Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jchampagne
jchampagne
Path Finder
Member since:
01-27-2012
06-05-2020
Community Statistics
| Posts | 30 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 14 |
| Member Since | 01-27-2012 |
Activity Feed
- Got Karma for In-Page Drilldown - How to hide input using javascript?. 06-05-2020 12:47 AM
- Got Karma for In-Page Drilldown - How to hide input using javascript?. 06-05-2020 12:47 AM
- Got Karma for In-Page Drilldown - How to hide input using javascript?. 06-05-2020 12:47 AM
- Got Karma for Custom Dashboard/Form - Don't require all input fields to search. 06-05-2020 12:47 AM
- Got Karma for Custom Dashboard/Form - Don't require all input fields to search. 06-05-2020 12:47 AM
- Karma Re: Conditional Alert - Minimum Results AND Rises By for jcoates_splunk. 06-05-2020 12:46 AM
- Karma Re: When logging in, an error appears: "The splunkd daemon cannot be reached by splunkweb" for ChrisG. 06-05-2020 12:46 AM
- Karma Re: When logging in, an error appears: "The splunkd daemon cannot be reached by splunkweb" for ii_splunk. 06-05-2020 12:46 AM
- Karma Re: Why are there decommissioned instances listed in the S.o.S. pulldown for "server to query?" for hexx. 06-05-2020 12:46 AM
- Got Karma for Return a set of events that occur after a specific event. 06-05-2020 12:46 AM
- Got Karma for Return a set of events that occur after a specific event. 06-05-2020 12:46 AM
- Got Karma for Re: Return a set of events that occur after a specific event. 06-05-2020 12:46 AM
- Got Karma for Re: how to update the geoip database for the Geo Location lookup script?. 06-05-2020 12:46 AM
- Got Karma for Re: how to update the geoip database for the Geo Location lookup script?. 06-05-2020 12:46 AM
- Got Karma for Re: how to update the geoip database for the Geo Location lookup script?. 06-05-2020 12:46 AM
- Got Karma for Re: how to update the geoip database for the Geo Location lookup script?. 06-05-2020 12:46 AM
- Got Karma for Re: how to update the geoip database for the Geo Location lookup script?. 06-05-2020 12:46 AM
- Got Karma for Remove group name showing in panel headers when using tabs and switcher module. 06-05-2020 12:46 AM
- Posted Re: When logging in, an error appears: "The splunkd daemon cannot be reached by splunkweb" on Security. 07-03-2014 06:25 AM
- Posted Custom Dashboard/Form - Don't require all input fields to search on All Apps and Add-ons. 07-02-2014 02:16 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 |
07-02-2014
02:16 PM
2 Karma
I've created a custom dashboard with a search form. I've got several input fields for users to search with, however I cannot set the default value to * because not every field appears in every row.
If I leave the fields blank, Splunk will leave out the token from my search string...which is what I want. However, the first time I try to run a search, my results panel sits at "Search is waiting for input..." until I fill in all of my input fields. All subsequent searches don't require a value in every field.
If I use * in each field, events that are missing a field are omitted from the results. The only other way I can think to get around this is to use fillnull on my result set. However, that seems like an intense search to me, as Splunk would need to grab all my results, fill in the null values, and then do a second search.
... View more
07-02-2014
01:24 PM
3 Karma
I'm trying to follow the "In-Page Drilldown with Perma-linking" example in the 6.x Dashboard Examples App.
In the XML, an input is created to store the drill-down value. In the comments it says that you need to use javascript to then hide the input. There is no example of this in the corresponding Javascript, it only hides the detail panel. How do I hide the input?
... View more
07-01-2014
09:50 AM
I am having the same problem
... View more
10-21-2013
09:03 AM
I've having a problem with S.O.S. where one of my two indexers (in a cluster) is getting listed twice in the deployment topology view and various pull-downs. It is listed once with all uppercase letters and a second time with all lowercase letters.
How do I fix this?
... View more
05-10-2013
10:59 AM
That works perfectly! I'm going to go with this solution, as this particular log has less than 5k events per day and only a handful of login events. Thanks for your help!
... View more
05-10-2013
08:33 AM
If I'm understanding the logic, you're saying to run a periodic search that looks for the first login and outputs that value to a table. Then in in second search, read the time of that event back in and exclude it?
... View more
05-10-2013
08:09 AM
I like the logic of this query, however it isn't working for me. When I run it with both piped sections, I get a number of matching events, but no results are displayed.
If I take off the where clause, I see all of my matching events, however the firsttime field is different for each result. In each row, firsttime is matching the _time for that row...it isn't a global value for the entire resultset. I think this is why the where clause is failing to return any results.
... View more
05-09-2013
02:47 PM
I need to setup a conditional alert with the following criteria:
- The number of results returned from my search must be greater than 1
- Only generate a new alert if the result count increases by 1
For example, in my log, it is normal to see a login event at the beginning of each day. However, if I see more than one login event, I want to get an alert because this means the client is getting disconnected. This is where the event count is greater than 1 kicks in.
I want to receive an alert upon each occurence of this login event beyond the first event. This is where the result count increases by 1 kicks in.
How can I create a custom alert condition that uses both the "Number of events is greater than" as well as the "Number of events rises by" conditions?
... View more
02-20-2013
01:45 PM
I've implemented this change, hoping to get the local splunk logs from my heavy forwarders into my main indexer. However, I'm still not seeing anything. After doing some more checking, I've noticed that the _internal index on the heavy forwarders has no events.
Why would my heavy forwarders not be indexing their splunk log files by default?
... View more
02-07-2013
10:46 AM
The way I implemented this was to create a new App that contained my lookup csv as well as the tranforms.conf that references the lookup file. We'll call this "App-syslog-lookup". The permissions on that app were set to allow the files to be shared with all other Splunk apps. This allows me to reference the same lookup file from multiple apps.
I then edited the props.conf inside each app that I want to do a lookup with. As long as you have "App-syslog-lookup" shared with other apps, you can reference the stanza, syslog_facility_severity_codes, from your props.conf and do a lookup.
... View more
02-07-2013
10:42 AM
You must already be extracting the syslog code from your events as a field called "syslog_code". I added the following lines to my files to make that happen:
PROPS.conf
- Under the stanza for my sourcetype:
REPORT-ExtractSyslogCode = extract_syslog_code
TRANSFORMS.conf
- New stanza called [extract_syslog_code]
[extract_syslog_code]
REGEX = ^<(\d+)>
FORMAT = syslog_code::$1
... View more
02-07-2013
10:41 AM
Create a tranforms.conf that references your lookup:
[syslog_facility_severity_codes]
filename = syslog-codes.csv
In props.conf, add the following line to the stanza of any sourcetype that you want to do the lookup for:
LOOKUP-SyslogCode = syslog_facility_severity_codes code AS syslog_code OUTPUTNEW facility AS facility, severity AS severity
... View more
02-07-2013
10:37 AM
There is definitely a more "fancy" way of doing this via a scripted lookup that does a matrix search, but I didn't want to spend the time doing that...so here is what I did...
I created a CSV that contains all of the Syslog codes as well as two corresponding columns, one for the facility, and one for the severity. I'll see if I can post the whole thing in another message, but this is basically what it looks like:
code,facility,severity
0,kernel,emergency
1,kernel,alert
2,kernel,critical
... View more
10-18-2012
07:43 AM
Thanks Nick!
I think I want to go the CSS route. Is is possible to add code to the dashboard header tag using Sideview?
Jeff
... View more
10-17-2012
11:20 AM
1 Karma
I'm using the tabs and switcher module in Sideview utils to control other modules on the page. However, the default group is being shown as a header for every panel. How can I remove this?
... View more
10-17-2012
07:30 AM
5 Karma
If you want to upgrade the database:
1. Go to: http://www.maxmind.com/en/geolite
2. Download the GeoLiteCity database in binary format
3. Unzip the package
4. Replace the existing database file in $SPLUNK_HOME\etc\apps\MAXMIND\bin\
... View more
10-03-2012
03:56 PM
I'm having an issue renaming column headers with the SimpleResultsTable in Sideview Utils. If I use a PostProcess module and add:
| rename _time as "Time", src_user as "User", Client_Friendly_Name as "Access Point"
I can then push that to my table and see the columns. However, they aren't in the order I want. If I specify the order in the "fields" parameter of the SimpleResultsTable module, only the columns without spaces in the names are displayed...even if I use quotes.
How can I rename the column headers (fields) and choose the order I want them displayed in?
... View more
09-17-2012
12:35 PM
I was having this same problem on my Windows hosts, I tried to manually run splunk-perfmon.exe to see what the issue was. It turns out SPLUNK_HOME was not set. I set the system variable and it started working.
... View more
08-08-2012
08:06 AM
I'm having the same problem, but only on a heavy forwarder that is acting as a gateway between our DMZ and internal network. All of the servers using the deployment client that are internal are fine.
I've opened firewall port 8089 between the gateway and internal indexer, but am still receiving: Unable to send handshake message to deployment server
... View more
08-02-2012
12:34 PM
Thanks for the help!
I ended up using the following line, which seems to work.
EXTRACT-ClientIP = (? \b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b)
... View more
08-02-2012
10:03 AM
In some of our event logs, the client IP address is recorded with leading information (::ffff:). I would like to trim this data and create a new field, which I can then do a reverse dns lookup on using a scripted lookup.
I'm not looking to modify the index, I'd like all of this to happen at search time.
The field I'm looking to modify is called Client_Address and a sample value would be:
::ffff:192.168.207.88
If I use the following REX at search time, I get a new field called Client_IP that looks good:
rex field=Client_Address "(? \b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b)"
However, I'd like to use props.conf so this all happens automatically. If I add the following line to my WinEventLog:Security stanza, it doesn't work.
EXTRACT-ClientIP = rex field=Client_Address "(? \b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b)"
... View more
07-23-2012
07:05 PM
Upon logon, multiple events with the same data are generated on our active directory domain controllers for a single user logon. We'd like to filter out the duplicate events (which occur within seconds of each other) so that only one logon event is indexed by Splunk.
Is this possible?
... View more
05-17-2012
03:10 PM
I saw that as a possible solution on the Wiki and I tried to implement it....but it didn't seem to work for me.
This server has a Universal forwarder installed and didn't have a props.conf file by default. I created one for my source type and added the no binary check, but I got the same result.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
