Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ttovarzoll
ttovarzoll
Path Finder
Member since:
03-04-2020
Wednesday
Community Statistics
| Posts | 40 |
| Solutions | 2 |
| Karma Given | 12 |
| Karma Received | 1 |
| Member Since | 03-04-2020 |
Activity Feed
- Karma Re: Is there anything comparable to SPL for offline use? for isoutamo. Wednesday
- Karma Re: Is there anything comparable to SPL for offline use? for richgalloway. Wednesday
- Posted Re: Is the Free license for home lab available? on Installation. Wednesday
- Posted Re: Is there anything comparable to SPL for offline use? on Splunk Search. Wednesday
- Karma Re: Is there anything comparable to SPL for offline use? for richgalloway. Wednesday
- Posted Is there anything comparable to SPL for offline use? on Splunk Search. Wednesday
- Tagged Is there anything comparable to SPL for offline use? on Splunk Search. Wednesday
- Posted Re: Are hidden characters breaking my joins? on Splunk Search. 03-23-2023 09:13 AM
- Karma Re: Are hidden characters breaking my joins? for yuanliu. 03-23-2023 09:03 AM
- Karma Re: Are hidden characters breaking my joins? for PickleRick. 03-23-2023 09:03 AM
- Posted Are hidden characters breaking my joins? on Splunk Search. 03-22-2023 11:08 AM
- Posted Re: Amazon AWS SQS Monitoring: Unable to ingest OversizedChangeNotification on All Apps and Add-ons. 03-13-2023 08:52 AM
- Posted Re: Amazon AWS SQS Monitoring: Unable to ingest OversizedChangeNotification on All Apps and Add-ons. 09-02-2022 08:07 AM
- Posted Re: filter on 'count' without losing original results? on Splunk Search. 08-09-2022 10:03 AM
- Karma Re: filter on 'count' without losing original results? for bowesmana. 08-09-2022 10:01 AM
- Karma Re: filter on 'count' without losing original results? for PickleRick. 08-09-2022 10:00 AM
- Posted Re: filter on 'count' without losing original results? on Splunk Search. 08-08-2022 04:58 PM
- Posted How to filter on 'count' without losing original results? on Splunk Search. 08-08-2022 01:43 PM
- Tagged How to filter on 'count' without losing original results? on Splunk Search. 08-08-2022 01:43 PM
- Tagged How to filter on 'count' without losing original results? on Splunk Search. 08-08-2022 01:43 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Wednesday
what does the "500 MB daily ingest limit" mean? I understand if I'm sending logs but what if I want to use it for adhoc review of large offline data-sets, e.g. VPC FlowLogs? Can I manually import a 1 GB .csv or does that count as part of the 500 MB/day? If so, could I break it up and import 500 MB today, then 500 MB tomorrow -- and then do my searches? Thank you for this detailed discussion!
... View more
Wednesday
Interesting! What are the rules or restrictions around a 'personal' install? I've mostly used Splunk Cloud so I have limited experience doing local installs. It seems like a lot of work to configure, and after the initial 30-day(?) trial expires, what can or can't you do? Also, btw, I found that I can duplicate a little of my SPL experience in Excel using the 'Text Filter' function. Still waaay more work then just writing a one-line SPL query but at least duplicates some of the power ...
... View more
Wednesday
I love love love Splunk and especially SPL! It makes it so easy to generate very granular and detailed reports on large data-sets. But is there anything comparable for offline data? In the past I've used Excel and both it's 'Data:Filter' function along with custom formulas. But that all seems so restrictive now, compared to SPL.
Any suggestions? (Aside from temporarily importing my offline data into Splunk which I cannot do for various reasons...)
... View more
- Tags:
- spl
Labels
- Labels:
-
eval
03-23-2023
09:13 AM
Aha! yes, that's a good trick. At first I didn't understand how that would fix the problem but then I realized that it was the perfect troubleshooting step -- and it demonstrated that there was a trailing space. So, I have now modified my eval statement and confirmed that I am now receiving the missing events | eval user_IP = username . trim(src_ip) I also had to add matching trim() statements to several other references to 'username' throughout the SPL query.
... View more
03-22-2023
11:08 AM
I am trying to build an Alert for login failures in AWS CloudTrail. In general I have it working -- but my joins are missing some of the desired events. Specifically, I am building an 'index' value consisting of the username+IP, e.g. | eval user_IP = username + src_ip but I now see that some seemingly-identical values are being evaluated as separate. For instance, when you click on the Selected Values view (left-side in the results) there will be 2 separate entries which -- at least on-screen -- appear to be identical. WHAT THE POPUP SHOWS user_IP 2 Values, 100% of events Values Count firstuser172.31.1.1 2 firstuser172.31.1.1 1 I suspect there is a hidden character in the second Value. Or, maybe a trailing space (though there is none when I try adding each to the search). ---- How can I modify my 'eval' to generate values without hidden characters? (I already tried adding a lower() function but without success)
... View more
Labels
- Labels:
-
eval
03-13-2023
08:52 AM
Are you using the legacy TA or the new Data Manager?
... View more
09-02-2022
08:07 AM
Has anyone tried the SQS input on the new Data Manager Add-On? Instead of directly pulling (like the legacy AWS Add-On) the new DM creates a Firehose 'push'. Also, re the legacy Add-On's issue, I know that I previously posted about my own experience (circa 2019) but now my recollection is that this was only/ever a cosmetic issue, i.e., that there was no actual data-loss. Is that correct? Or, am I maybe confusing this issue with another?
... View more
08-09-2022
10:03 AM
Thank you! Both of those solutions worked. I decided to use the 'stats count values() by' as my solution because I liked how it created a single multi-value result.
... View more
08-08-2022
04:58 PM
I'm surprised, I honestly thought I provided enough details. I really don't see how this will help but here it is: index=os sourcetype="xmlwineventlog" ``` extract and normalize the Domain name ``` | rex field=source "/aws/directoryservice/(?<ds_name>.+):" | eval Domain = if( lower( substr(ds_name,0,2))="zo", lower( substr(ds_name, 0, 8)), lower( substr(ds_name, 14, len(ds_name) - 12))) ``` extract and normalize the Domain Controller hostname ``` | rex field=Computer "(?<DC_extract>.+).z" | eval DC_hostname = if( isnull( DC_extract ), upper(Computer), upper( DC_extract ) ) ``` count how many messages from each DC ``` | stats count by Domain, DC_hostname ``` now count how many DCs per-domain | stats count by Domain `` finally, notify of any domains with more than 2 DCs ``` | where count>2
... View more
08-08-2022
01:43 PM
I am trying to build an Alert which will trigger whenever one of our AWS-hosted Active Directory domains get replacement Domain Controllers, i.e., we don't control if/when they replace the servers. I already have a simple Alert which counts how many unique DCs it sees per-hosted domain, and then I can do a simple:
index=os sourcetype="xmlwineventlog # here I perform some clean-up to identify the 2 desired fields... # stats count Domain, DC_hostname stats count Domain where count>2
(and where the default number of DCs = 2, i.e., if there are more than that, AWS is in the process of replacing one or both.)
The problem is that I lose the list of DCs.
How can I filter-out all the domains that just have the typical 2 DCs while still keeping the complete list of DCs from the non-typical domain?
-------------------------
FYI - this is what the search looks like before my final filter:
Domain DC_hostname ---------- ----------------------------- domain1 DC1 domain1 DC2 domain2 DC3 domain2 DC4 domain2 DC5
My current Alert returns simply: domain2
whereas I want it to return:
domain2 DC3 domain2 DC4 domain2 DC5
... View more
Labels
- Labels:
-
count
05-10-2022
10:05 AM
oh! wow, I didn't know you could do that -- list one of the original fields twice in the stats command 😁 I was seeing the dc(SecondaryField) and assumed that was the only/last reference to that field. You've unlocked a whole new wave of discovery for me!
... View more
05-09-2022
11:10 AM
Giuseppe, Thanks, that's a great trick! But wouldn't it lose the original values of SecondaryField?
... View more
05-06-2022
02:51 PM
I am trying to create a Splunk Alert which -- well, the details will take too long to explain 🙂
The issue is that I'm generating a stats list where some of the results have a single value while others have multiple, e.g.
PrimaryField
SecondaryField
resultToKeep
result1 result2
resultToToss
result1
How do I filter-out the 'resultToToss' based on the fact there's only 1 'SecondaryField' result for it?
... View more
Labels
- Labels:
-
stats
04-06-2022
05:16 PM
FYI - still replying to my own question ... I would still like to know how to specify an individual Key/Value pair but I finally found another posting which showed me how to accomplish my real objection -- extracting the 'Name' fields. (I use the IP/Name info to label my VPC Flowlogs.) index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances "Tags{}.Value"=prod PrivateIpAddress="10.10.*" | spath Tags{} | mvexpand Tags{} | spath input=Tags{} | table PrivateIpAddress, Key, Value | where Key="Name" | fields - Key
... View more
04-06-2022
02:03 PM
ok, so I think I've partially answered my question: the first version is a nested-JSON and, since it has unique paths, it is trivial to specify a filter (also to extract the result) the second version is -- I believe... -- a nested multi-value array. I've dealt with MV arrays before but this time I'm defeated by the nesting. FYI - the official Splunk doc re MV arrays only has examples where you pick the values by position-ID, e.g. [0], rather than by associated 'Key' https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions ----------------------------------- I found the following StackOverflow discussion which seemed to answer this exact issue ... except that I can't get the 'mvzip' command to accept the Tags{}.Name multi-value? https://stackoverflow.com/questions/61646035/get-specified-element-in-array-of-json-splunk Their solution was basically a hack where you combine the 'name' and 'value' arrays, then filter for your target key, and finally re-extract the target value. For the AWS Description Metadata JSON, I'm trying the following -- except that it returns the error, "arguments to mvzip function are invalid" | eval combined = mvzip( "Tags{}.Key", "Tags{}.Value" ) P.S. I tried the Tags{}.Key both with and without double-quotes around it ...
... View more
04-06-2022
11:03 AM
The latest version of the Splunk Add-on for AWS has changed the JSON for the "AWS Description" ingest; see examples below. My question is about selecting values from this new 'type' of array. Before, you could select particular values with the following search syntax: tags.Name = "server1" QUESTIONS 1. How do I make the same search with the newer JSON? 2. What is the technical description for these 2 different forms of arrays? BEFORE tags: { [-] Environment: test Name: server1 AFTER Tags: [ [-] { [-] Key: Environment Value: test } { [-] Key: Name Value: server1 }
... View more
Labels
- Labels:
-
search
10-12-2021
09:43 AM
This is really a log4net question but I'm hoping the folks here can help; I have been unsuccessful at searching online for a solution. ----------------- We have a custom application which generates local logs in JSON format via the log4net module. We then have a Splunk UF installed to collect said logs. In general that all works fine. The problem is that some log messages include a nested JSON 'message' field -- but log4net is misformatting it as a string and so Splunk doesn't parse the nested part. You can see the issue (below) where log4net is unnecessarily adding quote-marks around the nested part: CURRENT/INVALID "message":"{"command":"Transform271ToBenefitResponse","ms":1}" PROPER "message":{"command":"Transform271ToBenefitResponse","ms":1} -------------------------- I'm not entirely sure of the log4net configuration but here's what I was told by one of our developers: ORIGINAL LOG4NET CONFIG <conversionPattern value="%utcdate [%property{CorrelationId}] [%property{companyId}] [%property{userId}] [%thread] [%level] %logger - %message%newline" /> UPDATED CONFIG; STILL FAILS <conversionPattern value="{"date":"%date{ISO8601}", "correlationId":"%property{CorrelationId}", "companyId":"%property{companyId}", "userId":"%property{userId}", "thread":"%thread", "level":"%level", "logger":"%logger", "message":"%message"}%newline" />
... View more
- Tags:
- log4net
Labels
- Labels:
-
JSON
05-06-2021
10:19 AM
I am using the standard 'Splunk_TA_nix' deploy-app on all of my Linux agents. Now, we are starting to deploy Cortex XDR and the local /var/log/traps/traps.pmd log is extremely verbose and unnecessary to collect in Splunk; it's already being collected by the Cortex XDR console. How do I blacklist that one log-file without editing the original deploy-app? I have tried creating an additional deploy-app which specifies that folder, then blacklists that file, but it doesn't work. Maybe I have a typo (see below) but my suspicion is that there's a precedence issue, i.e., I can't modify the input stanza from the first deploy-app? MY NEW DEPLOY-APP's INPUT.CONF [monitor:///var/log/traps/]
blacklist = traps.pmd
recursive=false
disabled = false
index = os
sourcetype = syslog
... View more
Labels
- Labels:
-
inputs.conf
04-06-2021
11:53 AM
Did you recreate the Input(s) in the Okta TA? It's simple enough to configure, I would do that just to ensure there wasn't something borked in the original Input, i.e., after the original token failed. Also, for what user-account is the new token? Currently, I'm using my own admin-equiv Okta user but I'm trying to recreate it with a 'service-account' with only the required log-access permissions. The "no logs found" might be a misleading error if the token is for a user without log-access?
... View more
03-09-2021
03:15 PM
1 Karma
I am experiencing this error, too, and two years after it was apparently recognized as an issue in the AWS TA. Surely there's some workaround? If I manually delete the 'oversize' files from the S3 bucket, will that stop the error-logging ... or will it simply substitute a new different error, e.g. "object not found"? Or, will the SQS message eventually time-out? (I don't think I have the ability to selectively delete SQS messages?)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Wednesday
|
Karma given to
