Does "F5 Networks - Analytics" work on Splunk 7.1.2?
Does "F5 Networks - Analytics" work on Splunk 7.1.2? We are trying it, but the scheduled searches and data models do not work.

Can you suggest some Splunk tutorials for beginners?
Hi All,
I am new to Splunk and tools like it, but it is a tool that I need to use for a project. I was trying to find a tutorial on how to set it up and run the queries I need it to do. The ultimate end goal is that I need to use Splunk to search through IIS files on Windows 2003 for application activity, to determine whether the applications are inactive or not within a certain time frame. Would someone mind pointing me in the right direction? Thank you!

How to migrate buckets from a standalone indexer to a multisite cluster environment?
I had an older standalone Splunk indexer. I set up a new multisite cluster (2 indexers, site replication/search factor of 2) and have all data available at both sites. The Splunk version is the latest, 7.1.2.1.
I want to take the old data (legacy indexer, not replicated) and have it replicate in the new multisite cluster.
I am dealing with ~1 TB of logs across many years. Just adding the old indexer to my search heads is not a valid workaround; 100% data availability at both sites is my primary concern.
Steps followed:
1. Set up an indexer (single_idx) with an index named "test".
2. Set up an indexer cluster (multi_idx_1, multi_idx_2) with index "test".
3. Copy a warm bucket from single_idx to multi_idx_1.
4. Rename the bucket to append the multi_idx_1 GUID, following the clustered bucket naming convention.
5. Watch the multi_idx_2 db folder for an rb_ folder corresponding to the manually added bucket.
It never replicates to the other site indexer.

How do I pass some subsearch result fields to the result?
I'm trying to figure out if the following can be done with subsearch or requires a join.
I'm running a search that boils down to:
index=indexA sourcetype=outer
[search index=indexB sourcetype=inner innerinput=abc | fields inneroutput1 inneroutput2 inneroutput3]
| table _time host outeroutput1 outeroutput2 **inneroutput3**
My subsearch results provide the keys necessary for the main one, but I'd like one extra field to be passed to the final table without being used on the outer search.
Anything I'm missing or do I have to run a join just for that extra field?

How do you group two queries from different sourcetypes and events?
Hello. I am having trouble with a complicated query. Here's what I'm trying to do:
We have events from IIS w3svc1 logs which include requestor IPs. For example:
2018-09-03 15:47:10 yy.yy.yy.yy GET //Catalog/ year=2018-2019 80 - xx.xx.xx.xx WordPress/4.9.6;+https://somewhere.com https://somewhere.com/Public/Catalog/?year=2018-2019 200 0 0 62
We also have standard WinEventLog:Application events that include the username that authenticated but do not include the requestor IP address.
When the WinEventLog:Application event has MESSAGE="Login success", I want to correlate that event with the w3svc1 access log event at the same exact timestamp.
In other words, I want to determine which user successfully logged in at a specific time by referencing two separate logs. I can create the two separate queries, but I'm unsure how to connect them. I looked at transactions, but I didn't get very far.
Does anyone have any suggestions on how to begin with this query?
Thanks!
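The same-second join described above, as an added example that is not part of the original post, written in Python rather than SPL so it can be run offline. It parses constructed IIS W3C lines in the field order of the post's sample (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken), collects client IPs per second, and attributes each constructed "Login success" record to the IPs seen in that second; the Windows record layout (timestamp, user, message) is an assumption. In SPL the equivalent is searching both sourcetypes in one query, then `bin _time span=1s` and `stats values(c_ip) values(user) by _time`. Two things the script makes visible that a plain join hides: an exact timestamp match is ambiguous whenever two clients hit the server in the same second, so each row carries an `ambiguous` flag instead of pretending there is one source IP; and widening the window to absorb clock skew between the web tier and the application server makes that ambiguity more likely, while restricting the web events to the login URI is what actually tightens the attribution.

```python
"""Correlate IIS W3C access-log lines with Windows Application 'Login success'
events on their shared second-granularity timestamp (added example; the sample
records below are constructed, not taken from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS w3svc1 lines, same W3C field order as the post's sample:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
IIS_LINES = """\
2018-09-03 15:47:10 10.0.0.5 GET /Catalog/ year=2018-2019 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 62
2018-09-03 15:47:12 10.0.0.5 POST /login - 443 - 198.51.100.23 Mozilla/5.0 - 302 0 0 140
2018-09-03 15:47:30 10.0.0.5 POST /login - 443 - 192.0.2.44 curl/7.61 - 302 0 0 98
2018-09-03 15:47:30 10.0.0.5 POST /login - 443 - 192.0.2.99 python-requests/2.19 - 302 0 0 101
""".splitlines()

# Constructed WinEventLog:Application records as (timestamp, user, message);
# the real events carry more fields, but these three are all the join needs.
WIN_EVENTS = [
    ("2018-09-03 15:47:12", "alice", "Login success"),
    ("2018-09-03 15:47:30", "bob", "Login success"),
    ("2018-09-03 15:47:45", "carol", "Login failure"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_iis(line):
    """Return (timestamp, client_ip, method, uri_stem, status), or None for
    a comment/header or truncated line. Splitting on whitespace is safe for
    W3C logs because IIS encodes spaces inside field values."""
    f = line.split()
    if len(f) < 12 or f[0].startswith("#"):
        return None
    return (f"{f[0]} {f[1]}", f[8], f[3], f[4], f[11])


def correlate(iis_lines, win_events, window=0, uri_filter=None):
    """Attribute each 'Login success' to the client IPs seen on the web tier
    in the same second (plus/minus `window` seconds of clock-skew tolerance).

    uri_filter: if set, only requests whose cs-uri-stem equals it count,
    which is the main lever for reducing false matches.
    Each result has 'ambiguous' set when the match is not exactly one IP;
    such rows must not be treated as an attribution.
    """
    ips_by_second = defaultdict(set)
    for line in iis_lines:
        rec = parse_iis(line)
        if rec is None:
            continue
        ts, ip, _method, uri, _status = rec
        if uri_filter is not None and uri != uri_filter:
            continue
        ips_by_second[datetime.strptime(ts, TS_FMT)].add(ip)

    results = []
    for ts, user, msg in win_events:
        if msg != "Login success":
            continue
        t0 = datetime.strptime(ts, TS_FMT)
        ips = set()
        for off in range(-window, window + 1):
            ips |= ips_by_second.get(t0 + timedelta(seconds=off), set())
        results.append({"time": ts, "user": user, "src_ips": sorted(ips),
                        "ambiguous": len(ips) != 1})
    return results


if __name__ == "__main__":
    for row in correlate(IIS_LINES, WIN_EVENTS, uri_filter="/login"):
        print(row)
```

One caveat before trusting a one-second match in production: IIS W3C logs record time in UTC by default, whereas the Windows event timestamp is whatever the forwarder reports, so check that both sourcetypes end up with the correct _time (TZ in props.conf) first; a consistent offset between the two sources shows up as every login being unattributable, not as wrong attributions.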

How to combine two field results into a single field permanently?
Let's say I have extracted two fields, rs_time1 and rs_time2, but now I want to merge the values from these fields into one single field called rs_time. I have the following query, which correctly does what I want at search time, but is there a way to do it permanently rather than during search time?
| eval "rs_time"=coalesce(rs_time1,rs_time2)
| stats avg(rs_time) as res_time

One indexer + one search head - which instance should host the console?
REF - http://docs.splunk.com/Documentation/Splunk/7.0.5/DMC/WheretohostDMC
The doc does not seem straightforward to me for the case of one indexer + one search head.
It suggests "not to host the console on a production search head".
Does this mean the console should sit on the indexer?
Thanks in advance

What is the best way to back up config files?
Hi,
In order to take a backup of the config files, I have copied a file to, let's say, `authorize.conf_bak_03_21_2018`.
Will Splunk read the settings from the above file? I am assuming that it does not.
But why am I getting the following error message in the internal logs?
ERROR Archiver - Failed to open file="/opt/splunk/etc/system/local/authorize.conf_bak_03_21_2018":
Permission denied
What is the best way to back up the config files and save them in the same folder?

Citrix NetScaler AppFlow: reduce the noise!
Can anyone help me out? We have 6 NetScalers with AppFlow enabled, in prod/dev environments.
I figured out how to use the AppFlow policies to reduce the AppFlow data by requested host, but it seems like the majority of my events are netscaler_session events. I would like to also reduce/filter these events. I have not been able to find the right source for resolving this. Any help would be appreciated.

How to use field aliases to rename a column in a dashboard?
We have a dashboard that shows the status codes (which we filter through checkboxes) for all of our web server farms. It is set up properly for all of our IIS servers, as the status code field is "sc_status", but for our one web server farm that is Linux, the status code field is "status", so I can't pass the tokens from our checkbox input filter.
What is the best way to rename a field for this situation?

How do I extract a timezone from the event?
I have events which have a timezone field whose values are UTC, America/chicago, etc.
How can I map these timezones to a standard time zone?
I tried to use TZ_ALIAS, but the string "America/Chicago" should be mapped to CST/CDT based on daylight saving time.
Is there any possibility to handle such situations?
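Why TZ_ALIAS alone cannot do this, and what can, as an added example that is not part of the original post. TZ_ALIAS in props.conf is a static string-to-zone mapping: it can say that a token in the data means a particular zone, but CST versus CDT is a property of the event's own date under that zone's daylight saving rules, so it has to be computed per event. The Python script below (standard library only; Python 3.9 or later for `zoneinfo`) does that computation over constructed events: it normalises the spelling seen in the data (the lowercase "America/chicago" from the post; the `ZONE_FIXUPS` table is a hypothetical starting point, not anything Splunk ships), then resolves each event's local timestamp to the abbreviation, UTC offset and epoch in force at that instant.

```python
"""Resolve an IANA zone name found in an event (e.g. 'America/Chicago') to the
abbreviation and UTC offset in force at that event's own timestamp, so the
same zone yields CST in January and CDT in July. Added example, not from the
original post; the events below are constructed. Python 3.9+ (zoneinfo)."""
from datetime import datetime
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed events: local wall-clock time as logged, plus the zone field.
# Note the lowercase 'chicago', as in the post; IANA keys are case-sensitive
# on case-sensitive filesystems, so the raw value may not resolve as-is.
EVENTS = [
    {"ts": "2018-01-15 09:30:00", "tz": "America/Chicago"},
    {"ts": "2018-07-15 09:30:00", "tz": "America/Chicago"},
    {"ts": "2018-07-15 09:30:00", "tz": "UTC"},
    {"ts": "2018-07-15 09:30:00", "tz": "America/chicago"},
    {"ts": "2018-07-15 09:30:00", "tz": "Not/AZone"},
]

# Hypothetical normalisation table for spellings seen in the data (assumption:
# the data is only ever lowercased, not renamed); extend as new values appear.
ZONE_FIXUPS = {"america/chicago": "America/Chicago", "utc": "UTC"}


def canonical_zone(name):
    """Map a zone string from the data to an IANA key, or None if unknown."""
    fixed = ZONE_FIXUPS.get(name.strip().lower(), name.strip())
    try:
        ZoneInfo(fixed)
    except (ZoneInfoNotFoundError, ValueError):
        return None
    return fixed


def resolve(ts, tz_name):
    """Return {'abbrev', 'offset_seconds', 'epoch'} for a local timestamp in
    the named zone, or None when the zone cannot be resolved.

    replace(tzinfo=...) on a naive datetime lets zoneinfo pick standard or
    daylight time from the zone's rules for that specific date."""
    zone_name = canonical_zone(tz_name)
    if zone_name is None:
        return None
    local = datetime.strptime(ts, TS_FMT).replace(tzinfo=ZoneInfo(zone_name))
    return {
        "abbrev": local.tzname(),                        # 'CST' or 'CDT'
        "offset_seconds": int(local.utcoffset().total_seconds()),
        "epoch": int(local.timestamp()),                # what _time should be
    }


def resolve_events(events):
    """Annotate each event; unresolved zones are kept and flagged, not dropped,
    so bad data is visible in the output rather than silently missing."""
    out = []
    for ev in events:
        info = resolve(ev["ts"], ev["tz"])
        out.append({**ev, **(info or {"abbrev": None, "offset_seconds": None,
                                      "epoch": None}), "resolved": info is not None})
    return out


if __name__ == "__main__":
    for row in resolve_events(EVENTS):
        print(row)
```

If the real goal is a correct _time rather than a CST/CDT label, mapping the string to the IANA zone is enough, because Splunk applies the daylight saving rules of an IANA zone itself; the script's `epoch` value is what that _time should come out to, which makes it a convenient check after a props.conf change.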

How do I search to exclude logs with extensions?
Hi,
In my data, I have API calls with several extensions (.html, .com, .php and many more). I am trying to exclude the logs that have these extensions. I tried the below.
index=abc NOT (api_call=".html." OR api_call=".php")
But I don't want to use NOT, since there are many more extensions that will come in the future.
Can anyone help?
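A generic test for "ends in a file extension", as an added example that is not part of the original post, written in Python so the edge cases can be exercised offline; the sample paths are constructed. The point of a pattern anchored to the last path segment, rather than a growing NOT list, is that it keeps working for extensions nobody has listed yet, but it then has to cope with dots that are not extensions: a version directory such as /v1.2/, a query string, and an IP address or numeric id as the last segment. In SPL the same pattern can be applied with `| regex api_call!="<pattern>"` once the query string has been stripped from the field.

```python
"""Decide whether an API path ends in a file extension, so requests for static
files (.html, .php, .css, ...) can be excluded generically instead of with an
ever-growing NOT list. Added example, not from the original post; the sample
paths are constructed."""
import re

# A final path segment of the form name.ext, where ext starts with a letter and
# is 1-8 letters/digits. Anchored to the end of the stem so dots earlier in the
# path (/v1.2/) do not count. Requiring a leading letter deliberately ignores
# purely numeric "extensions" (IP octets, numeric ids); the price is that
# digit-first extensions such as .7z are not treated as extensions.
EXT_RE = re.compile(r"/[^/]+\.[A-Za-z][A-Za-z0-9]{0,7}$")


def path_stem(api_call):
    """Strip the query string and fragment, then a single trailing slash."""
    stem = api_call.split("?", 1)[0].split("#", 1)[0]
    return stem[:-1] if stem.endswith("/") and len(stem) > 1 else stem


def has_extension(api_call):
    """True when the last segment of the path looks like name.ext."""
    return EXT_RE.search(path_stem(api_call)) is not None


def filter_api_calls(api_calls):
    """Return only the calls that do not end in an extension."""
    return [c for c in api_calls if not has_extension(c)]


# Constructed sample values for the api_call field.
SAMPLE_CALLS = [
    "/api/v1/users",
    "/api/v1/users/42",
    "/api/v1.2/orders",                 # dot in a directory, not an extension
    "/index.php",
    "/Public/Catalog/?year=2018-2019",  # query string must be ignored
    "/static/app.min.js?v=3",
    "/robots.txt",
    "/api/v1/export/report.tar.gz",
    "/api/v1/hosts/10.0.0.5",           # numeric last segment, not an extension
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(f"{'drop' if has_extension(call) else 'keep':4}  {call}")
```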

Why are my alerts created under the launcher app missing?
Today I opened up my Alerts page and clicked "All Apps" and half of my alerts were gone. I finally realized it was all the ones that were in the launcher app.
Has anyone else seen this happen? When I review the apps listed in the /apps directory through the Terminal, the launcher app still seems to be present.