Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About gooza
gooza
Communicator
Member since:
07-14-2010
12-11-2024
Community Statistics
| Posts | 44 |
| Solutions | 7 |
| Karma Given | 56 |
| Karma Received | 29 |
| Member Since | 07-14-2010 |
Activity Feed
- Karma Re: how can we get Splunk license % usage data over long period of time? (>60 days) for jtuchscherer_sp. 11-24-2022 04:21 AM
- Karma Re: Button to run splunk query for chrisyounger. 06-05-2020 12:50 AM
- Karma Re: How do I run a script from a button on a dashboard? for sdchakraborty. 06-05-2020 12:50 AM
- Karma Re: Clickable hyperlink in search result for renjith_nair. 06-05-2020 12:49 AM
- Karma Monitor Role Changes in _Audit Trail for lathwal. 06-05-2020 12:49 AM
- Karma Re: Splunk Admin Password for wrangler2x. 06-05-2020 12:49 AM
- Karma Re: How do I find the delta between sum of values for two days with below query? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: DIsplay 0 when no results returned in single value for dbcase. 06-05-2020 12:48 AM
- Karma Re: How to get a single value visualization to display "0" instead of "N/A" when there is no matching event? for bandit. 06-05-2020 12:48 AM
- Karma Re: How to customize or change the default footer in Splunk Web? for MuS. 06-05-2020 12:47 AM
- Karma Re: symantec Brightmail gateway- SBG field extraction for sorenmaigaard. 06-05-2020 12:47 AM
- Karma Re: cmd splunkd clean-dispatch error for MuS. 06-05-2020 12:47 AM
- Karma Re: Lookup File Editor Feature Request: Have the app create a backup before modifying the lookup file for LukeMurphey. 06-05-2020 12:47 AM
- Karma Re: How to configure the sort order of apps in the drop-down navigation menu? for tom_frotscher. 06-05-2020 12:47 AM
- Karma Re: iframes and views broken after Splunk 6 upgrade for hexx. 06-05-2020 12:46 AM
- Karma Re: Splunk App for Windows Infrastructure dashboards are blank, no errors, nothing? Thoughts? for dlofstrom. 06-05-2020 12:46 AM
- Karma Re: Splunk App for Windows Infrastructure dashboards are blank, no errors, nothing? Thoughts? for dlofstrom. 06-05-2020 12:46 AM
- Karma Re: SA LDAP Search password in base 64 for Jason. 06-05-2020 12:46 AM
- Karma Re: Where can I find documentation for splunkd clean-dispatch command? for the_wolverine. 06-05-2020 12:46 AM
- Karma Re: How to compare fields over multiple sourcetypes without 'join', 'append' or use of subsearches? for MuS. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 4 |
12-05-2016
12:23 AM
I agree with lguinn , white listing will solve the problem ( it did for me , the only thing I need to make sure is that the monitored folder is a little bit different
for example - input.conf:
[monitor:///home/gcaaxfer/data/]
disabled = false
host_segment = 3
index = my_index
sourcetype = my_request
whitelist = (sm_nr_.*\.csv)
crcSalt = <SOURCE>
[monitor:///home/gcaaxfer/data]
disabled = false
host_segment = 3
index = my_index
sourcetype = my_request
whitelist =(sm_.*tickets\.csv)
crcSalt = <SOURCE>
notice that one of the monitored path has '/' at the end and one without.
this enabled me to monitor easily different files in the same directory
... View more
04-23-2014
11:37 PM
ok ,thanks for the replay, I hope splunk will add it in the future.
if anyone else need this feature please vote up this question so splunk can see the need.
... View more
04-23-2014
08:47 PM
1 Karma
Hi
we have many sources that sends us a lot of similar events (DNS for example)
a.host.com 1.1.1.1
a.host.com 1.1.1.1
a.host.com 1.1.1.1
Is there a way for me to aggregate the events to one single event and just add the count of events that happened (lets say in one minute) ? so I will only index:
a.host.com 1.1.1.1 count=3
Is it possible to do this in splunk ( maybe with regex in transforms)?
For now we are depended on 3rd party agents like arcsight in front of splunk to do the aggregation - I would really like to see this feature in splunk
Any ideas?
... View more
07-24-2013
10:11 PM
Can you find the AfterGlow.py file in your Splunk directory? It's in your $SPLUNK_HOME/etc/apps/afterglow/appserver/modules/AfterGlow directory.
make sure that line 88: neato = os.path.join(neato_path,"neato") is the following:
neato = os.path.join(neato_path,"neato.exe")
... View more
05-04-2013
11:32 PM
correct. just paste it in,
you can always ask an enhancement request that someone will just add a button for it 🙂
... View more
05-02-2013
11:14 PM
have you tried adding showsource=t in the url
http://splunk-base.splunk.com/answers/1/how-can-i-convert-simple-view-xml-to-advanced-xml
... View more
04-25-2013
03:56 AM
What about filtering the messages in the relevant apps with application.js as suggested in:
http://splunk-base.splunk.com/answers/3123/message-module-filter-values
... View more
12-11-2012
12:01 AM
Thanks , I moved it to the linux machine and it worked from there
... View more
12-10-2012
04:28 AM
Hi,
I'm trying to use the splunk for netwitness app (I'm using splunk on windows) but it is not working with the following error messages:
ERROR: Couldn't execute summary query. Existing...
ERROR: urlopen error [Error 10060] A connection attempt failed because the connected party did not properly respond after a period of time...
took 6.125 seconds to run, 0 bytes read
No New sessions to read
nwsdk.conf file in the local directory configuration:
[rest]
top_level_url=http://10.10.10.1:50105
username=myusername
password=mypassword
last_sid_file=c:\.last_sessionid
no_sid_file=-2 (tried also using 0 here )
no_sid_seconds_back=300
max_meta=50000
write_to_file_every_x=500
I have no problems connecting the netwitness via the web
anyone had any luck with this app ?
... View more
08-14-2012
01:49 AM
2 Karma
install it on the search head since it reports the fields you want,
on the indexer (OR splunk forwarder if you use one) you make the necessary changes to the relevant stanza for time recognition.
[stanzaname]
TIME_PREFIX = \s(end|rt)=
TIME_FORMAT = %10S%3n
MAX_TIMESTAMP_LOOKHEAD = 350
the max timestamp lookahead length changes according to the CEF data received
... View more
05-31-2012
01:02 AM
do you mean:
enabling-real-time-backfill
more can be found on :
Real-time_backfill
... View more
05-31-2012
12:42 AM
Yes , just make sure you mark the "Enable summary indexing" when you schedule the saved search
Setting up summary index searches in splunk web
... View more
05-30-2012
11:58 PM
1 Karma
What I do is create the saved search ,schedule it from now on and use the backfill only once with the earliest time I want ( use the -et ) and the latest (the -lt) is just before the time I started the schedule search, add the -j switch to speed things up with the Maximum number of concurrent searches to run ..and that is it I don't use the backfill again.
more on backfill
... View more
05-15-2012
11:20 PM
1 Karma
OK , did you succeeded in running the script manually via the CLI splunk cmd python .bin\heartbeat.py maybe that will give you some errors to follow on ...
... View more
05-03-2012
04:07 AM
have you tried collecting the syslogs and using
splunk cisco-security-suite
... View more
04-03-2012
11:44 PM
use lookup tables , list the product id you're looking for in csv and add a seen field to it:
productid,seen
645,1
423,1
and so on
then run the search
activated=true | lookup yourlookuptable productid OUTPUT seen | Where seen!=1
you can read more on lookup tables at:
docs.splunk.com
... View more
03-29-2012
05:36 AM
add to your props.conf file under the relevent stanza the row:
REPORT-cefevents = cefHeaders,cefKeys
you can read more on props.conf at
splunk Documentation
... View more
02-23-2012
11:24 PM
no , the tcpout redirect the data to different TCP ports on the indexer and each port has its own source type and index
... View more
02-23-2012
04:38 AM
1 Karma
also there is a newer script by zpavic:
see his answer to my question : link:remove duplicates on specific dates
... View more
02-23-2012
03:56 AM
3 Karma
try this :
http://splunk-base.splunk.com/apps/22899/remove-duplicate-event-data-from-index
... View more
02-23-2012
03:53 AM
I'm trying to use the heavy forwarder to route data to different indexes based on values in _raw , is this possible ?
the configuration files are:
inputs.conf:
[tcp://9997]
sourcetype = FromFooandBarbysinglehost
props.conf:
[FromFooandBarbysinglehost]
BREAK_ONLY_BEFORE = ^
TRANSFORMS-routing = FromFoo,FromBar
transforms.conf:
[FromFoo]
REGEX = (?i) From|.+?Foo
DEST_KEY = _TCP_ROUTING
FORMAT = outtoFoo
[FromBar]
REGEX = (?i) From|.+?Bar
DEST_KEY = _TCP_ROUTING
FORMAT = outtoBar
outputs.conf:
[tcpout:outtoFoo]
server = 10.10.10.10:1111
sendCookedData = false
[tcpout:outtoBar]
server = 10.10.10.10:2222
sendCookedData = false
in the indexer 10.10.10.10 the TCP port 1111 is indexed to foo index , and 2222 is indexed to Bar index)
me problem is that I see both foo data and bar data in both indexes , it is like there is no termination to the transforms process and both are sent to both ports.
I double checked my REGEX in the search bar in splunk and it does show only the relevant data
what am I missing ?
... View more
I solved it by role mapping via the authentication.conf file.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-11-2024
06:35 AM
|
Karma given to
