02-16-2017
06:04 AM
I have a saved search that generates a table of users each day:
search "my users" | table username, id
I want to turn this search into a lookup file (users.csv) in my app on a daily basis. Each time the search runs it will overwrite data in lookup containing only results from latest search.
I know outputcsv can create a lookup file, but it there anyway to set the destination to my apps lookup directory?
... View more
02-16-2017
05:46 AM
I have some JSON events, with fields extracted correctly.
Inside the JSON event is a key value dictionary like so
"integrations": ["product=splunk, product_version=6.5, name=splunk"]
The resulting JSON extracted field / value -- intgrations=["product=splunk, product_version=6.5, name=splunk"]
As a regex n00b having relied on IFX in the past, I'm now trying to split product, product_version, and name into fields too.
How would I form a regular expression to use as a field extraction to specify these 3 fields (i.e field starts with "product=" and ends with either "," or """ (not all fields are always in dictionary)?
... View more
02-15-2017
07:33 AM
This solution also works (cannot mark 2 answers as correct, sadly). Thanks to the awesome Answers Community, as always.
... View more
02-15-2017
07:33 AM
This solution also works (cannot mark 2 answers as correct, sadly). Thanks to the awesome Answers Community, as always.
... View more
