How to get sample data for Cisco Security Suite?
I am having trouble finding data that I can learn from with the Cisco security suite. I want to populate the dashboard and study what each panel shows, so that I can apply it to an environment with real data and be able to see what is going on.
↧
split one field in two column
Hi,
How can we split Time into two different columns?
![alt text][1]
[1]: /storage/temp/235579-split.png
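One way to do the split, as an added example that is not part of the post: the real format is only visible in the screenshot, so this assumes `Time` is a string field holding values like `2018-03-28 11:16:23` (a constructed sample built with `makeresults`). A `rex` with two named groups turns the string into two fields; if the column actually comes from `_time`, `strftime` does the same without a regex.

```spl
| makeresults
| eval Time="2018-03-28 11:16:23"
| rex field=Time "^(?<Date>\S+)\s+(?<TimeOfDay>\S+)$"
| eval Date2=strftime(_time, "%Y-%m-%d"), TimeOfDay2=strftime(_time, "%H:%M:%S")
| table Time Date TimeOfDay Date2 TimeOfDay2
```

In a real search drop the `makeresults`/`eval Time=` lines and keep either the `rex` (for a string field) or the `strftime` pair (for `_time`); the `table` command then shows the two new columns side by side.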
↧
Monitor a log file
Hi
I want to monitor a log file in "C:\\Windows\\Logs\\CBS.log" in an SPL command.
Is it possible with wineventlog or with another way, please?
Regards
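An added example, not from the post: CBS.log is a plain text file written by the Windows servicing stack, not an event log channel, so the WinEventLog input cannot read it. It is collected with a file monitor input in inputs.conf on the forwarder running on that host, and then searched like any other file data. The index and sourcetype names below are assumptions; pick ones that exist in your environment. The forwarder's service account must be able to read C:\Windows\Logs.

```ini
# inputs.conf on the Windows forwarder (added example; index and sourcetype are assumed names)
[monitor://C:\Windows\Logs\CBS.log]
disabled = 0
index = windows
sourcetype = cbs_log
```

After the forwarder restarts, the data is searchable with `index=windows sourcetype=cbs_log`; there is no SPL command that reads a file directly from a remote host's disk.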
↧
How to write queries for below condition ?
Hi,
We have hosts a, b, c, d, e, and f.
Looking for visualizations:
1) Trend count of all "fieldname" per week for the last 3 months?
2) Trend of "fieldname 2" 5 or 50 on a weekly basis with filters applied on event=AuthAccept
Both of the above have filters applied on the 6 servers listed above.
Please help.
Thanks,
Splunker969
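Two searches that produce the requested weekly trends, added here as an example (not from the post). `fieldname`, `fieldname2` and the host names are the placeholders from the question; `earliest=-3mon@w latest=@w` snaps the window to week boundaries so that the first and last buckets are whole weeks rather than partial ones. The `IN` operator needs Splunk 6.6 or later.

```spl
host IN (a, b, c, d, e, f) earliest=-3mon@w latest=@w fieldname=*
| timechart span=1w limit=0 count by fieldname

host IN (a, b, c, d, e, f) earliest=-3mon@w latest=@w event=AuthAccept fieldname2 IN (5, 50)
| timechart span=1w count by fieldname2
```

The first search gives one line per value of `fieldname` (use `count as events` without `by` if you only want the overall weekly count); the second gives one line for value 5 and one for value 50, restricted to `event=AuthAccept`. Both render directly as a line chart.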
↧
Is it possible to use EMC Isilon App with Syslog data?
Hi,
We are working on implementing the EMC Isilon App/Add-on in our environment. All NAS devices are currently sending data via UDP and the inputs are configured for `index=isilon` and `sourcetype=emc:isilon:syslog`. We are using App Version 2.3.0 and Add-on Version 2.3.
Even though the Index and Sourcetypes are set as per requirement, none of the Dashboards load any data. When I checked the macros, it looks like all dashboards & panels are configured only for the REST API, i.e. `sourcetype=emc:isilon:rest`.
Is there any way of using this App with the Syslog data as well? Are there any special dashboards/panels which can make use of the syslog data being sent via UDP?
Splunk Version = 7.0.1
EMC Add-on Version 2.3. Deployed on Indexers and Search-Head
EMC App Version 2.3.0. Deployed on Search-Head.
Thanks,
~ Abhi
↧
Splunk Rest Modular Input
I'm attempting to get some data out of an EMC Unity Array. Using the Restlet Chrome Extension, I can get valid data back with this URL:
https://IP/api/types/metricValue/instances?filter=path eq "sp.*.cpu.summary.utilization" &per_page=1
When I configure the REST Modular Input the same way, I get no data basically. Here is what I receive:
The documentation is pretty slim, so I'm assuming I'm doing it wrong. Any ideas?
↧
Display panels in email as pdf
I am trying to send the 3 panels I have on my dashboard as a PDF. I know they will be one per page, but how do I write the search for the three queries?
Should it be 3 separate search strings in savedsearches.conf, or is there a better way?
↧
APPlication radius_auth
Hello everybody,
I installed the radius_auth application and I followed the procedure correctly. But when I try to log in with RADIUS IDs, it does not pass.
I have this error message: Invalid username or password.
But in parallel, I use Wireshark to capture the traffic from my Splunk to the RADIUS server, and I see that the request passes and is accepted.
Can anyone tell me what the problem is?
↧
Splunk for Microsoft Azure
Hello,
I have some questions regarding Splunk; I am new at this.
The first one is: is the add-on for Azure Cloud available on Splunk on-prem? If not, how can we do it?
The second question: when Splunk collects custom logs from an Azure Storage Blob, does it copy them or just read the logs?
And finally, can we send alerts to the Splunk API? How can we do it? Thank you.
Thank you for your answers.
↧
Transaction Question
Trying to calculate the duration between two log messages, have found many resources online but nothing seems to work quite right...
This is what I am trying:
host=ns2 I move from | transaction Restart_status startswith="I move from normal to communications-interrupted" endswith="I move from startup to normal" | timechart avg(duration) by Restart_status
Basically I want to know how long it takes for the server to restart its DHCP service. I defined 'Restart_status' as a custom field.
Currently this search ends up with 0 results.
Thanks for your help!
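A version of the search that pairs the two messages, added as an example (not from the post). `transaction` only groups events that share the same value of the field you list, so grouping by a field that has one value on the "communications-interrupted" event and a different value on the "startup to normal" event is a common way to get 0 results; grouping by `host` pairs the start and end message of the same server. `duration` is reported in seconds, and `maxspan` stops a missing end message from swallowing the next restart cycle (2h is an assumed upper bound).

```spl
host=ns2 "I move from"
| transaction host startswith="I move from normal to communications-interrupted" endswith="I move from startup to normal" maxspan=2h
| timechart span=1d avg(duration) as avg_restart_seconds, max(duration) as max_restart_seconds, count as restarts
```

Run the first two lines on their own first and look at the `duration` and `eventcount` fields on each transaction; if nothing comes back, the literal start/end strings do not match the raw messages and should be checked against one sample event of each kind.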
↧
Is it possible to change color of table cell depending on the dropdown input?
In my dashboard, I have to highlight the cells that have a value greater than the value selected by the user. I am not sure how to do it. Please help.
Thanks in advance!
↧
Is there a way to figure out the host and the sourcetype for the log going to null queue
We are using a regex rule to send specific logs to nullQueue. We use universal forwarders to send the logs to the indexer from different hosts. Is there a way to list all the hosts and sourcetypes that are sending logs to nullQueue?
↧
Dynamically created columns with totals
Hello,
I'm looking to accomplish a couple of things with the same query and am getting a little stuck. One search looks for all the SSO errors. Those results don't give me a way to see which customer is having issues, so I piped that to a different search to be able to look up the district name. (I'm sure there may be an easier, more efficient way to do this, and if you can help that would be awesome, but it is secondary to the next request.)
Based on those results, I want to show district name, the number of times each error occurs, and the total number of errors.
Here's what I have so far...
host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS
This gives me a table that looks like:
| District_Name   | S601 | S602 | S603 | etc. (dynamically expands)
| UniqueDistrict1 | 1    |      |      |
I would like to be able to add a total to the last column to tally up the total number of errors.
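An added example (not from the post) that produces the same table with a row total. Two things differ from the posted search: `join` defaults to `max=1`, so an IP with several error codes in the subsearch keeps only one of them, and the subsearch is subject to the usual result limits. Pulling both event kinds in one base search and copying `District_Name` onto the failure events with `eventstats` avoids both. `addtotals` sums every numeric column of each row into `Total`; `fillnull` first, so that empty cells count as 0 rather than leaving the total blank. The field names are the ones from the question.

```spl
(host=prod-* "MESSAGE=LOGIN_SUCCESS" District_Name=*) OR (LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE)
| eventstats values(District_Name) as District_Name by IP
| where SSOSTATUS="SSO_FAILURE"
| stats count as SSO_ERRORS by District_Name ERROR_CODE
| xyseries District_Name ERROR_CODE SSO_ERRORS
| fillnull value=0
| addtotals fieldname=Total
```

The `Total` column lands last, after whatever error-code columns `xyseries` created; add `| sort - Total` to rank districts by error volume.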
↧
Use ldap search to get computers from 2 groups
I would like to use an LDAP search to find computers located in multiple groups. I tried something like this, but I can't get the syntax correct or even know if it's possible. I'm trying to find all computers in the patch1 and patch2 groups.
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch1, OU=Patches,OU=Wintel,DC=Mydomain,DC=com) AND (memberOf="CN=Patch2, OU=Patches,OU=Wintel,DC=Mydomain,DC=com) ) attrs=name
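Working filters for this, added as an example (not from the post). LDAP filters are prefix notation: `&` and `|` go in front of the terms they combine, there is no `AND` keyword, and DN values are not quoted. The first search returns computers that are in either group; the second returns only computers that are in both; the third uses the Active Directory matching-rule OID `1.2.840.113556.1.4.1941` so that membership through nested groups is also matched, which plain `memberOf` does not do. Domain and DNs are the ones from the question with the spaces after the commas removed.

```spl
| ldapsearch domain=mydomain.com search="(&(objectClass=computer)(|(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)))" attrs="name,memberOf"
| table name memberOf

| ldapsearch domain=mydomain.com search="(&(objectClass=computer)(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com))" attrs="name"

| ldapsearch domain=mydomain.com search="(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com))" attrs="name"
```

If a group is large, listing `memberOf` on each computer is cheaper than querying the group's `member` attribute, which is paged by AD after 1500 values.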
↧
What is the difference between PercentIdleTime and pctIdle when looking at CPU (index=os)?
What is the difference between PercentIdleTime and pctIdle when looking at CPU (index=os)?
I have looked for answers, and this is the closest I found, but it does not explain the difference:
http://docs.splunk.com/Documentation/SplunkLight/7.0.1/Examples/Createsearch
index=os sourcetype=cpu host=* | multikv fields PercentIdleTime | eval Percent_CPU_Usage = 100 - pctIdle | where Percent_CPU_Usage > 75
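An added example, not from the post. `pctIdle` is a column header written by the `cpu.sh` script of the Splunk Add-on for Unix and Linux, which is what the `cpu` sourcetype in `index=os` normally carries (header `CPU pctUser pctNice pctSystem pctIowait pctIdle`, with an `all` row followed by one row per core). `PercentIdleTime` is not a column of that output, so `multikv fields PercentIdleTime` extracts a field the search never uses and the `eval` then runs on a `pctIdle` that was never extracted. Extracting the column you compute on, and keeping only the `all` row so that a single busy core does not trip the threshold, gives:

```spl
index=os sourcetype=cpu host=*
| multikv fields CPU pctIdle
| where CPU="all"
| eval Percent_CPU_Usage = 100 - pctIdle
| where Percent_CPU_Usage > 75
| table _time host Percent_CPU_Usage
```

If your `cpu` data does come from another collector, run `index=os sourcetype=cpu | head 1 | multikv` and check which idle-time field is actually present before choosing the name.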
↧
↧
How to avoid duplicates values based on multiple values?
I need to find:
first report:
total successes (number of test *runs* that succeeded)
total failures (number of test *runs* that failed)
second report:
successCases (number of test *cases* that succeeded)
failureCases (number of test *cases* that failed)
average total run time
The output I am getting is:
![alt text][1]
Some of the fields are duplicated in each test, such as testRunStartTime/testRunEndTime in each test case.
How do I avoid duplicates and find total success/failure based on the number of test cases and the number of test runs? Also, the average total run time?
Here is my log file:
}{
"env":{
"GIT_COMMIT":"afc6d7ccb12e0a18c4205b9e98634507",
"XFILESEARCHPATH":"/usrapp-defaults/%L/Dt",
"GIT_PREVIOUS_COMMIT":"901d39e8483d043cf9b100947939",
"JOB_NAME":"myoffice-coa-target-adapter_ctest",
"HOME":"/home/svc_ei",
"CDC_PREW2KHOST":"jenks-lp001",
"HUDSON_SERVER_COOKIE":"2aa027d5e58c7",
"LESSOPEN":"||/usr/bin/lessp.sh %s",
"HUDSON_COOKIE":"b0553050-636c-4f7323a270e1457",
"LANG":"en_US.UTF-8"
.. some other info
},
"projectName":null,
"projectVersion":null,
"testRunStartTime":"2018-03-10T10:28:38.010",
"testRunEndTime":"2018-03-10T10:39:10.865",
"testFileName":"myoffice-coa-ctest.xml",
"testCaseName":"testCase04AddUpdateCCByFunc",
"testCaseId":"04",
"exceptionMessage":null,
"testCaseStartTime":"2018-03-21T06:33:38.962",
"testCaseEndTime":"2018-03-21T06:39:04.839",
"status":"FAILURE"
}{
"env":{
"GIT_COMMIT":"afc6d7ccb12e0a18c4205bae98634507",
"XFILESEARCHPATH":"/usrapp-defaults/%L/Dt",
"GIT_PREVIOUS_COMMIT":"901d39e8483d043cf100b9500390947939",
"JOB_NAME":"myoffice-coa-target-adapter_ctest",
"HOME":"/home/svc_ei_cicd",
"CDC_PREW2KHOST":"jenks-001",
"HUDSON_SERVER_COOKIE":"2aa023d5e58c7",
"LESSOPEN":"||/usr/lesspipe.sh %s",
"HUDSON_COOKIE":"b0553050-636ca3d-323a270e1457",
"LANG":"en_US.UTF-8"
.. some other info
},
"projectName":null,
"projectVersion":null,
"testRunStartTime":"2018-03-11T10:28:38.010",
"testRunEndTime":"2018-03-11T10:39:10.865",
"testFileName":"myoffice-coa-ctest.xml",
"testCaseName":"testCase04AddUpdateCCByFunc",
"testCaseId":"04",
"exceptionMessage":null,
"testCaseStartTime":"2018-03-21T06:33:38.962",
"testCaseEndTime":"2018-03-21T06:39:04.839",
"status":"FAILURE"
}
... more JSON content
[1]: /storage/temp/236590-screen-shot-2018-03-28-at-111623-am.png
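One way to get both reports from this data, added as an example (not from the post). Each JSON object is one test case, and the run-level fields repeat on every case of the same run, so the trick is to aggregate twice: first per run (keyed on `testFileName` plus `testRunStartTime`, which together identify a run), then across runs. The index and sourcetype names are assumptions, and the example assumes passing cases carry `status="SUCCESS"` (only `FAILURE` appears in the sample). A run is counted as failed if any of its cases failed; the run time is `testRunEndTime` minus `testRunStartTime` in seconds.

```spl
index=ci sourcetype=ctest_json
| eval runKey=testFileName.":".testRunStartTime
| stats count as cases, count(eval(status="SUCCESS")) as successCases, count(eval(status="FAILURE")) as failureCases, first(testRunStartTime) as runStart, first(testRunEndTime) as runEnd by runKey
| eval runStatus=if(failureCases>0, "FAILURE", "SUCCESS"), runSeconds=strptime(runEnd, "%Y-%m-%dT%H:%M:%S.%3N") - strptime(runStart, "%Y-%m-%dT%H:%M:%S.%3N")
| stats count(eval(runStatus="SUCCESS")) as totalSuccesses, count(eval(runStatus="FAILURE")) as totalFailures, sum(successCases) as successCases, sum(failureCases) as failureCases, avg(runSeconds) as avgRunSeconds
```

The first `stats` is where the duplication disappears: `first()` keeps one copy of the repeated run fields per run instead of one per case. For the two runs in the sample (one failed case each) this yields `totalFailures=2`, `failureCases=2` and an average run time of about 633 seconds. If the events are not already split on the `}{` boundaries, the line breaking has to be fixed in props.conf first, otherwise several cases land in one event and the counts are off.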
↧
What windows logs, event codes are accurate to decide power off?
Hello,
I would like to prepare a dashboard which shows the status (power on/off) of devices in retail stores; we have POS and MPOS devices. My question is: on what basis (Windows logs) should I assume a device has powered off? Could you please explain which Windows logs and event codes are accurate for deciding power off? Any help would be appreciated.
Thanks in advance
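An added example, not from the post, of how the System log answers this. The relevant System-channel events are 1074 (User32: a shutdown or restart was requested, with the user and reason), 13 (Kernel-General: the OS is shutting down) and 6006 (the event log service stopped, i.e. a clean shutdown) on the way down; 12 (Kernel-General: OS started) and 6005 (event log service started) on the way up; 41 (Kernel-Power: the machine rebooted without a clean shutdown, typically power loss) and 6008 (the previous shutdown was unexpected) for hard power-offs; and 42 (Kernel-Power: entering sleep). A device that loses power writes nothing at the moment it dies, so the first search classifies each host by its most recent power event and the second, cheaper check flags hosts that have simply gone silent. The index name and the `POS*`/`MPOS*` host pattern are assumptions.

```spl
index=wineventlog sourcetype="WinEventLog:System" (host=POS* OR host=MPOS*) EventCode IN (12, 13, 41, 42, 1074, 6005, 6006, 6008)
| eval power_event=case(
    EventCode=12,   "boot (Kernel-General: OS started)",
    EventCode=13,   "clean shutdown (Kernel-General: OS shutting down)",
    EventCode=41,   "unexpected power loss or reset (Kernel-Power)",
    EventCode=42,   "sleep (Kernel-Power)",
    EventCode=1074, "shutdown/restart requested (User32)",
    EventCode=6005, "boot (event log service started)",
    EventCode=6006, "clean shutdown (event log service stopped)",
    EventCode=6008, "previous shutdown was unexpected")
| stats latest(_time) as last_event, latest(power_event) as last_power_event by host
| eval state=case(match(last_power_event, "^boot"), "on",
                  match(last_power_event, "unexpected"), "on (came back after power loss)",
                  true(), "off or asleep"),
       last_event=strftime(last_event, "%F %T")
| table host state last_power_event last_event

| metadata type=hosts index=wineventlog
| eval minutes_silent=round((now() - recentTime) / 60)
| where minutes_silent > 30
| table host minutes_silent
```

Event 41 is written at the next boot, so its presence means the device is back up, not down; a device that is currently unplugged shows up only in the second search, as a host whose last event is older than the 30-minute threshold (tune that to your forwarders' normal event rate).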
↧