Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About manikanta461
manikanta461
Explorer
Member since:
02-05-2018
04-12-2022
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 02-05-2018 |
Activity Feed
- Posted How to remove {} in Json extracted fields during search time without using rename in the search? on Getting Data In. 03-17-2022 09:29 AM
- Posted Re: How to deal with curly brackets in field names creating a data model on Getting Data In. 03-17-2022 08:56 AM
- Posted How to enable Splunk to set the time of an event based on a condition during indexation? on Splunk Enterprise. 07-23-2020 12:31 AM
- Karma Re: How to create a scheduled search to export results as a CSV file to an external share? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to split multiple lines of data into individual lines? for peter_krammer. 06-05-2020 12:47 AM
- Posted Why is time displayed always in 12 hour format in the events tab of Splunk? on Getting Data In. 09-17-2018 11:54 PM
- Tagged Why is time displayed always in 12 hour format in the events tab of Splunk? on Getting Data In. 09-17-2018 11:54 PM
- Tagged Why is time displayed always in 12 hour format in the events tab of Splunk? on Getting Data In. 09-17-2018 11:54 PM
- Posted Re: How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-27-2018 06:11 AM
- Posted Re: How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-26-2018 09:39 PM
- Posted Re: How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-25-2018 10:31 PM
- Posted How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-25-2018 04:58 AM
- Tagged How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-25-2018 04:58 AM
- Tagged How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-25-2018 04:58 AM
- Tagged How to ingest PCAP files into Splunk? on All Apps and Add-ons. 07-25-2018 04:58 AM
- Posted Re: How to filldown a value within a transacted event? on Splunk Enterprise. 03-06-2018 07:41 PM
- Posted How to filldown a value within a transacted event? on Splunk Enterprise. 03-06-2018 03:21 AM
- Tagged How to filldown a value within a transacted event? on Splunk Enterprise. 03-06-2018 03:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-17-2022
09:29 AM
Hello All, I have JSON data and sometimes it is nested and sometimes it is not, whenever it is a nested array I have a {} in the field name, and when it's not there is no {}. I'm trying to make a field alias to a common field name. But, I want to write a single alias to convert the field name if {} is present or not to a new name? Any leads on how can I do it? (Either remove {} before the fields are extracted at search time or aliasing in the props.conf to a new name.)
eg: items{}.description once, items.description the other other time --> rename to items.description during the search time without using rename command OR remove {} before fields are extracted on the search head. P.S: I don't want to do index time field extraction.
#fieldaliasing #json
... View more
- Tags:
- field-extraction
- json
Labels
- Labels:
-
field extraction
-
JSON
-
props.conf
03-17-2022
08:56 AM
what if sometimes, the items are not an array? How can we make it more generic? eg: for one event items is an array, and for another event items is not an array, how can we create an alias that would work for these two cases.
... View more
07-23-2020
12:31 AM
My event will be as follows: #2020-01-01;12:00:00#2020-01-01;12:00:00#content on the event. #2020-01-01;12:00:01#1970-01-01;00:00:00#content on the event. I have configured my sourcetype to pick the time highlighted in orange as the time of the event during indexation; however, sometimes in our logs we have the time recorded with a date starting with 1970, Splunk doesn't recognize it because of max days ago limit. In such cases, is there a possibility to add a condition to fetch the date in Blue as the date of the event? P.S: I can change the _time of the event in search head but, I'm trying for a solution that will index the events directly with Blue time as the time of the event, when there is 1970 in orange time.
... View more
Labels
09-17-2018
11:54 PM
Hello,
I have a proper extraction of my timestamp and when I print my _time, I can see the time in 24 hour format. But, when I visually see the data in the events tab, the time associated to my event is in 12-hour format.
eg: The time of my event 1 is 13:46.
When I give "table _time", I see 13:46 but when I see the event 1 under events tab, I see 1:46 PM. Is there a way to change the time format on how we look at it in the events tab?
... View more
07-27-2018
06:11 AM
Thanks for your comment, but that app needs Wireshark running on our server in order to index the Pcap files
... View more
07-26-2018
09:39 PM
Yeah, I tried the other two methods as well. But I'm not able to get my files to Splunk.
when I try the second method, this is the error which I get.
[root@fr0-1z00-10 bin]# ./streamfwd -r /mnt/Data/Pcapfiles/bfd-raw-auth-simple.pcap
08:01:15.421 INFO stream.CaptureServer - Found DataDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/data
08:01:15.421 INFO stream.CaptureServer - Found UIDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/ui
08:01:16.319 FATAL stream.main - Failed to start streamfwd, the process will be terminated: Unable to ping server (c060ec11-3abe-4858-bd1b-25edb89f02f5): U nable to establish connection to localhost: Connection refused
Regarding the third method, I've appended my streamfwd.conf with the following contents, and I've performed a restart, but there was no success
[streamfwd]
streamfwdcapture.0.offline = true
streamfwdcapture.0.interface = /mnt/Data/Pcapfiles
However, I suspect the issue might be in how I have installed my Stream App.
I haven't performed an SSL certification. Is it because of that? and moreover I have installed the app from my Splunk UI, which I run on my windows PC, but I have actually installed Splunk on my Linux machine.
I login to the Linux machine using ssh
... View more
07-25-2018
10:31 PM
Yeah, this is the file "bfd-raw-auth-simple.pcap" which I tried to index into Splunk using the first method mentioned here, https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/UseStreamtoparsePCAPfiles
This is my inputs.conf file present in the location: "#SPLUNK_HOME/etc/apps/splunk_app_stream/local"
[upload_pcap://PCAP]
index = 1_mani_test
pcap_file = FieldStorage('pcap_file', 'bfd-raw-auth-simple.pcap', '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00/w\x07\x00^@\x05\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x00\x00\x00\n\x11/X\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secretN\n\x90@/w\x07\x00\x9eM\x08\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x01\x00\x00\n\x11/W\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xc2\x82\xde\x8d/w\x07\x00\xdeZ\x0b\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x02\x00\x00\n\x11/V\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secretJ\xafP//w\x07\x00\x1eh\x0e\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x03\x00\x00\n\x11/U\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xcf\x90\xe7e0w\x07\x00\x1e3\x02\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x04\x00\x00\n\x11/T\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x1b\xf2=\xb10w\x07\x00^@\x05\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x05\x00\x00\n\x11/S\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x99\xa0\xdd\x860w\x07\x00\x9eM\x08\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x06\x00\x00\n\x11/R\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x11\x8dS$0w\x07\x00\xdeZ\x0b\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x07\x00\x00\n\x11/Q\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x94\xb2\xe4n0w\x07\x00\x1eh\x0e\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x08\x00\x00\n\x11/P\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xf8N\x96V1w\x07\x00\x1e3\x02\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\t\x00\x00\n\x11/O\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret)t\xf4\xb51w\x07\x00^@\x05\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\n\x00\x00\n\x11/N\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xa1Yz\x171w\x07\x00\x9eM\x08\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x0b\x00\x00\n\x11/M\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret$f\xcd]1w\x07\x00\xdeZ\x0b\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x0c\x00\x00\n\x11/L\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xf0\x04\x17\x891w\x07\x00\x1eh\x0e\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\r\x00\x00\n\x11/K\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secretrV\xf7\xbe2w\x07\x00\x1e3\x02\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x0e\x00\x00\n\x11/J\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xfa{y\x1c')
repeat = 0
systemTime = 1
I tried to find the data by searching in the index I mentioned above, which is "1_mani_test"
... View more
07-25-2018
04:58 AM
I tried to ingest the captured pcap files manually using the following documentation and I don't see that file being indexed.
https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/UseStreamtoparsePCAPfiles
When I try the first option mentioned in the above documentation, all I see is my inputs.conf growing in size with my pcap file data, but it is not indexed into Splunk.
When I try the second option, I don't see anything working.
Can you please give me some leads on how to index the Pcap files.
Thanks in advance
... View more
03-06-2018
07:41 PM
I want to find out the duration between y2, y1 and y3,y1.
... View more
03-06-2018
03:21 AM
I've transacted 3 events into 1 event based on my requirement.
let's say transacted event as X; y1,y2,y3 are the events transacted to form a transacted event X.
y1 has 1 start time, and y2 and y3 have individual end times.
In the transacted event, I find only one value under start time and two values under end time.
I want to fill down my start time with X so that it is filled two times totally within the transaction. so that ill get duration(end time-start time)
Any idea on how to filldown the start time value within the transacted event?
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-12-2022
07:32 AM
|
