Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About stefanlasiewski
stefanlasiewski
Contributor
Member since:
07-08-2010
06-05-2020
Community Statistics
| Posts | 101 |
| Solutions | 6 |
| Karma Given | 130 |
| Karma Received | 53 |
| Member Since | 07-08-2010 |
Activity Feed
- Got Karma for Is there a yum/rpm repo for Splunk?. 09-19-2023 11:20 AM
- Got Karma for Is there a yum/rpm repo for Splunk?. 06-29-2023 05:44 AM
- Got Karma for Is there a yum/rpm repo for Splunk?. 12-19-2022 02:16 AM
- Got Karma for Is there a yum/rpm repo for Splunk?. 09-15-2021 03:00 PM
- Got Karma for Is there a yum/rpm repo for Splunk?. 05-17-2021 10:12 AM
- Got Karma for Is there a yum/rpm repo for Splunk?. 12-02-2020 03:17 PM
- Got Karma for Is there a yum/rpm repo for Splunk?. 12-01-2020 09:57 AM
- Got Karma for Online, interactive regular expression tester for Splunk regular expressions?. 09-03-2020 01:09 AM
- Karma Re: Splunk creates field from from wrong string in my LDAP logs for aholzer. 06-05-2020 12:47 AM
- Karma How can I ignore internal splunk data when searching? for joseph_hazlett. 06-05-2020 12:47 AM
- Karma IP version agnostic regular expression for mikaelbje. 06-05-2020 12:47 AM
- Karma Re: Why does Splunk not recognize standard fields in my Apache data forwarded by syslog? for chanfoli. 06-05-2020 12:47 AM
- Karma How do i search for IPv6 addresses from my src_ip field. for cesaccenturefed. 06-05-2020 12:47 AM
- Karma Re: Can I accelerate a search which uses transactions? for musskopf. 06-05-2020 12:47 AM
- Karma Re: Can I accelerate a search which uses transactions? for lguinn2. 06-05-2020 12:47 AM
- Karma Why is my SEDCMD props.conf file not working? for cbou. 06-05-2020 12:47 AM
- Got Karma for Can I transform data and extract fields at once?. 06-05-2020 12:47 AM
- Got Karma for Why does Splunk not recognize standard fields in my Apache data forwarded by syslog?. 06-05-2020 12:47 AM
- Karma Re: Does Splunk support Redhat chkconfig? for dwaddle. 06-05-2020 12:46 AM
- Karma Syslog tcp forwarding and DNS resolution for ng1p. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 |
12-15-2015
12:53 PM
I downvoted this post because this doesn't work in newer splunk versions.
... View more
01-07-2015
05:45 PM
Second question: You mention ' schedule the searches to run in the background.' I would like to see these LDAP statistics for the last 4 hours, but I would also like the graph to update in real time afterwards. Can I do that if I schedule a search to run in the background? I want a single graph that can provide an instant snapshot of the recent and current health of the LDAP systems--- I want to show the last 4 hours of activity, and have the graphs be updated in real time.
... View more
01-07-2015
05:42 PM
Thanks @Iguinn. One of the reasons I used the transaction was because it kept the IP address in the data, and I use that later on. For example, this tells me the hosts which connect to our LDAP servers the most:
host=192.168.5.55/24 | transaction conn startswith="ACCEPT from" endswith="closed" maxspan=10m | top LDAP_SRC_IP
Can I do that with your second example using stats ?
However, we were hoping to adapt this so we can see find servers with long running queries, servers which are performing many activities within a session (All of which contain the same conn=1234 number).
... View more
01-07-2015
05:34 PM
Can you show me an example that you use for the FORMAT and DEST_KEY ? I'm confused by how those should be used.
... View more
01-07-2015
05:32 PM
I don't really care where this extraction is happening. I'm fine with anywhere, as long as it's fast and easy to do. I just want to use the fields. I'm only using the _raw data because that's what the Splunks docs suggest, and I'm using the default Transform named syslog-header-stripper-ts-host-proc from default/transforms.conf .
... View more
01-07-2015
03:17 PM
We use Splunk to monitor our LDAP Cluster which receives millions of requests per day. We use Splunk searches and Splunk dashboards to monitor the systems in real time, and to check historic events. The trouble is, these searches are very, very slow.
We use these searches and dashboards multiple times per day, and the slowness is frustrating. Is there any way to accelerate a dashboard that makes use of the transaction parameter?
LDAP requires the use of Transactions, because one request will always span multiple lines, like this:
slapd[9876]: conn=123456 fd=48 ACCEPT from IP=192.168.1.100:38958 (IP=0.0.0.0:636)
slapd[9876]: conn=123456 fd=48 TLS established tls_ssf=128 ssf=128
slapd[9876]: conn=123456 op=0 BIND dn="" method=128
slapd[9876]: conn=123456 op=0 RESULT tag=97 err=0 text=
slapd[9876]: conn=123456 op=1 SRCH base="ou=Group,ou=system,ou=Host,o=ldapsvc,dc=example,dc=org" scope=2 deref=0 filter="(uid=stefanl)"
...
slapd[9876]: conn=123456 op=2 UNBIND
slapd[9876]: conn=123456 fd=48 closed
slapd[46834]: conn=123456 fd=48 closed
Therefore, any useful searches needs to use a transaction , like this:
host=192.168.5.55/24 process=slapd | transaction conn startswith="ACCEPT from" endswith="closed" maxspan=10m
... View more
01-07-2015
11:42 AM
1 Karma
Our Splunk server receives data via syslog. As a result, I need to transform the syslog data using transforms.conf and props.conf (Details in the question "Why does Splunk not recognize standard fields in my Apache data forwarded by syslog?".
My question, can I transform the data and still do some field extraction on that data? I would like to preserve the process field. However, the default transform simply strips out the data. It doesn't save any of the fields.
So, given the following transformation in local/props.conf :
[syslog]
TRANSFORMS-strip-syslog-header = syslog-header-stripper-ts-host-proc
And this default transform from default/transforms.conf :
# This will strip out date stamp, host, process with pid and just get the
# actual message
[syslog-header-stripper-ts-host-proc]
REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s.*?:\s(.*)$
FORMAT = $1
DEST_KEY = _raw
Can I somehow preserve one of the fields and save it to the name of process ?
I have had some luck with the following pattern, saved at https://www.regex101.com/r/iK8iX5/1 . However, I am uncertain how to use this in a Splunk Transform.
^(?<SyslogPri><\d+>)(?<SyslogDate>[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+)\s(?<SyslogHost>.*)\s(?<process>.*):\s(?<SyslogMessage>.*)$
... View more
01-07-2015
08:36 AM
@chanfoli, do you think this would be better if I put a Splunk Forwarder on my syslog server instead? I imagine that this way, the data won't automatically get tagged with the syslog sourcetype and the fields might get extracted correctly. I would probably need to strip the Syslog header on the Splunk Forwarder, but I am not sure if that is possible.
... View more
01-07-2015
08:34 AM
However, my data does not normally use key=value pairs, nor is it XML or JSON based, and KV_MODE=auto is already the default. My log data is standard, Unix-type syslog data.
... View more
01-06-2015
10:08 AM
I'm not sure what KV_MODE has to do with my problem. Can you explain?
... View more
01-05-2015
04:51 PM
Thanks. These syslogs contain data from thousands of systems and contain more than just Apache log data. I'll take a look at your suggestion.
... View more
01-05-2015
03:12 PM
The sourcetype is still set to syslog . I'm not sure if or how I can change that.
... View more
01-05-2015
02:34 PM
Thanks for the help. I made progress, but I'm still not there yet.
I used transforms.conf and props.conf as described on that page to transform data from the old format:
Dec 16 10:29:59 192.168.99.100 httpd[10583]: site1.example.org 10.4.5.6 - - [16/Dec/2014:10:29:59 -0800] "GET /rest/somepath/12345" HTTP/1.1" 200 105066 "-" "-"
To the new format:
10.4.5.6 - - [16/Dec/2014:10:29:59 -0800] "GET /rest/somepath/12345" HTTP/1.1" 200 105066 "-" "-"
Splunk still doesn't recognize any of the Apache-specific fields such as clientip or status . Any ideas?
... View more
01-05-2015
01:00 PM
That's what I've been trying, but it's not updating in real time.
... View more
01-05-2015
12:54 PM
This isn't showing me data from the previous 24 hours. This seems to show me data from now on forward, and refreshes every 24 hours. Or at least, that is what my test with Earliest: rt-30m Latest=rt or with a "30 minute window" does.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma given to
