Input to Splunk is a CSV file which has column headers like 'Falcon 15.01.01.03.100', 'Falcon GA 15.01.02.06.1', etc. (there are values present under each of these columns in the rows). On the dashboard, there are 2 dropdowns.
Both dropdowns should have the values of these column headers, i.e. the ones which have the word Falcon in them. The only thing I want is that the value selected in the 1st dropdown should not be displayed in the 2nd. That means if the search returns 3 results, the 1st dropdown should have 3 values in it, and after selecting one value from the 1st dropdown, the second should have only 2 values in it.
In the 1st dropdown, I'm executing this query: `input.csv|fieldsummary *Falcon* | dedup field | table field`, which returns 3 results.
What query should I execute in the 2nd dropdown for the above-mentioned scenario?
Thanks in advance!!
↧
Second Dropdown should not have value displayed in 1st dropdown.
↧
Capture Login Logout times from the log.
Hi Splunk Experts,
We have the below log file
40312 [6] DEBUG 2018-09-03 08:28:42.987 TM1.Login Login attempt by client: user1
40312 [6] DEBUG 2018-09-03 08:28:43.007 TM1.Login Login Success: User user1
40312 [6] DEBUG 2018-09-03 08:28:59.392 TM1.Login Logout User user1
Could you please help me with the search command to extract the login and logout time of any user.
I am looking for a table with Username, LoginTime, LogoutTime and Duration.
Regards
Dinakar
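One way to build that table, as an added example that is not part of the original post: the base search keeps only the "Login Success" and "Logout User" lines, one `rex` pulls the user name out of either form, and `transaction` pairs each login with the following logout for the same user. The index and sourcetype names are assumptions.

```spl
index=tm1 sourcetype=tm1_log "TM1.Login" ("Login Success" OR "Logout User")
| rex "(?:Login Success: User|Logout User) (?<Username>\S+)"
| transaction Username startswith="Login Success" endswith="Logout User" maxspan=24h
| eval LoginTime=strftime(_time, "%Y-%m-%d %H:%M:%S"),
       LogoutTime=strftime(_time + duration, "%Y-%m-%d %H:%M:%S"),
       Duration=tostring(duration, "duration")
| table Username LoginTime LogoutTime Duration
```

For the three sample lines this yields one row for user1 with a Duration of about 16 seconds. `transaction` holds events in memory and has default limits on transaction size, so for a large audit volume prefer a `stats`-based pairing (for example `stats min(_time) AS LoginTime max(_time) AS LogoutTime BY Username` with a per-session key), and make sure the sourcetype's timestamp extraction is picking up the log's own `2018-09-03 08:28:42.987` timestamp rather than index time.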
↧
Combine Cells based on another column value
Is it possible for Splunk to get an output something along the lines of:
Source:
Col_A | Col_B | Col_C
ID_A | log 1 | yes
ID_A | log 2 | no
ID_A | log 3 | no
ID_B | log 4 | no
ID_B | log 5 | no
sort Col_A
| if Col_C == yes, then search and include all rows where Col_A == ID_A
| eval to combine ID_A into one cell
(will filter away records with ID_B as all of its Col_C == no)
Desired Result
ID_A | log 1 | yes
ID_A | log 2 | no
ID_A | log 3 | no
Am I able to use Splunk for the middle logic? -> if Col_C == yes, then search and include all rows where Col_A == ID_A
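The "keep every row of a group if any row in the group has Col_C == yes" step maps onto `eventstats`, which computes a per-group value and writes it back onto every row of that group. This is an added example, not from the original post; the index and sourcetype are assumptions.

```spl
index=app sourcetype=app_logs
| eventstats max(eval(if(Col_C="yes", 1, 0))) AS group_has_yes BY Col_A
| where group_has_yes=1
| fields - group_has_yes
| sort Col_A Col_B
| table Col_A Col_B Col_C
```

On the sample data this keeps the three ID_A rows and drops both ID_B rows. If the ID_A cells really should be merged into one, append `| stats values(Col_B) AS Col_B values(Col_C) AS Col_C BY Col_A` instead of the final `table`; that collapses each group to a single multivalue row.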
↧
Splunk responsible for more than 40% of firewall traffic.
Hello All,
I'm working in a huge installation and Splunk is consuming more than 40% of the firewall traffic.
I don't have details of the Splunk topology yet, but we have a firewall between the Splunk servers and the forwarders.
What is the recommendation to minimize the firewall traffic?
I'd appreciate any suggestion.
Thanks in advance,
MarcoR
↧
Data Not Onboarding
Hi, I have a problem. I wrote one inputs.conf file and half of the data has been onboarded and I can see the data in Splunk, but the rest of the data from the same inputs.conf file is not onboarded. I thought it might be a firewall or networking issue, but if so then the first half of the data would also not be onboarded. Please help me out.
↧
How to enable rest-api
Hi Team,
I'm running Splunk on an AWS EC2 instance behind an AWS ALB.
I've created target groups for ports 80, 443 & 8089 for Splunk. Security groups & network ACLs are already open for these ports.
But whenever I do "curl -k http://localhost:8089/en-us",
it says -- "curl: (56) Recv failure: Connection reset by peer"
I'm accessing it as the root user, and I also have admin credentials.
Please let me know how I can access this port; I have a requirement to enable the REST API. I checked other articles but didn't find any satisfactory answers. I got to know that the REST API works for everyone, but in my case it is not working.
Please help me enable the REST API features.
Thanks,
↧
Is Splunk compatible with Oracle Linux OS?
I have an ODA X5 that is going to be erased and formatted. Can this system be used for a Splunk deployment? Is the application compatible with Oracle Linux OS?
↧
dropdown list show
I have two dropdown list related to each other.
- Dropdown_list 1 = red, yellow, orange, blue…
- Dropdown_list 2 = user_a, user_b, user_c, user_d
When I choose a colour in dropdown_list_1, I want dropdown_list_2 to show by default all users who love that colour. ALL of them. Thanks for your help.
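Both dropdown questions on this page (the Falcon column headers one, where the second list must exclude the first list's selection, and this colour/user one, where the second list depends on the first) use the same mechanism: the first input sets a token, and the second input's populating search references that token. The three searches below are an added example, not from either post; `input.csv` is assumed to be a lookup file, the token names `falcon_first` and `colour` and the index and sourcetype for the colour data are assumptions. The first search populates the first Falcon dropdown, the second populates the second Falcon dropdown, and the third populates the user dropdown.

```spl
| inputlookup input.csv
| fieldsummary *Falcon*
| table field

| inputlookup input.csv
| fieldsummary *Falcon*
| search NOT field="$falcon_first$"
| table field

index=user_prefs sourcetype=colour_survey colour="$colour$"
| stats count BY user
| fields user
```

In Simple XML, give the first input `token="falcon_first"` (or `token="colour"`) and put the matching search inside the second input's `<search>`; Splunk re-runs the second search whenever the token changes. For the "show everyone" default, add a static `<choice value="*">ALL</choice>` to the colour dropdown so that `colour="*"` matches every user. Quoting the token (`"$falcon_first$"`) matters because the Falcon header values contain spaces.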
↧
I want 'HF' to forward on 9997 port and send the same data to itself by syslog transfer.
I want `HF` to forward specific logs (TCP input from port 514) to the indexer, and also to transfer them itself in syslog format.
By the way, I configured it like below, but it's not working.
`props.conf`
[source::tcp:514]
TRANSFORMS-out = tcp_output, syslog_output
`transforms.conf`
[tcp_output]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = tcp_output
[syslog_output]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_output
`outputs.conf`
[tcpout:tcp_output]
server=:9997
sendCookedData=false
[syslog:syslog_output]
server=localhost:10514
sendCookedData=false
Are these settings wrong?
If someone can tell me about it, I would really appreciate it.
↧
How to sort the month when using the field in Chart Over command
Hi
Below is a query which returns the latency over month by cust_id. Events contain fields such as month=April, month=May, etc.
...| chart max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id useother=f limit=40 |sort -Max, -P95
The query shows the result sorted by month name, since month is a string. How do I sort by calendar order and display it as a chart?
![screenshot][1]
[1]: /storage/temp/255907-screen-shot-2018-09-04-at-104036-am.png
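Since `month` holds a name rather than a number, the rows need a numeric sort key derived from the name. The search below is an added example, not from the original post: it derives that key with `mvfind` over the list of month names (a 0-based index, January = 0), sorts on it, then drops it so the chart only sees the original columns. The index and sourcetype are assumptions; the chart line is the poster's own.

```spl
index=latency sourcetype=latency_metrics
| chart max(Avg) AS Avg, max(Max) AS Max, p95(P95) AS P95 OVER month BY cust_id useother=f limit=40
| eval month_num=mvfind(split("January,February,March,April,May,June,July,August,September,October,November,December", ","), "^".month."$")
| sort month_num
| fields - month_num
```

The `sort -Max, -P95` from the original query has to go, because any sort on the value columns reorders the months again. `mvfind` is case-sensitive, so the month names in the events must match the list exactly; if the data spans more than one year, include the year in the key as well (for example `year*100 + month_num`). In a dashboard, remember that `$` is a token delimiter, so escape the regex anchor as `$$`.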
↧
How to get top 20 results by Aggregation method used in Trellis Layout
Hi
Below is a query which returns the latency over month by cust_id. Events contain fields such as month=April, month=May, etc.
...| chart max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id useother=f limit=40 |sort -Max, -P95
I would like to display this as a trellis chart by the aggregation method used. While using the Trellis layout, I am getting one graph each for Max, Avg, Max - 3 charts. How do I display only the top 20 cust_id latencies for each layout? Is that possible?
![alt text][1]
[1]: /storage/temp/255910-screen-shot-2018-09-04-at-104529-am.png
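A trellis split by aggregation draws one panel per aggregation from a single result set, so the set of cust_id series is the same in every panel; what you can do is limit the result set to the 20 customers that matter before charting. The search below is an added example, not from the original post: a subsearch ranks customers by their peak Max and returns the top 20 as an OR'd filter, and the chart is then built only from those customers. The index and sourcetype are assumptions.

```spl
index=latency sourcetype=latency_metrics
    [ search index=latency sourcetype=latency_metrics
      | stats max(Max) AS peak BY cust_id
      | sort 20 -peak
      | fields cust_id ]
| chart max(Avg) AS Avg, max(Max) AS Max, p95(P95) AS P95 OVER month BY cust_id useother=f limit=0
```

`sort 20 -peak` keeps only the 20 highest rows, and `fields cust_id` makes the subsearch return `(cust_id="...") OR (cust_id="...")`. With only 20 customers left, `limit=0` on `chart` is safe and ensures none of them is folded into OTHER. To rank by average instead of peak latency, change `max(Max)` in the subsearch to `max(Avg)`; a different top-20 per panel is not possible in one trellis, so pick the one ranking criterion the dashboard is about.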
↧
Error in 'PivotProcessor': Error in 'PivotUtil': The dataset 'Interface' has no field 'index'.
I have just installed the Cisco Networks app and get this error when I click on Inventory > Interfaces:
Error in 'PivotProcessor': Error in 'PivotUtil': The dataset 'Interface' has no field 'index'.
Any help is appreciated.
↧
Why are my searches only hitting one indexer in a cluster?
Hello everyone.
I have a multisite indexer cluster: 2 IDX (IDX01, IDX02) and a CM,
and 2 SHs with a deployer and a VIP to the SH cluster.
site 1
SH1
IDX01
CM
site2
SH2
IDX02
search affinity is enabled.
For example on SH1 if I run
|tstats c where splunk_server=IDX02 earliest=-24h by index
I don't see any results but I get results when I use
splunk_server=IDX01
as both SH1 and IDX01 are on the same site = site1
Again on SH2 if I run
|tstats c where splunk_server=IDX01 earliest=-24h by index
I don't see any results but I get results when I use
splunk_server=IDX02
as both SH2 and IDX02 are on the same site = site2
In the same way, on CM
|tstats c where splunk_server=IDX02 earliest=-24h by index
I don't see any results but I get results when I use
splunk_server=IDX01
as both CM and IDX01 are in same site = site1.
My Problem :
IDX01 has High CPU usage alerts almost hitting 100% for a long time.
When I look in DMC
under DMC
Median CPU Usage by Process Class
Maximum Search Concurrency
Maximum Resource Usage of Searches
it clearly shows that searches are hitting IDX01 rather than IDX02.
My doubts :
1. Is search affinity playing a role here?
2. If more searches are dispatched from SH1, is there a chance that more searches are running on IDX01 and causing the high CPU problem?
Please help me. Thank you!
↧
Issue with image overlay on background
I wanted to overlay an image on my dashboard with a green light or red light depending on a search result. I'm putting the images and CSS in a separate folder as shown in the code attachment.
My expected output is to have a light under each rectangular box, with the colour of the light depending on the search query.
I did follow the link provided by @NiketNilay, but my output is not showing up. I have attached the output I'm seeing. It looks like either the CSS file is not being picked up or the value is not picked up. I'm not sure where the problem is; I would be really grateful for any help.
↧
Can we setup alerts using REST API, with action to send a POST request at a webhook?
We want to set up alerts using the REST API.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches describes how we can do it with a POST request to /saved/searches.
But this only talks about email as the action. Can we have the action be a call to a webhook when the alert is set up through the REST API?
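The alert action is just another set of savedsearches.conf keys on the same POST: `actions=webhook` selects the built-in webhook action and `action.webhook.param.url` tells it where to POST. The script below is an added example, not from the original post or from the Splunk documentation; the management URL, app name, credential and CA-bundle environment variables and the example search and webhook host are all assumptions. It refuses a plain-HTTP webhook because the POST body carries the triggering results.

```shell
#!/bin/sh
# Added example: register a scheduled alert whose action is a webhook POST,
# via the saved/searches REST endpoint. Hypothetical environment variables:
#   SPLUNK_URL    management port, e.g. https://localhost:8089 (default)
#   SPLUNK_APP    app that will own the alert (default: search)
#   SPLUNK_USER / SPLUNK_PASS   credentials with edit_search rights
#   SPLUNK_CACERT PEM bundle that signed the management-port certificate
set -u

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
SPLUNK_APP="${SPLUNK_APP:-search}"

# saved/searches is app- and owner-scoped; owner "nobody" makes it app-owned.
alert_endpoint() {
    printf '%s/servicesNS/nobody/%s/saved/searches\n' "$SPLUNK_URL" "$SPLUNK_APP"
}

# Only accept an HTTPS webhook: the alert payload includes result rows.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) printf 'webhook URL must use https: %s\n' "$1" >&2; return 1 ;;
    esac
}

# create_webhook_alert NAME SEARCH CRON WEBHOOK_URL
# Fires the webhook whenever the scheduled search returns more than 0 events.
create_webhook_alert() {
    require_https "$4" || return 1
    curl --silent --show-error --fail \
        --cacert "${SPLUNK_CACERT:?set SPLUNK_CACERT to the mgmt-port CA bundle}" \
        -u "${SPLUNK_USER:?}:${SPLUNK_PASS:?}" \
        "$(alert_endpoint)" \
        --data-urlencode "name=$1" \
        --data-urlencode "search=$2" \
        --data-urlencode "cron_schedule=$3" \
        --data-urlencode "is_scheduled=1" \
        --data-urlencode "dispatch.earliest_time=-15m" \
        --data-urlencode "dispatch.latest_time=now" \
        --data-urlencode "alert_type=number of events" \
        --data-urlencode "alert_comparator=greater than" \
        --data-urlencode "alert_threshold=0" \
        --data-urlencode "alert.track=1" \
        --data-urlencode "actions=webhook" \
        --data-urlencode "action.webhook.param.url=$4" \
        --data-urlencode "output_mode=json"
}

# Example invocation (constructed values, hypothetical webhook host):
# create_webhook_alert "failed_logins_webhook" \
#     'index=_audit action=login info=failed' '*/15 * * * *' \
#     'https://hooks.example.invalid/splunk'
```

`--data-urlencode` is used for every field so that values with spaces (`number of events`, `greater than`, the SPL itself) arrive intact. Verify the management port's certificate with `--cacert` rather than `-k`; the credentials in `-u` are sent on that connection. To add a second action, list them comma-separated (`actions=webhook,email`) and supply that action's `action.<name>.*` keys the same way.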
↧
_HTTPOUT_ROUTING example
hi all,
I read about `_HTTPOUT_ROUTING` in outputs.conf at https://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad . Unfortunately I didn't find anything in the spec files or any further example...
Has anyone configured this, or can anyone give advice?
Best regards,
Andreas
↧
Scheduled Saved Search [CRON */30 * * * *] runs, but result is not refreshed
Hi Splunkers,
I have a few saved searches that query SQL DB via dbxquery and perform some calculations.
The search CRON schedule is set to `*/30 * * * *`.
The dbxquery is something like : `SELECT top 20 * FROM tbl WHERE unitname LIKE '%integrated%' ORDER BY day DESC, shiftcode DESC`
I have kept them as scheduled reports so that I can quickly check the cached results and not have to wait for the query to execute every time.
However, frequently the following happens:
`This scheduled report runs on cron schedule */30 * * * *. Its time range is last 60 minutes. The following results were generated an hour ago.`
This should not happen. As per the CRON expression, the results should **always be generated less than 30 mins back**.
I have checked **scheduler.log**; the reports run successfully every 30 mins as per the CRON expression. A sample event in scheduler.log for this savedsearch is as follows [I am masking some sensitive data with ***]:
`09-04-2018 09:00:43.048 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;***IntegratedLines_30min", search_type="scheduled", user="***", app="search", savedsearch_name="***IntegratedLines_30min", priority=default, status=success, digest_mode=1, scheduled_time=1536051600, window_time=-1, dispatch_time=1536051604, run_time=8.906, result_count=35, alert_actions="", sid="scheduler__anirbandd__search__RMD58c6d3639d9d658a6_at_1536051600_151", suppressed=0, thread_id="AlertNotifierWorker-0"
host=M***1 source=/opt/splunk/var/log/splunk/scheduler.log sourcetype=scheduler`
The data that is generated is not refreshed either. If I run the query manually, I get the refreshed data.
Please note that the time range for the search does not matter since we are not working on indexed data.
Is this something related to dbxquery, or am I missing out something?
Let me know if you guys need more information.
Thanks in advance!
↧
no events after data entry
Hello
I created a data input in Splunk for the event log below:
[WinEventLog://Microsoft-Windows-PowerCfg/Diagnostic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = windows
start_from = oldest
But when I do a search on this sourcetype I have no events.
I think it's because these event logs don't exist in Event Viewer?
If that's the case, does anybody know how to create them?
thanks
↧
Can I change the APP folder permission
I want to use Git to manage the Splunk app code. Git needs read and write permission on the app folder, but when I create an app via Splunk Web, the permission of the app folder is 'drwx--x---+ 6 splunk splunk',
so when I log in to the Linux server with my own account, I can't use Git on it.
So I want to know: if I change the folder permission to 777 and its subfolders to 755, does the Splunk app still work correctly?
thanks
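A world-writable app directory is the wrong fix: anything under an app (scripted inputs, alert scripts, lookups) is executed or read by splunkd as the splunk user, so mode 777 lets any local account plant code that runs as splunk. The usual approach is to keep ownership with the splunk user and grant a dedicated group read/write, with setgid on the directories so files that Git creates stay in that group. The script below is an added example, not from the original post; the group name and app path are assumptions.

```shell
#!/bin/sh
# Added example: give one group read/write access to a Splunk app directory
# without opening it to every local user. Hypothetical usage:
#   grant_group_rw /opt/splunk/etc/apps/myapp splunkdev
set -u

# grant_group_rw APP_DIR GROUP
#  - owner stays the splunk user (only the group is changed), so splunkd is unaffected
#  - group gets rw on files and rwx on directories (X = execute only where it
#    is a directory or the file is already executable)
#  - setgid on directories so new files inherit GROUP instead of the creator's group
#  - "other" gets nothing, unlike the 777/755 idea in the question
grant_group_rw() {
    app_dir=$1
    group=$2
    chgrp -R "$group" "$app_dir"
    chmod -R u+rwX,g+rwX,o-rwx "$app_dir"
    find "$app_dir" -type d -exec chmod g+s {} +
}

# mode_of PATH: the 10-character mode string from ls -ld, for checking the result.
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Add your own account to that group (`usermod -aG splunkdev youruser`) and Git will work from a normal login. The trailing `+` in `drwx--x---+` shows Splunk already placed a POSIX ACL on the folder; if your site prefers ACLs, `setfacl -R -m g:splunkdev:rwX` with a matching default ACL (`-d -m`) gives the same effect without touching the group owner. Either way, leave "other" with no access.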
↧
Convert time to UK format and to 24 hour time
Hello,
I have a field called in_time with example output = 8/31/2018 10:21:59 PM (GMT)
I'd like this time (e.g. out_time) to be extracted and converted to read 31/08/2018 22:21:59
Can you help?
Many Thanks,
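The conversion is a parse-then-format pair: `strptime` turns the US-format string into an epoch value using a format that mirrors the input exactly (12-hour clock with `%I`, AM/PM with `%p`, and the literal ` (GMT)` suffix), and `strftime` renders that epoch in the UK 24-hour layout. This is an added example, not from the original post; the index and sourcetype are assumptions.

```spl
index=app sourcetype=app_logs
| eval in_epoch=strptime(in_time, "%m/%d/%Y %I:%M:%S %p (GMT)")
| eval out_time=strftime(in_epoch, "%d/%m/%Y %H:%M:%S")
| table in_time out_time
```

For the sample value this produces `31/08/2018 22:21:59`. Because the same user time zone is applied on both sides, the wall-clock time round-trips unchanged; keep `in_epoch` if you also want to sort or compute differences, since it is a number rather than a string.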
↧