How to know the number of events processed in a dashboard?
Question 1. I have a dashboard with multiple timechart-type queries running with different logic and different preset times.
I want to know how many events were processed as part of each chart's run. And if possible, can I have that value shown in that same dashboard?
Question 2. I want a query that can tell me how many events there are in a specific time period I choose, e.g. 25th Aug from 10 to 14, or 15th August all day; possibly in a timechart visualization like Monday = 30000 events, Tuesday = 45666 events, etc., in a line chart.
Timechart with multiple rows
I am trying to set up a timechart and I am a beginner in Splunk. I'd like to show a timechart with two rows, i.e., two sets of data for a week.
I have the query below:
`index=myindx "Box Sales Job:" "Total number of boxes sold" earliest=-7d@d latest=@d | rex field=_raw "Total number of boxes sold:(?<BoxCount>.+) for (?<BoxType>.+)" | table BoxType, BoxCount, _time`
that produces
```
+---------+----------+-------------------------+
| BoxType | BoxCount | _time                   |
+---------+----------+-------------------------+
| Small   | 45       | 2018-08-28 16:27:35.649 |
| Small   | 17       | 2018-08-28 13:27:35.649 |
| Large   | 65       | 2018-08-28 16:27:34.142 |
| Large   | 10       | 2018-08-28 13:27:34.142 |
| Small   | 66       | 2018-08-24 16:59:55.100 |
| Large   | 12       | 2018-08-24 16:59:54.288 |
| Small   | 60       | 2018-08-24 09:38:01.101 |
| Large   | 12       | 2018-08-24 09:38:00.373 |
| Small   | 45       | 2018-08-27 16:44:28.652 |
| Large   | 56       | 2018-08-27 16:44:28.168 |
| Small   | 12       | 2018-08-25 16:31:32.386 |
| Large   | 34       | 2018-08-25 16:31:31.931 |
| Small   | 98       | 2018-08-23 16:33:43.708 |
| Large   | 12       | 2018-08-23 16:33:43.092 |
+---------+----------+-------------------------+
```
What I am trying to show is as below. Please note box sales happened twice on the 28th.
```
| Box   | 7days_before | 6days_before | 5days_before | 4days_before | 3days_before | 2days_before | 1days_before | latest |
|-------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------|
| Small | 45           | 49           | 98           | 12           | 45           | 60           | 66           | 45     |
| Large | 75           | 11           | 12           | 34           | 56           | 12           | 12           | 65     |
| Small | 0            | 0            | 0            | 0            | 0            | 0            | 0            | 17     |
| Large | 0            | 0            | 0            | 0            | 0            | 0            | 0            | 10     |
```
I tried the query below and a couple of other ways:
`index=myidx "Box Sales Job:" "Total number of boxes sold" earliest=-7d@d latest=@d | rex field=_raw "Total number of boxes sold:(?<BoxCount>.+) for (?<BoxType>.+)" | table BoxType, BoxCount, _time | timechart span=24h count | timewrap 1d`
but it ends up showing the count of rows rather than the desired format. I am not sure what I am missing. Any ideas?
Why does my sed replace command replace too much?
I need some help figuring out why my sed replace command is replacing all of the text to the end of the event in Splunk rather than just the specific text I had it look for. As part of a GDPR-compliance project, I was tasked with anonymizing personal names that come through Splunk, which my solution does. But I'm finding that everything after the replaced text is being cut off as well.
In my props.conf file, I've added this section to do the replace:
```
[host::...*]
SEDCMD-GDPR-anonymize-firstname = s/\"FirstName\"[=:].*\".*?\"/"FirstName":"######"/g
```
These are JSON messages, so I have Splunk looking for the "FirstName":"Billy", and want it to replace whatever it finds between the double-quotes with the pound signs, which it does.
Here's a sample message that I want to anonymize:
"Beneficiary_LocalID":"TZ056500190",**"FirstName":"Billy"**,"Location":"Tanzania"
**Desired result:**
"Beneficiary_LocalID":"TZ056500190","FirstName":"######","Location":"Tanzania"
**Actual result:**
"Beneficiary_LocalID":"TZ056500190","FirstName":"######"
Do I have something wrong in my regex statement that is causing the rest of the event to be included in the replacement? Any help would be greatly appreciated.
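Added here as an illustration (not from the post): Python's `re` reproduces the greedy `.*` behaviour the poster observes, next to a corrected pattern that stops at the value's closing quote. It assumes Splunk's SEDCMD regex engine treats `.*` and `[^"]*` the same way (PCRE-style); `EVENT2` is a constructed variant, not from the post.

```python
"""Why the posted SEDCMD consumes the rest of the event.

Added example, not from the original post. Python's re reproduces the
greedy-match behaviour the post describes; Splunk's SEDCMD is assumed to
treat ".*" and "[^\"]*" the same way (PCRE-style), so the corrected pattern
is an illustration rather than a tested Splunk configuration.
"""
import re

# Sample event from the post, plus a constructed one with FirstName first.
EVENT = '"Beneficiary_LocalID":"TZ056500190","FirstName":"Billy","Location":"Tanzania"'
EVENT2 = '"FirstName":"Ana","Beneficiary_LocalID":"TZ0001"'
REPLACEMENT = '"FirstName":"######"'

# The posted pattern. The greedy .* runs to the end of the event and only
# backtracks far enough to satisfy: a quote, a lazy .*?, one more quote.
# Those two quotes end up being the ones around the *last* value in the event.
POSTED = re.compile(r'"FirstName"[=:].*".*?"')

# Corrected pattern: [^"]* cannot step over a quote, so the match is exactly
# the opening quote, the value and its closing quote, and nothing after it.
FIXED = re.compile(r'"FirstName"[=:]"[^"]*"')


def matched_text(pattern, event):
    """The exact span the pattern consumes, i.e. what SEDCMD would replace."""
    m = pattern.search(event)
    return m.group(0) if m else None


def anonymize(pattern, event):
    """Apply the post's replacement string using the given pattern."""
    return pattern.sub(REPLACEMENT, event)
```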
Splunk_TA_nix: why are my reports showing "No results found"?
Hi,
I'm having trouble with the TA_nix application installed on RHEL 7, Splunk version 7.1.1. I'm getting the data from my server that has TA_nix installed; my Splunk server (single instance) also has TA_nix and app_for_nix to monitor the RHEL 7 server, but the reports are showing "No results found".
The data is there: if I search for *index=os or index=df* it shows events from the host I want to monitor, but the dashboards are dead.
Can you help me? Maybe I can look at some logs or something?
Thanks,
Splunk App for AWS: Availability timeline for 7.1.2
When will the Splunk App for AWS be available for Splunk Enterprise 7.1.2? Thanks!
Custom alert script fails with sendalert
I'm trying to create a custom alert application. All I want to do right now is see what kind of parameters I can pull and utilize, so I'm just doing a simple print into a file. I created an app called, say, test, and the script is called showconfiguration. This is my first time making a custom app.
Here's what the directory structure looks like under /opt/splunk/etc/apps/test:
```
test/
├── appserver
│   └── static
│       └── icon.png
├── bin
│   └── showconfiguration.py
├── default
│   ├── alert_actions.conf
│   ├── app.conf
│   └── data
│       └── ui
│           └── alerts
│               └── showconfiguration.html
├── metadata
│   ├── default.meta
│   └── local.meta
└── README
    └── alert_actions.conf.spec
```
Here's the alert_actions.conf contents:
```
[showconfiguration]
is_custom = 1
label = Testing Splunk alerting capability
description = Testing
icon_path = icon.png
payload_format = json
param.trigger_reason = Saved Search [test] number of events ($job.resultCount$)
param.result_count = $job.resultCount$
param.one = two
```
Contents of app.conf:
```
[ui]
is_visible = 0
label = Alert Tests

[launcher]
author = Me
description = Testing splunk alert capability
version = 0.1

[install]
state = enabled
is_configured = 1
```
And everything is owned by splunk:splunk and I think has the correct permissions.
So I create an alert and set it to run this custom alert action. It never runs, and I see this error in splunkd.log:
> 08-29-2018 15:10:40.746 -0400 ERROR sendmodalert - Error in 'sendalert' command: Alert action "showconfiguration" not found.
I don't know what I did wrong here. How do I get sendalert to recognize the showconfiguration script?
Alert on different cron schedules
We have 4 tasks that run on different schedules and log an event in the application logs when the job starts. The task is to alert if a job doesn't run on its prescribed schedule. Can this be done with a single search command?
```
JobA 0 02 * * *
JobB 0 2/4 * * *
JobC 0 03 * * *
JobD 0 0/2 * * *
```
Event produced in the log:
```
[2018-08-29 06:00:00,912] {Worker #04283bd8} INFO JobA::Execute - ********************** Job Name : AgedApplicationNotificationJob - started at : 8/29/2018 6:00:00 AM **********************
```
Thanks
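As an added illustration of the check being asked for (not from the post, and in Python rather than SPL): parse the posted event format, expand the four schedules for one day, and report every due start time that has no logged start. It handles only the schedule shapes listed above, and the log lines in it are constructed, not real data.

```python
"""Detection check for "did each job start when its cron schedule said it should?".
Added example, not from the original post: handles only the schedule shapes the post
uses (fixed minute; hour fixed or "start/step"), not full cron. Sample lines are constructed."""
import re
from datetime import datetime, timedelta

# Schedules as listed in the post (stray "." after JobD dropped).
SCHEDULES = {"JobA": "0 02 * * *", "JobB": "0 2/4 * * *",
             "JobC": "0 03 * * *", "JobD": "0 0/2 * * *"}
# Leading timestamp and the "JobX::Execute" marker of the posted event format.
EVENT_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\].*?(Job\w+)::Execute")
# Constructed sample events for one day; JobB from 10:00 on, JobC and JobD after 00:00 are missing.
SAMPLE_LINES = [
    "[2018-08-29 00:00:00,500] {Worker #11111111} INFO JobD::Execute - Job Name : X - started",
    "[2018-08-29 02:00:00,912] {Worker #04283bd8} INFO JobA::Execute - Job Name : AgedApplicationNotificationJob - started",
    "[2018-08-29 02:00:03,101] {Worker #0a1b2c3d} INFO JobB::Execute - Job Name : Y - started",
    "[2018-08-29 06:00:01,004] {Worker #0a1b2c3d} INFO JobB::Execute - Job Name : Y - started",
]

def expected_hours(hour_field):
    """'02' -> {2}; '2/4' -> {2, 6, 10, 14, 18, 22}."""
    if "/" in hour_field:
        start, step = (int(x) for x in hour_field.split("/"))
        return set(range(start, 24, step))
    return {int(hour_field)}

def expected_runs(cron, day):
    minute, hour_field = cron.split()[:2]  # only minute and hour fields are used
    return {day.replace(hour=h, minute=int(minute)) for h in expected_hours(hour_field)}

def parse_starts(lines):
    """{job: set of logged start times, truncated to the minute}."""
    starts = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            starts.setdefault(m.group(2), set()).add(ts.replace(second=0))
    return starts

def missed_runs(lines, day_str, tolerance=timedelta(minutes=5)):
    """{job: sorted due times on day_str with no logged start within tolerance}."""
    day = datetime.strptime(day_str, "%Y-%m-%d")
    starts = parse_starts(lines)
    missed = {}
    for job, cron in SCHEDULES.items():
        for due in sorted(expected_runs(cron, day)):
            if not any(abs(s - due) <= tolerance for s in starts.get(job, ())):
                missed.setdefault(job, []).append(due)
    return missed
```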
Why no passwd file?
Hi,
I had to recover a password for Splunk, and deleted the passwd file and then restarted Splunk, but no new passwd file is generated. I thought Splunk auto-generated this file when this happens? I am looking in /opt/splunk/etc, and permissions/space look fine. Splunk is running.
How to set the order of queries to be run in a Splunk dashboard
We have 2 different searches which are interrelated.
The 1st search is called through a macro which publishes its result into a lookup file.
The 2nd search uses the data from the lookup file (the result of the macro) to get the desired result.
Currently we are calling the macro in the 1st panel, while the 2nd panel has the 2nd search.
Issue:
When we refresh the dashboard, both the 1st and 2nd panels run in parallel, because of which we are getting the desired result.
Resolving requirement:
When the dashboard is refreshed, the 2nd panel must wait until the search query of the 1st panel is complete.
Unable to monitor logs from a Windows machine
Hi,
I am struggling to monitor files from a Windows machine.
Below is my inputs.conf file:
```
[default]
index=maspat
[monitor://C:\MASPAT\Results]
sourcetype=mas
crcSalt=
ignoreolderThan=1d
```
I am not sure why I see an unrelated event like the one below getting logged instead of the actual files.
```
LogName=Application
SourceName=SecurityCenter
EventCode=15
EventType=4
Type=Information
ComputerName=AZP*******.wm.com
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=72097
Keywords=Classic
Message=Updated Symantec Endpoint Protection status successfully to SECURITY_PRODUCT_STATE_SNOOZED.
```
App pushed to Universal Forwarder from D.S. except inputs.conf. Please advise.
I have created a custom app on the D.S. and pushed it to the U.F.
The app got pushed successfully except for inputs.conf.
I have tried everything from `splunk reload deploy-server` to restarting the U.F., but nothing seems to work.
This is the first time I have ever faced such an issue. How do I push the .conf file?
Please advise.
Please help me identify why Splunk is omitting the milliseconds when extracting timestamps from my JSON
Hi folks, running into a strange issue here. Take the following JSON:
```
{
  @timestamp: 2018-08-29T13:07:10.508997+00:00
  component: auth-proxy-
  event: Health Call
  eventdetails: Health check call is good : status 200
  level: info
  message: Health check ok
  outcome: pass
  step: healthCheck
}
```
The data comes in with a sourcetype of 'fluentd_json' and arrives at my HF. I have tried the following in props.conf:
```
[ fluentd_json ]
TIMESTAMP_FIELDS = @timestamp
```
as well as
```
[ fluentd_json ]
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N%Z
```
but it doesn't seem to work fully. I have tried that props on both my indexer cluster and my HF, and restarted both.
For some reason it omits the milliseconds.
Use the Splunk 6 font for Splunk 7
Hi all!
I want to use the Splunk 6 font in Splunk 7.
How can I do that?
Audit who disabled a data input
Recently we found that one data input for receiving syslog was stopped.
We don't know whether a service issue stopped it automatically or someone disabled it. I tried to search index=_audit,
and even though I saw some "edit server" log entries, they only show the action as "edit server" and don't mention what setting was changed.
How to rewrite a query to change columns to rows and rows to columns
How do I convert the query below such that rows are converted to columns?
```
index=data earliest=-1w@w latest=now
| eval requestcount=1
| timechart per_second(requestcount) AS RequestPerSec
| eventstats max(RequestPerSec) as peakRequestPerSec
| timechart span=1w avg(RequestPerSec) as avgRequestPerSec max(RequestPerSec) as peakRequestPerSec p99(RequestPerSec) as p95RequestPerSec
| fieldformat peakTime=strftime(peakTime,"%m/%y %H:%M")
| eval avgRequestPerSec=round(avgRequestPerSec,2)
| eval peakRequestPerSec=round(peakRequestPerSec,2)
| eval p95RequestPerSec=round(p95RequestPerSec,2)
| rename avgRequestPerSec as "Average Requests/Sec" peakRequestPerSec as "Max Requests/Sec" p95RequestPerSec as "P95 Requests/Sec"
```
I would also like an additional column added to the converted table that calculates/shows the percentage increase/decrease compared to the previous week's data. Please let me know.
How to remove the token name when the token has no value
We're working on an HTML table with `` that displays the value of a token (such as ` $token1$ `). We don't know how to remove the token name `$token1$` when we deselect from the input field. Here's a clearer picture:
![alt text][1]
But when we deselect, the token name appears! How do we solve this?
![alt text][2]
Thanks in advance!
[1]: /storage/temp/255858-select-something.png
[2]: /storage/temp/255860-select-none.png