Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Robbie1194
Robbie1194
Communicator
Member since:
06-22-2017
06-05-2020
Community Statistics
| Posts | 59 |
| Solutions | 2 |
| Karma Given | 4 |
| Karma Received | 10 |
| Member Since | 06-22-2017 |
Activity Feed
- Karma Re: What is the regex needed to extract the field "FileImported" field format? for 493669. 06-05-2020 12:49 AM
- Karma Re: What is the regex needed to extract the field "FileImported" field format? for richgalloway. 06-05-2020 12:49 AM
- Karma Re: What is the regex needed to extract the field "FileImported" field format? for mayurr98. 06-05-2020 12:49 AM
- Karma input lookup get values for the lookup only for Chandras11. 06-05-2020 12:49 AM
- Got Karma for What's the best way of getting data from our Splunk servers?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I incorporate Sophos Central data in Splunk ES?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I incorporate Sophos Central data in Splunk ES?. 06-05-2020 12:49 AM
- Got Karma for Re: How can I incorporate Sophos Central data in Splunk ES?. 06-05-2020 12:49 AM
- Got Karma for Issues with the Qualys TA were not ALL scan information is pulled.. 06-05-2020 12:49 AM
- Got Karma for Qualys Technology Add-on (TA) for Splunk: How can I get the full knowledge base downloaded from Qualys onto my search heads?. 06-05-2020 12:49 AM
- Got Karma for Re: How to count the number of each distinct Product in the subsearch Splunk example?. 06-05-2020 12:49 AM
- Got Karma for Re: input lookup get values for the lookup only. 06-05-2020 12:49 AM
- Got Karma for Getting custom fields to appear in OpsGenie alerts. 06-05-2020 12:49 AM
- Got Karma for Re: Adding lookup files for tuning purposes. 06-05-2020 12:48 AM
- Posted SHC Deployer not showing up in the Monitoring Console overview on Deployment Architecture. 10-31-2018 07:26 AM
- Posted Re: Monitoring Console (MC) not recognizing Search Head Cluster (SHC) Label on Monitoring Splunk. 10-31-2018 02:37 AM
- Posted Re: What have people's experiences been setting up Splunk in Azure? on Getting Data In. 08-29-2018 07:26 AM
- Posted What have people's experiences been setting up Splunk in Azure? on Getting Data In. 08-29-2018 06:20 AM
- Posted How to append data to a lookup without overwriting anything AND also not adding duplicate data entries into the lookup? on Splunk Search. 08-08-2018 02:38 AM
- Tagged How to append data to a lookup without overwriting anything AND also not adding duplicate data entries into the lookup? on Splunk Search. 08-08-2018 02:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-31-2018
07:26 AM
Hi guys,
I've just set up a new SHC with the label shcluster1. Each search head and the deployer have this label. I've checked server.conf and can see it's definitely on all components of the SHC, yet the MC still doesn't pick this label up or display the Deployer on the overview screen.
I've added the deployer (and all search heads) as search peers of the MC so it knows the deployer's there as it lists it in the set up, however, it doesn't appear as a panel in the overview still! I can manually assign it the tag in the MC but it still won't display the machine in the overview.
Has anyone else ever had this problem or know what I can do to fix it?
Thanks,
... View more
10-31-2018
02:37 AM
Was a solution ever found for this because I'm getting the exact same issue.
... View more
08-29-2018
07:26 AM
Hi @pyro_wood,
I have looked at the conf presentation a few times but I noticed it's slightly old now so I was looking for some slightly newer opinions.
I know Azure has changed a lot in the last two years so I thought there could be some notable differences between then and now. The main one that springs to mind is Azure's introduction of managed data disks.
Cheers,
Robbie
... View more
08-29-2018
06:20 AM
Hi guys,
just a general question asking about what people's experiences have been when setting up a clustered splunk environment in Azure? (Or AWS as I imagine it's very similar).
Are there any things I specifically need to watch out for or any performance related things I should know about?
Cheers
... View more
08-08-2018
02:38 AM
Hi guys,
I was wondering if anyone knew of a method of appending data to a lookup, but not overwriting anything in the lookup AND also not adding duplicate data entries into the lookup?
Any suggestions would be helpful.
Cheers,
Robbie
... View more
06-13-2018
07:37 AM
1 Karma
Hi Chandras11
I don't know if I fully understand your question buuuuut I think what you need is:
index= "index1" sourcetype="ST1"
| search
[| inputlookup Mylookup.csv
| rename LUFieldA as fieldA
| fields FieldA]
| table fieldA, fieldB, fieldC
This will show you only the values (and all your tabled fields) that are in the lookup. If you wanted to exclude everything in the lookup from appearing in your search, you could use "| search NOT" instead of "| search"
Hope this helps.
... View more
06-13-2018
07:28 AM
1 Karma
Hi guys,
I am using the Splunk app for OpsGenie to allow me to send alerts directly to OpsGenie, however, I can't seem to get any custom fields to show in my alerts?
I've looked at: https://docs.opsgenie.com/docs/splunk-integration
I've tried adding:
Whatever:{{result.customfield}} into the description field in OpsGenie but still no luck.
Has anyone done this before that can advise me on the syntax I'm using? The custom field I'm trying to show is not an indexed field but a field generated from an eval statement in the alerting search, if that makes any difference.
Cheers,
Robbie
... View more
05-02-2018
06:59 AM
Hi xpac,
Thanks for trying to help but I don't think theres anything wrong with the log format. I think changing the logging settings on multiple domain controllers would be harder than just figuring out how to fix this timestamp issue.The TA deals with all field extractions fine, it's only failing on the timestamp.
Thanks!
... View more
05-02-2018
06:39 AM
Hi guys,
I've posted a sample DNS log with some random data:
02/05/2018 14:15:24 1264 PACKET 0000008AE9170080 UDP Rcv 0.0.0.0 7c4d Q [0001 D NOERROR] SRV (16)_kerberos-master(4)_tcp(3)RANDOM(3)CA0)
We're trying to ingest these logs into Splunk which has been partially successful. We began to ingest the data, however, the timestamps are taken incorrectly.
As we are in the UK 02/05/2018 should be the 2nd of May 2018 but it's only searchable as the 5th of February 2018. We are using the Microsoft DNS TA on a UF send the data via a heavy forwarder and then to the indexers. I've tried adding the below stanza to props.conf on the UF and the heavy forwarder but still the date only shows as the American Format. Anyone got any ideas on how to fix this?
[MSAD:NT6:DNS]
TIME_FORMAT = %d/%m/%Y
The default props.conf in the DNS TA doesn't have anything relating to timestamps which is also very confusing?
Any advice would be appreciated.
Cheers!
... View more
04-27-2018
02:55 AM
I'm not too sure about the specific roles you require but when I created my identity list in Splunk ES I followed the following steps:
http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Configurenewassetoridentitylist
I was also ESS_admin when I done this so that role should be enough I would think.
If this doesn't help you then any further info on your problem might help in trying to assist you.
Cheers!
... View more
03-14-2018
04:20 AM
If you wanted to do this for the top 10 customers then you could just change the limit to 10 in the top command etc etc.
... View more
03-14-2018
04:19 AM
1 Karma
You can try use the MAP command like this:
index=whatever sourcetype=whatever status=200 action=purchase
| top limit=1 clientip
| map search="search index=whatever sourcetype=whatever clientip=$clientip$ | stats count as totalPurchased by productId"
What this does is it will find out the top client IP and then pass that value to the map search and run that and get the info you want. This might not work as I've not tested the logic or anything yet but even if it doesn't, hopefully it points you in the right direction or something.
... View more
03-08-2018
01:52 AM
1 Karma
Hi guys,
This is a bit of a generic question but I thought I'd ask in case anyone had ever seen issues from Qualys like this before.
We currently ingest our data from Qualys 3 times a day (every 8 hours) using the Qualys TA, but I've found that sometimes in our data we just don't have certain scan results. For example, a scan runs from 1pm-3pm on a Friday and it scans 2000 hosts (as seen in qualys) but splunk only has data on 1500 hosts over that time frame,
Anyone seen anything like this before?
Any help/suggestions would be appreciated.
Cheers!
... View more
02-07-2018
06:07 AM
I want to find out which UF's have stopped logging in my estate, and while I try fix these UF's, I don't want a daily alert with the same results.
I only want to see any alerts if it's different UF's that have stopped reporting, I don't want to see any old results with the new results either as it might get difficult to track what is resolved and what isn't.
The end result is that a separate alert is created every time a new forwarder stops logging. I know how to write the search to find missing forwarders, does anyone know how I should compare results to only generate on new values?
Cheers.
... View more
02-05-2018
08:46 AM
Hi guys,
My goal is to remove part of my value to create a new value.
For example, I have a field called created_time = 1517789420.357994 . Does anyone know a way of getting newCreatedTime = 1517789420 ?
I basically just want the .* to go away!
Any help would be appreciated.
Cheers!
... View more
02-05-2018
07:25 AM
Although I did think the script looked okay at first because I was of the understanding that you don't typically use headers in get requests.
... View more
02-05-2018
07:24 AM
Yeah i see what you mean!
I'm new to Python so it might take me a while to work out how but I'll attempt to add the authorisation headers in the same way the POST commands did.
... View more
02-05-2018
07:08 AM
Okay, done 🙂
... View more
02-05-2018
07:08 AM
import urllib
import httplib2
import time
import re
from time import localtime,strftime
from xml.dom import minidom
import json
baseurl = 'splunkserver:8089'
username = 'user'
password = 'password'
# Step 1: Get a session key
servercontent = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/auth/login', 'POST',
headers={}, body=urllib.urlencode({'username':username, 'password':password}))[1]
sessionkey = minidom.parseString(servercontent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
print "====>sessionkey: %s <====" % sessionkey
# Step 2: Create a search job
searchquery = 'search index=notable | top limit=5 _time unique_id'
searchjob = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/search/jobs','POST',
headers={'Authorization': 'Splunk %s' % sessionkey},body=urllib.urlencode({'search': searchquery}))[1]
sid = minidom.parseString(searchjob).getElementsByTagName('sid')[0].childNodes[0].nodeValue
print "====>sid: %s <====" % sid
#Step 3: Get the search status
httplib2.Http(disable_ssl_certificate_validation=True).add_credentials(username, password)
servicessearchstatusstr = '/services/search/jobs/%s/' % sid
isnotdone = True
while isnotdone:
searchstatus = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + servicessearchstatusstr, 'GET')[1]
isdonestatus = re.compile('isDone">(0|1)')
isdonestatus = isdonestatus.search(searchstatus).groups()[0]
if (isdonestatus == '1'):
isnotdone = False
print "====>search status: %s <====" % isdonestatus
# Step 4: Get the search results
services_search_results_str = '/services/search/jobs/%s/results?output_mode=json&count=0' % sid
searchresults = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + services_search_results_str, 'GET')[1]
print "====>search result: [%s] <====" % searchresults
... View more
02-05-2018
06:02 AM
I've posted the full script in the answers.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
