Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About iiooiiooiioo
iiooiiooiioo
Explorer
Member since:
04-01-2020
01-05-2021
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 12 |
| Karma Received | 2 |
| Member Since | 04-01-2020 |
Activity Feed
- Posted How does one post a link to a Splunk report to a Slack Channel? on Reporting. 01-05-2021 11:22 AM
- Karma Re: Why is host=myhost giving no results? for mguhad. 06-05-2020 12:51 AM
- Karma Re: Why is host=myhost giving no results? for woodcock. 06-05-2020 12:51 AM
- Karma Re: Why is host=myhost giving no results? for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: Why doesn't my rename work? Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+. for richgalloway. 06-05-2020 12:51 AM
- Karma Re: Is there a "zip_longest" like function in Splunk? for to4kawa. 06-05-2020 12:51 AM
- Karma Re: Why do I not see data in my search's visualization? for mitag. 06-05-2020 12:51 AM
- Got Karma for Re: Why do I not see data in my search's visualization?. 06-05-2020 12:51 AM
- Got Karma for Re: Why do I not see data in my search's visualization?. 06-05-2020 12:51 AM
- Karma What are the basic troubleshooting steps in case of universal forwarder and heavy forwarder not forwarding data to Splunk? for dkolekar_splunk. 06-05-2020 12:50 AM
- Karma Re: What are the basic troubleshooting steps in case of universal forwarder and heavy forwarder not forwarding data to Splunk? for dkolekar_splunk. 06-05-2020 12:50 AM
- Karma Why is my search not populating the visualization tab with data? for rwells. 06-05-2020 12:48 AM
- Karma Re: Why is my search not populating the visualization tab with data? for sundareshr. 06-05-2020 12:48 AM
- Karma sort by Time desc for shangshin. 06-05-2020 12:46 AM
- Karma Re: sort by Time desc for Ayn. 06-05-2020 12:46 AM
- Posted Re: Why do I not see data in my search's visualization? on Dashboards & Visualizations. 04-09-2020 11:35 AM
- Posted Re: Why do I not see data in my search's visualization? on Dashboards & Visualizations. 04-09-2020 11:27 AM
- Posted Why do I not see data in my search's visualization? on Dashboards & Visualizations. 04-09-2020 10:43 AM
- Tagged Why do I not see data in my search's visualization? on Dashboards & Visualizations. 04-09-2020 10:43 AM
- Tagged Why do I not see data in my search's visualization? on Dashboards & Visualizations. 04-09-2020 10:43 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-05-2021
11:22 AM
Hi, I am an occasional splunk developer. Its seems like maybe once a year management ask me to do something with Splunk so I don't get to use Splunk enough to be proficient at all. Today I got assigned a task where management wants a particular report posted to a slack channel. After about 2 hours of doing web searches and reading on line documentation I still have no clue how I would go about getting a link to this Splunk report posted to a slack channel. Please any help will be appreciated.
... View more
Labels
- Labels:
-
saved search
-
scheduled search
04-09-2020
11:35 AM
1 Karma
I am using this search now:
host=app-dev-001 rehire OR terminating OR new_hire OR "changes supervisor" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats count(rehire) count(term_user) count(newhire) count(super_change) by date
... View more
04-09-2020
11:27 AM
1 Karma
Doh you are exactly right. I will modify my search to generate numerical counts.
... View more
04-09-2020
10:43 AM
I have this search:
host=app-dev-001 rehire OR terminating OR new_hire OR "changes supervisor" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS date | sort date | table date rehire term_user new_hire super_change
and I get results:
date rehire term_user new_hire super_change
4/9/20 17:31 okaalsnd
4/9/20 17:31 nineanls
4/9/20 17:31 mcahmcui
4/9/20 17:31 ogrga
4/9/20 17:31 arjsgasp
4/9/20 17:31 cbldenia
4/9/20 17:31 rekenid
4/9/20 17:31 luchgoja
4/9/20 17:31 uhsig
4/9/20 17:31 huanecdc
4/9/20 17:31 erni
4/9/20 17:31 stlieez.
4/9/20 17:31 tmaonlhe.
4/9/20 17:31 joedbers.
4/9/20 17:31 inbhdrre.
4/9/20 17:31 grarcacm.
4/9/20 17:31 2loj.
4/9/20 17:31 vavmeass.
4/9/20 17:31 wuelnjoo.
4/9/20 17:31 mhabin
4/9/20 17:31 cleadmra
4/9/20 17:31 nenahna
4/9/20 17:31 nbveteen
4/9/20 17:31 (sonaliue) changes supervisor from enfkaoi/id=83802 to fakesuper/id=42
4/9/20 17:31 (adkcuohh) changes supervisor from mhanaesr/id=134685 to fakesuper/id=42
4/9/20 17:31 (kvganeng) changes supervisor from nbynae/id=88564 to fakesuper/id=42
4/9/20 17:31 (ccncecpo) changes supervisor from hkdywaav/id=68086 to fakesuper/id=42
4/9/20 17:31 (jefai) changes supervisor from gawzignh/id=1163 to fakesuper/id=42
4/9/20 17:31 (uralsa) changes supervisor from rjajaaay/id=527197 to fakesuper/id=42
But when I click on the visualization table I get an empty graph.
... View more
04-08-2020
01:37 PM
awesome thanks! That's just what I needed.
... View more
04-08-2020
12:37 PM
I have this search/report:
host=app-dev-001 terminating OR rehire | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table date rehire term_user
This gives me this result:
I would like to get term_user values to start showing up on row 1.
Is there something like python's zip_longest function?
import itertools
for u1, u2 in itertools.zip_longest(l1, l2):
... print(u1, u2)
...
omikusarl ahubshs
chasinnb egathnls
yeanvked mfdhaaar
kkldjuga iuvdcahe
aarehdv swusrbib
vikdho3n rcathrki
None jduakdf
None loidjht
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
table
04-08-2020
11:29 AM
I have a script that writes data that looks like this to a log file.
I have this search:
host=sfo-app-dev-001 terminating OR new_hire OR rehire OR "changes supervisor"
and I get these results:
"2020-04-08 17:34:53,589:INFO: User id 135062 (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42", ...
...
"2020-04-08 17:34:53,574:INFO: User id 854526 (loovkosg) changes supervisor from eisetpl/id=446070 to fakesuper/id=42", ...
"2020-04-08 17:34:52,892:INFO: rehire pabisanh.", ...
...
"2020-04-08 17:34:52,891:INFO: rehire dadhre.", ...
"2020-04-08 17:34:52,214:INFO: new_hire grdorimg.", ...
...
"2020-04-08 17:34:52,214:INFO: new_hire bokdtaua.", ...
"2020-04-08 17:34:51,514:INFO: terminating hluhsha", ...
...
"2020-04-08 17:34:51,496:INFO: terminating auamjmo", ...
I would like to generate a report that puts the all the terminated users, new hire users, re-hired users and supervisor changes into a report that has columns for the terminated users, new hire, re-hires and supervisor changes.
(Sorry for the crappy formatting)
Terminations New Hires Re-hires Super Changes
| hluhsha | grdorimg | pabisanh | (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42 |
| auamjmo | bokdtaua | wjtorkuo | (forecscf) changes supervisor from bucreah/id=62931 to fakesuper/id=42 |
| arkgmu2i | tsoh | - | (kaprsaer) changes supervisor from cstiobs/id=127168 to fakesuper/id=42 |
| ivargda | lkrnluei | | (nfntecoo) changes supervisor from arhreinn/id=561422 to fakesuper/id=42 |
| | ontaguh | | |
| | oaomkha | | |
I have tried this search:
host=sfo-app-dev-001 terminating OR new_hire OR rehire OR "changes supervisor" | table term_users newhires rehires super_changes
But I really do not understand how to create custom fields. I have tried to use the "Extract New Fields" wizard but cannot seem to get it to do what I need.
... View more
Labels
- Labels:
-
other
04-07-2020
10:36 AM
I have this splunk search:
host=app-dev-001 terminating | convert timeformat="%Y-%m-%d" ctime(_time) AS date | sort term_user | rename term_user AS 'Terminated User'
When I run it I get this error:
Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+.
This search works:
host=app-dev-001 terminating | convert timeformat="%Y-%m-%d" ctime(_time) AS date | sort term_user | table term_user
I get results that look like:
... View more
04-01-2020
01:33 PM
Here is an update to my original post. Here are the locations of the inputs.conf and outputs.conf file I have on "myhost":
[root@myhost splunkforwarder]# pwd
/apps/splunkforwarder
[root@myhost splunkforwarder]# find . -name inputs.conf
./etc/system/default/inputs.conf
./etc/system/local/inputs.conf
./etc/apps/search/local/inputs.conf
./etc/apps/SplunkUniversalForwarder/default/inputs.conf
./etc/apps/introspection_generator_addon/default/inputs.conf
./etc/apps/splunk_httpinput/default/inputs.conf
[root@myhost splunkforwarder]# find . -name outputs.conf
./etc/system/default/outputs.conf
./etc/apps/SplunkUniversalForwarder/default/outputs.conf
./etc/apps/fwd-2-dev-indexers/default/outputs.conf
... View more
04-01-2020
01:27 PM
Thanks for the reply!
Here's what I tried:
[root@myhost bin]# ./splunk show default-hostname
Default hostname for data inputs: myhost.
Then I tried this search:
index=main host=myhost
But I still got no results.
... View more
04-01-2020
01:24 PM
Thanks for the reply. But I do not seem to have the varlog_input directory on my server:
[root@myhost etc]# pwd
/apps/splunkforwarder/etc
[root@myhost etc]# ls -l | grep varlog
[root@myhost etc]#
[root@myhost etc]# env | grep -i SPLUNK_HOME
[root@myhost etc]#
... View more
04-01-2020
12:26 PM
Sorry for the complete noob question. But I have had this splunk project dropped on me and I need to spin up fast.
I have added a monitor on "myhost" like so:
[root@myhost bin]# pwd
/apps/splunkforwarder/bin
[root@myhost bin]# ./splunk add monitor /var/log/foo/
Your session is invalid. Please login.
Splunk username: admin
Password:
Added monitor of '/var/log/foo'.
That was yesterday.
I executed a script that writes data to a log file that is in the /var/log/foo directory on myhost.
But when I execute this search host=myhost I get zero results.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-05-2021
11:04 PM
|
