Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

How to put query result in token?

Hi, I want to output the result from a query into a token. How can I do that? `|inputlookup SourceType_Attributes | where Sourcetype=$source_type$ | table field1 $'result.field1'$` I am not sure I have the right syntax.

Assign input text value depending on input checkbox

Hi, we want to assign a value to an input text box depending on the checkbox values selected in the dashboard. The user should also be able to update the values in the text box. (Screenshot: /storage/temp/255819-search-condition.jpg) We want the user to be able to update the search condition depending on the attributes selected. Search results will be displayed depending on the search condition. Is it possible with a Splunk dashboard?

I need to monitor IsmServ and Kdc services on Active Directory

Hi Team, I am looking to monitor the IsmServ and Kdc services from AD. What are the changes we need to make in inputs.conf to collect these? Thanks and Regards, Jagadish Pullappa

timechart based on index time

I'm trying to create a timechart to show when logs were ingested. I'm trying to use _indextime but it doesn't seem to be working. What am I missing in my SPL? Current query: `index=web | eval _time=strptime(_indextime, "%d-%b-%y %H:%M:%S") | timechart span=1h count by index`

Splunk _internal call without data for Splunk DB Connect

Hello, I am trying to enable/disable any input of the Splunk app DB Connect. To do that I found the internal calls `POST /servicesNS/nobody/Splunk_TA_microsoft-sqlserver/configs/conf-db_inputs/MYINPUT/enable` and `POST /servicesNS/nobody/Splunk_TA_microsoft-sqlserver/configs/conf-db_inputs/MYINPUT/disable`. But I cannot find a way to do it with the _internal call: `sudo -H -u splunk /opt/splunk/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_microsoft-sqlserver/configs/conf-db_inputs/MYINPUT/enable`. Is there an easy way to do it (with the _internal call feature)? Thank you.

Why would Splunk be grouping events together when I haven't told it to?

Wow, so finding any related questions on this has proven very difficult, as any searches for "Splunk grouping events together" all point to transactions, etc. Splunk is grouping events together for some reason into single events and I cannot seem to find a pattern as to why it is doing this. Here is an example of our events that are grouped together:

2018-08-27T14:23:32.345136+00:00 host01 FOO[28683]: FOO6004: SMS from for MDN=00000000 being dispatched to SMSC XYZA for delivery
2018-08-27T14:23:32.483302+00:00 host01 FOO[28683]: FOO6002: Received SMS request from HTTPD @ for destination MDN=00000000000
2018-08-27T14:23:32.483325+00:00 host01 FOO[28683]: FOO6004: SMS from for MDN=00000000 being dispatched to SMSC XYZA for delivery
2018-08-27T14:23:32.483302+00:00 host01 FOO[28683]: FOO6002: Received SMS request from HTTPD @ for destination MDN=00000000
2018-08-27T14:23:32.483325+00:00 host01 FOO[28683]: FOO6004: SMS from for MDN=00000000 being dispatched to SMSC XYZA for delivery

Then that grouping ends and this is the start of the next one... As you can see it's not grouped by second. Anyone ever see anything like this? Got any hints?

2018-08-27T14:23:28.325135+00:00 host01 FOO[5060]: FOO6002: Received SMS request from HTTPD @ for destination MDN=00000000
2018-08-27T14:23:28.325157+00:00 host01 FOO[5060]: FOO6004: SMS from for MDN=0000000 being dispatched to SMSC XYZA for delivery
2018-08-27T14:23:28.325135+00:00 host01 FOO[5060]: FOO6002: Received SMS request from HTTPD @ for destination MDN=00000000

Qualys Technology Add-on (TA) for Splunk stops fetching data after 503 errors

Apparently the Qualys Technology Add-on (TA) for Splunk stops fetching data after 503 errors. First it will try 3 times and after the third 503 (Service Unavailable) it starts redirecting, to where is unclear. The redirected requests are retried an infinite number of times. The only way out is to kill the Python script. At the next fetch interval it will start automatically and continue collecting data without problems. This happens for all three input types (host_detection, was_findings, policy_posture). Any idea how to solve this? Thanks! Here is the logging for host_detection only:

TA-QualysCloudPlatform: 2018-08-23 22:00:14 PID=16129 [MainThread] INFO: TA-QualysCloudPlatform [host_detection] - Making request: https://qualysapi.qualys.eu/msp/about.php with params={}
TA-QualysCloudPlatform: 2018-08-23 22:00:15 PID=16129 [MainThread] ERROR: TA-QualysCloudPlatform [host_detection] - Unsuccessful while calling API [503 : Service Unavailable]. Retrying: https://qualysapi.qualys.eu/msp/about.php with params={}. Retry count: 1
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 253, in get
    request = urllib2.urlopen(req, timeout=timeout) # timeout set to bail in case of timeouts
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 475, in error
    return self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 558, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 503: Service Unavailable
TA-QualysCloudPlatform: 2018-08-23 22:05:15 PID=16129 [MainThread] ERROR: TA-QualysCloudPlatform [host_detection] - Unsuccessful while calling API [503 : Service Unavailable]. Retrying: https://qualysapi.qualys.eu/msp/about.php with params={}. Retry count: 2
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 253, in get
    request = urllib2.urlopen(req, timeout=timeout) # timeout set to bail in case of timeouts
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 475, in error
    return self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 558, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 503: Service Unavailable
TA-QualysCloudPlatform: 2018-08-23 22:10:15 PID=16129 [MainThread] ERROR: TA-QualysCloudPlatform [host_detection] - Unsuccessful while calling API [307 : Temporary Redirect]. Retrying: https://qualysapi.qualys.eu/msp/about.php with params={}. Retry count: 3
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 253, in get
    request = urllib2.urlopen(req, timeout=timeout) # timeout set to bail in case of timeouts
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 469, in error
    result = self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 635, in http_error_302
    new = self.redirect_request(req, fp, code, msg, headers, newurl)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 596, in redirect_request
    raise HTTPError(req.get_full_url(), code, msg, headers, fp)
HTTPError: HTTP Error 307: Temporary Redirect
TA-QualysCloudPlatform: 2018-08-23 22:15:15 PID=16129 [MainThread] ERROR: TA-QualysCloudPlatform [host_detection] - Unsuccessful while calling API [307 : Temporary Redirect]. Retrying: https://qualysapi.qualys.eu/msp/about.php with params={}. Retry count: 4
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 253, in get
    request = urllib2.urlopen(req, timeout=timeout) # timeout set to bail in case of timeouts
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 469, in error
    result = self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 635, in http_error_302
    new = self.redirect_request(req, fp, code, msg, headers, newurl)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 596, in redirect_request
    raise HTTPError(req.get_full_url(), code, msg, headers, fp)
HTTPError: HTTP Error 307: Temporary Redirect
TA-QualysCloudPlatform: 2018-08-27 13:58:33 PID=16129 [MainThread] ERROR: TA-QualysCloudPlatform [host_detection] - Unsuccessful while calling API [307 : Temporary Redirect]. Retrying: https://qualysapi.qualys.eu/msp/about.php with params={}. Retry count: 1056
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 253, in get
    request = urllib2.urlopen(req, timeout=timeout) # timeout set to bail in case of timeouts
  File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 469, in error
    result = self._call_chain(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 635, in http_error_302
    new = self.redirect_request(req, fp, code, msg, headers, newurl)
  File "/opt/splunk/lib/python2.7/urllib2.py", line 596, in redirect_request
    raise HTTPError(req.get_full_url(), code, msg, headers, fp)
HTTPError: HTTP Error 307: Temporary Redirect

column with incremental change based on another column

Hello everyone, I am new to the Splunk world and stuck with a query. Can you please help me find the solution for the following problem? I am trying to create a new column with a value which is increased by 1 if there is any change in the limit column. Here is the code that I tried:

`| sort localisation _time | streamstats range(_time) as Duration window=2 | eval Duration1 = Duration/60 | eval limit = if(Duration1 < 1,1,2) | autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change`

"Changes I get" is the column which is getting populated and "Expected changes" is what I am looking for. Every time the value in the limit column changes I want the column to increase its value by 1, else stay the same. I tried the answer from this [Post][2] but it is not working for me.

Limit Change I get ExpectedChange 1 0 1 0 0 2 1 1 2 0 1 1 1 2 2 1 3 1 1 4 2 1 5 1 1 6 2 1 7 1 1 8 2 1 9 2 0 9 2 0 9 2 0 9 2 0 9

Thank you in advance.

[1]: https://answers.splunk.com/answers/675583/how-to-increment-the-field-based-on-the-previous-v-1.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
[2]: https://answers.splunk.com/answers/675583/how-to-increment-the-field-based-on-the-previous-v-1.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

How to check if Field exists or not and extract value?

Hi. I need to use the IP address in iplocation, but O365 returns 2 different logs: one with the "ClientIP" field and others with the "ClientIPAddress" field. The issue is that in the logs only one of them exists. If there was a null value for one of them, then it would be easy; I would have just checked for the null value. The search looks like this: `mysearch |eval IPs= if(ClientIP "exists", ClientIP, ClientIPAddress) |iplocation IPs |stats ...` I can't do the "ClientIP exists" part. Maybe this is not correct and another approach should be used. Does anyone know the solution?

Windows Security logs

I can't seem to figure out why I am not getting all of the Security logs. I have checked the blacklists. I can see event IDs 5136 and 5141 but I am missing 4720. These events are coming from the DC. 4720 is creating an account, 5136 is modifying an account, 5141 is deleting an account.

Send email to different groups based on search result contents for host field.

I execute a search and, from the search results, if the host contains hostA, I want to send an email to groupA, and if it contains hostB then I want to send an email to hostB. Sometimes the search results can contain both hostA and hostB, in which case I want to send an email to both groupA and groupB.

How do I table a transactionid value using regular expression?

Below is my log: `[ERL_ROUTE_ACK_INTERFACE] 2018-08-27 11:06:02 DEBUG [callUpdateERLRouteStatus] ERLRouteAckServiceImpl at line ? | Successfully updated the HDR record for transactionId : 869584588` I want to table the transactionId value. Can somebody please help?

How exactly does the Splunk DB Connect Redshift plugin work?

It seems incredibly slow loading data in. Is it trying to do it all through a head node? Redshift recommends other methods for timely data loading, such as flat file ingestion, for speed; I just wanted to make sure the plugin wasn't designed to do some fancy magic of this sort and that I'm not missing an option to perform this through DB Connect. Does it seem that perhaps the Redshift plugin is more suited just for reads?