06-06-2018
09:15 PM
Where is this logging.conf file?
Thanks
06-04-2018
03:52 AM
How did you go with this?
I'd be eager to hear how you implemented the status for an event as well.
Thanks
10-22-2017
06:35 PM
1 Karma
Still the same in v7.0.0
08-14-2017
08:58 PM
Same issue here... 18,000 events, only 1,000 returned using loadjob.
08-13-2017
10:19 PM
Try:
| ldapsearch domain="abc" search="(&(objectClass=group)(cn=Privileged accounts))"
| mvexpand member
| table cn,member
| ldapfetch dn=member attrs="displayName, sAMAccountName"
08-10-2017
08:38 PM
Thanks for the help and the code, it works, but the panel is on the screen all the time.
Cheers
08-10-2017
03:42 PM
Same thing happens when using preview as well.
08-10-2017
03:30 PM
Yes, the same thing happens when using form.
I'm using Splunk 6.5.1612 in Splunk Cloud.
08-09-2017
10:10 PM
This is a test dashboard I'm working on:
<dashboard>
  <label>Testing</label>
  <row>
    <panel depends="$hide_panel$">
      <event>
        <title>Test Panel</title>
        <search>
          <query>sourcetype=bluecoat:proxysg:access:syslog news | head 1</query>
          <earliest>rt</earliest>
          <latest>rt</latest>
          <progress>
            <condition match="'job.resultCount' == 0">
              <unset token="hide_panel"></unset>
            </condition>
            <condition>
              <set token="hide_panel">true</set>
            </condition>
          </progress>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
      </event>
    </panel>
  </row>
</dashboard>
When I edit it using the UI, for example the time period, then save it, some of the code gets deleted and it ends up like this:
<dashboard>
  <label>Testing</label>
  <row>
    <panel depends="$hide_panel$">
      <event>
        <title>Test Panel</title>
        <search>
          <query>sourcetype=bluecoat:proxysg:access:syslog news | head 1</query>
          <earliest>rt-30s</earliest>
          <latest>rt</latest>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
      </event>
    </panel>
  </row>
</dashboard>
All the code for the panel hide/reveal has gone.
Anyone know why?
And also, I can't seem to get this to hide/reveal when using a 5 minute window either.
Thanks!
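The failure described in the post above is silent: the panel keeps its depends="$hide_panel$" attribute but nothing sets or unsets the token once the UI editor drops the progress block. The following added check (example code, not from the post or from Splunk) parses a Simple XML dashboard and reports every panel whose depends-token is never set or unset anywhere in the dashboard; the two dashboards inside it are constructed to mirror the before/after shape shown in the post.

```python
import xml.etree.ElementTree as ET

# Added example: lint a Simple XML dashboard for depends-tokens that no
# <set>/<unset> element manages, which is exactly what is left behind when
# the UI editor strips a <progress> block.

def token_names(value: str):
    """Turn a depends="$a$,$b$" attribute into ["a", "b"]."""
    return [t.strip().strip("$") for t in value.split(",") if t.strip()]

def missing_token_handlers(simple_xml: str):
    """Return (panel_title, token) pairs for depends-tokens nothing sets."""
    root = ET.fromstring(simple_xml)
    # every token that some <set> or <unset> (progress, done, change, ...) touches
    managed = {e.get("token") for e in root.iter() if e.tag in ("set", "unset")}
    problems = []
    for panel in root.iter("panel"):
        depends = panel.get("depends")
        if not depends:
            continue
        title_el = panel.find(".//title")
        title = title_el.text if title_el is not None else "(untitled)"
        for tok in token_names(depends):
            if tok not in managed:
                problems.append((title, tok))
    return problems

# Constructed dashboards with the post's query, trimmed to the relevant parts
BEFORE = """<dashboard><label>Testing</label><row>
<panel depends="$hide_panel$"><event><title>Test Panel</title>
<search><query>sourcetype=bluecoat:proxysg:access:syslog news | head 1</query>
<progress>
 <condition match="'job.resultCount' == 0"><unset token="hide_panel"></unset></condition>
 <condition><set token="hide_panel">true</set></condition>
</progress></search></event></panel></row></dashboard>"""

AFTER = """<dashboard><label>Testing</label><row>
<panel depends="$hide_panel$"><event><title>Test Panel</title>
<search><query>sourcetype=bluecoat:proxysg:access:syslog news | head 1</query></search>
</event></panel></row></dashboard>"""

if __name__ == "__main__":
    print("before:", missing_token_handlers(BEFORE))   # []
    print("after: ", missing_token_handlers(AFTER))    # [('Test Panel', 'hide_panel')]
```

Run it against the XML the UI saved (Edit > Source) to confirm whether the token handling survived the edit.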
08-09-2017
09:12 PM
Wonderful!
This worked a treat:
| eval sevdesc='severity.description'
| stats count by "Custom Tag", sevdesc
| rex field=sevdesc mode=sed "s/(Critical Severity)/ \1/ s/(High Severity)/ \1/ s/(Medium Severity)/ \1/ s/(Low Severity)/ \1/"
| stats list(count), values(sevdesc) by "Custom Tag"
| sort values(sevdesc), -list(count)
| rename "Custom Tag" AS Application list(count) AS Count values(sevdesc) AS Severity
Thanks!
08-09-2017
03:43 PM
Hi All, I'm working with some vulnerability data and I'm wondering if I can sort the list I have of different vulnerability ratings the way I want it to look. So far I have come up empty on ideas.
At the moment the data is being sorted alphabetically and looks like this:
Critical Severity
High Severity
Informative
Low Severity
Medium Severity
I'd like it to look like this:
Critical Severity
High Severity
Medium Severity
Low Severity
Informative
Possible?
Thanks!
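The accepted answer in the post above (the rex mode=sed search) works because a space sorts before every letter, so prefixing each label with a different number of spaces makes a plain string sort produce Critical, High, Medium, Low, Informative. The added Python below (example code, not from either post) reproduces that trick on the question's input so the ordering can be checked; the prefix widths are an assumption, since the sed expression as reproduced on this page shows a single space per label, which on its own does not change the order.

```python
import re

# Added example: the whitespace-prefix sort trick from the thread, as a
# Python function over the five severity labels from the question.

SED_SUBS = [
    # (pattern, replacement), in the spirit of rex mode=sed "s/(X)/ \1/"
    # Assumed widths: wider padding for higher severity so it sorts first.
    (r"(Critical Severity)", "    \\1"),   # 4 spaces
    (r"(High Severity)",     "   \\1"),    # 3 spaces
    (r"(Medium Severity)",   "  \\1"),     # 2 spaces
    (r"(Low Severity)",      " \\1"),      # 1 space
]

def apply_sed(label: str, subs=SED_SUBS) -> str:
    """Apply each substitution in order, like a chained sed expression."""
    for pattern, repl in subs:
        label = re.sub(pattern, repl, label)
    return label

def sort_severities(labels, subs=SED_SUBS):
    """Sort by the padded form, then strip the padding for display."""
    return [s.strip() for s in sorted(apply_sed(l, subs) for l in labels)]

# Constructed input, in the alphabetical order the question complains about
ALPHABETICAL = ["Critical Severity", "High Severity", "Informative",
                "Low Severity", "Medium Severity"]

# Failure mode: one space for every label leaves Low ahead of Medium
ONE_SPACE = [(pattern, " \\1") for pattern, _ in SED_SUBS]

if __name__ == "__main__":
    print(sort_severities(ALPHABETICAL))             # Critical, High, Medium, Low, Informative
    print(sort_severities(ALPHABETICAL, ONE_SPACE))  # Critical, High, Low, Medium, Informative
```

In SPL the same result can also be had without padding by assigning a numeric rank with eval case() and sorting on that, which avoids the display clean-up step.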
07-19-2017
04:49 PM
2 Karma
Try with just $row.Network Location$
I have a similar issue, with needing the passed variable to appear in the new search as "just like this" and not just like this.
If that makes sense.
06-29-2017
05:25 PM
Is it:
earliest_time=earliest
OR
earliestTime=earliest
For this fix? There is a different post with that variation.
Thanks
03-26-2017
06:34 PM
How did that go?
03-14-2017
10:32 PM
I would log into the search head, remove the indexer as a search peer, then re-add it again. Sounds like something has become confused on the backend.
03-14-2017
10:29 PM
Sounds like you need to add Omaha as a search peer on the Jax machine.
03-14-2017
10:24 PM
Are you sending the deployment clients' logs back to your indexer(s)?
If so, check the _internal index for clues.
"index=_internal error" might be a good start.
02-22-2017
02:28 PM
This is an example I have used before; you are correct, the null goes first:
transforms.conf
[trash]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[whitelist]
REGEX = type=PATH|type=SYSCALL
DEST_KEY = queue
FORMAT = indexQueue
[blacklist]
REGEX = \/u0(1|2|3|4|5)\/blah\/|\/u01\/blah\/JDE_HOME\/logs|\/u01\/blah\/XXD_HOME\/data
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[source::/var/log/audit/audit.log*]
TRANSFORMS-set = trash,whitelist,blacklist
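Why the order in TRANSFORMS-set matters: Splunk applies the listed transforms one after another and each matching REGEX overwrites the queue key, so the last match wins. The added Python below (example code, not the post's own and not Splunk's routing engine) replays that rule with the post's three regexes over constructed auditd lines, and shows that reversing the order sends everything to the null queue.

```python
import re

# Added example: simulate last-match-wins queue routing for the post's
# transforms. Python's re is close enough to Splunk's PCRE for these patterns.
TRANSFORMS = [
    # (stanza, REGEX, FORMAT); DEST_KEY is "queue" for all three
    ("trash",     r".",                      "nullQueue"),
    ("whitelist", r"type=PATH|type=SYSCALL", "indexQueue"),
    ("blacklist", r"\/u0(1|2|3|4|5)\/blah\/|\/u01\/blah\/JDE_HOME\/logs"
                  r"|\/u01\/blah\/XXD_HOME\/data", "nullQueue"),
]

def route(event: str, transforms=TRANSFORMS) -> str:
    """Return the queue an event ends up in after every transform has run."""
    queue = "indexQueue"            # an event nothing touches is indexed
    for _stanza, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt             # later matches overwrite earlier ones
    return queue

def route_all(events, transforms=TRANSFORMS):
    """Map each event to its queue, for a quick table of the outcome."""
    return {e: route(e, transforms) for e in events}

# Constructed auditd-style lines (not real log data)
SAMPLE = [
    'type=SYSCALL msg=audit(1487000000.123:42): syscall=2 success=yes',
    'type=PATH msg=audit(1487000000.123:42): item=0 name="/etc/shadow"',
    'type=PATH msg=audit(1487000000.124:43): item=0 name="/u01/blah/JDE_HOME/logs/x.log"',
    'type=CWD msg=audit(1487000000.123:42): cwd="/root"',
]

if __name__ == "__main__":
    for event, queue in route_all(SAMPLE).items():
        print(f"{queue:11} <- {event}")
    # With the order reversed, "trash" runs last and everything is dropped
    print(route(SAMPLE[1], list(reversed(TRANSFORMS))))   # nullQueue
```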
02-01-2017
05:56 PM
Ah you mean like you can in Excel. Hmm.
02-01-2017
05:55 PM
You mean through an alert? Or a report?
Or cut and paste a screenshot from Splunk into your email? 😜
I don't think you can currently do this through either reports or an email alert.
12-12-2016
04:27 PM
Hi, this is a props.conf format I have used before; it might help.
# props.conf
[source::udp]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
# 0 = do not truncate long lines (TRUNCATE takes a byte count, not a boolean)
TRUNCATE = 0
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %b %d %H:%M:%S
TZ = America/Chicago
# set the host from the incoming udp packet
TRANSFORMS-gethostfromdata = set_host
12-12-2016
02:35 PM
I'm looking into this myself, and I stumbled upon this; it might give you another avenue to stroll down:
https://www.vaultproject.io/
12-07-2016
03:04 PM
1 Karma
Sounds like there has been a miscommunication when designing the system.
Is the Splunk system multi-tenant?
Looks like you are better off putting the data he requires in another index on a separate indexer machine.
If you don't have access to that search head, I don't know what you can do to restrict it otherwise.
12-06-2016
07:11 PM
This should do it:
rex "somestring :(?P<type>[^\n]+)"
12-05-2016
04:21 PM
1 Karma
I would start looking at add-ons / extensions for your browser of choice; you might be able to put together something that way. Otherwise you might be able to run a script in the background that runs a command to open the browser and Splunk page if it's not found or is displaying something else, like an error.
Cheers