Splunk for non-streaming data (structured)
Hello,
I will be using Splunk for non-streaming information. The reasons I am using Splunk are a) my company already has licenses and b) the power of transforming data into visualizations.
I am using a Postgres database. I expect to update Splunk with new data 1-3 times a day, as the information does not change frequently. The biggest goal is visualization of employee timesheets and project man-hours for executive decisions on ROI and financial considerations.
I am looking for recommended blogs/articles/documents/books on using Splunk for business analysis, but without the focus on streaming data.
Does anyone have any good resources, or can anyone share their own insights?
Personal Dev License still out there?
Does anyone know where to get the 10 GB personal dev license? I'm not talking about the 50 GB dev/test one. I was sent a link by support, but that seems to take me to the 50 GB one and is "pending review".
How to achieve this result by using the foreach command?
So:
serverlist   splunk_server
A            A
B            B
C            C
J            D
I
K
Here both are multivalued.
I need to write a query to get the results as:
serverlist   splunk_server   result
A            A               D
B            B
C            C
J            D
I
K
I don't want these multi-values to be changed to non-multi-values or mvexpanded. Thank you!
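One way to get that result without mvexpand, added here as an example and not part of the original question: `mvmap` walks one multivalue field and evaluates an expression per value, and `mvfind` returns the index of the first value in the other field that matches a regex (or null when nothing matches). This assumes Splunk 8.0 or later, where `mvmap` exists. The `makeresults`/`split` lines only construct the sample event from the question; on real data start from the base search instead.

```spl
| makeresults
| eval serverlist=split("A,B,C,J,I,K", ","), splunk_server=split("A,B,C,D", ",")
| eval result=mvmap(splunk_server, if(isnull(mvfind(serverlist, "^" . splunk_server . "$")), splunk_server, null()))
| table serverlist splunk_server result
```

Both input fields stay multivalued, and `result` is itself multivalued (here a single value, D). The `^` and `$` anchors stop a short name such as D from matching a longer one such as DE; if server names can contain regex metacharacters (dots in FQDNs, for instance), escape them before building the pattern.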
Hard time reaching sales
With the difficulty of reaching sales, I figured I would ask here. If I get a perpetual license, how long can I continue to use the software after the first year if I choose not to continue the support?
I mean, can I just "go alone + public support" after the first year? Or do I need to continue the support for... something?
How do I search and match a specific source against an input lookup
I am attempting to run the search below; however, I am not getting any results.
**source="source.tsv" [|inputlookup appname| fields inputfield AS "field"]**
I can search **source="source.tsv"** and get the fields displayed, and **|inputlookup appname| fields inputfield AS "field"** displays fine, but when I attempt to combine them to get a match, I get no results. I understand that this only provides a result when there is a match, but I have inserted a field that should trigger a match.
Can anyone please help point me in the right direction?
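A corrected form of that search, added as an example rather than the poster's own query: `fields` does not rename anything (it treats `AS` and `field` as two more field names to keep), so the subsearch returned terms such as `inputfield="..."` that match no field in source.tsv. `rename` gives the subsearch a column whose name is the field that exists in the source events, assumed here to be `field`.

```spl
source="source.tsv"
    [| inputlookup appname
     | rename inputfield AS field
     | dedup field
     | fields field]
```

To see exactly what the outer search receives, run the bracketed part on its own with `| format` appended; it prints the generated `(field="a") OR (field="b") ...` expression. Subsearches are capped by default at 10,000 results and 60 seconds, so a large lookup silently truncates the OR list; for big lookups, `| lookup` on the outer search is the safer pattern.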
Is there a way to submit events with user 'nobody'?
Hi.
I am trying to submit events, from a scripted input, with user 'nobody'.
I am getting this error:
HTTP 403 Forbidden -- insufficient permission to access this resource
In order to submit my events I did the following:
Set up my script in inputs.conf like this:
[script://$SPLUNK_HOME/etc/apps/my_app/bin/my_script.py]
disabled = false
index = my_index
interval = * * * * *
sourcetype = generic_single_line
passAuth = nobody
As explained in the documentation, http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
I am getting an auth token for my script.
passAuth =
* User to run the script as.
* If you provide a username, the instance generates an auth token for that
user and passes it to the script via stdin.
I am using the generated auth_token in my script like this.
import sys
from splunklib import client  # Splunk SDK for Python (splunk-sdk)
auth_token = sys.stdin.readline().strip()  # session token written to stdin because of passAuth
service = client.Service(token=auth_token, app='my_app')
index = service.indexes["my_index"]
index.submit("Test", sourcetype="my_sourcetype", host="my_host", source="my_source")
I also tried:
kwargs = {"owner": "nobody", "app": "my_app", "token": auth_token}
service = client.connect(**kwargs)
index = service.indexes["my_index"]
index.submit("Test", sourcetype="my_sourcetype", host="my_host", source="my_source")
Neither of them works; as soon as it reaches the line index.submit(), it throws the HTTP 403 Forbidden error.
If I change the 'nobody' user to any other user, even a user with the USER role, it works well. But I am required to make my script work with the 'nobody' one.
Any ideas on what I'm doing wrong?
How to Interpret License Usage Page - Splunk Enterprise
Hello Team Splunk!
I am having some trouble interpreting the license usage page in *Splunk Enterprise*. Figures 1 and 2 below show the parts I am confused about. Figure 1 shows that there was some type of license violation on July 25, 2018 while Figure 2 shows this date without any skyrocketing bar indicating that index went over its allowance of data, 500MB per day.
Also, does anyone know what "stack size" means in Figure 2?
Also, in Figure 1, how can a warning be generated if the poolsize is equal to zero? Seems like a warning would be generated if the poolsize is over 524288000 Bytes. I looked this up and found that 500 MB = 524288000 Bytes (in binary). Of course 500MB is the limit on the amount of data that the indexer can consume with the free license.
![alt text][1]
*Figure 1*: July 25, Poolsize = 0 bytes
![alt text][2]
*Figure 2*: Daily License Usage
[1]: /storage/temp/255688-splunk-license-warnings-8-13-2018-6-49-21-pm.png
[2]: /storage/temp/255689-splunk-license-8-13-2018-6-28-09-pm.png
Inputlookup in dropdown to display different columns
Hi all, I'm creating a dashboard that contains dropdowns that allow viewers to select a field `user_id`, and the table will **display a list of user_ids and other columns' values** for that id. But due to security restrictions, I am only given a search `index=version_search`, and when I edit the dynamic options in the dropdowns, the search strings return no results.
All information I have now is:
Index general settings:
/home/data/version_search/db
My source file (pretty sure the `inputlookup search_version` is not correct, because I am not sure if lookup tables are being created):
All * user_id user_id | inputlookup version_search | dedup "user_id" | fields "user_id" 0
Does anyone know any possible solutions? Thanks in advance!
compute the macro name to be used in a search
Hi Guys,
Is it possible to calculate the name of a macro to be used in a search from a token value?
I have a drop down list of system names that I have corresponding macros for.
e.g.:
key = ABC - macro = ABC_hosts
key = DEF - macro = DEF_hosts
key = GHI - macro = GHI_hosts
When a user selects an item from the list I want to use the token in my search to compute which macro to use. Is there a way to compute the macro name in the search?
$system$_host
if the user selected ABC I would like the search to have the following calculated using the token
index="_main" `ABC_hosts`
Thanks :)
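A minimal Simple XML form showing that wiring, added here as an example (it is not the poster's dashboard): tokens are substituted into the query text before the search is parsed, so the macro reference can be written as `$system$_hosts` inside the backticks. The index name `main` and the `stats` clause are assumptions for illustration. Keep the input a dropdown with fixed choices: because substitution is plain text, a free-text input in the same position would let a viewer inject arbitrary SPL into the search.

```xml
<form>
  <label>Hosts by system</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="system" searchWhenChanged="true">
      <label>System</label>
      <!-- one choice per existing macro: ABC_hosts, DEF_hosts, GHI_hosts -->
      <choice value="ABC">ABC</choice>
      <choice value="DEF">DEF</choice>
      <choice value="GHI">GHI</choice>
      <default>ABC</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $system$ is replaced textually (e.g. `ABC_hosts`) before the search runs -->
          <query>index="main" `$system$_hosts` | stats count BY host</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Each macro has to exist in macros.conf in an app the viewer can read; a choice value with no matching macro makes the search fail with a macro-not-found error rather than returning all hosts.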
Remove the first row in the search result
Hi Splunkers,
I have a search like **base_search | timechart count by fieldname**, and the result is displayed as below.
_time       fieldname1   fieldname2
2018-6-10   3            30
2018-7-10   150          12100
2018-8-10   3800         300
So I have to remove the first row in the table. Can you please help?
Difficulty reaching the Splunk Enterprise web interface from a cloud server public IP
I have an installation of Splunk Enterprise on a Google Cloud server. The server has an internal IP and an external IP. The installation completed successfully with no errors and splunkd is running, but when I try to access the web interface via the public IP and port 8000, it is unavailable. I have tried binding Splunk to the IP in splunk-launch.conf and web.conf, but that didn't seem to work either. Kindly assist with any information that could help solve this.
How to fix one column in a table when using the scroll bar (moving left to right and right to left)
I have a table with 34 columns, so I need to fix the first column in place while scrolling left to right or vice versa.
Dashboard panel shown blank; on enabling search, it runs perfectly in the search app in a new tab
My panel in a dashboard is showing nothing, completely blank, no error, nothing. However, when I enable search in the panel and run it in the search app, the query shows proper results.
Any idea what is happening? Leads would be helpful.
TIA.
HEC configuration
Hi,
Has anyone tried Ryan's post on HEC using rsyslog and HAProxy (https://www.rfaircloth.com/2017/02/10/building-perfect-syslog-collection-infrastructure/)?
Any issues met? I tried, and my HAProxy shows error code 400.
Thanks a lot
Need to remove the hand icon from a pie chart after drilldown
I have a pie chart with drilldown. When one value is chosen, the pie shows that value with 100% (which is correct).
However, there is a hand icon which is still shown on hovering over that pie, indicating further drilling (however, it doesn't drill down further). Can I change that to just the mouse icon?
Can I truncate tsidx files as we are facing a disk space issue? If yes, then what is the impact?
How can I configure my transforms.conf to filter specific events?
**Now here, this is a test log:**
Thu Jun 08 2017 03:06:50 www3 sshd[2294]: Failed password for beyonce from 10.1.10.172 port 3529 ssh2
host = node1   source = secure.log   sourcetype = asd
Thu Jun 08 2017 03:06:33 www3 sshd[4541]: Failed password for myuan from 10.1.10.172 port 1511 ssh2
host = node1   source = secure.log   sourcetype = asd
I want to configure my transforms.conf to filter my events. Concretely, I only want to get the events with "Failed password", and I also want to delete some events for specific users (the field that defines the user has the value 'myuan'); for example, delete the users called myuan and beyonce.
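The standard way to express that in Splunk is a chain of queue-routing transforms: send everything to nullQueue, rescue the lines you want, then drop the named accounts again. The fragment below is an added example, not the poster's configuration; it assumes the sourcetype `asd` shown in the sample events and that the stanzas are placed on the indexer or heavy forwarder that parses the data (a universal forwarder does not run these transforms).

```ini
# props.conf
[asd]
# transforms run in the order listed; each match overwrites the queue, so the last match wins
TRANSFORMS-filter = drop_everything, keep_failed_password, drop_named_users

# transforms.conf

# 1. default: discard every event (nullQueue events are never indexed or counted against the license)
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. rescue the failed-login events
[keep_failed_password]
REGEX = Failed password for
DEST_KEY = queue
FORMAT = indexQueue

# 3. drop failed logins for the named accounts even though step 2 matched them
#    ("invalid user" is the form sshd logs for accounts that do not exist)
[drop_named_users]
REGEX = Failed password for (?:invalid user )?(?:myuan|beyonce) from
DEST_KEY = queue
FORMAT = nullQueue
```

REGEX is applied to the raw event (SOURCE_KEY defaults to _raw), and both files need a restart of the parsing instance to take effect. One caveat for a security log: failed-login events for specific accounts are exactly what a brute-force or password-spray detection keys on, so if the goal is noise reduction rather than permanent exclusion, routing those events to a separate short-retention index (FORMAT = indexQueue plus a second transform with DEST_KEY = _MetaData:Index) keeps the evidence without filling the main index.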
Error message from attached file
![alt text][1]
[1]: /storage/temp/255691-3.jpg
Hi
I have a question about the error message in the attached file.
Field extraction updated, but how to activate it in the data model?
I have updated the field extraction for some fields, but the data model still uses the old definition.
How do I make the new definition active in the data model?
How to merge this case
I have a table like this one, and I want to know how to merge different values based on one field.
Example table:
[AS-IS]
![alt text][1]
[TO-BE]
![alt text][2]
P.S. a/b/c is the value when at/bt/ct is "Y".
[1]: /storage/temp/255695-1.png
[2]: /storage/temp/255696-2.png