Channel: Questions in topic: "splunk-enterprise"

Anyone have a good alert to fire when data is injected by Splunk with a bad time stamp?

All, say a log comes in dated 10 days older than today's date. I'd like a report or alert on that. Anyone have a good search for that handy?

Topology Visualization: Message Format

Hi, in order to achieve the Topology Visualization for my messages/alerts, are there any specific message fields that the app is looking for? How is the graph representing relationships between different nodes built; is it automatic? Is any documentation available? Thanks.

Course expiration

I was finishing up this course, Splunk 7.x Fundamentals Part 1 (eLearning), this morning. It is not due to expire until 8/18/2018. I went to a meeting and came back and found I could not launch the course again. What can I do to finish up this course? Bob Poyer bob.poyer.cdh2@statefarm.com

Palo Alto Networks App for Splunk seems to ignore restrictions in user's role

We use custom-built roles for different groups who use Splunk. Typically the users in their role are restricted to certain indexes, and further restricted in which hosts they can see by using tags (hosts are tagged with the tags associated with the roles that are allowed to see them). Our Palo Alto logs are in their own pan_index, and only certain people in our IT Security group are allowed access to that index through their role. However, it seems that this does not extend into the Palo Alto Networks app for Splunk. It seems that anyone who can log in can open the app and see things in the Incident Investigation Feed (_time, log_subtype, threat_name, severity, action, app, client_ip). I'm wondering why that is so? Is there a way to restrict who can use the app?

How to re-index / sync new data from directories which are monitored?

Hi, each day I download new logs into directories which are monitored. I would like to know how to force Splunk to add these new logs right after they are downloaded. PS: I don't want to re-index my whole directory, just the new logs, so please don't answer "splunk clean eventdata -index _thefishbucket".

How to get volume by indexer?

All, is there a better way to get data volume by indexer than this search, run from the search head without access to the internal indexes?

index=* | fields _raw, volume, splunk_server | eval volume=len(_raw) | stats sum(volume) by splunk_server

How to return full count of field1, and a TRUE/FALSE field if 1 or more of the results in field1 match specific criteria

eventtype=X | iplocation ClientIP | where Country!="United States" | eval bad=if(match(Country,"Brazil|China|Vietnam|India|Thailand|Nigeria|South\sSudan|Russia|Ukraine|Turkey"), "TRUE","FALSE") | rex field=UserId "(?[\w\d]+(?=\@email))" | stats dc(Country) as Country_Count by Account, bad | sort - count

With this search, I am attempting to find all users who are logging in from countries outside of the US, count how many of those countries are seen in those logins, and return a simple TRUE or FALSE if any one of those countries matches the named countries. My issue is that each account returns 2 separate stats results if anything matches both TRUE and FALSE. For example, if account=abc is seen logging in from 10 different countries, but 1 of them is Nigeria, it will return a row showing 9 "FALSE" and a row with 1 "TRUE". How can I modify this search so that account=abc shows up with a country count of 10, and the "bad" field just shows "TRUE"?

Indexer configuration problem

Hi Team, I have the machines below on AWS, currently running in non-cluster mode. I am able to send data to the main index but not able to send data to any newly created index. Please help.

1) Search Head
2) Indexer1
3) Indexer2
4) Forwarder 1
5) Forwarder 2

Much appreciated for your time and inputs! Regards, smdasim

Why am I getting "The lookup table does not exist. It is referenced by configuration" error even though I haven't used it in my dashboard?

I haven't used any lookup table in my dashboard. But I am still facing the "The lookup table XXX does not exist. It is referenced by configuration YYY" error. I have checked the permission settings of XXX in Lookup definitions, Automatic lookups, Lookup table files, and the configuration settings of YYY. Each one has been set to Global. What's wrong with my Splunk then?

Forward specified events to receiver

I need to receive only events with action=blocked from forwarders. My logs are:

Aug 18 12:56:13 192.168.X.X date=2018-08-18 time=12:50:36 devname="XXX" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1534580436 srcip=192.168.x.x srcname="SPLUNK" srcport=138 srcintf="internal" srcintfrole="lan" dstip=192.168.x.x dstport=138 dstintf=unknown-0 dstintfrole="undefined" sessionid=76899473 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/138" dstcountry="Reserved"

I configured my props.conf:

[host::192.168.X.X]
TRANSFORMS-null= setnull,setparsing

and transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^action=(blocked)
DEST_KEY = queue
FORMAT = indexQueue

But when I do this, the forwarder doesn't receive any logs from my device. Can you tell me where my mistake is?

Why are lookups loaded for sourcetypes that don't apply?

I noticed in search.log that there are "INFO LookupOperator - Loading lookup table=..." log events that don't apply to the sourcetypes specified in the search. Later there is another event that says "INFO LookupOperator - Disabling automatic lookup of table=..." Why is Splunk loading lookup tables that aren't used by any of the source types specified in the search?

Set Source Type preview blank

When I upload any new data to Splunk to review before indexing, the preview page is blank and no sample of the data is generated.

Splunk Version: 7.1.2
Lab environment

Inputlookup and join searches

Hello, I want to do a match between a CSV file and my Splunk search. In the CSV file, I want the field "host", which corresponds to a list of computer names, to match with my searches. It means that for every host I want to match the free disk space, the date of last logon, last reboot, etc. Could you help me please?

| join type=outer host [inputlookup append=t NZDL.csv] | (index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space") OR (index="windows-wmi" sourcetype="WMI:LastLogon") OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime) OR (index="windows-wmi" sourcetype="wmi:MemorySize") OR (index=windows sourcetype=winregistry earliest=-120d key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry" OR key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" OR key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel") OR (index="windows-wmi" sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode)

Hiding input panels based on other input panels

As the title says, I am attempting to hide input panels based on the input provided in another input panel. As it stands, the tokens get set correctly, but the panels are still displayed. I've been working on this a while now and still cannot see what the issue is...

Code: -4h@mnowWhole Range (noisy)Specific IP|search (("Stuff and Things"))1Known ServerManual Entry11IPIP| inputlookup NAME.csv-15mnow

For integrating Splunk into my own web app, what's the difference between SplunkJS Stack and the Splunk SDK for JavaScript?

I want to integrate the search and visualization functionalities into my own app; which one should I use?

Check if StringA is in StringB

How can I make a case condition to check if StringA is in StringB? For example, StringA is "xxx.com." and StringB is "a.xxx.com."

Error while adding search peer to search head

I'm getting the below error when adding a distributed search peer to the search head, on the CLI or in the GUI.

/opt/splunk/bin/splunk add search-server x.x.x.x:8089 -auth admin:password -remoteUsername admin -remotePassword password

Invalid action for this internal handler (handler: distsearch-peer, supported: list|edit|remove|_reload|new|disable|enable|doc, wanted: create).

I'm able to connect to the indexer server via nc, and there are no network or firewall blocks.

Inputlookup CSV two files: map table1 (file1) with table1 (file2) AND show the other information from file 2 in tables 2, 3, 4...

Hi, I'm new to Splunk. I did not find the answer here in Answers, as my list_2 has some other account information. I need to compare two lists. The search should be: show me all identical numbers (accountId) from table 1 (field1) in list_1 and in list_2 (also in table/field1, accountId).

file_1.csv
accountId
123
234
345

file_2.csv
accountId, Name, City, accountId2
123, John, Texas, BA001
999, Paul, Vienna, BA009
345, Emma, New York, BA008
567, Smith, Indiana, BA004

Result should be: show me all customers that are in file_1 AND file_2 (in table accountId). The result should **also** show information like accountId, name, city, taken from list_2. In this example:

accountId, Name, City
123, John, Texas, BA001
345, Emma, New York, BA008

Is it possible for a search result to be manually added to a static HTML table on Dashboard?

I have a static table on a dashboard panel. I was hoping someone could help me pass the result from a search into a `` tag. I have sample code below *(sample only, my working search is much more complicated)*:

index=foo sourcetype=bar | eventstats count as SomeField | dedup SomeField | table SomeField

Which results in:

SomeField
13993

I understand that Splunk's default input fields have this *Dynamic Options* section where you write the *search string*, choose the *field for label* and then *field for value*, and then use `$token$` to pass / append the result into a search string. Can I do the same programmatically in the source code of the dashboard and have the result appear in a `` or a particular cell of my static HTML table? Is this possible? If so, can I ask for a working HTML example? Thanks in advance.

Break XML response in multi-line events

Hello, I am trying to break the XML response into multi-line events but am not able to do so. In the attached URL, the 1st highlighted "-1" is the version id and the 2nd highlighted "-1" is the cycle id, and I want to get all the cycle ids from the XML response. Please advise how I can achieve this. Add https:// before imgur.com/j0db7gi (I don't have enough karma points to post the URL). Thank you so much!