Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

How to embed a timechart visualization from a Splunk query into a web app?

I have the following Splunk query that produces the following visualization:

![alt text][1]

I would like to embed this exact visualization into a web app using an iframe. How can I do this?

Currently, I am using the Splunk HTTP REST API and can submit & get the results back from this search using the following endpoint:

`/servicesNS/nameofmyapp/nameofmynamespace/search/jobs/1535641234.45678?output_mode=json`

However, I would like a src URL to the visualization that can be embedded in an iframe. Is there an endpoint that I can query instead that will give the URL to the visualization?

[1]: /storage/temp/254826-sf.png

Time chart display question

Just want to ask why sometimes there is a dot in my time chart graph, and how to erase that? The dot looks like the picture attached.

![alt text][1]

[1]: /storage/temp/255864-screen-shot-2018-08-30-at-114501-am.png

Transforms.conf REGEX issue

8/30/18 9:38:51.000 AM **rec_type=71** dns_query=s3.amazonaws.com dns_record_name=A src_tos=0 ssl_expected_action=Unknown ...

8/30/18 9:14:19.000 AM **rec_type=109** id=185 rec_type_desc="Web Application" name="Google Translate" rec_type_simple=PAYLOAD

8/30/18 9:13:55.000 AM **rec_type=520** id=600 rec_type_desc="Geolocation Data" name=paraguay rec_type_simple=GEOLOCATION

8/30/18 9:13:55.000 AM **rec_type=63** id=1033 rec_type_desc="Server Metadata" name=Youku rec_type_simple=SERVICE

props.conf

```
[cisco:estreamer:data]
TRANSFORMS-send-data-to-null-queue = setnull_2
```

transforms.conf

```
[setnull_2]
REGEX = (rec_type=(?
```

Has the TA Metricator prevented cluster peer restart for anyone else?

We have the metricator TA deployed in our cluster and when performing a rolling restart, the process is held up by the various metricator scripts not shutting down. Manually killing the TA python processes allows the restart to complete. Has anyone else experienced this?

Automatic lookups not working

Hey Splunk, long-time lurker, first-time poster. I am attempting to perform an automatic CIDR lookup from a CSV file on a specific sourcetype. I can manually perform the lookup and get data back, but can't figure out what is wrong with my props.conf configuration for automatic results. I appreciate any advice provided. This app is running in Splunk 6.6.3 in a Search Head Cluster.

props.conf

```
[rfc5424_syslog]
LOOKUP-check = IP_Ranges ip_range AS host OUTPUT range_name
```

transforms.conf

```
[IP_Ranges]
filename = ips.csv
match_type = CIDR(ip_range)
fields_list = ip_range, range_name
```

ips.csv

```
ip_range,range_name
10.0.0.0/8,"US Generic One"
10.10.10.0/24,"US Generic Two"
```

When I perform the following search, I see the expected results:

```
sourcetype=rfc5424_syslog | head 20 | lookup IP_Ranges ip_range AS host OUTPUT range_name | table host, range_name
```

When I perform the following search, I am not seeing range_name fields added automatically:

```
sourcetype=rfc5424_syslog
```

How to check the earliest event that can be queried from an index

My understanding is that Splunk will purge old data from an index when the disk usage limit is reached. Is there an easy/fast way to track what the earliest event a query can trace back to is, at any given time? Thanks in advance.

How to find the earliest event a query can search in an index?

My understanding is that Splunk will purge old data in an index when the disk limit is reached. What is the easy/fast way to find out the earliest available event in an index? Thanks in advance.

How do you calculate average time between transactions group by two fields?

I have logs from a SIP proxy server and I'm trying to get SIP transaction metrics from those logs. I have the following events:

Peer AAA events:

```
Time, call id A, message A.1, peer_name "AAA", resource "111"
Time, call id A, message A.2, peer_name "AAA", resource "111"
Time, call id A, message A.3, peer_name "AAA", resource "111"
Time, call id C, message C.1, peer_name "AAA", resource "112"
Time, call id C, message C.2, peer_name "AAA", resource "112"
Time, call id C, message C.3, peer_name "AAA", resource "112"
Time, call id I, message I.1, peer_name "AAA", resource "111"
Time, call id I, message I.2, peer_name "AAA", resource "111"
Time, call id I, message I.3, peer_name "AAA", resource "111"
Time, call id J, message J.1, peer_name "AAA", resource "112"
Time, call id J, message J.2, peer_name "AAA", resource "112"
Time, call id J, message J.3, peer_name "AAA", resource "112"
(...)
```

Peer BBB events:

```
Time, call id B, message B.1, peer_name "BBB", resource "111"
Time, call id B, message B.2, peer_name "BBB", resource "111"
Time, call id B, message B.3, peer_name "BBB", resource "111"
Time, call id D, message D.1, peer_name "BBB", resource "112"
Time, call id D, message D.2, peer_name "BBB", resource "112"
Time, call id D, message D.3, peer_name "BBB", resource "112"
Time, call id F, message F.1, peer_name "BBB", resource "111"
Time, call id F, message F.2, peer_name "BBB", resource "111"
Time, call id F, message F.3, peer_name "BBB", resource "111"
(...)
```

Peer CCC events:

```
Time, call id E, message E.1, peer_name "CCC", resource "113"
Time, call id E, message E.2, peer_name "CCC", resource "113"
Time, call id E, message E.3, peer_name "CCC", resource "113"
Time, call id G, message G.1, peer_name "CCC", resource "114"
Time, call id G, message G.2, peer_name "CCC", resource "114"
Time, call id G, message G.3, peer_name "CCC", resource "114"
Time, call id H, message H.1, peer_name "CCC", resource "113"
Time, call id H, message H.2, peer_name "CCC", resource "113"
Time, call id H, message H.3, peer_name "CCC", resource "113"
(...)
```

Notes:

- Every peer can have N resources.
- Different peers can have resources with the same name.
- There are N different peers.
- In the timeline, messages from different peers may be mixed.

Order in the timeline (only AAA and BBB messages shown, to simplify):

1. Time, call id A, message A.1, peer_name "AAA", resource "111"
2. Time, call id B, message B.1, peer_name "BBB", resource "111"
3. Time, call id C, message C.1, peer_name "AAA", resource "112"
4. Time, call id A, message A.2, peer_name "AAA", resource "111"
5. Time, call id A, message A.3, peer_name "AAA", resource "111"
6. Time, call id D, message D.1, peer_name "BBB", resource "112"
7. Time, call id I, message I.1, peer_name "AAA", resource "111"
8. Time, call id B, message B.2, peer_name "BBB", resource "111"
9. Time, call id I, message I.2, peer_name "AAA", resource "111"
10. Time, call id C, message C.2, peer_name "AAA", resource "112"
11. Time, call id C, message C.3, peer_name "AAA", resource "112"
12. Time, call id J, message J.1, peer_name "AAA", resource "112"
13. Time, call id B, message B.3, peer_name "BBB", resource "111"
14. Time, call id F, message F.1, peer_name "BBB", resource "111"
15. Time, call id F, message F.2, peer_name "BBB", resource "111"
16. Time, call id I, message I.3, peer_name "AAA", resource "111"
17. Time, call id J, message J.2, peer_name "AAA", resource "112"
18. Time, call id D, message D.2, peer_name "BBB", resource "112"
19. Time, call id D, message D.3, peer_name "BBB", resource "112"
20. Time, call id J, message J.3, peer_name "AAA", resource "112"

My goal is to know the average time between transactions from the same peer / resource.

Peer AAA and resource 111:

- Call id A, peer AAA, resource 111
- Call id I, peer AAA, resource 111
- Call id ..., peer AAA, resource 111

Peer AAA and resource 112:

- Call id C, peer AAA, resource 112
- Call id J, peer AAA, resource 112
- Call id ..., peer AAA, resource 112

Peer BBB and resource 112:

- Call id B, peer BBB, resource 111
- Call id F, peer BBB, resource 111
- (...)

At the end I would like to get a table with:

| Peer | Resource | Avg time between different transactions |
|------|----------|------------------------------------------|
| AAA  | 111      | 2s   |
| AAA  | 112      | 3,5s |
| BBB  | 111      | 1s   |
| BBB  | 112      | 5s   |
| CCC  | 113      | 1s   |
| CCC  | 114      | 5s   |

I created a query that gives almost what I want, but only if I limit it to a specific peer and resource. Otherwise the query does not pay attention to transactions per peer and resource and calculates the difference between all transactions.

```
index="index" sourcetype="sourcetype" ("SUBSCRIBE" OR "NOTIFY")
| transaction call_id maxspan=3s
| eval success=if(searchmatch("404"),1,0)
| where success=1
| | extract resource>
| where peer_name="ABC"
| where resource="123"
| eval initial_time=_time
| autoregress _time AS previous_time
| delta previous_time AS difference
| chart avg(difference) AS ratio BY peer_name resource
```

| field1 | field 2 | avg time |
|--------|---------|----------|
| ABC    | 123     | -5.031163865546219 |

Any ideas? Using Splunk 7.0.3.4. Thanks in advance.
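As an added example (not the poster's query), the same pipeline restructured so the "previous transaction" is tracked separately for every peer_name/resource pair instead of across one global chain. Field names follow the post; the `sort 0 _time` step and the output aliases `avg_gap` and `transactions` are assumptions, the sort being needed because search results arrive newest first, which is what makes a global delta come out negative.

```spl
index="index" sourcetype="sourcetype" ("SUBSCRIBE" OR "NOTIFY")
| transaction call_id maxspan=3s
| eval success=if(searchmatch("404"),1,0)
| where success=1
| sort 0 _time
| streamstats current=f last(_time) AS previous_time BY peer_name resource
| eval difference = _time - previous_time
| stats avg(difference) AS avg_gap count AS transactions BY peer_name resource
```

The first transaction of each pair has no previous_time, so its difference is null and is left out of avg(); `transactions` shows how many transactions each average rests on.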

How search by unicode value?

Hi, I have the following example record:

```
30/08/2018 13:30:27.996;VM1;ASH;AccessModule;processPacketBuffer;MSISDN;xxxxxxxxxxxx;;INFO;;;Return Access ; "msisdn":"xxxxxxxxx","Type":"\u0006","APN":"aaa","imsi":"xxxxxxxx","imei":"xxxxxxxxx","SGSN":null,"Remote IP Address":"xx.xx.xx.xx","TotalTimeInMS":0}
```

I cannot search by Type, because it is a unicode value and Splunk does not parse it correctly. There are 2 possible Type values: 1. "\u0006" 2. "\u0003".

I am using the following Splunk search:

```
mysearch | spath input=anyparams | search Type="\u0006"
```

The problem is that I receive no result. How should I use the search when the field contains a unicode value? Thanks in advance, Yossi

No Data input following 7.1.2 upgrade on 2008 server

Hello, I have upgraded my Splunk Enterprise 6.5.1 to 7.1.2 on a Windows 2008 R2 (see https://answers.splunk.com/answers/672130/splunk-win2008r2-upgrade-65-to-71.html for my last thread). I have enabled TLS 1.2 support on 2008 R2 with regedit, but I didn't modify anything else, as I didn't modify the alert_actions.conf and ldap.conf in my configuration.

The upgrade went well, but after that it seems my local data inputs aren't working anymore. Several machines are sending in FTP logs to the Splunk server and I'm monitoring the folders where the log files are pushed. It's probably not the best, but it worked for the last 2 years. Files are indeed pushed to those folders, but they are not processed by Splunk anymore. I do not see them in the Sources of my Data Summary.

As stated in the documentation, the Windows universal forwarder installation package no longer includes the Splunk Add-on for Windows. To be honest, I'm not sure if this is linked, so I tried to install the latest universal forwarder. I wasn't able to install it: the error message is the default one from Windows (an error has occurred, setup has ended prematurely, your system was not updated).

Can you help me understand why my local file monitoring / data inputs aren't working anymore? Thank you in advance for your help. Best regards, Quentin


For the Splunk Add-on for AppD, what is the format of the "Parameter" field?

I wish to hit `/controller/rest/applications/app-name/request-snapshots?time-range-type=BEFORE_NOW&duration-in-mins=60` but it doesn't seem to be working. I've tested with a REST client and it seems to work perfectly there, so I suspect that what I have in the parameter field isn't correct. There's no documentation on how to input the parameters into the proper fields when adding a new input. If anyone has a clue let me know. Thanks.

Splunk crashes

Hello, my Splunk keeps crashing when I try to download software ever since I added in the [proxy_config] and http:// and https:// to the server.conf file... When it's not in there, it doesn't crash.

```
[proxyConfig]
http_proxy=http://hostname:9997
https_proxy=https://hostname:9997
```

```
[build a0c72a66db66] 2018-08-30 12:41:25
Received fatal signal 6 (Aborted).
Cause:
Signal sent by PID 7157 running under UID 0.
Crashing thread: TcpChannelThread
```

Why am I unable to complete Splunk 7.1.2 installation on my Mac OS 10.13?

I followed the procedure mentioned in the third module of the Splunk Fundamentals 1 course to install Splunk on Mac OS 10.13. All of the steps were completed. The Splunk shortcut icon is created on the desktop too. But I did not get the terminal window or Splunk's little helper, which asks for a password. Kindly help me out.

How do I perform math against two searches?

I have two searches that use the same index and each return a numerical total, differing only in the period of time of the data they look at. How would I perform math on the search results for example adding or calculating percentages?

Can I exclude certain columns in a table from drilldown?

Hello, basically I just want to know if there is a way in the Splunk XML to exclude certain columns in a table from drill-down, making them essentially un-clickable, while others are still clickable? Thanks

Does the Splunk universal forwarder offer some sort of time monitoring feature? (TOCTOU?)

All, so a bad guy changes the time on the system. Does the forwarder KNOW there is a sudden time change and log it? I think security pros call this TOCTOU? https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use

How can I override sourcetype and redirect to another index?

Hi guys, I want to override the sourcetype for all events before they are indexed and redirect some of those events (those with ERROR) to another index with the overridden sourcetype. So I need events to be spread between two indexes: test1 and test2 (with the ERROR events), and I need all of the events to have the same access_combined sourcetype.

I use the oneshot command to ingest data from a file:

```
splunk add oneshot C://opt/log.txt -index test1 -sourcetype test_sourcetype
```

and now my **props.conf** looks like this:

```
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS = custom_sourcetype
TRANSFORMS = route_notfound
```

LINE_BREAKER is here because it's a one-line log, so I need to break it into events, and it works fine.

And my **transforms.conf**:

```
[custom_sourcetype]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined

[route_notfound]
REGEX = ERROR
DEST_KEY = _MetaData:Index
FORMAT = another_index
```

If I use those transforms separately they work fine (I switch them off by using # in props.conf), but they do not work together.... How can I do those two things in one step, before the data is indexed?
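For comparison, an added props.conf fragment (not the poster's configuration) that chains both transforms under one `TRANSFORMS-<class>` key, which is the documented way to apply several transforms to a stanza, in list order; writing the same key twice in one stanza leaves only a single assignment in effect. The class name `routing` is an assumption; transforms.conf stays exactly as posted.

```ini
# props.conf (added example; the class name "routing" is an assumption)
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
# One key naming both transforms, applied left to right:
# first rewrite the sourcetype, then route ERROR events to the other index.
TRANSFORMS-routing = custom_sourcetype, route_notfound
```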