×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- About tjago11
tjago11
Communicator
Member since:
06-01-2017
07-21-2021
Community Statistics
| Posts | 54 |
| Solutions | 6 |
| Karma Given | 0 |
| Karma Received | 11 |
| Member Since | 06-01-2017 |
Activity Feed
- Got Karma for Re: How to get the top 10 max values for each field value?. 03-02-2022 03:00 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Re: Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Re: Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Posted Re: Splunk Stream Case Insensitive Extraction on Splunk Search. 01-23-2020 06:31 AM
- Posted Re: Finding the Duration between two timestamps on Splunk Search. 10-10-2019 09:28 AM
- Posted Re: Constant re-authentication after SSO migration on Security. 10-10-2019 09:18 AM
- Posted Re: Keep track of max count. on Splunk Search. 10-01-2019 07:59 AM
- Posted Re: Constant re-authentication after SSO migration on Security. 09-27-2019 06:16 AM
- Posted Re: Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 10:10 AM
- Posted Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 07:33 AM
- Tagged Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 07:33 AM
- Posted Re: How to view raw events in Stream?? on Getting Data In. 09-12-2019 07:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-10-2019
09:28 AM
Easiest way is to use strptime to format your time into epoch and then do the math to convert to minutes/hours/days whatever. Here is a run anywhere example using your date format:
| makeresults
| eval beginTime="2019-07-28T04:01:22.041Z"
| eval endTime="2019-07-28T05:01:22.041Z"
| eval beginTimeEpoch=strptime(beginTime, "%Y-%m-%dT%H:%M:%S")
| eval endTimeEpoch=strptime(endTime, "%Y-%m-%dT%H:%M:%S")
| eval durationInMinutes=(endTimeEpoch-beginTimeEpoch)/60
If you have multiple events then you'll need to do a stats with min/max on the epochs before you calculate the duration, something like:
| stats min(beginTimeEpoch) as beginTimeEpoch, max(endTimeEpoch) as endTimeEpoch by yourField
Enjoy!!
... View more
10-10-2019
09:18 AM
Updated date from Splunk is 2020-Q2:
https://jira.splunk.com/issues/?jql=project+%3D+CAUTO+AND+fixVersion+%3D+FY20-Q2
... View more
Success!! Well, at least an answer if not a solution...yet.
Got this note from Splunk regarding case number 1394793 :
Hey Tyler,
Update for you here dev is working on a fix that will:
"set the X-Splunk-Form-Key header directly reading from the splunkweb_csrf_token_ cookie every time instead of storing it in the variable."
They are building and testing this out currently and I will let you know which upcoming version this will be released in once i get a hard commitment.
While it was fun to tell the support folks, "I told you so", it is far better to see that the issue was reproducible and is being fixed. When I get word on the version of Splunk that contains the fix I'll post back. Progress!!
... View more
09-12-2019
10:10 AM
Ick, I feel dirty but this works.
[xX][-_][fF][oO][rR][wW][aA][rR][dD][eE][dD][-_][fF][oO][rR][:\s]+([\d\.:\s,]+)
I'll not accept this answer yet because it feels gross.
... View more
09-12-2019
07:33 AM
Doing an extraction in Splunk Stream and get an error when trying to use (?i) in my regex:
(?i)x-forwarded-for([:\s]+[\d\.:\s,]+)
Gives this error:
Invalid regex Expression
This works fine in a rex command, not sure what the Splunk Stream syntax is for case insensitive. Thanks.
... View more
09-12-2019
07:23 AM
That's the problem, I don't have sample data. 😉
My data is getting fed from a Gigamon tap at the LTM level. I don't have visibility into the raw tap data and I don't want to log it because it has authentication tokens and other scary stuff.
Working with the OTB HTTP Stream Protocol:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/FileTransfer#HTTP
The field that I want to build an extraction for is src_headers:
src_headers All HTTP headers sent from client to server http.cs-headers
I was able to extract a known header element that is added by an application team using this:
x-parentspantoken[\s:=]+(.{36})
The one I'm struggling with is the x-forwarded-for that is added by our F5 devices. I have this regex:
x-forwarded-for([:\s]+[\d.:\s,]+)
Which is just a guess because I can't see the actual raw header to know if that is right. Possibly a casing issue?? Tried adding (?i) to the front and it gave me an error:
Invalid regex Expression
Poop.
... View more
09-11-2019
12:59 PM
So, if you are trying to find the sum of values for the given years you'll need to get pretty creative. The way I read your question means you want results for each of the years selected, so if they pick 2018 and 2019 then you'll have two results.
Here is something that runs against the main index, the top section you would have to fix for using your Multi-Select. Should work:
| makeresults
| eval firstDay= "09/09/2019"
| eval secondDay= "09/10/2019"
| eval thirdDay="09/11/2019"
| eval daysCombined = firstDay.",".secondDay.",".thirdDay
| makemv daysCombined delim=","
| fields daysCombined
| eval groupBy="foo"
| append
[| tstats count where index=main earliest=-3d@d by _time span=1d
| eval formattedTime = strftime(_time, "%m/%d/%Y")
| eval groupBy="foo"
| eval {formattedTime}Count = count
| stats first(*Count) as *Count by groupBy
]
| stats list(*) as * by groupBy
| mvexpand daysCombined
| foreach *Count [eval <<MATCHSTR>>Included = if(strptime("<<MATCHSTR>>", "%m/%d/%Y") >= strptime(daysCombined, "%m/%d/%Y"), '<<FIELD>>', 0)]
| stats sum(*Included) as *
Enjoy!!
... View more
09-09-2019
11:43 AM
Getting a Splunk Stream feed from a Gigamon tap for HTTP.
I can see all the default fields to pull from the HTTP stream, including the one I care about "src_headers". However, I can't log the full src_headers because it potentially contains authentication tokens and other stuff I don't want to log. I have been able to extract a couple fields successfully by guessing at the regex, but been thrashing on the rest.
Is there some way to view the data that is coming to Stream without being forced to log all of it?? Something like a preview??
Would be nice to see a sample event before logging everything. Thanks.
-Tyler
... View more
09-09-2019
11:33 AM
Quick update, working on the version update from 6.8 to 7.2. Got the dev cluster done a couple weeks ago, unfortunately no help with this issue. Still gets the funky continuous re-authentication when multiple tab/windows are left open and then expire.
Also, the case is still being worked by Splunk. They increased the debugging on our dev cluster and are working on analyzing the data.
... View more
09-09-2019
11:16 AM
Yes on the proxy, but watching the network trace on the browser that doesn't look like a culprit. The tab sends the wrong token...so it will never work.
... View more
09-09-2019
11:13 AM
You are correct about the cookie changing, you can see this behavior in the original post where there are a lot of messages like "sent 1234, had 0987, expected xyz". I very much believe there is a JS variable that holding the token and not going to the cookie every time. This means if the cookie changes under your tab, the JS variable will be out of synch with the cookie and cause another re-authentication.
... View more
07-26-2019
08:36 AM
Yep, that is janky. 😉
Our users are pretty resilient to the abuse and have found ways around it. By increasing timeouts, the issue has been limited to just those people that leave sessions open overnight.
What I can't stomach, is as a web developer I know that the issue is bad session management and should be relatively easy to fix.
... View more
07-26-2019
08:29 AM
No, this is still a problem. Things we've done so far:
Increase ADFS Timeout to 9hrs
Increase SAML Timeout to 9hrs
Increase Web Timeout to 9hrs
Provide SAML Logout URL
Recently I recorded a video of the issue happening and did a network capture with Fiddler. The Case Worker was pretty confused about what is happening and escalated to the Developers.
I still very much believe that there is something with the tab session caching the Token Value instead of dynamically retrieving it from the cookie every time.
Also, we have this issue across both our Search Head Cluster and single Search Head instances, so that is not a factor.
... View more
06-21-2019
06:28 AM
Just confirmed that if I limit the results by the user, the search data does not come back. Did a search with a guid and then went to the internal indexes to see all the places it showed up. When I add in the user restriction it finds nothing, which is good.
index=_* "ec840050-a53f-4b0e-af5a-5f0678bfbcb5" user!=123456
Pretty sure this will work, thanks for the help.
... View more
06-21-2019
06:21 AM
Ahhhh, crap. Totally forgot about the indexer logs that will contain the searches ran there as well, ugh. Okay sounds like I'll need to create some search term restrictions to get a semblance of security around that data.
Do you think it is sufficient to do something like this??
NOT (user=123456 OR user=abcdefg)
I'll know who the security people are so building that restriction will be pretty easy. Heck, if I want to get fancy I can likely resolve the security people by role and gen a lookup table to use as the restriction.
... View more
Happens regardless of the browser, so definitely a Splunk issue.
Opened a case and they said that in our SSO configuration we didn't supply a SAML logout URL. Working on adding that and will update with result. Thanks.
... View more
06-20-2019
05:34 AM
We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different location than the main Search Heads.
The ES SH is used for doing security investigations and we do not want the searches executed readable by the masses.
However, we don't want to lock down everything in _audit.
I'd think the simplest thing to do is have the _audit logs for that one SH sent to a different index??
Is that even possible??
Thanks.
... View more
05-17-2019
01:07 PM
3 Karma
After our SSO migration, users have reported instances where a single tab will re-authenticate which causes a cascading re-authentication across all tabs.
This wouldn't be so bad if it happened once, but for some reason the re-authentication cycles between the tabs and happens continually. Here is a sample of the events that show up in the audit log:
5/15/19 9:52:05.198 AM 127.0.0.1 - 111111 [15/May/2019:15:52:05.198 +0000] "GET /en-US/splunkd/__raw/services/authentication/users/111111?output_mode=json&_=111222333 HTTP/1.0" 200 1904 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.111.111.111 Safari/537.36" - 111aaa222bbb333ccc 0ms
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd_ui_access.log sourcetype = splunkd_ui_access
5/15/19 9:52:05.160 AM 127.0.0.1 - 111111 [15/May/2019:15:52:05.160 +0000] "GET /en-US/splunkd/__raw/services/authorization/roles?output_mode=json&count=0&_=111222333 HTTP/1.0" 200 6593 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.111.111.111 Safari/537.36" - 111aaa222bbb333ccc 0ms
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd_ui_access.log sourcetype = splunkd_ui_access
5/15/19 9:52:05.039 AM Audit:[timestamp=05-15-2019 15:52:05.039, user=111111, action=change_authentication, info=denied ][n/a]
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = audittrail sourcetype = audittrail
5/15/19 9:51:57.179 AM 05-15-2019 15:51:57.179 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/servicesNS/111111/aaabbbcccddd/search/jobs" failed CSRF validation -- expected "111aaa222bbb333ccc444ddd", but instead cookie had "111aaa222bbb333ccc444ddd" and header had "555eee666fff777ggg888hhh"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:51:57.123 AM 05-15-2019 15:51:57.123 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/servicesNS/111111/aaabbbcccddd/search/jobs" failed CSRF validation -- expected "111aaa222bbb333ccc444ddd", but instead cookie had "111aaa222bbb333ccc444ddd" and header had "555eee666fff777ggg888hhh"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:51:57.071 AM 05-15-2019 15:51:57.071 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/servicesNS/111111/aaabbbcccddd/search/jobs" failed CSRF validation -- expected "111aaa222bbb333ccc444ddd", but instead cookie had "111aaa222bbb333ccc444ddd" and header had "555eee666fff777ggg888hhh"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:49:49.400 AM Audit:[timestamp=05-15-2019 15:49:49.400, user=111111, action=change_authentication, info=denied ][n/a]
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = audittrail sourcetype = audittrail
5/15/19 9:49:42.259 AM 05-15-2019 15:49:42.259 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/services/search/jobs/111111__111111__aaabbbcccddd__search3_111111111.145588_0000-000-000-000/control" failed CSRF validation -- expected "999iii000jjj111kkk222lll", but instead cookie had "999iii000jjj111kkk222lll" and header had "333mmm444nnn555ooo666ppp"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
5/15/19 9:49:42.252 AM 05-15-2019 15:49:42.252 +0000 ERROR UiAuth - Request from 127.0.0.1 to "/en-US/splunkd/__raw/services/search/jobs/111111__111111__aaabbbcccddd__search9_222222222.145594_0000-000-000-000/control" failed CSRF validation -- expected "999iii000jjj111kkk222lll", but instead cookie had "999iii000jjj111kkk222lll" and header had "333mmm444nnn555ooo666ppp"
host = sh-i-111aaa222bbb.aaabbbccc.splunkcloud.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
This cycle of Change Auth -> Fail -> CSRF Validation -> Change Auth will just repeat continually until the user closes all tabs and starts over. Somehow one of the tabs gets a new token and stores it in the cookie without telling his friends. Then, instead of reusing the updated token, the other tabs all try to get their own token and store it in the cookie.
Certainly sounds like a defect, but looking for guidance. Thanks.
-Tyler
... View more
11-21-2018
11:51 AM
Okay, so ended up having to change how the grouping worked and used a bit of trickery to preserve the granularity I wanted. In essence I pulled stuff out of the "by" clause and put them into "values" columns. The part that gave me grief was being able to get back to the granular counts.
So I took this query:
index=logging sourcetype=mylogs
| sistats count by application, eventcode, eventtext, host
Then moved a couple of the "by" grouping to be a "values" like this:
index=logging sourcetype=mylogs
| sistats count, values(host) as host, values(eventcode) as eventcode by application, eventtext
This caused a problem though because now I can't get the count by host easily. I did notice that the SI contained a private field called prsvd_vm_host that has field values like this:
server1 ; 2 ; server2 ; 4 ; server3 ; 6 ;
I'm pretty sure I could use that field to get back to the original counts by host, but what I need is a combination of the host AND the eventcode. The SI fields work individually but not in tandem. Ended up modifying the query to look like this:
index=logging sourcetype=mylogs
| eval errorLocation_{host}_{eventcode} = 1
| sistats sum(errorLocation_*) as *, values(host) as host, values(eventcode) as eventcode by application, eventtext
By doing this I'm able to get back to the host+eventcode counts, so far working well. The number of events has decreased dramatically and on querying back the data the performance seems good. Looks like having fewer events that are wider performs better than more events that are narrow. Thanks.
... View more
11-09-2018
09:10 AM
I think your suggestion to split up the data by application and run separate jobs and separate sources is a good option. Thanks.
... View more
11-09-2018
09:07 AM
We used datamodels before with not much success. The jobs to build them took a long time and the results were not that fast. Though admittedly we were not using tstats to select the data back and were on version 6.4.x.
Do you know if there have been any data model acceleration improvements up to our current version of 7.0.5?? Also, it is possible that this problem would be a good fit for the metrics index?? Don't have much experience there either. Thanks.
... View more
11-02-2018
11:05 AM
Currently, we have about 100 applications writing about 50 million events to a logging index/sourcetype per day. It works fine when you are looking for the specific application at specific times, which is the most common scenario. It works okay when you want to get a more a general view of the application over the course of about week. Much beyond that and things start to get slow and annoying.
I tried setting up a summary index that would only pull unique combinations of logging events — something like this:
index=logging sourcetype=mylogs
| sistats count by application, eventcode, eventtext, host
The summary ran daily and brought the events from ~50 million to a little over 1 million. Success!! Now the users can run queries like this:
index=summary source=loggingSummary application=myApplication
| bin _time span=1d
| stats sum(count) by _time
This worked just fine for the first couple weeks of data but then things got slow again. Also, the summary job that runs takes over an hour and we get warnings in the audit log like this:
11-02-2018 00:33:32.701 +0000 WARN AggregatorMiningProcessor - Too many events (1200K) with the same timestamp: incrementing timestamps 12 second(s) into the future to insure retrievability - data_source="loggingSummary", data_host="mySearchHead", data_sourcetype="stash_new"
Also, because the job takes so long to complete, the last time we did a search head restart the job got killed and the data lost.
Ultimately the users want to know the following:
When was the first time this event happened?
When was the most recent time this event happened?
What is the total count of these events (daily count is a nice to have)?
Keep at least one year of data
Be able to compare current data with historical data to find new events that have never happened before
Thought about maintaining a running total of the events and the dates in a lookup, but seems like we have way too many rows for a CSV. Also considered a KV store, but haven't tried that yet.
Might also need to just give up on putting all the application data in one spot and find a way to divide it up. Could be that 1 million+ rows of summary data per day is just too much. Thanks.
... View more
09-25-2018
06:20 AM
I'm hoping to get a single summary index query that I can then use to pull data in different ways. I would prefer to roll the data up daily but there are about 150 million events in a day. Normally that wouldn't be an issue but I'm also wanting to group the data by lots of different fields like this:
index=cif
| fields ApplicationName, DataCenter, Environment, ServerType, host, ErrorCode, MessageText, _time
| eval dateOnly = strftime(_time, "%x")
| fields dateOnly, ApplicationName, DataCenter, Environment, ServerType, host, ErrorCode, MessageText
| fillnull value=""
| stats count as messageCount by dateOnly, ApplicationName, DataCenter, Environment, ServerType, host, ErrorCode, MessageText
The goal is to count the number of times a particular message occurs. On the backside, when this summary is done the user would select the data back like this:
index=summary source=mySource ApplicationName=foo DataCenter=foo Environment=bar ServerType=bar host=*
| stats count as by dateOnly
On retrieval the user will know the various filter fields which is a much smaller set of data. So if I group by the filter fields when building the summary index then I can use them to filter later. I like that this gets me a single summary index job but the query takes like 2.5 hours to complete.
Am I better off running more summary jobs and filtering up front?? Will mean more Summary Index sources and more jobs, which is annoying but maybe necessary?? Thanks.
... View more
