Channel: Questions in topic: "splunk-enterprise"

compare event count today vs yesterday vs last week vs prior week

Hi, I want to compare the event count for today with yesterday, last week and the prior week using timewrap, over the complete day, i.e. from the start of the day till now.

Could you make a table over or by the fields being represented or the statistical functions being used?

With the "chart" or other functions, could you make a table over or by the fields being represented or the statistical functions being used? The result, I'm thinking, would have rows saying "min," "avg," "sum," and so on, or it would have the same headers for the columns, with the field being summarised as the title of the other axis. Is this possible in Splunk?

Any way to distribute local system files (conf) to search heads?

I want to make changes to web.conf and distribute them. Any way to do it for search heads? Thanks.

Splunk VNX App for VNXe Devices

I am trying to integrate VNXe devices (VNX3200 series) using the Splunk Add-on for VNX, which runs naviseccli commands on the VNX boxes. However, it throws the error "CLI commands are not supported by the target storage system". As per "https://community.emc.com/thread/227349?start=0&tstart=0" and "https://community.emc.com/thread/234942?start=0&tstart=0", UEMCLI commands are used for VNXe instead of naviseccli. Can anyone help clarify this, and also whether the Splunk add-on supports UEMCLI as well?

How to drill down on an event to see data 15 minutes before that event's time and 15 minutes after

Can we drill down on an event to see data 15 minutes before that event's time and 15 minutes after? For example, the events are:

[8/16/18 6:49:41:163 EST] Website crashed Error : 404
[8/16/18 6:58:41:163 EST] Website crashed Error : 404
[8/16/18 7:25:41:163 EST] Website crashed Error : 404
[8/16/18 8:15:41:163 EST] Website crashed Error : 404

So I have a drop-down to select the error code and see its events; above, the user has selected **error 404** for the time range, which lists all 404 events in the last 30 minutes. If the user selects the first event, with [8/16/18 6:49:41:163 EST], they should be able to see 15 minutes before and after.

The request was aborted: Could not create SSL/TLS secure channel.

Dear Team, I am new to Splunk and am trying to create a sample for hitting the Splunk endpoint from C# code. I have configured it on my localhost. When I access the below URL, I get **Login failed**, and from the code I get **The request was aborted: Could not create SSL/TLS secure channel.** Kindly advise on this. Thanks in advance. https://localhost:8089/services/auth/login?username=admin&password=admin123

Splunk SDK for Java

Hello guys, as we know, we can connect to Splunk from Java using the SDK for Java on port 8089, running over HTTPS. But now I want to connect to Splunk running on HTTP over port 8089. How can I achieve this? In server.conf the protocol is http, and in web.conf the protocol is https. How can I connect to Splunk in this situation? Many thanks.

Is it possible to containerize Splunk in Azure Cloud for an on-Premise environment

Hi all, is it possible to containerize Splunk in Azure Cloud for an on-premise environment, i.e. the backend servers: master, SHs, indexers, deployment server, deployers, HFs? If supported, would it provide any benefit or only added complexity? Thanks, Sree

Error with Splunk Stream: Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream"

Hi all, we are receiving the below error in the Splunk Stream app. We have installed a separate universal forwarder and installed the Stream add-on on it to read PCAP files. Any help on this would be appreciated.

Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": Introspecting scheme=streamfwd: script running failed (exited with code 1).

Heavy forwarder does not forward data from DB Connect

Hello, I have set up a heavy forwarder with DBX. The connection to my sample database (MySQL) works, but the data is not forwarded to my indexer. I tested the connection by forwarding the syslog from the machine to my indexer, and this worked fine. I have read Splunk Answers up and down but cannot find the solution to my problem. According to other answers, it should be enough to have set up outputs.conf correctly, which I think I proved by forwarding syslog. I searched metrics.log for any hint of my data being forwarded, but did not find any (I searched for "test", which is the index the data should be stored in).

db_inputs.conf:

[all_testtable]
batch_upload_size = 1000
connection = testconnect
disabled = 0
fetch_size = 300
index = test
index_time_mode = current
interval = 1200
max_rows = 0
max_single_checkpoint_file_size = 10485760
mode = rising
query = SELECT * FROM `testbase`.`testtable` where ID > ? order by ID
query_timeout = 30
sourcetype = Standard
tail_rising_column_number = 1

The Splunk version (both forwarder and indexer) is 7.1.2, and the DB Connect version is 3.1.3. Any help appreciated.

Search SPL to show messages menu

Can someone tell me the Splunk query that matches the contents of the "Messages" menu item? As an example, I see the following message in my Messages drop-down from the menu, but I want the Splunk query that shows the same: "Search peer redacted.server.com has the following message: Indexer Clustering: Too many bucket replication errors to target peer=10.1.2.3:9887. Will stop streaming data from hot buckets to this target while errors persist. Check for network connectivity from the cluster peer reporting this issue to the replication port of target peer. If this condition persists, you can temporarily put that peer in manual detention."

Developer License Extension

Dears, I requested the developer license extension last week but haven't seen any reply from Splunk. I requested the license again today and sent an email to devinfo@splunk.com. Is there any chance of a free license extension for my app implementation? Thanks, Ramu Chittiprolu

Splunk Query

Hi Splunkers, I need help forming a Splunk query. Requirement: find the time differences (delta1, delta2, delta3, ...) between consecutive events, by a specific field. Example:

User A, eventcount = 5: [delta1, delta2, delta3, delta4]
User B, eventcount = 3: [delta1, delta2]

Thanks for the help. Regards, Ankith

datamodelsimple returned error code 1

I ran the simple command below:

| datamodelsimple

and got: External search command 'datamodelsimple' returned error code 1. Splunk version 7.1.1, CIM 4.11.

Detect password in username field followed by successful logon

To detect a failed login followed by a successful login (within a 60-second period), I run:

index=myindex sourcetype=wineventlog:security (EventCode=4624 OR EventCode=4625)
| transaction Account_Name, host startswith="EventCode=4625" endswith="EventCode=4624" maxspan=60s
| eval baduser = mvindex(Account_Name,2)
| eval nextsuccess = mvindex(Account_Name,1)
| table baduser nextsuccess host _time

To detect a username that looks like a password (14+ characters and 3 of 4 character classes), I run:

index=myindex sourcetype="wineventlog:security" EventCode=4625
| eval Account_Name = mvindex(Account_Name,1)
| search Account_Name!="*$"
| rex field=Account_Name "(?<pass>(?=^.{14,}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*)"
| stats count by pass
| fields - count

The question is: how do I combine these searches? For each bad `Account_Name` in the second search, I would like to find the next successful logon within a 60-second period. My end goal is a table containing 2 fields: the failed login `Account_Name` and the next successful login `Account_Name`. The input is the standard Windows security event log. For example:

Possible_Password | Next_success
oopsTh1sismypassw0rd!! | msmith67

Find the max length where the field name is firstName_1, firstName_2, ...

My Splunk entry is firstName_1="Tom" firstName_2="Jerry" firstName_3="Tom1" firstName_4="Jerry1". I would like to find the max length of firstName. The answer for the above entry should be 6, as the firstName_4 value is Jerry1 (6 characters). I tried `| table firstName_*`, but I get all the values in a table, and to find the max length I need to compute the length manually. I tried `| eval len(firstName_*)` but get an error. Can you please help me with this? Thanks

Splitting columns into rows

Hi Splunk gurus, I have an unusual requirement where I need to create two rows from one:

A | B | C | D | E

to

Row 1 - A | B | C | D
Row 2 - A | B | C | E

I think I could achieve this by using append, but the query is very complex, so I don't want to have to run it twice, unless maybe it can be referenced and then queried twice, if that makes sense? Apologies in advance if I haven't made myself clear! Thanks in advance, Greg

Regex command to remove the special character

I want to remove the special characters after the number. Please help. Data: 7.62\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 I want: 7.62. The number is not constant; it will keep changing, so I need to remove only the special characters.

KVStorageProvider --- saveBatchData:upsert --- No collection available

I keep seeing this error in the internal logs: kvstorageprovider - an error occurred during the last operation ('savebatchdata:upsert', domain: '0', code: '0'): No collection available. We aren't using KV stores; I've even gone in and disabled the KV store via web.conf. It's still throwing this error. I found a similar post about empty bulk data and tried the recommended query against the splunkd_access sourcetype. I have ZERO events with code 500, which the other post indicates to check for. Also, no servers in the cluster have the KVStore role.

What does the view Settings -> Sourcetypes (under the Data section) tell us?

Hi, I am troubleshooting an issue where data from a particular sourcetype is not getting parsed correctly. I came across this page under Settings -> Sourcetypes and want to understand what exactly it tells us. When I look at the sourcetypes listed on this page, several are missing even though we can see data in Splunk for those sourcetypes. If I run `index=* | stats count by sourcetype`, all of them are listed, but many from that list won't show up on that page. I checked on both the search head and the indexer, with the same results. E.g. we are getting Windows event log data from the 4 common sources, i.e. Application, Security, System and Setup. But when I check under Settings -> Sourcetypes, only Application and Security are listed, and the app assigned to them is splunk_app_windows_infrastructure. What happened to the other two sourcetypes (System/Setup) for which we are getting data? ![alt text][1] But we are getting data for all the sources. ![alt text][2] Thanks, ~ Abhi [1]: /storage/temp/254716-wineventlog-splunk1.png [2]: /storage/temp/254717-wineventlog-splunk2.png