Channel: Questions in topic: "splunk-enterprise"

Regular Expression help

Hi, I am looking for some help regarding Splunk regular expressions. I have data something like this in a field "field1":

\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol

If you observe, there is a product "P1", its description "S+ box" and price "5.00 Dol", and like these there are multiple entries separated by "\". I want to extract these products with their prices so that I can see each product and its associated price. Basically I am looking for whether any product has got a NULL price. Let me know if someone can help.

Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Hello guys, my question is pretty simple. Is there an easy way to export all your searches/reports and alerts created by every user from one Splunk indexer instance to another instance? My only suggestion for this problem was to locate all savedsearches.conf files from every user, create the users on my new machine and copy all the conf files. So my question is if there's an easier way to do this. Regards, Daniel

How to implement "not in" in splunk

How to implement "not in" in Splunk? I want to find out the data that is not in the collection, as shown below: ![alt text][1] But it always makes mistakes, as shown below: ![alt text][2]

[1]: /storage/temp/255914-notin.png
[2]: /storage/temp/255915-notinraw.png

Alert when process appears in multiple IPs

Say I have a table of processes and IP addresses. I want to make an alert when a certain process was monitored in multiple computers during the last 24 hours. How can I do it? Very specific question I know, I just didn't know how to phrase it otherwise.
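As an added example (not part of the question), the detection logic in Python over constructed sample events: distinct IPs per process inside a 24-hour window, alerting when a process shows up on more than one machine. The Splunk equivalent would be along the lines of `... | stats dc(ip) as hosts by process | where hosts > 1` run over the last 24 hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the question): "timestamp process ip".
SAMPLE_EVENTS = """\
2018-09-03T08:00:00 svchost.exe 10.0.0.11
2018-09-03T09:15:00 backup.exe 10.0.0.11
2018-09-03T21:40:00 svchost.exe 10.0.0.12
2018-09-04T02:05:00 svchost.exe 10.0.0.11
2018-09-04T06:30:00 updater.exe 10.0.0.13
2018-09-04T07:10:00 updater.exe 10.0.0.14
2018-09-02T05:00:00 backup.exe 10.0.0.15
"""


def parse_events(text):
    """Turn the whitespace-separated sample lines into (datetime, process, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, ip = line.split()
        events.append((datetime.fromisoformat(ts), process, ip))
    return events


def processes_on_multiple_hosts(events, now, window=timedelta(hours=24), min_hosts=2):
    """Return {process: sorted distinct IPs} for every process seen on at least
    `min_hosts` distinct IPs inside the window that ends at `now`.
    Mirrors `stats dc(ip) by process` followed by a threshold filter."""
    cutoff = now - window
    hosts = defaultdict(set)
    for ts, process, ip in events:
        if cutoff <= ts <= now:          # events outside the window are ignored
            hosts[process].add(ip)
    return {p: sorted(ips) for p, ips in hosts.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    alerts = processes_on_multiple_hosts(parse_events(SAMPLE_EVENTS),
                                         now=datetime(2018, 9, 4, 8, 0, 0))
    for process, ips in alerts.items():
        print(f"ALERT {process} seen on {len(ips)} hosts: {', '.join(ips)}")
```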

Why does adding a table command after transaction result in no results found?

| inputlookup id_test.csv | reverse | eval _time=now() | transaction Col_A startswith=(Col_C=yes)

returns results: ![alt text][1]

With table and even fields afterward, there are no results: ![alt text][2]

[1]: /storage/temp/255916-splunk-trans-1.png
[2]: /storage/temp/255917-splunk-trans-2.png

IF statements to determine which table to format in

Hi there, I'm wondering if it's possible to format a Splunk query like so:

IF results contain "this string" THEN use these formatting commands
OR IF results contain "a different string" THEN use these formatting commands

And if possible pull them all together in one table. If it makes it easier to explain, I will try and use network logs as an example, e.g. say the logs are as follows:

scrip=10.0.0.1 08/31/2018 11:23:34 PM (GMT)
scrip=10.0.0.2 07-09-2018 23:33:57

index=network scrip=10.0.0.1 | convert time format
OR
index=network scrip=10.0.0.2 | different time format conversion
| table bothtimeconversion

Ideally the final table would look like this:

scrip      bothtimeconversion
10.0.0.1   09/07/2018 23:23:34
10.0.0.2   31/08/2018 23:33:57

I have already sorted the time conversion format; it's essentially how I would structure the different commands based on the different source IP. Thank you in advance

splunk search command to raise alert when the count is high compare to other host for that host

Dear All, I need help raising an alert for the host having a higher count than the others. Below is the output of my search query. Please suggest the comparison or suitable command to raise an alert for the host having a higher count than the other hosts.

host  count
ABC   1349
DEF   1598
GHI   1123
KLM   1150
NOP   1329

my Splunk GUI is not showing up after the upgrade from 6.3 to 7.0 ?

Hi Splunkers, I have a distributed environment with 2 IDX's, 2 SH + 1 SHQN and 1 Deployer. I have successfully upgraded the Deployer from 6.3 to 7.0, but when I tried to upgrade the SH's from the same version, the CLI looks fine but somehow the web GUI is not progressing and not coming back online. Can anyone help me with this issue? Thanks, Ankit

Is there a Splunk search command that raises an alert when a host's count is high compared to other hosts?

Dear All, I need help raising an alert that would return which host has a higher count than the others. Below is the output of my search query. Please suggest the comparison or suitable command for this issue.

host  count
ABC   1349
DEF   1598
GHI   1123
KLM   1150
NOP   1329

Why is my Splunk GUI not showing up after the upgrade from 6.3 to 7.0 ?

Hi Splunkers, I have a distributed environment with 2 IDX's, 2 SH + 1 SHQN and 1 Deployer. I have successfully upgraded the Deployer from 6.3 to 7.0, but when I tried to upgrade the SH's from the same version, the CLI looks fine. But somehow the web GUI is not progressing and not coming back online. Can anyone help me with this issue? Thanks, Ankit

With a full list of class C IPs, how can i get Splunk to show me how many VLANs are in the data?

We are searching new environments monthly. I can get Splunk to stat out a total list of IPs, but I'm not sure how to get it to find all the VLANs. Ideally I would like to show all the available fields in the third octet.

License Usage justification Report

Hi Team, I am facing a license violation issue. I have received 4 warnings (29th, 30th, 31st, 1st August) but on 2nd and 3rd September there is no violation. What we are thinking is that we don't want to take a risk, and to avoid that risk we are thinking of increasing the license, but before increasing the license my manager wants justification for why the violations have happened. So I went to the license usage report and checked the last 30 days, and the sourcetype "wineventlog:security" is consuming more data in Splunk. Then I compared the logs of 26th August (205 GB wineventlog:security) and 31st August (260 GB wineventlog:security), but they want to know why this much data has come and where it has come from; I need a justification. Team, can you please help me out to get the report. Thanks and regards, shaik hussain

Where can I find developer resources for developing a new HUNK add-on , similar to the MongoDB add-on ?

For Hunk, there is an add-on to query MongoDB as a virtual index. I would like to develop a similar add-on for Hunk to query a different database type. Where can I find developer resources or examples for this kind of Hunk add-on?

Has anyone successfully configured _HTTPOUT_ROUTING in outputs.conf?

Hi all, I read about _HTTPOUT_ROUTING in outputs.conf at https://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad . Unfortunately, I didn't find anything in the spec files or any further examples... Has anyone configured this? Or can anyone give any advice? Best regards, Andreas

Can I change the APP folder's permissions?

I want to use the Git tool to manage the Splunk app code. Git needs read and write permission for the app folder, but when I create an app via Splunk Web, the permission of the app folder is 'drwx--x---+ 6 splunk splunk'. So when I log in to the Linux server with my account, I can't use the Git tool on it. So I want to know, if I change the folder permission to 777 and its subfolders to 755, will the Splunk app always work correctly? Thanks

Why is my search returning no events after data entry?

Hello, I have done a data entry in Splunk for the log event below:

[WinEventLog://Microsoft-Windows-PowerCfg/Diagnostic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = windows
start_from = oldest

But when I'm doing a search on this sourcetype, I have no events. I think it's because these event logs don't exist in the event viewer? If that's the case, does anybody know how to create them? Thanks

How to convert the time format to UK and 24 hour time?

Hello, I have a field called in_time with example output = 8/31/2018 10:21:59 PM (GMT). I'd like this time (e.g. out_time) to be extracted and converted to read 31/08/2018 22:21:59. Can you help? Many thanks,
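An added example, not from either question: a Python normaliser for the in_time format above (12-hour clock with a literal "(GMT)" suffix) that also accepts, as an assumption, the dashed 24-hour format from the network-log question further up, read here as MM-DD-YYYY; anything it cannot parse comes back as None rather than being passed through unchanged.

```python
from datetime import datetime

# Input formats. The first is the in_time layout from the question
# ("8/31/2018 10:21:59 PM (GMT)"); the second is an assumption for the
# dashed 24-hour sample ("07-09-2018 23:33:57"), read as MM-DD-YYYY.
INPUT_FORMATS = (
    "%m/%d/%Y %I:%M:%S %p (GMT)",
    "%m-%d-%Y %H:%M:%S",
)
OUTPUT_FORMAT = "%d/%m/%Y %H:%M:%S"  # UK date order, 24-hour clock


def to_uk_24h(value):
    """Parse `value` with the first matching input format and return it as
    DD/MM/YYYY HH:MM:SS. Returns None when no format matches, so a value
    in an unexpected layout shows up as empty instead of being silently
    left in the original format."""
    for fmt in INPUT_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).strftime(OUTPUT_FORMAT)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for sample in ("8/31/2018 10:21:59 PM (GMT)", "07-09-2018 23:33:57", "not a date"):
        print(f"{sample!r:35} -> {to_uk_24h(sample)}")
```

The Splunk equivalent is `eval out_time=strftime(strptime(in_time, "%m/%d/%Y %I:%M:%S %p (GMT)"), "%d/%m/%Y %H:%M:%S")`; note that strptime without a %z/%Z component treats the value as being in the user's timezone, so a GMT-stamped input only comes out unchanged when that timezone is GMT.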

Will someone help me with my Regular Expression query?

Hi, I am looking for some help regarding Splunk regular expressions. I have data something like this in a field "field1":

\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol

If you observe, there is a product "P1", its description "S+ box" and price "5.00 Dol", and like these there are multiple entries separated by "\". I want to extract these products with their prices so that I can see each product and their associated prices. Basically, I am looking for whether any product has got a NULL price. Let me know if someone can help.

Can you help me with a License Usage justification Report?

Hi Team, I am facing a license violation issue. I have received 4 warnings (29th, 30th, 31st, 1st August) but on 2nd and 3rd September there is no violation. But what we are thinking is that we don't want to take a risk. To avoid that risk, we are thinking of increasing the license, but before increasing the license, my manager wants justification for why these violations have happened. So I went to the license usage report and checked the last 30 days, and the sourcetype "wineventlog:security" is consuming more data in Splunk. Then I compared the logs of 26th August (205 GB wineventlog:security) and 31st August (260 GB wineventlog:security), but they want to know why this much data was used and where it came from. Team, can you please help me get this report. Thanks and regards, shaik hussain

Why are my searches only hitting one Indexer in a cluster ?

Hello everyone. I have a multisite indexer cluster: 2 IDX (IDX01, IDX02) and a CM, 2 SH with a deployer and a VIP to the SH cluster.

site1: SH1, IDX01, CM
site2: SH2, IDX02

Search affinity is enabled. For example, on SH1 if I run:

|tstats c where splunk_server=IDX02 earliest=-24h by index

I don't see any results. But I get results when I use splunk_server=IDX01, as both SH1 and IDX01 are on the same site = site1. Again, on SH2 if I run:

|tstats c where splunk_server=IDX01 earliest=-24h by index

I don't see any results. But I get results when I use splunk_server=IDX02, as both SH2 and IDX02 are on the same site = site2. In the same way, on CM

|tstats c where splunk_server=IDX02 earliest=-24h by index

I don't see any results, but I get results when I use splunk_server=IDX01, as both CM and IDX01 are in the same site = site1.

My problem: IDX01 has high CPU usage alerts and has been almost hitting 100% for a long time. When I look in DMC under Median CPU Usage by Process Class, Maximum Search Concurrency and Maximum Resource Usage of Searches, it clearly shows that searches are hitting this IDX01 more than the other, IDX02.

My doubts:
1. Is search affinity playing a role here?
2. If more searches are dispatching from SH1, is there a chance that more searches are running on IDX01 and causing high CPU problems?

Please help me. Thank you! (edited)