How to implement "not in" in splunk?
I want to find the data that is not in the collection, as shown below:
![alt text][1]
But I always get an error, as shown below.
![alt text][2]
[1]: /storage/temp/255914-notin.png
[2]: /storage/temp/255915-notinraw.png
How to create an alert when process appears in multiple IPs?
Say I have a table of processes and IP addresses. I want to make an alert when a certain process was monitored in multiple computers during the last 24 hours. How can I do it?
Very specific question I know, I just didn't know how to phrase it otherwise.
How to implement "NOT IN" in Splunk
1. I have an index that is populated by an extensive, long-running query that creates a line like "Client1 Export1 Missed. Expected Time: 06:15:00".
2. I have another index that is populated with fields to be overwritten and not appear in the report. So if the above line needs to not show up, I have the information "Client1" and "Export1".
I am looking for a way to search for all results in point 2 (the ones to not include) and exclude them from point 1. Something like this:
`| where "Missed Exports Message Alert" NOT in [ search sourcetype="si_Export_FileMissed" earliest=-24h@h | eval clearExport = ClientID + " " + ExportType | table clearExport ]`
How do you use NOT IN, as this is not working as I expect?
Another way to ask this question is: how do I exclude the results of a subsearch from the overall search?
How to get top 20 results by aggregation method used in Trellis Layout?
Hi
Below is a query which returns the latency over month by cust_id. Events contain fields such as month=April, month=May, etc.
```
...| chart max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id useother=f limit=40 | sort -Max, -P95
```
I would like to display this as a trellis chart by the aggregation method used. While using Trellis Layout, I am getting one graph each for Max, Avg and P95 (3 charts). How do I display the top 20 cust_id latency values for each aggregation method? Is that possible?
![alt text][1]
[1]: /storage/temp/255910-screen-shot-2018-09-04-at-104529-am.png
With a full list of class C IPs, how can I get Splunk to show me how many VLANs are in the data?
We are searching new environments monthly, which means we are blind going in. I can get Splunk to stat out a total list of IPs, but I'm not sure how to get it to find all the VLANs. Here is an example search:
```
sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count by src_ip | table src_ip
```
It gives me a list of private IP addresses in the Bro conn log. I would like to see all the VLANs that these IPs reside on.
For example, let's say my search returned:
192.168.0.123
192.168.10.30
192.168.20.32
10.1.0.100
10.10.2.45
I would like to know that there are 5 total subnets, and maybe even list them out as:
192.168.0
192.168.10
192.168.20
10.1.0
10.10.2
When will Splunk App for Windows Infrastructure be compatible with Splunk Add-on for Microsoft Windows version 5.0.0?
Lost a lot of functionality after upgrading to 5.0.0 and I need it back.
Forwarder install failing using MST through group policy
Hello all,
I'm running into an issue with installing the universal forwarder on my clients through group policy. I've attempted multiple ways with no success. Now I decided to use Orca to create an MST with our desired property values and push this through software installation in group policy. I've read about the 2 advanced options, "Ignore the language when deploying" and "Include OLE class & product info", and have made sure to have those checked under the advanced deployment options for the MSI. I run a gpupdate on the client and it says there is an install from group policy that requires a restart to install. I type y or yes and allow the restart, and when I log back in... NOTHING. Something is hanging up and I'm not sure what. Any help would be greatly appreciated.
Jenkins Splunk app is blank (but events are indexed)
I followed the Jenkins config steps recommended here:
https://wiki.jenkins.io/display/JENKINS/Splunk+Plugin+for+Jenkins
Events show up if I search
`index=jenkens*`
But the Jenkins app in Splunk shows "No results found".
Splunk version: 7.1
Jenkins App version: 1.0.7
Help me find where my sourcetype is getting broken?
All,
My Windows Event Log items are coming in as sourcetype=WinEventLog and not sourcetype=WinEventLog:Security as it is set in my inputs.conf:
```
# inputs.conf
[WinEventLog://Security]
source = WinEventLog:Security
sourcetype=WinEventLog:Security
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
```
On my intermediate servers I have a props.conf file:
```
# props.conf
[source::WinEventLog:Security]
sourcetype=WinEventLog:Security
TRANSFORMS-winsourceeventlogsecurity = st_wineventlog_security,route_stubhinfo_to_es
[WinEventLog:Security]
TRANSFORMS-wineventlogsecurity = route_stubhinfo_to_es
```
```
# transforms.conf (stanza referenced by the TRANSFORMS- settings above)
[route_stubhinfo_to_es]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=lvssplunkes
```
My indexers do not have any props.conf settings.
My search heads do not have search-time sourcetype renaming enabled.
Any idea where I might be messing up? How can I troubleshoot this further?
How do I update a dropdown token (and all associated nested tokens) upon pressing the submit button?
Hi,
I am trying to perform a search in 3 different ways using a dropdown.
Depending on which search criterion is selected, tokens from the relevant search inputs are all passed into the dropdown token ($multisearch$), which is then passed into the relevant panels to display the search result in table and raw event format.
When I click the submit button after entering new text into a relevant search text field, the search does not update.
I have narrowed this problem down to one of my tokens not updating (the $multisearch$ token from the "Search Criteria" dropdown).
There is one quirk I found that makes the search update in the panels (for the default option only), but it is not a solution to my problem: when I click submit after changing my search and then click on the clear button (x) in the dropdown, the search updates in all the panels.
I think the reason for this is that the token is re-evaluated once the value is reset.
Is there a way to force the dropdown token to re-evaluate every time one of the associated inputs is changed?
Setting "Search on Change" to true for relevant inputs has no effect.
I have trimmed my dashboard Source code as follows:
Thank you for your time.
Hashing an entire lookup file (detecting change to lookups)
I have several critical lookup files that I want to monitor to determine if they are altered in ANY capacity (lookup editor, outputlookup command, command line, etc.). One idea I had was to call something like the MD5 function on the ENTIRE lookup file, but I can't seem to do that. My current method at present is to calculate the length of every field and sum them all up for a total byte count. It wouldn't detect a net-zero change in total bytes, but absent a better solution, it may be my best hope.
Ideas?
How can I get common values?
Now, I want to get common values from data.
I use this command:
`index="new_1" | stats list(oper_field) as gn by department`
Now, I want to get a column to show values whose count >= 2.
For example:
there are two "Model List"; I want to show it in another column.
Please help me.
![alt text][1]
[1]: /storage/temp/254857-p1.png
Prebuilt panels
I have 4 to 5 prebuilt panels in a dashboard with the same search; only the filter conditions are different.
How do I create a base search for prebuilt panels?
How to highlight a cell within HTML dashboards on Splunk 7?
Hi,
I upgraded the Splunk version from 6.4 to 7.
I use a lot of HTML dashboards and I have some "onclick" event listeners to highlight cells and rows.
That works perfectly with Splunk 6.4 but not on version 7.
Why? How can I fix that?
Create an alert in Splunk to send events to ServiceNow
Hi,
I am creating an alert in Splunk and I want to send it as an event to ServiceNow, so I am using the ServiceNow Add-on for Splunk.
Under Trigger Actions I am using ServiceNow Event Integration, but here I can see only 5 fields (Node, Type, Resource, Severity and Description), and I want to add more fields like MetricName etc.
So can I add more fields, so that they go to ServiceNow as an event using this Event Generation trigger action?
Added a screenshot of the trigger action field names: https://imgur.com/a/B4OX7eZ
Thanks.
Pass a token to a time picker
Hi all,
I tried to pass a token in a drilldown to another dashboard as the default values of the Time Picker, but I received the message "invalid earliest_time".
In the Time Picker I have "Custom time", and opening it I have the token names ($TimeFrom$ and $TimeTo$) instead of their values.
Replacing the token names with the values I see in the browser address bar (e.g. "-15m" and "now"), the search runs.
In other words: tokens are correctly passed to the secondary dashboard, but only in the Time Picker are they not changed into values; if instead I pass my tokens to the dashboard's panels, they run correctly.
This is my code:
In the main dashboard:
`/app/my_app/home_page_overview_servers?TimeFrom=$Time.earliest$&TimeTo=$Time.latest$&System_Type=Server Windows&Stato=severe`
In the secondary dashboard: `$TimeFrom$` `$TimeTo$`
In other words, is it possible to pass a token to a Time Picker?
Bye.
Giuseppe
Separate Splunk logs
What is the best practice in the case of having different groups where each group doesn't want to see another group's logs, but they have the same assets (all of them have Cisco switches, Linux servers, ...)?
How can we separate their logs?
Unable to read logfile
I am trying to read a log file from a server. I have made all the configuration in Splunk, but data is not coming into Splunk search. When I checked the Splunk internal log, I am getting a permission denied error for that server. I logged in to the specific server and verified that all users have read permission to the path I am trying to monitor. Can anyone suggest what could be the real cause of this issue?
Below is the inputs.conf configuration:
```
[monitor:///usr2/oracle/saltlog/*logs.log]
sourcetype = oracle_os:healthcheck
index = os_na
interval = 600
crcSalt =
```
I've heard that once data is indexed, it cannot be modified. Is that documented somewhere?
I know that once an event is indexed, it cannot be modified. But is that specifically stated somewhere in the Documentation? I need to provide proof of it for security documentation.
How to use subsearch without a field name?
We have got data which contains the field in many places.
**Events**
```
2018-09-05 01:00:00 logged in by USER1
2018-09-05 01:00:01 logged in as USER2 by USER1
2018-09-05 01:00:02 logged in as USER3 by USER4 and as USER2 by USER1
2018-09-05 01:00:04 logged in as USER5 by USER6
```
**Reference lookup** (`usernames.csv`)
```
user,name
USER1,bob
USER4,chuck
```
The events are not parsed and we just need to check whether USER1 or USER4 (the `user` from the reference lookup) is present in the events. But there is NO field mapped in the raw events.
Hence, if I do the search below, no data shows up:
```
index=* [|inputlookup usernames.csv | fields user]
```
I believe the above search expands as `index=* user=USER1`.
But if I parse/model the data to extract user from the events, it works.
So how do I remove the "user" field from the lookup, so it searches just for the "user" value without the field=value concept?
I was looking for the search to expand like:
```
index=* USER1
index=* USER4
```
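One way to get the bare-term expansion described above, as an added example that is not part of the original post: a subsearch that returns a field named `search` has its values inserted as raw search text rather than as field=value pairs, so renaming the lookup's `user` column to `search` yields the OR-ed terms `USER1` and `USER4` (the index and lookup names are the ones from the post).

```spl
index=* [| inputlookup usernames.csv | fields user | rename user AS search]
```

To inspect what the subsearch will expand to before trusting it, run the inner part on its own with `| format` appended; the `search` column then shows the raw terms OR-ed together.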