Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Peter
Peter
Path Finder
Member since:
03-29-2010
06-05-2020
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 7 |
| Member Since | 03-29-2010 |
Activity Feed
- Got Karma for How do I set a timerange to be the last full 7 days?. 12-16-2021 01:42 PM
- Karma Re: How can I track user activity trending via searches? for Simeon. 06-05-2020 12:45 AM
- Karma Re: How can I track user activity trending via searches? for Lowell. 06-05-2020 12:45 AM
- Karma Re: How can I track user activity trending via searches? for Simeon. 06-05-2020 12:45 AM
- Karma Re: How do I set a timerange to be the last full 7 days? for hulahoop. 06-05-2020 12:45 AM
- Karma Re: How do I set a timerange to be the last full 7 days? for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: Export a csv of all hosts and their sources? for oreoshake. 06-05-2020 12:45 AM
- Karma Re: Export a csv of all hosts and their sources? for Simeon. 06-05-2020 12:45 AM
- Karma Re: Field extraction efficiency improvements for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: Field extraction efficiency improvements for Lowell. 06-05-2020 12:45 AM
- Got Karma for Filter syntax options in serverclass.conf. 06-05-2020 12:45 AM
- Got Karma for How can I track user activity trending via searches?. 06-05-2020 12:45 AM
- Got Karma for How do I set a timerange to be the last full 7 days?. 06-05-2020 12:45 AM
- Got Karma for Field extraction efficiency improvements. 06-05-2020 12:45 AM
- Got Karma for Check Point object name resolution. 06-05-2020 12:45 AM
- Got Karma for Check Point object name resolution. 06-05-2020 12:45 AM
- Posted Re: Check Point object name resolution on Splunk Search. 05-17-2011 10:41 AM
- Posted Check Point object name resolution on Splunk Search. 05-09-2011 07:39 AM
- Posted Re: 4.2 search head - Asynchronous bundle replication error on Deployment Architecture. 03-23-2011 01:57 PM
- Posted Re: 4.2 search head - Asynchronous bundle replication error on Deployment Architecture. 03-18-2011 08:27 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 1 |
05-09-2011
07:39 AM
2 Karma
Just finished configuring the lea-loggrabber to get logs from some Check Point hosts. All is working correctly except I want to turn object name resolution off. Looks like it might be a command line parameter (--noresolve), but I can't get it to run successfully (http://www.sourcefiles.org/Miscellaneous/fw1-loggrabber-1.9.2.tar.gz.shtml)
Anyone done this?
... View more
03-23-2011
01:57 PM
I still see errors in the logs such as:
Most recent bundles for search peer went missing: /opt/splunk/var/run/searchpeers/splunk.domain.com-1300878227
Failed to create a bundles setup with server name 'splunk.domain.com'. Using peer's local bundles to execute the search, results might not be correct
Could it be a naming problem? Splunk host is splunk1.city and splunk URL is splunk.domain.com.
... View more
03-18-2011
08:27 PM
I'm actually getting this same alert with two 4.2 indexers running distributed search. Same advice to set sync_bundle_replication = true ?
... View more
06-28-2010
06:34 PM
I see that PCRE expressions have been added as of 4.1, but the mappings confuse me. My current serverclass.conf has name8., which mean to match name8.blah and name8.bleh. It would be easier for me to match name[0-9]+.., but the docs seem to indicate that '.' is converted to '.' and '' is converted to '.' Can you add clarity to this?
... View more
05-03-2010
06:13 PM
That works to get the current average for the timeframe, but I need to compare it to the most recent day's count to know if I need to generate an alert. So if I take the average of the last 8 days (earliest=-8d@d latest=-2d@d) I need to compare that average to the DC from earliest=-1d@d so that I can determine the diff from normal.
... View more
05-03-2010
06:07 PM
I'm first tried the search you suggested, but have now tried index=summary search_name="Summary - cID by username" | stats max(psrsvd_ct_sec_cardID) by username. This gives me 378 results in the last 7 days, but the table generated only lists the username and no data for the max(field).
... View more
04-29-2010
12:39 PM
Simeon - The field settings appear to store a static value, rather than allowing me to name the field that the dc(cID) is stored in and I can't seem to actually report on the data. I see that a field "psrsvd_ct_cID" is populated with the relevant data, but I can't actually chart/report on it? Any thoughts or should I open a splunk trouble ticket at this point? I appreciate your help.
... View more
04-27-2010
02:47 PM
Simeon - do I need to save the sistats "dc(cID)" data as a new field? The range(cID) command seems to not pull any data (even for the 1 day I have).
... View more
04-26-2010
06:11 PM
All good help. I've read up on the docs and have populated the search. Giving it a few days to populate and validate. Thank you!
... View more
04-26-2010
01:14 PM
And another question: when saving the sistats search, do I need to enable the "Enable Summary Indexing" action checkbox?
... View more
04-26-2010
12:39 PM
For the sistats scheduled search do I need to specify a time range (e.g. earliest=-1d@d)?
... View more
04-26-2010
12:25 PM
Thanks so much! I'll try this and get back to you.
... View more
04-08-2010
12:45 PM
I am using event hashing for all of my events. How would I disable the display of the valid/tampered _decoration icon for users based on their role?
... View more
- Tags:
- events
04-01-2010
02:22 PM
Wow - quite a complete answer - THANKS! I did the quick field::value test and it would appear that this is a search time extraction. What I had to do in 3.x to get this working was a messy combination of props/transforms/fields/eventtypes. I knew that eventtypes are search-time, but still can't understand why props sets the DEST_KEY=_meta and fields sets INDEXED=true. You and gkanapathy have confirmed that what I am doing now is a mess that I will be glad to remove. I appreciate your response.
... View more
04-01-2010
02:11 PM
I can understand your confusion. I originally set this up on 3.x, but am now on 4. I noticed that I couldn't do a field extraction based on an eventtype with 4, which led me to dig deeper into the work I had done previously and prompted me to ask this question. I guess I am looking for an opinion on the most efficient way to extract a field and you've generally answered that with your last paragraph. I will remove the reliance on the eventtype and switch to sourcetype with a search-time extraction.
... View more
03-31-2010
10:08 PM
1 Karma
I am currently extracting 3 fields at index-time based on a custom eventtype. I did this a while ago and realize that this is probably less than efficient. Searches on this data are rather slow. I have the capability to remove the reliance on the custom eventtype and switch to a new sourcetype dedicated to these events. I was also planning on moving from index-time field extractions to search-time field extractions based on the new sourcetype.
Does this sound like it will yield a significant search speed improvement? Is there something else I can do to improve the efficiency of these data searches?
... View more
03-31-2010
10:02 PM
I need to generate a splunk coverage report that shows all of the hosts and all of the sources they are sending from. What would this search look like and how can I export it? I've tried chart commands, but the "Other" section and the matrix format makes this incomplete for my purposes.
... View more
- Tags:
- search-help
03-30-2010
07:17 PM
2 Karma
I have a script that populates the previous day's data early in the following morning. How do I set a time range such that I get results from the past 7 full days? Setting "earliest=-7d" still relies on the current time. So if today is Tuesday the 30th, I want to search from midnight last Tuesday to midnight on the 29th.
... View more
- Tags:
- search-help
03-30-2010
04:09 PM
Thanks - I'll look into those. The problem I hit with most of these commands is that I am trying to apply them to distinct_count(cID), rather than take the average or trendline of the cID values themselves. cID are unique identifiers, so they have no numeric meaning.
... View more
03-29-2010
08:16 PM
1 Karma
I am attempting to write a search that can alert if a user deviates from some normal data viewing pattern. The event log in question records every time a user sees a bit of information, identified by the cID. Sometimes they view the same cID multiple times per day, but I only care about the distinct number they view in some time period. Ultimately, I would like to determine the average number of unique cIDs each user views over some time period (maybe daily, maybe weekly) so that I can look for exceptions and trigger an alert automatically.
So if userA views 150 unique cIDs on average each day (over a 30 day span), and one day they view 400 unique cIDs, I would like an alert to be triggered. I have looked at the "anomalies", "delta", and "outlier" commands, but can't seem to get a working search. I am working on a search that takes the avg(dc(cID)) by username, but that seems to be a dead end due to some Splunk restrictions. I'm not set on using avg() as the determining parameter, I just need something that can detect anomalous behavior.
Anyone have a better approach?
... View more
- Tags:
- search-help
03-29-2010
12:50 PM
1 Karma
Is it possible to use regular expressions for the whitelist/blacklist filters in serverclass.conf? For example:
whitelist.0=mail[0-9]+.*
... View more
- Tags:
- regex
