Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About nishan_perera
nishan_perera
Explorer
Member since:
09-08-2014
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 09-08-2014 |
Activity Feed
- Got Karma for Re: How to get a specific country,state geoip results and ignore everything else. 06-05-2020 12:47 AM
- Posted Re: Strip "Original Address" text in splunk on Getting Data In. 01-14-2015 08:38 PM
- Posted Strip "Original Address" text in splunk on Getting Data In. 01-14-2015 07:42 PM
- Tagged Strip "Original Address" text in splunk on Getting Data In. 01-14-2015 07:42 PM
- Tagged Strip "Original Address" text in splunk on Getting Data In. 01-14-2015 07:42 PM
- Posted Re: How to get a specific country,state geoip results and ignore everything else on Splunk Search. 11-26-2014 08:16 PM
- Posted How to get a specific country,state geoip results and ignore everything else on Splunk Search. 11-26-2014 04:43 PM
- Tagged How to get a specific country,state geoip results and ignore everything else on Splunk Search. 11-26-2014 04:43 PM
- Tagged How to get a specific country,state geoip results and ignore everything else on Splunk Search. 11-26-2014 04:43 PM
- Tagged How to get a specific country,state geoip results and ignore everything else on Splunk Search. 11-26-2014 04:43 PM
- Tagged How to get a specific country,state geoip results and ignore everything else on Splunk Search. 11-26-2014 04:43 PM
- Posted How to extract Application Security Manager (ASM) fields in Splunk for F5 Security App? on All Apps and Add-ons. 11-19-2014 03:35 PM
- Tagged How to extract Application Security Manager (ASM) fields in Splunk for F5 Security App? on All Apps and Add-ons. 11-19-2014 03:35 PM
- Tagged How to extract Application Security Manager (ASM) fields in Splunk for F5 Security App? on All Apps and Add-ons. 11-19-2014 03:35 PM
- Posted Re: How to count each tupple values by day of the week on Splunk Search. 11-17-2014 04:13 PM
- Posted Re: How to count each tupple values by day of the week on Splunk Search. 11-17-2014 04:11 PM
- Posted Re: How to count each tupple values by day of the week on Splunk Search. 11-17-2014 04:11 PM
- Posted How to count each tupple values by day of the week on Splunk Search. 11-17-2014 02:42 PM
- Tagged How to count each tupple values by day of the week on Splunk Search. 11-17-2014 02:42 PM
- Tagged How to count each tupple values by day of the week on Splunk Search. 11-17-2014 02:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-14-2015
08:38 PM
when i check the syslog before it gets forwarded to splunk it looks like this.
2015-01-14 00:00:06 Local0.Info xx.xx.xxx.xx 1 2015-01-13T23:59:04.196+11:00.............
So splunk basically append "Original Address=" infront of the Source IP
... View more
01-14-2015
07:42 PM
Hi,
i would like to strip the "Original Address" Text that splunk appends. How do i do this ?
Original Address=xx.xx.x.x 1 2015-01-15T14:28:51.341+11:00.........................................
Cheers
... View more
11-26-2014
08:16 PM
1 Karma
Got it sorted.
host="x.x.x.x"| iplocation c_ip |search Country=Country Name AND Region!=""|timechart span=1h count by Region
... View more
11-26-2014
04:43 PM
Hi im running the following query,
host="x.x.x.x" XXXXXX | iplocation c_ip |geostats count by City
I want to get state by state for a specific country and ignore everthing else. I'm able to do this this eval Region="xx", but since i have around 10 states in the country it dosent work. It only works if only one eval is there.
what i want ot get is something like below
e.g: Country Region
CountryName region1
region2
region3
region4
region5
Any help would be much appreciated.
... View more
11-19-2014
03:35 PM
HI ,
I got asm logs coming from F5 to the kiwi syslog server and forwarding it to splunk server. Below is the asm message sample i get from the kiwi.
Nov 19 21:08:40 x.xx.xx.xx Original Address=xx.x.x.xx Nov 19 10:08:40 ASM:"2014-11-19 10:08:39","x.x.xx.xxx","Response logging disabled","Error","Session Hijacking","","<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>54</viol_index><viol_name>VIOL_COOKIE_MODIFIED</viol_name><referrer_obj>1229782938247303441</referrer_obj><cookie><cookie_name>SlNFU1NJT05JRA==</cookie_name><cookie_value>MjgzNkU3NEMzRUVBMTA5RDRGRTlBNTdBMTJBNjRGMTk=</cookie_value><is_new_cookie>1</is_new_cookie><staging>0</staging></cookie></violation></request-violations></BAD_MSG>"
Nov 19 23:16:31 xx.x.x.xx Original Address=x.x.x.xx Nov 19 12:16:30 ASM:"2014-11-19 12:16:30","xx.xxx.xx.xx","Response logging disabled","Error","Forceful Browsing","","<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>38</viol_index><viol_name>VIOL_URL</viol_name></violation></request-violations></BAD_MSG>"
But in F5 security app, the fields are not extracting. I havent set a profile in F5 since its send to kiwi. How do i extract the fields? I'm using splunk 6.2 and f5 latest versions.
... View more
11-17-2014
04:13 PM
this is also works, but you need to click the day inorder to go to the view i want. but yeah i can reuse your query to get the values i'm after and saving into a CSV file. thanks for the help
... View more
11-17-2014
04:11 PM
true , i should get rid of that
... View more
11-17-2014
04:11 PM
this works , but the day get repeated for each value. but i think this is what i after. Cheers for the help
... View more
11-17-2014
02:42 PM
I got a query like this,
%asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats values(denyTuppleValue),count(denyTuppleValue) by date_wday
Result
date_wday values(denyTuppleValue) count(denyTuppleValue)
wednesday xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx 520
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
thursday xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx 10
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
But i need to get the count for each denyTuppleValue not the count for the day. Which would look like
date_wday values(denyTuppleValue) count(denyTuppleValue)
wednesday xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx 110
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx 20
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx 130
Any ideas would be much apprecieated.
... View more
