×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
jorjiana88
Path Finder
Member since: ‎10-29-2017
‎11-25-2020
Community Statistics
Posts 22
Solutions 0
Karma Given 2
Karma Received 5
Member Since ‎10-29-2017
Activity Feed
Topics I've Started
View All

Re: 8.0.4.1 on Ubuntu 20.04LTS: Why are emails fai...

by Splunk Employee in Alerting
‎03-10-2022 02:12 PM
‎03-10-2022 02:12 PM
Yes, permissions can get pretty messy. This also happens if Splunk is normally run by the Splunk user but is then started from root (usually using sudo). ... View more

Received malformed XML from external handler when ...

by in All Apps and Add-ons
‎11-13-2020 12:54 AM
‎11-13-2020 12:54 AM
I get this error when trying to launch the Atlassian JIRA Issue Alert App.. https://splunkbase.splunk.com/app/5037/ It works well on another server that I have though, but no idea why. Any ideas what to check?  The call triggering this is following: https://hostname:port/en-GB/splunkd/__raw/servicesNS/nobody/TA-atlassian-jira-issue-alerts/TA_atlassian_jira_issue_alerts_settings/proxy?output_mode=json&_=1605256012447  The error in splunkd.log:  ERROR AdminManagerExternal - Received malformed XML from external handler: hello world\n1267650600228229401496703205376\n<eai><eai_settings><ACTION_CRED>--cred--</ACTION_CRED><appName>TA-atlassian-jira-issue-alerts</appName><callerArgs><id>proxy</id><args/></callerArgs><capabilityRead></capabilityRead><capabilityWrite></capabilityWrite><context>2</context><customAction></customAction><customActionCap></customActionCap><didFilter>False</didFilter><didPaginate>False</didPaginate><docShowEntry>True</docShowEntry><endpoint>&lt;splunktaucclib.rest_handler.endpoint.MultipleModel object at 0x7f105c49a490&gt;</endpoint><handler>&lt;splunktaucclib.rest_handler.handler.RestHandler object at 0x7f105c3a3310&gt;</handler><maxCount>30</maxCount><payload></payload><posOffset>0</posOffset><requestedAction>2</requestedAction><requestedFilters></requestedFilters><restartRequired>False</restartRequired><shouldAutoList>True</shouldAutoList><shouldFilter>False</shouldFilter><shouldReload>False</shouldReload><sortAscending>true</sortAscending><sortByKey>name</sortByKey><supportedArgs><arg name="--cred--"><isRequired>False</isRequired></arg></supportedArgs><userName>nobody</userName></eai_settings><config_info><feed_name></feed_name></config_info></eai>\n ... View more

Re: Show results of stats count when result is 0

by in Splunk Search
‎08-24-2020 01:08 PM
‎08-24-2020 01:08 PM
wow that worked perfectly, thank you! 😀 ... View more

Re: Predicting when sourcetypes will send data - m...

by in Splunk Search
‎08-21-2020 06:44 AM
‎08-21-2020 06:44 AM
predict can predict 5 fields at the time. No matter how many source types there are, it's better to do a static search. You could make 20 reports, right? ... View more

Re: Perfmon counter "HTTP Service Request Queues" ...

by in Getting Data In
‎08-21-2020 05:42 AM
‎08-21-2020 05:42 AM
This is a bug that has to do with the content of the counters, some special characters, altough I forgot the details. Bug was reported in a ticket to splunk. ... View more

Re: Spath only extracts the first sublevel in Json...

by in Splunk Search
‎01-16-2019 04:05 AM
‎01-16-2019 04:05 AM
works great, and no need for regex.. thanks! ... View more

Re: how to use makecontinuous in combination with ...

by in Splunk Search
‎07-11-2019 11:48 AM
‎07-11-2019 11:48 AM
Thanks . I used time chart to fix my issue currently . please let me know if your soln is different , I will start off a new thread . ... View more

Re: Calculating outliers total for each user

by in All Apps and Add-ons
‎03-05-2018 11:08 PM
1 Karma
‎03-05-2018 11:08 PM
1 Karma
Because of the data, the result should be the same even if only searching for the string. Actually after removing the | sort _time , both queries result in the same, so the issue is solved. Thank you very much for the super fast response. ... View more

Re: Splunk takes the wrong timestamp from the log

by in Getting Data In
‎03-02-2018 02:43 PM
1 Karma
‎03-02-2018 02:43 PM
1 Karma
actually we made changes to the software that was generating the logs in order to fix it. ... View more

Re: Correlate logins outside of business hours wit...

by in Splunk Search
‎10-29-2017 11:48 AM
‎10-29-2017 11:48 AM
Like you said, there are LOTS of ways that would be just fine to do this. Here's one... (sourcetype=*:Security ((EventCode=4624 user32 ) OR EventCode=4625) host="*" user=$t_user$ ) OR (sourcetype="changes" changecoordinator=$t_user$) | rename COMMENT as "Eliminate all fields we don't need" | fields _time, user, src_nt_host, signature, changeid, startdate, enddate, changecoordinator, | rename COMMENT as "Kill logon records that are not off-hours" | eval hour = tonumber(strftime(_time,"%H")) | eval wknd = tonumber(strftime(_time,"%w")) | where (sourcetype="changes") OR (hour<=8 or hour>=19) OR (wknd==0 OR wknd==6 ) Now you have all the data in one file. You can take the user= and the changecoordinator= out of the two halves of the search if I've misunderstood the value there, leaving only the token. It seems like you are looking for the last off-hours logon for each change request. We can sort the records into _time order, and use streamstats to copy down the last logon within an arbitrary window, for instance 8 hours. But first, we need to establish a single field for the user for both kinds of records. In this case, we'll use user . | rename COMMENT as "sort records and propagate logon time" | eval user=coalesce(user,changecoordinator) | sort 0 user _time | streamstats time_window=8h last(eval(case(sourcetype!="changes",_time))) as lastLogon last(eval(case(sourcetype!="changes",signature))) as lastSignature by user | rename COMMENT as "roll together all change records" | stats count values(changeid) as changeid by user lastLogon lastSignature | rename lastLogon as _time It might be better practice to do the elimination of on-hours records AFTER rolling the records together. That would make the time_window unnecessary, since your changecoordinator would ALWAYS have to have logged on sometime, and we can just kill the on-hours ones all at the same time. (sourcetype=*:Security ((EventCode=4624 user32 ) OR EventCode=4625) host="*" user=$t_user$ ) OR (sourcetype="changes" changecoordinator=$t_user$) | rename COMMENT as "Eliminate all fields we don't need" | fields _time, user, src_nt_host, signature, changeid, startdate, enddate, changecoordinator, | rename COMMENT as "sort records and propagate logon time" | eval user=coalesce(user,changecoordinator) | sort 0 user _time | streamstats last(eval(case(sourcetype!="changes",_time))) as lastLogon last(eval(case(sourcetype!="changes",signature))) as lastSignature by user | rename COMMENT as "roll together all change records" | stats count values(changeid) as changeid by user lastLogon lastSignature | rename lastLogon as _time | rename COMMENT as "Kill logon records that are not off-hours" | eval hour = tonumber(strftime(_time,"%H")) | eval wknd = tonumber(strftime(_time,"%w")) | where (hour<=8 or hour>=19) OR (wknd==0 OR wknd==6 ) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-25-2020 08:55 AM
Karma given to
View All