Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About aalanisr26
aalanisr26
Path Finder
Member since:
12-11-2013
06-05-2020
Community Statistics
| Posts | 32 |
| Solutions | 2 |
| Karma Given | 7 |
| Karma Received | 25 |
| Member Since | 12-11-2013 |
Activity Feed
- Karma Re: OPSEC LEA lea-loggrabber is giving a Segmentmention Error for rbell54. 06-05-2020 12:49 AM
- Karma Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field? for richgalloway. 06-05-2020 12:47 AM
- Karma Re: Query changes dynamically with selected index names? for stephane_cyrill. 06-05-2020 12:47 AM
- Karma Re: Is it possible to use an extracted field inside a regex? for rsennett_splunk. 06-05-2020 12:47 AM
- Karma Re: Work out the duration between two fields for woodcock. 06-05-2020 12:47 AM
- Karma Captain Skipping Configuration Replication for rafamss. 06-05-2020 12:47 AM
- Got Karma for Re: When is Cheryl's Bday?... According to Splunk. 06-05-2020 12:47 AM
- Got Karma for Re: Search for value in field after stripping characters. 06-05-2020 12:47 AM
- Got Karma for Re: Search Head Cluster: How to manage new roles between Search Head Cluster Members?. 06-05-2020 12:47 AM
- Got Karma for Re: Search Head Cluster: How to manage new roles between Search Head Cluster Members?. 06-05-2020 12:47 AM
- Got Karma for Re: Search Head Cluster: How to manage new roles between Search Head Cluster Members?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an average on the position for each value in events (ex: Dog = position 1 and 5, Average for Dog = 3)?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an average on the position for each value in events (ex: Dog = position 1 and 5, Average for Dog = 3)?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an average on the position for each value in events (ex: Dog = position 1 and 5, Average for Dog = 3)?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an average on the position for each value in events (ex: Dog = position 1 and 5, Average for Dog = 3)?. 06-05-2020 12:47 AM
- Got Karma for Re: When is Cheryl's Bday?... According to Splunk. 06-05-2020 12:47 AM
- Got Karma for Re: When is Cheryl's Bday?... According to Splunk. 06-05-2020 12:47 AM
- Got Karma for Re: When is Cheryl's Bday?... According to Splunk. 06-05-2020 12:47 AM
- Got Karma for Re: When is Cheryl's Bday?... According to Splunk. 06-05-2020 12:47 AM
- Got Karma for Re: Urgent !! Complex case statements in eval. 06-05-2020 12:47 AM
Topics I've Started
02-22-2018
12:24 PM
did you downgrade to version 3.x?
or you are still using version 4.x?
Part of the functionality we want was enabled after 4.0, but if they told you to go back to three it is not an option for us.
... View more
02-22-2018
08:45 AM
I'm experiencing the exact same behavior, did you find a solution to this?
... View more
11-17-2015
09:36 AM
same issue here
... View more
05-28-2015
12:10 PM
1 Karma
Ok assuming the following dataset:
05/28/2015 1:00PM User=A Usage=10 Status=Start
05/28/2015 2:00PM User=A Usage=15 Status=In progress
05/28/2015 3:00PM User=A Usage=25 Status=In progress
05/28/2015 4:00PM User=A Usage=30 Status=Stop
05/28/2015 2:00PM User=B Usage=15 Status=Start
05/28/2015 3:00PM User=B Usage=20 Status=In Progress
05/28/2015 4:00PM User=B Usage=25 Status=Stop
try the following query:
source="sample.log" sourcetype="sample" |stats sum(Usage) as Usage1 by _time |streamstats max(Usage1) as Usage2 current=f |eval TotalUsage=Usage1-coalesce(Usage2,0)
... View more
04-29-2015
07:41 AM
Try This: use "range"
<single>
<search>
<query>index = main mysearchcriteria|stats count by host | rangemap field=count low=0-10 high=50-96 default=severe</query>
<earliest>-24h</earliest>
</search>
<option name="field">host</option>
<option name="classField">range</option>
</single>
... View more
04-28-2015
01:42 PM
yes, you can enable the index and forward option but this will work to forward to another splunk indexer because the data has been already cooked. The alternative is to use props and transfrorms to change the routing to use syslog to avoid additional splunk headers.
... View more
04-24-2015
09:53 AM
Alternative would be to use regular expression:
index="test" regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.+)\?"
stats count by url | sort -count
... View more
04-24-2015
09:50 AM
1 Karma
have you try
faup app:
https://splunkbase.splunk.com/app/1545/
this my help you handling urls
... View more
04-22-2015
02:43 PM
3 Karma
This is a tricky one, the authorize.conf is where the roles are defined, so what we do is create an application called
auth_dev
and we include in the default folder two files:
authorize.conf
authentication.conf
in authorize.conf we define the role:
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
srchMaxTime = 0
in authentication.conf we define the map for ldap group:
[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP
Then we push this app from the deployer.
The thing you need to consider is local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we cant update this file form the deployer, but once we set it up the first time, we dont need to modify it anymore:
so in your etc/system/local/authentication.conf for all your search heads you will have something like:
[authentication]
authSettings = MYCOMPANY-LDAP-DEV
authType = LDAP
[MYCOMPANY-LDAP-DEV]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com
bindDNpassword = ****$1$H#shedPasword=****
charset = utf8
groupBaseDN = ou=groups,dc=mycompanydomain,dc=com
groupBaseFilter = (cn=SOME_AD*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.mycompany.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = ou=people,dc=mycompany,dc=com
userNameAttribute = cn
emailAttribute = mail
bindDN password will be different on each SH.
next time you need to add another role just modify the auth_dev app and that is it
... View more
04-22-2015
02:29 PM
The easiest way would be to change the external script to include the header, but if this is not an option we need to fix the lookup to force "host" header, this is what I would do:
|inputlookup puppet_results.csv | transpose|transpose|eval host='row 1'| fields - "row 1",column | outputlookup puppet_resultswithheader.csv
that would fix the column name as host and use the first value you had before as a value not as a header.
then you can run your query:
index=_internal | dedup host | inputlookup append=t puppet_resultswithheader.csv | stats count by host | where count < 2
... View more
04-21-2015
12:48 PM
index=blah HOST1 OR HOST2 pam_unix session opened
|rex field=_raw "\d+\sPM\s(?\w+)"
|rex field=_raw "for\suser\s(?\w+)"
|transaction startswith=HOST1 endswith=HOST2 maxevents=2 keepevicted=true
|where closed_txn==0
this will give you any user that opened a session in host2 but not in host1
... View more
04-20-2015
11:43 AM
the index=win|head 2|
was just for testing purposes but I get the idea right?
... View more
04-20-2015
11:31 AM
4 Karma
index=win |head 2| eval animals="Dog,Dog,Dog,Cat,Horse,Rabbit,Zebra"|eval animals= split(animals,",") |eval eventno=1 |accum eventno |mvexpand animals |streamstats count by eventno |stats avg(count) by animals
... View more
04-16-2015
01:37 PM
if for example you have:
First Kind of event,Some More field,Authentication,7,More,More
Second Kind of event,Data,Data,Data,Data,Data,Data,LogOFF,7,More,More
if you want to get the 7
(Authentication\,\d+|LogOFF\,\d)
... View more
04-16-2015
11:30 AM
Probably when you installed the UF on that server all options were checked durting the installation, so that UF is trying to collect information from Active Directory, Peformance monitor, Network etc.
If you just want to enable windows event logs : System, Security and Application, you need to make sure the rest of the inputs are disabled
go to apps/Splunk_TA_Windows/local/inputs.conf and make sure the additional ones are disabled=true
... View more
04-16-2015
08:30 AM
check the tailing status of that directory:
Open a browser to:
https://serverwithuniversalforwarder:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus
... View more
04-16-2015
07:59 AM
It should work on windows as well, the call is made through the pyton script.
One thing you need to check is if there is a proxy setting on your infrastructure. In our case we needed to change the python script for that purpose:
conn = httplib.HTTPSConnection("myproxyservername",8080,timeout=3600)
conn.set_tunnel(restUri,443)
params = urllib.urlencode({"startDate": lastTime['splunk'],"limit":settings['limit']})
conn.request("GET",settings['endpoint'] + '?' + params,"",headers)
response = conn.getresponse()
... View more
04-16-2015
07:44 AM
6 Karma
Well I think this is a perfect question for Splunk! you have 2 different sources: Albert and Bernard and you need to figure out a way of correlating the information of these two sources so I decided to give it a try and this is what I got:
1)First I created a CSV file with the dates Cheryl provided as input for them:
Month,Day
5,15
5,16
5,19
6,17
6,18
7,14
7,16
8,14
8,15
8,17
2)The first clue is that Albert (who only knows the Month) Knows that Bernard doesn't know. This means that we need to discard months with a unique day otherwise Bernard would know. This translate to splunk to:
|inputlookup dates.csv|stats count by Day |where count=1 | lookup dates.csv Day OUTPUT Month|fields Month
this will give us the Months we need to discard (May,June)
3)Now we can get a reduced list of the potential valid dates once we remove the dates from May and June:
|inputlookup dates.csv
|search NOT [|inputlookup dates.csv|stats count by Day |where count=1 | lookup dates.csv Day OUTPUT Month|fields Month]
4)From that reduced list Bernard was able to figure out the month because the Day he knew appeared only once in either July or Aug:
So we want this additionally reduced list:
|inputlookup dates.csv
|search NOT [|inputlookup dates.csv|stats count by Day |where count=1 | lookup dates.csv Day OUTPUT Month|fields Month]
|stats values(Month) AS Month,count by Day| where count=1
Now we have reduced the list to three potential dates: 7/16, 8/15 and 8/17
4)If Albert was able to figure out the date because the month he knew only gave him 1 option, so we need to get the month with only one possible date:
|inputlookup dates.csv
|search NOT [|inputlookup dates.csv|stats count by Day |where count=1 | lookup dates.csv Day OUTPUT Month|fields Month]
|stats values(Month) AS Month,count by Day| where count=1
|stats values(Day) as Day,count by Month |where count=1
So Cheryl's Bday is July 16th
is this the best way to correlate the information?
Best Regards
... View more
04-16-2015
07:24 AM
1 Karma
I have removed the answer from the question and I will put it on the answer now
... View more
04-15-2015
04:43 PM
9 Karma
Well this is interesting, as you know there is a logic problem posted in many sites about the age of a girl named Cheryl:
The problem goes like this:
Albert and Bernard just met Cheryl.
“When’s your birthday?” Albert asked Cheryl. Cheryl thought a second
and said, “I’m not going to tell you, but I’ll give you some clues.”
She wrote down a list of 10 dates:
May 15, May 16, May 19 June 17, June 18 July 14, July 16 August 14, August 15, August 17
“My birthday is one of these,” she said.
Then Cheryl whispered in Albert’s ear the month — and only the month — of her birthday.
To Bernard, she whispered the day, and only the day.
“Can you figure it out now?” she asked Albert.
Albert: I don’t know when your birthday is, but I know Bernard doesn't know, either.
Bernard: I didn't know originally, but now I do.
Albert: Well, now I know, too!
When is Cheryl’s birthday?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
