Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About musskopf
musskopf
Builder
Member since:
11-19-2013
06-05-2020
Community Statistics
| Posts | 199 |
| Solutions | 36 |
| Karma Given | 19 |
| Karma Received | 122 |
| Member Since | 11-19-2013 |
Activity Feed
- Got Karma for Re: Splunk DB Connect: Why am I getting an error on my heavy forwarder trying to add a PostgreSQL database?. 04-30-2024 12:06 PM
- Got Karma for Re: How to retrieve all apps and reports from the backup after uninstalling and reinstalling Splunk?. 08-02-2022 02:10 PM
- Got Karma for Re: How to Script a Lookup in python. 02-28-2021 03:22 PM
- Got Karma for Re: How to display earliest and latest dates of searches in a dashboard and PDF report?. 10-17-2020 01:45 PM
- Karma Re: How can I save a query data so that it does not get loaded everytime for jimodonald. 06-05-2020 12:47 AM
- Karma Re: calculate baseline for chart in different time range for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: After indexing slowed down due to available space, how can I speed up Splunk forwarding and indexing to catch up? for yannK. 06-05-2020 12:47 AM
- Karma Re: Splunk DB Connect: Why Web Access data is being logged into jbridge.log? for mchang_splunk. 06-05-2020 12:47 AM
- Karma Re: Changing position of addtotals label Field for somesoni2. 06-05-2020 12:47 AM
- Karma Script error during SA-ldapsearch test connection for thebarryk. 06-05-2020 12:47 AM
- Karma Re: Has anybody been successful with configuring the Splunk Support for Active Directory app on Splunk 6.1.1? for johnjj7141. 06-05-2020 12:47 AM
- Karma Splunk Support for Active Directory: Why do I get an exception from the Python script for every ldapfilter command I try? for Othi. 06-05-2020 12:47 AM
- Karma Re: How many people login with the same IP in the same hour using stats? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: loadjob Encountered an error while reading file '/opt/splunk/var/run/splunk/dispatch/scheduler[...]/results.csv.gz' for Micmac. 06-05-2020 12:47 AM
- Karma Re: Why curl command for CSV output of top 20 error messages using regex returns error " -bash: syntax error near unexpected token `(' "? for Ayn. 06-05-2020 12:47 AM
- Karma Re: How to hide or grey out Clone option under Edit on Splunk dashboard? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: What are suggested approaches/steps for Syslog to switch to another heavy forwarder when primary goes down? for MuS. 06-05-2020 12:47 AM
- Karma Access Control: Is it possible to create views based on index name and/or sourcetype that we can set permissions for individually? for javiergn. 06-05-2020 12:47 AM
- Karma Re: return command works only with numeric values? for jrodriguezap. 06-05-2020 12:47 AM
- Got Karma for Re: How to customize the width of panels in an HTML dashboard?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 4 |
11-05-2014
02:32 PM
Could you pls provide an example how your MV field looks like?
... View more
11-05-2014
02:21 PM
10Mb/s should be fine but remember that Universal Forwarders are limited to use only 256Kbp/s of bandwidth. Ref.: http://answers.splunk.com/answers/29538/maxkbps-option-and-limiting-a-forwarders-rate-of-thruput.html
... View more
11-05-2014
01:47 PM
Inside Splunk, you'll have a folder named etc/apps/. Inside each App's Folder, go to the local/ folder and you should be able to find all configuration files, saved searches, reports, etc there. You might also be interested in the lookups/ folder as well.
... View more
11-05-2014
01:32 PM
1 Karma
That's good... now if you wish to make this lookup an automatic thing based on the sourcetype, just go to Settings -> Lookups and make sure you have the Lookup table files, Lookup definitions and Automatic lookups configured.
The Lookup tables file will basically list the files you have inside the local/lookup folder per app. Just define the correct permissions
The Lookup definitions is where you define the Name of a lookup, based on your requirements, if you just give it a name and select the right csv file you'll be OK
And finally the Automatic lookups you associate the definition you created with a sourcetype/host/source... To configure justgive it a name, select a lookup definition and indicate the field names on the event side and on the lookup table. In you case should be on input user=user output full_name=full_name
... View more
11-05-2014
01:24 PM
1 Karma
If you use a script like powershell, just make a loop and print everything as key="value", for example you data you look like:
2014-11-06T04:10:09.000+10:00, AppPoolName="TestApp", PrivateMemory=2000, State="Started",...
If you data is already a hash is very simple to make a loop, if the data is a single string, you might need to split by ":" to load it into a hash table first. As you are already using Scripted Input, a few more lines on your script will save heaps of time on the Splunk side.
... View more
11-04-2014
06:04 PM
3 Karma
You could use a Macro instead.
Just go to Settings -> Advanced Search and add a macro like that:
Name:
myMacro
Definition:
outputlookup coll_lookup append=True
After saved and configured the right permissions, just run you search:
| inputlookup coll_lookup | search "field1"="foo" | eval field1="bar" | `myMacro`
Yes, you need to use those *` ** to call the macro
Also, I've tested using | outputlookup TestFile.csv append=True` and not a lookup definition, but should work in the same way.*
... View more
11-04-2014
02:54 PM
Would eval + return work for you?
For example:
mysearch |timechart avg(secs) by city|eval baseline=[search mysearch earliest=-30d latest=now |stats avg(secs) as baseline|return $baseline]
The other option might be appendcols , but I never used it...
... View more
11-04-2014
02:46 PM
If that's a scripted input, I would suggest to code the script to format the content as key="value". I use a couple of Powershell scripts to collect data from different sources like Sharepoint, AD, EventLog, etc... and I even created a library to output each events in key=value format. Much easier!
... View more
11-04-2014
02:02 PM
Strange that Splunk haven't extract the fields automatically... anyway, try to run something like:
index=bla ... | rex field=_raw "^(?P<field1>.*) (?P<field2>.*) (?P<field3>.*) (?P<field4>.*) (?P<field5>.*) (?P<field6>.*) (?P<field7>.*) (?P<field8>.*) (?P<field9>.*) (?P<field10>.*) (?P<field11>.*) (?P<field12>.*) (?P<field13>.*)$" | table *
This is a very basic regex assuming the data will be always have 13 fields separated by "space".
... View more
11-04-2014
01:52 PM
1 Karma
Hello reswob4,
I normally use the GUI interface to define the lookups, but as you're using simple CSV files, you don't even need to configure anything to use it at search time. Here some commands to help you debugging it:
Run the search on the "Search App":
| inputlookup users.csv
If you get the lookup output, great, if you don't... something wrong with your CSV file, maybe permissions, character encoding, etc
Having the lookuptable readable do a bit more:
sourcetype="WMI:WinEventLog:Security" user=myusername | lookup users.csv user
Make sure the result from your search is returning a user value that is present in your users.csv
You should be able to see the event now with all additional fields extracted from the lookup table
Let me know the results from that basic test and we should be able to continue from there if you wish to make this an automatic thing to happen.
... View more
11-04-2014
01:41 PM
Just before assisting you, is that your raw data or those fields/columns have already been extracted? If you already have the fields extracted just use: search bla bla bla | table fieldABC , replacing by the correct field name. If you don't have the field extracted, you need first to solve that. Once fields are extracted, you can search using search fieldABC="bla"
If you're not familiar with Splunk GUI you can see which fields are extracted by simply running a search in verbose mode and expanding one event by clicking on the icon like > for any event in the results.
... View more
11-04-2014
01:35 PM
Have a look on the map command... Provide some additional event data and expected results as vasanthmss mentioned to help writing the search.
... View more
11-03-2014
05:14 PM
forgot to mention, the logfile also doesn't rotate. Here my jbridge_server.conf :
[log]
filename=jbridge.log
maxCount=3
fileSize=15000000
logLevel=info
It should rotate at 15Mb but my logfile keeps growing up to 1Gb and I need to remove/rotate manually.
... View more
11-02-2014
05:04 PM
2 Karma
Hello,
I noticed today that Web Access data is being logged inside the DB Connect Logfile $SPLUNK_HOME/var/log/splunk/jbridge.log . Apparently the Splunk Web server is logging the access to both files: jbridge.log and web_access.log . Is anybody experiencing the same?
If I run lsof jbridge.log I get:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 5307 splunk 92u REG 253,2 7836435 138393 jbridge.log
python 5363 splunk 3w REG 253,2 7836435 138393 jbridge.log
python 5363 splunk 4w REG 253,2 7836435 138393 jbridge.log
java 5366 splunk 3w REG 253,2 7836435 138393 jbridge.log
java 5366 splunk 4w REG 253,2 7836435 138393 jbridge.log
python 5424 splunk 6w REG 253,2 7836435 138393 jbridge.log
Where the PID 6363 is python /apps/splunk/etc/apps/dbx/bin/jbridge_server.py and PID 5424 is python -O /apps/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py restart
Looks like the Webserver is sending the messages to both handlers.
Here my Software Versions:
RedHat EL 6.5
Splunk 6.1.1
Splunk DB Connect 1.1.4
Any help is appreciated!
Cheers,
Mike M.
... View more
10-30-2014
03:25 PM
1 Karma
Using somesoni2 example worked over here:
index=_internal | stats sum(bytes) as bytes by user | addtotals col=t row=f fieldname=bytes label="Total Bytes" labelfield="user" | rename user as "Splunk Users"
... View more
10-29-2014
03:21 PM
Would be easier to create the Regex by your self. If you have only this kind of event in your index you could use something like:
(?P<orderID>\d+)$
But if want to be safer, you might decide to include a bit more of the raw event:
\[INFO\].+Billing successful for order id (?P<orderID>\d+)$
Just go to Splunk Settings -> Fields -> Field Extraction -> "Select the App" and Create a New for the correct Sourcetype
Cheers,
... View more
Have a look at the transaction command. You might be able to build a transaction on each user, where the maxspan=10m .
Here the link for the command reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction
After that, just use the eventcount to evaluate the ones where are greater than 3. Here how I think it'll look:
tag=authentication sourcetype="juniper:sslvpn" | transacion user maxspan=10m | where eventcount>3 | table _time,user
Cheers
... View more
10-26-2014
07:36 PM
Hey logmar,
There is an app called S.o.S: https://apps.splunk.com/app/748/ it helps you monitoring the Splunk itself. I think the problem is that Splunk is designed to do not block data indexing, that's why it has the violation alerts instead... In a production environment blocking data indexing could prevent you to collect important information.
Anyway, have a look on this app and setup alerts! A good strategy to stop data from coming is to have multiple TCP INPUTs, so you give for example tcp port 10000 to a team, if they start to abuse, just disable temporally this input. You could even automate this process using alerting scripts.
Cheers
... View more
10-26-2014
02:27 PM
Same problems with the new version (v 2.0) over here... nothing works 😞
... View more
10-26-2014
02:09 PM
Same over here... 1.1.3 works fine but 2.0 I tried lots of different combinations and it doesn't work.
... View more
10-21-2014
05:01 PM
1 Karma
I believe that's because the Rising Column cannot be written as tableName.columnName , it needs to be only columnName . If you have the same column name in multiple tables because of a JOIN, just add something like:
SELECT RecordLog.RecordID AS RecordIDforTail (...continue you query)
and use the RecordIDforTail as you Rising Column
Also if it doesn't help, could copy here the output from splunkd.log and dbx.log just after you get the erro? Both are in $SPLUNK_HOME/var/log/splunk
Cheers.
... View more
10-21-2014
04:54 PM
4 Karma
Hi Rdunn,
I believe you're in the right way... join would be the command here. Let's see if I can build a search command using the information you provide in your question. First let's see if I'm taking the right assumptions:
The search below will list the DHCP events, containing the dest_ip(s) ** used by the Host(s) you're investigating:**
sourcetype=dhcpsrvlog description=Assign OR description=Renew [|inputlookup hostwatchlist] | dedup dest_host sortby -_time
Now to join it with the web_threat events you need first to have the a field name in common. Apparently the joining key here is the Host's IP, in this case dest_ip from DHCP log and src_ip from Webthreat logs.
Here how you could join both:
sourcetype=dhcpsrvlog description=Assign OR description=Renew [|inputlookup hostwatchlist] | dedup dest_host sortby -_time
| join type=inner max=0 dest_ip
[
search sourcetype=web_threat dst_hostname=badsite.com | rename src_ip AS dest_ip
]
| table _time, dest_host, dest_ip, dst_hostname
*Note that I renamed the field src_ip.
Just to give you a bit of explanation, the join command needs two things to match events between the searches: same field name and same field content - both are CASE-SENSITIVE! The type=right tells to list only values that have matches... you could use type=left if you wish to list events from DHCP logs independent if they have or don't have matching events from the join operation. The max=0 tells to match all events, the default is 1. Also the join command by default overwrite the fields, in other word, the search inside the join will return, for example _time field and this will be used at the output, overwriting the _time from the first search.
As a suggestion you might want have the dst_hostname as another lookup to make you like easier instead to add it directly to the search.
Anyway, hope I was able to help.
Cheers
... View more
10-21-2014
02:32 PM
I don't think Splunk cares about the file name at all... if a file is rename and the checksum still the same, it won't re-index the file... if it got renamed and the file receive more content, Splunk should grab only the deltas.
... View more
10-20-2014
05:31 PM
Hi Roman,
From my experience Splunk basically watch 2 things from the monitored files:
- checksum for the first bytes of the file;
- and the size of the file.
Based on that, every time the filesize changes or a new file appears, it'll check the beginning of the file to confirm the file is new or just the same file with more content. Being the same (same checksum and size bigger than last time), it'll go the the last line indexed and continue from there. If the Splunk identify the file as being new, it'll start from line 1. The filename doesn't matter much, it just need to match the naming filter you're monitoring.
In you case, if you monitor "access*.log" should do the trick. Make sure the compressed files get renamed to access-xxxxxxx.log.gz so they are not included.
Also, if you have too many days of logs in the same location, is recommended to include ignoreOlderThan = 2d , for example... so Splunk won't monitor the older files anymore.
Also, you mentioned MB/s... please note that Splunk Universal Forwarder is limited to 256kbps of throughput. You might need to increase that to keep up with the data volume you're generating.
Hope it helps!
Cheers
... View more
10-20-2014
04:46 PM
1 Karma
Do you already have the lookup working for the matching ones? If yes, just use a | fillnull -value "any_any" rule_name
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
