×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
98123722
Explorer
Member since: ‎07-20-2017
‎06-05-2020
Community Statistics
Posts 5
Solutions 1
Karma Given 1
Karma Received 3
Member Since ‎07-20-2017
Activity Feed
View All

Re: Deploy custom script, then upload the results

by in Getting Data In
‎11-19-2017 04:08 PM
1 Karma
‎11-19-2017 04:08 PM
1 Karma
The easiest ways I can think that would solve this for you (If I understand the question correctly), would be to either monitor stdout of the netstat script, or write the results to a file and monitor that file. Here are some suggested steps: -Create a new app. Follow the instructions for Scripted Inputs. In general: Under /etc/deployment-apps/ , create a new app, for example: myapp . Under /etc/deployment-apps/myapp/bin , place your .sh script. Out of the box, Splunk should be able to run it. Make sure to add the correct interpreter in the first line (usually /bin/bash). You can output the script to a file, and have Splunk monitor that file (“Writing data to a file for indexing”). Another – quick – alternative would be to echo your netstat results to stdout (“Streaming data”). The Splunk service, which runs your script, will watch stdout and will send it back to the indexer as a single event. ... View more

Re: Fields Extraction Issue - CSV file Batch Uploa...

by in Getting Data In
‎11-19-2017 12:21 PM
‎11-19-2017 12:21 PM
I've gone into a bit of a rabbit hole here. I'll update this answer until this task is complete. For now: it IS possible to extract at the source (i.e. the server on which the UF is deployed). I've successfully used INDEXED_EXTRACTIONS for this, as explained here. The problem is that only the first field of the CSV is extracted. I'll keep this post updated. ... View more

Re: Avoiding a double-lookup for an efficient sear...

by in Splunk Search
‎11-09-2017 07:10 AM
‎11-09-2017 07:10 AM
Thanks! worked perfectly. ... View more

Fields Extraction Issue - CSV file Batch Upload vi...

by in Getting Data In
‎11-09-2017 07:09 AM
2 Karma
‎11-09-2017 07:09 AM
2 Karma
This is driving me nuts 🙂 Trying to index a CSV file which a server creates once an hour (in this case this is DHCP assignment, but can be anything else -- note that I'm not looking for a specific info on bringing in DHCP data, but rather a general answer on CSV indexing). I've created a deployment app for it, with the following conf files. The data is uploaded and is indexed, but the fields aren't extracted in the search (see below screenshot). local\inputs.conf: [batch://C:\users\batchUser\Survery\computer_information.csv] sourcetype = ADSurvey disabled = false index = wineventlog move_policy = sinkhole interval = 5 local\props.conf: [ADSurvey] SHOULD_LINEMERGE = false TRANSFORMS-ADSurvey = dhcp_csv CHECK_METHOD = entire_md5 local\transforms.conf: [dhcp_csv] DELIMS = "," FIELDS = "DNSHostName","IPv4Address","OperatingSystem","SamAccountName","whenCreated","whenChanged","Modified","objectSid","IPv6Address","OperatingSystemVersion" My search doesn't seem to recognize the extracted fields: ... View more

Avoiding a double-lookup for an efficient search

by in Splunk Search
‎07-20-2017 07:49 AM
‎07-20-2017 07:49 AM
A user is only allowed to log in from one of their AllowedPlatform: userAllowedPlatform.csv | User | AllowedPlatform | +----------+-----------------+ | Mike | PC | +----------+-----------------+ | Mike | iPad | +----------+-----------------+ | Andrew | PC | +----------+-----------------+ | Jennifer | iPad | +----------+-----------------+ | Jennifer | iPhone | The following datasets shows all user activities: | User | PlatformUsed | +----------+--------------+ | Mike | PC | +----------+--------------+ | Mike | iPad | +----------+--------------+ | Mike | iPhone | +----------+--------------+ | Jennifer | iPad | +----------+--------------+ | John | iPhone | To find out who uses a platform that's not AllowedPlatform, I run a simple lookup for Users in the dataset against userAllowedPlatform.csv: index="userLogs" | lookup userAllowedPlatform.csv User AS User, AllowedPlatform as PlatformUsed OUTPUT AllowedPlatform as PlatformUsed_Violation | eval description=if(isnull(PlatformUsed),PlatformUsed_Violation,description) | where NOT len(PlatformUsed_Violation) >1 Which gives me ALL unmatching results: | User | PlatformUsed_Lookup | +------+---------------------+ | Mike | iPhone | +------+---------------------+ | John | iPhone | My goal is perform this but exclude entries that are not part of userAllowedPlatform.csv (John, in this case). I can take the above results and match them again against userAllowedPlatform.csv, this time to remove entries with users that are not in userAllowedPlatform.csv, but this seems to me inefficient and over-complicated. Looking for a simple and efficient way of solving this. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All