hi all
We have some Linux servers and we need to send the logs from these servers to Splunk.
Should we install a UF and TA on the Linux servers or not?
Can we send the logs directly to an intermediate forwarder instead?
Can we send our Linux logs to an intermediate UF directly (syslog, I mean, like Cisco switches do) without installing a UF and TA on the Linux servers?
Is Credential Detected sent via syslog to Splunk?
Hi,
We have recently set up Credential Phishing Prevention and would like to alert in Splunk when Credential Detected is yes.
Is this currently possible?
The flag doesn't appear to be sent with the syslog to Splunk.
Cheers,
Mat
Building calendar information with a lookup to specify the search range for the relevant day
For example, when searching a log such as Index=XXX sourcetype=+++, on 2018/09/10 I want to search the data for 2018/9/7, and on 2018/09/11 I want to search the data from 2018/09/08 to 2018/09/10. How can I write a search whose search range changes depending on the day the search is run?
For example, I thought I could create a CSV file like the one below, reference it with a lookup, and narrow down the logs with a where clause or similar, but what kind of search should I write?
I assume it will involve referencing some kind of calendar data, but if there is a good way to do this, please advise.
date,start_dat,end_day
2018/09/10,2018/09/07,2018/09/07
2018/09/11,2018/09/08,2018/09/10
2018/09/12,2018/09/11,2018/09/11
Confusing Search Output
Hi,
sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo" NOT "Error1" NOT "ERROR2"
The search gives 0 results, meaning there are two types of error.
Now when creating a report like:
sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo"
| eval errorMessage = "Others"
| append [search sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo" "Error1"]
| eval errorMessage = "Error1"
| append [search sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo" "Error2"]
| eval errorMessage = "Error2"
Here the search results show far too many events with errorMessage set to "Others".
Can someone please help me understand what I am doing wrong?
I need to compare two results based on one part of a field (and not the entire field). To give more details:
I have search A which gives results like field A, field B, field C, where field C is a combination of two halves, like part1.part2. Now I want to compare/combine the results of this search with another search that gives columns like field D, field E, field C (here field C contains only part 2 and does not have part 1).
My question is:
1. How do I compare/combine the results of search 1 with the results of search 2 to see the events where part 2 of field C matches?
How to use subsearch without a field name? (but just with field value)
We have data which contains the field in many places
**Events**
2018-09-05 01:00:00 logged in by USER1
2018-09-05 01:00:01 logged in as USER2 by USER1
2018-09-05 01:00:02 logged in as USER3 by USER4 and as USER2 by USER1
2018-09-05 01:00:04 logged in as USER5 by USER6
**Reference lookup** (`usernames.csv`)
user,name
USER1,bob
USER4,chuck
The event is not parsed and we just need to check whether USER1 or USER4 (user from the reference lookup) is present in the events. But there is NO field mapped in the raw events.
Hence if I do the search below, no data shows up:
index=* [|inputlookup usernames.csv | fields user]
I believe the above search expands as `index=* (user=USER1 OR user=USER4)`
I was looking for the search to expand like:
index=* (USER1 OR USER4)
So how do I remove the "user" field from the lookup, so it searches just for the "user" value without the field=value concept?
Why was an alert deleted by the Splunk system?
Hello everyone,
I have a problem with an alert removed without a user's action.
When I join the Splunk logs...
splunk_server = "XXX" index=_audit host=YourHostName action=alert_deleted
...I do not see deletion events. What may have occurred? Is this some action of the system? How can I identify the cause of the deletion of the alert?
After upgrading to 7.1.2, why are users unable to change their passwords?
We upgraded from 7.0.2 to 7.1.2 and now users are unable to change passwords.
splunkd.log = ERROR AdminHandler:AuthenticaionHandler - Missing old password
The form the user fills out to change the password doesn't present a field for "old password". Then the user submits the form and Splunk gives the error saying the old password is missing.
Is this a known bug? How do we fix it to allow users to change their own passwords like they were able to prior to update?
More info:
The page's source code shows "oldpassword" around line 722 as part of an optional field, but it isn't defined anywhere else to obtain a value, not even as a hidden value.
Could you help me with a stats(sum) query?
hi
I use the search below in order to count some events from 3 fields (LogName SourceName Type):
index="windows" (sourcetype="wineventlog:application" OR sourcetype="wineventlog:security" OR sourcetype="wineventlog:system") (Type="Critique" OR Type="Avertissement") | stats count by LogName SourceName Type | rename LogName as EventViewer_Source | sort -count
Now I want to sum the different counts I have with the code above by LogName and by Type
I tried this but .....
index="windows" (sourcetype="wineventlog:application" OR sourcetype="wineventlog:security" OR sourcetype="wineventlog:system") (Type="Critique" OR Type="Avertissement") | stats sum(count) as Total by LogName, Type
Thanks
Enterprise Trial license: does it include clustering?
We are using Enterprise Trial License in our test environment so we just want to know whether we are able to create multi-site clustering and also Search Head Clustering.
FYI we have 1 Cluster master server, 1 Deployment master, 2 indexers and 1 search head server.
How do you link transactions with other sourcetypes based on timestamp?
Splunk fellows, your help is needed.
In our project (license plate recognition on gas stations) we have 2 sourcetypes.
**Sourcetype=plate_recognition**
Where events look like:
1. 15:00, direction=in, plate_number=xx11
2. 15:01, direction=in, plate_number=xx22
3. 15:09, direction=out, plate_number=xx11
4. 15:10, direction=in, plate_number=xx33
5. 15:12, direction=out, plate_number=xx22
6. 15:15, direction=out, plate_number=xx33
…
Event Description:
At 15:00 the car with plate number xx11 entered the gas station; the same car left by 15:09.
We used the transaction command:
| transaction plate_number startswith="direction=in" endswith="direction=out"
and received the following results:
1. 15:00, plate_number=xx11, duration=9minutes
2. 15:01, plate_number=xx22, duration=11minutes
3. 15:10, plate_number=xx33, duration=5minutes
...
**Sourcetype=payment**
Events in this sourcetype represent payment transactions on the gas stations.
1. 15:03, card_id=AAAA
2. 15:07, card_id=BBBB
3. 15:11, card_id=CCCC
…
Event Description:
At 15:03 a payment was made with loyalty card AAAA (we do not have information about which plate number owns this card).
### OUR TASK
We need to tie card_id to plate numbers. To achieve this, we see 2 options:
- Create a statistics table using timestamps for each card_id.
Table:

| card_id | plate_number |
| --- | --- |
| AAAA | xx11, xx22 |
| BBBB | xx11, xx22 |
| CCCC | xx22, xx33 |

From the data, we can see that when card AAAA was used, at that time cars xx11 and xx22 have been at the gas station, therefore we link those 2 with that card_id.
- For each plate number
Table:

| plate_number | card_id |
| --- | --- |
| xx11 | AAAA, BBBB |
| xx22 | AAAA, BBBB, CCCC |
| CCCC | CCCC |

From the data, we can see that when car xx11 was at the station, two cards have been used: AAAA and BBBB, therefore, we link these cards to that car.
Do you have an idea how to get those tables?
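To make the time-overlap logic behind both tables concrete, here is an added Python model of it (example code, not a Splunk search and not the poster's own code). It pairs each direction=in with the next direction=out for the same plate, the way the transaction command does, and then joins every payment to each visit whose interval contains the payment time; the second table is the inverse of the first. The events are constructed copies of the samples in the post; the names `Visit`, `build_visits`, `link_cards_to_plates` and `link_plates_to_cards` are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the post's two sourcetypes.
PLATE_EVENTS = [
    ("15:00", "in", "xx11"),
    ("15:01", "in", "xx22"),
    ("15:09", "out", "xx11"),
    ("15:10", "in", "xx33"),
    ("15:12", "out", "xx22"),
    ("15:15", "out", "xx33"),
]
PAYMENT_EVENTS = [
    ("15:03", "AAAA"),
    ("15:07", "BBBB"),
    ("15:11", "CCCC"),
]


def to_minutes(hhmm: str) -> int:
    """Turn an HH:MM timestamp into minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass
class Visit:
    """One stay on the station: the equivalent of one transaction result."""
    plate_number: str
    start: int
    end: Optional[int]  # None while the car has not left yet (open transaction)

    def covers(self, t: int) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)


def build_visits(events):
    """Pair every direction=in with the next direction=out of the same plate."""
    open_visits = {}
    visits = []
    for ts, direction, plate in sorted(events, key=lambda e: to_minutes(e[0])):
        t = to_minutes(ts)
        if direction == "in":
            # A second "in" without an "out" in between starts a fresh visit;
            # the earlier one is kept open-ended rather than silently dropped.
            if plate in open_visits:
                visits.append(open_visits.pop(plate))
            open_visits[plate] = Visit(plate, t, None)
        elif direction == "out":
            visit = open_visits.pop(plate, None)
            if visit is None:
                continue  # "out" with no matching "in": nothing to close
            visit.end = t
            visits.append(visit)
    # Cars still on the station at the end of the data stay open-ended.
    visits.extend(open_visits.values())
    return visits


def link_cards_to_plates(visits, payments):
    """First table: for each card_id, the plates present when it was used."""
    return {
        card: sorted(v.plate_number for v in visits if v.covers(to_minutes(ts)))
        for ts, card in payments
    }


def link_plates_to_cards(visits, payments):
    """Second table: for each plate, the cards used during its visit."""
    table = {}
    for visit in visits:
        cards = [card for ts, card in payments if visit.covers(to_minutes(ts))]
        table[visit.plate_number] = sorted(cards)
    return table


if __name__ == "__main__":
    visits = build_visits(PLATE_EVENTS)
    for v in visits:
        print(f"{v.plate_number}: duration={v.end - v.start} minutes")
    print("card_id -> plate_number:", link_cards_to_plates(visits, PAYMENT_EVENTS))
    print("plate_number -> card_id:", link_plates_to_cards(visits, PAYMENT_EVENTS))
```

Run as-is it reproduces the three durations (9, 11 and 5 minutes) and both tables from the post. Note that the join is many-to-many by design: a single visit can only ever narrow the owner of a card down to the set of cars present at that moment, so a definite card-to-plate assignment needs the same pairs to recur over many visits before it can be trusted.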
Trouble installing Splunk_TA_jmx Add-on: Has anyone seen the following error?
I have the Splunk_TA_jmx add-on installed on a Heavy Forwarder but am getting the following error:
Introspecting scheme=jmx: script running failed (exited with code 1).
Unable to initialize modular input "jmx" defined inside the app "Splunk_TA_jmx": Introspecting scheme=jmx: script running failed (exited with code 1).
Scheme "jmx" is not initialized.
I ran the following:
sudo -u splunk /opt/splunk/bin/splunk cmd splunkd print-modinput-config jmx |/opt/splunk/bin/splunk cmd /opt/splunk/bin/python /opt/splunk/etc/apps/Splunk_TA_jmx/bin/jmx.py
and this is what I got:
Introspecting scheme=jmx: script running failed (exited with code 1).
Unable to initialize modular input "jmx" defined inside the app "Splunk_TA_jmx": Introspecting scheme=jmx: script running failed (exited with code 1).
Scheme "jmx" is not initialized.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_jmx/bin/jmx.py", line 136, in <module>
token = ET.fromstring(xml_str).find('session_key').text
File "/opt/splunk/lib/python2.7/xml/etree/ElementTree.py", line 1312, in XML
return parser.close()
File "/opt/splunk/lib/python2.7/xml/etree/ElementTree.py", line 1671, in close
self._raiseerror(v)
File "/opt/splunk/lib/python2.7/xml/etree/ElementTree.py", line 1523, in _raiseerror
raise err
xml.etree.ElementTree.ParseError: no element found: line 1, column 0
Any thoughts on this?
JSON : why was the field "tag" not extracted?
Hi,
I have logs from Docker in JSON format posted to the Splunk HTTP Event Collector. All fields are dynamically recognized, but the last field **tag** is never recognized. Is it possible that this is due to the duplicate **source** field just before the **tag** field? The source field seems to be a default Splunk field and it's extracted twice: in the raw event and in the input source.
Here are some examples of the JSON events:
{"line":{"time":"2018-09-05 15:39:27.370","level":"silly","message":"Healthcheck:Completed"},"source":"stdout","tag":"dc7eb5ace680","attrs":{"appName":"ms-chatservice","appType":"microservice"}}
{"line":{"time":"2018-09-05 15:56:27.267","level":"debug","message":"KafkaBase.getTopicMetadata: Test"},"source":"stdout","tag":"6960306e978c","attrs":{"appName":"ms-chatservice","appType":"microservice"}}
{"line":"\u001b[0mGET /api/protected/notifications?skip=0\u0026limit=100 \u001b[36m304 \u001b[0m56.743 ms - -\u001b[0m","source":"stdout","tag":"1b6e7b4e756e","attrs":{"appName":"web-pro","appType":"webapp"}}
Does someone have an idea why?
Regards,
How to drop all events automatically after license warning?
Good day,
Is there a way to drop all events whenever a license warning pops up in the platform?
Thanks!