Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About sajeshpp
sajeshpp
Path Finder
Member since:
05-08-2017
06-05-2020
Community Statistics
| Posts | 13 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-08-2017 |
Activity Feed
- Posted How to find user roles that have access to serachindexallowed * or _* on Security. 11-07-2017 09:43 PM
- Tagged How to find user roles that have access to serachindexallowed * or _* on Security. 11-07-2017 09:43 PM
- Tagged How to find user roles that have access to serachindexallowed * or _* on Security. 11-07-2017 09:43 PM
- Tagged How to find user roles that have access to serachindexallowed * or _* on Security. 11-07-2017 09:43 PM
- Tagged How to find user roles that have access to serachindexallowed * or _* on Security. 11-07-2017 09:43 PM
- Posted Re: How to check when the index is disabled/enabled on Splunk Enterprise. 07-26-2017 09:47 PM
- Posted Re: How to check when the index is disabled/enabled on Splunk Enterprise. 07-26-2017 09:41 PM
- Posted How to check when the index is disabled/enabled on Splunk Enterprise. 07-26-2017 07:31 AM
- Tagged How to check when the index is disabled/enabled on Splunk Enterprise. 07-26-2017 07:31 AM
- Posted Re: moving rex to props and transforms not woking on Splunk Search. 07-12-2017 05:16 AM
- Posted Re: Adding new SH cluster to existing splunk setup. on Deployment Architecture. 07-08-2017 09:51 AM
- Posted Adding new SH cluster to existing splunk setup. on Deployment Architecture. 07-07-2017 12:34 AM
- Tagged Adding new SH cluster to existing splunk setup. on Deployment Architecture. 07-07-2017 12:34 AM
- Posted Re: moving rex to props and transforms not woking on Splunk Search. 07-05-2017 02:47 AM
- Posted Re: moving rex to props and transforms not woking on Splunk Search. 07-04-2017 12:44 AM
- Posted Re: moving rex to props and transforms not woking on Splunk Search. 07-03-2017 11:53 PM
- Posted Re: moving rex to props and transforms not woking on Splunk Search. 07-03-2017 05:29 AM
- Posted Re: moving rex to props and transforms not woking on Splunk Search. 07-03-2017 05:26 AM
- Posted moving rex to props and transforms not woking on Splunk Search. 07-03-2017 03:30 AM
- Tagged moving rex to props and transforms not woking on Splunk Search. 07-03-2017 03:30 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-07-2017
09:43 PM
I need to find the user roles which has searchindexallowed = " * or _* "
The below command list all the roles with searchindexallowed details, but how do I get only roles which has permission to all indexes.
| rest /services/admin/roles | table title, srchIndexesAllowed | rename title as role.
Also, is there any way to find this with btool command ?
... View more
07-26-2017
09:47 PM
thanks for your response 🙂
yes. it shows the messages. But it won't tell you when the index was disabled.
We are not using/monitoring this server regularly as it is part of poc/testing activity and also logs are not pushed regularly to the index. Hence it will be difficult to find when was index disabled by whom.
... View more
07-26-2017
09:41 PM
thanks.. this worked out for me
... View more
07-26-2017
07:31 AM
We are seeing once of our index is disabled.
Is there any way to find when the index was disabled (date and time)?
Is this info logged in any log files ?
... View more
- Tags:
- splunk-enterprise
07-08-2017
09:51 AM
As per splunk documentation they says you can use same deployer for all clusters if it employ same configuration.
"
Deploy to multiple clusters
The deployer sends the same configuration bundle to all cluster members that it services. Therefore, if you have multiple search head clusters, you can use the same deployer for all the clusters only if the clusters employ exactly the same configurations, apps, and so on.
If you anticipate that your clusters might need different configurations over time, set up a separate deployer for each cluster "
http://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/PropagateSHCconfigurationchanges#Deploy_to_multiple_clusters
But I dont see the deployer configuration differences when it serves for single cluster and multiple cluster in splunk documentation.
... View more
07-07-2017
12:34 AM
Currently we have 1 multisite indexing cluster, 1 multisite search head cluster, a deployer and a master node.
Planning to add one more search head cluster which will have same configuration as existing SH cluster.
So we will be using same deployer and indexing cluster with this new cluster.
1. What are the configuration changes required in deployer If it manage multiple SH clusters. ?
2.What will be the deference in existing SH member and new cluster members ?
I could not find any splunk docs to find what is the difference in deployer configuration when it mange single cluster and multiple clusters.
Basically the requirement will be to have a splunk setup with
1 Multisite Indexing cluster, 2 Multisite SH cluster, 1 Master node and a deployer.
... View more
- Tags:
- splunk-enterprise
07-05-2017
02:47 AM
I suspect the issue with using transforms is, The filed "Message" that I am using as source key is extracted during search time. But you can use a field as source key if it is indexed field.
So, I got my requirement met by doing inline extraction instead of transforms.
I have used below settings in props to extract and it extracted required fields.
EXTRACT-printfields= Message="\w+\s\d+,\s(?.+)\sowned\sby\s(?\w+)\son.+printed\son\s(?\w+-\d+).+Size\s\w+\s\w+:\s(?\d+).\s\w+\s\w+:\s(?\d+)
... View more
07-04-2017
12:44 AM
I am using TA for windows. But that didn't help.
Tried field extractor with GUI. It did not create props and transforms instead it created inline field EXRACT entry in $SPLUNK_HOME/etc/users//search/local/props.conf.
EXTRACT-docname,user,printer,size,pages = \n(?:Message=")(?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)
The fields are extracting with this settings, but I am not sure if this the recommended method to use it.
Is there any way we can convert this into transforms ?
... View more
07-03-2017
11:53 PM
As I am using REPORT- in props.conf, it will do search time field extraction not index time ?
I am already using Windows TA. But it does not extract these fields.
... View more
07-03-2017
05:29 AM
-bash-4.1$ cat transforms.conf
[extfield]
SOURCE_KEY = Message
MV_ADD = true
REGEX = (?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)
... View more
07-03-2017
05:26 AM
I have removed the quotes from REGEX. still no luck.
here is my metadata.
local.meta
[]
access = read : [ * ], write : [ admin ]
export = system
... View more
07-03-2017
03:30 AM
Hi,
I am monitoring print events from windows event logs using WinEventLog:Microsoft-Windows-PrintService/Operational.
inputs.conf
[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0
index = index1
sourcetype = winprint
The events getting indexed and fields are extracted as key value pair in logs.
06/19/2017 09:56:22 AM
LogName=Microsoft-Windows-PrintService/Operational
SourceName=Microsoft-Windows-PrintService
EventCode=307
EventType=4
Type=Information
ComputerName=hostname.net
User=NOT_TRANSLATED
Sid=sid
SidType=0
TaskCategory=Printing a document
OpCode=Spooler Operation Succeeded
RecordNumber=541
Keywords=Document Print Job, Classic Spooler Event
Message="Document 4, TRAVEL EXPENSE STATEMENT.pdf owned by user1 on \host1 was printed on P-1234567 through port p-1234567.server.com. Size in bytes: 1695734. Pages printed: 3. No user action is required."
I need to extract the values from Message filed and assigned to new fields and it is working using below search with rex command.
index = index1| rex field=Message "(?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)"
I need this field extraction to be done with props and transforms instead of rex.
props.conf
[winprint]
REPORT-field_ext = extfield
transforms.conf
[extfield]
SOURCE_KEY = Message
MV_ADD = true
REGEX = "(?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)"
None of the fields are extracting with this props and transforms but works with rex.
Can some one please suggest what is the issue with this configuration and help to resolve the issue.
Thanks,
Sajesh
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
