Channel: Questions in topic: "splunk-enterprise"

What is pctIdle in Splunk index os?

Hi, what is this field pctIdle which automatically gets extracted when we use the multikv command? Is it the average CPU load? Is it the percentage of time when the CPU was idle? If I need to calculate the CPU utilisation % of my 2 hosts, which query and sourcetype should I use from the 2 queries below?

1. index=os sourcetype=top host="host1" OR host="host2" | timechart span=5m values(pctCPU) by host

2. index=os sourcetype=cpu host="host1" OR host="host2" | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) by host

Appreciate it if someone can help.

Search for exact sequence of events

Hi all, wondering if anybody can assist. We're logging privileged user activity (GUI interactions etc.) and looking to identify when a certain sequence occurs. We have data such as the following:

Time | User | Action
10:00 | Joe | Copied To Clipboard (Sensitive Data)
10:01 | Ben | Copied To Clipboard (Normal Data)
10:01 | Ben | Pasted From Clipboard
10:01 | Joe | Copied To Clipboard (Normal Data)
10:02 | Joe | Pasted From Clipboard
10:03 | Joe | Copied To Clipboard (Sensitive Data)
10:04 | Joe | Pasted From Clipboard
10:06 | Joe | Copied To Clipboard (Normal Data)
10:07 | Joe | Pasted From Clipboard

We're only interested in knowing when Sensitive data is copied, then pasted, so the exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied but then overwritten, such as Joe's actions at 10:00, 10:01 and 10:02, then it's ignored. I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:

index=privillege_user_actions | SORT time | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"

Could anybody recommend a query for doing this?
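As an added illustration (not part of the question or any answer to it), here is the same "sensitive copy followed by a paste, unless a later copy overwrote the clipboard" rule written as a small Python detector over constructed rows that mirror the table above; the log format and the per-user "last copy wins" state are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log, mirroring the rows listed in the question above.
SAMPLE_LOG = """\
10:00 Joe Copied To Clipboard (Sensitive Data)
10:01 Ben Copied To Clipboard (Normal Data)
10:01 Ben Pasted From Clipboard
10:01 Joe Copied To Clipboard (Normal Data)
10:02 Joe Pasted From Clipboard
10:03 Joe Copied To Clipboard (Sensitive Data)
10:04 Joe Pasted From Clipboard
10:06 Joe Copied To Clipboard (Normal Data)
10:07 Joe Pasted From Clipboard
"""

# Assumed layout: "HH:MM user action..."; the action may contain spaces and parentheses.
LINE_RE = re.compile(r"^(\d{2}:\d{2})\s+(\S+)\s+(.+)$")


def parse_log(log: str) -> List[Tuple[str, str, str]]:
    """Turn raw lines into (time, user, action) rows; blank or malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def sensitive_copy_then_paste(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, copy_time, paste_time) for every paste whose clipboard content came
    from a 'Sensitive Data' copy that no later copy by the same user has overwritten."""
    # Per user, the most recent copy: (time, was_sensitive). A newer copy replaces it,
    # which is exactly the 'overwritten' case the question wants ignored.
    last_copy: Dict[str, Tuple[str, bool]] = {}
    hits = []
    # Stable sort by time keeps the original order for rows within the same minute.
    for time, user, action in sorted(rows, key=lambda r: r[0]):
        if action.startswith("Copied To Clipboard"):
            last_copy[user] = (time, "(Sensitive Data)" in action)
        elif action.startswith("Pasted From Clipboard"):
            copied = last_copy.get(user)
            if copied is not None and copied[1]:
                hits.append((user, copied[0], time))
    return hits


if __name__ == "__main__":
    for user, copied_at, pasted_at in sensitive_copy_then_paste(parse_log(SAMPLE_LOG)):
        print(f"{user}: sensitive copy at {copied_at} pasted at {pasted_at}")
```

On the sample rows only Joe's 10:03 copy and 10:04 paste are reported; a second paste of the same sensitive clipboard would be reported again, since the clipboard still holds that data.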

Search all fields in a sourcetype with regex

The context: I'm looking for sensitive information patterns showing up in the IIS sourcetype that we have. What I can already do: I can run this search:

sourcetype="iis" | rex field=_raw "[^(^|[0-9])](?<ccmaybe>(5[1-5][0-9]{14})|(4[0-9]{12}([0-9]{3})?)|(3[47][0-9]{13})|(6011[0-9]{12})|((30[0-5]|36[0-9]|38[0-9])[0-9]{11}))" | search ccmaybe!="" | table ccmaybe

What I need is the field this shows up in, largely so I can exclude known fields that will never have that data. But I do not at all want to specify each and every field that's in IIS logs: partly because the query would be tremendous, and partly because what if we add items to the logs? What should I do?

After turning on Okta SAML authentication, saved searches and reports are no longer available

Since I moved authentication from LDAP to SAML, `$SPLUNK_HOME/etc/users` has a bunch of new `username@our.domain` directories (the old `username` directories are still there). What's the best way to fix this? Migrating the contents of `username` to `username@our.domain`? Changing a setting so username settings go back to how they were? Something else?

Checking website contents

We have a requirement to check contents on a website, especially the prices of certain products, on a daily basis. Is there an app in Splunk which can serve the purpose, or an alternative way of doing so? Thanks,

Azure Addon Script Error

We are trying to use the Azure monitor script, but unfortunately we encounter an error regarding Microsoft Insight. Can someone tell me why this error shows and how we can fix it? ![alt text][1] [1]: /storage/temp/254899-error.png

Machine Learning tool kit v3.4 model not returning result

I just upgraded the MLTK from v2.2 to v3.4, along with the latest Python SA. After this change, I realize that my Random Forest model is returning empty results for some rows. (I apply the model to a few thousand rows each time.) At first I thought that it was an input data problem. But when I took a row that had an empty result before and ran it individually (i.e. doing a |head 1), the model returned a result. Then I thought maybe the model was built in v2.2, so I rebuilt (or fit again) the model in v3.4; again it was returning empty results for some rows, but a different subset of rows this time. Has anyone seen the same issue? Should I revert back to the old version? I don't see anything in search.log that will help, but I always see this:

09-10-2018 22:08:54.625 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/Splunk_ML_Toolkit/bin/util/search_util.py", line 114, in add_distributed_search_info
09-10-2018 22:08:54.625 ERROR ChunkedExternProcessor - stderr: raise RuntimeError('Failed to load model "%s": ' % (process_options['model_name']))
09-10-2018 22:08:54.625 ERROR ChunkedExternProcessor - stderr: KeyError: 'model_name'
09-10-2018 22:08:54.625 ERROR ChunkedExternProcessor - Error in 'apply' command: (KeyError) 'model_name'

Is it trying to distribute the apply command to the indexers? Can I run it locally on the search head, since all my input data (csv and kvstore) are on the search head?

Can I remove a part of a string?

Hi, is there an eval command that will remove the last part of a string? For example: "Installed - 5%" will become "Installed", and "Not Installed - 95%" will become "Not Installed". Basically, remove " - *%" from a string. Thanks

Is Splunk logging synchronous or asynchronous?

In brief, I meant to ask or understand: whenever logs are getting pushed to a Splunk instance from any source (say, for example, a remote machine with a universal forwarder installed that forwards the data to the Splunk instance), is this logging synchronous, i.e. until a response is returned by the API your application will not execute any further, or asynchronous, i.e. calls do not block (or wait) for the API call to return from the server and execution continues on in your program?

Host in one sourcetype get updated or not?

Does anybody have a search query related to sourcetype updates that shows:
- how many hosts are in one sourcetype (increase/decrease in hosts)?
- which hosts did not update on time?
Thanks

How to combine the column chart with area chart.

Hello everyone. I'd like to combine a column chart with an area chart. I attached an image of the graph I want to create. I already know that if I use the overlay option I can merge with a line chart, but in this case I don't need a line chart. If you have a good idea, please let me know. Thank you in advance. ![alt text][1] [1]: /storage/temp/255972-mergetwocharts.png

monitoring directory files

Hello! I need help with monitoring. We monitor a directory and load from the text files data of the following format: ![alt text][1] We need to complete the record of information about the IP address with a resolved name of the PC (armName) after adding the event data. How do we make such an enrichment and also remove some of the fields that do not carry useful information for us? [1]: https://yadi.sk/i/0AP8KcpsLNYdTw

Show percentage in 100% stacked bar chart

I have two fields, request_time and app_error. I need to show the count and the percentage as well. This works fine when I use a pie chart, but I want to use a 100% stacked bar chart. So, whenever I mouse over the bar it has to show count and percentage, like a pie chart does: for example, if the count of request_time is 62, the percentage is 68.2%, and if app_error is 44, the percentage is 32%.

Eventgen: How to generate Exactly same count of events from a sample file

I have been using eventgen for quite some years, but still I couldn't figure out how to generate exactly the same events (of course with timestamp and parameters changed) from a sample file. Example: I've got a sample file with 10 events. All I need is these 10 events "sampled" in the last 1 hour. Here is a config example:

# To generate
mode = sample
sampletype = csv
backfill = -1h
earliest = -1h
latest = now
outputMode = file
fileName = /tmp/myeventGenfile.out

The above config generates the output file correctly, but the events are repeated about 8x. So I will receive 80 events (8x cloning of the original sample/seed file within a matter of seconds). Any idea how to make sure it generates only 1x clone of the seed file? PS: I tried putting in options like the following (in different combinations):

end = 10 # To make it exactly 10 events and exit. But rather it waits to hit the timer to be 10 events and multiples
timeMultiple = 2 # This slows down, but cannot ensure exact events are output
backfill = -15min # Played around with various values but none is working

Tooltip is going out of screen

The leftmost panels in my dashboard have a tooltip which is shown only half, and the other half is cut. I have used position as relative. On the rightmost panels the tooltip is shown fine, on the left side of the screen. The same is not happening for the left ones to show on the right.

DB Connect task server not connecting

I have installed the DB Connect app on my Splunk. I am facing a "Cannot communicate with task server, please check your settings" issue. I found the below error in the logs:

ERROR ExecProcessor - message from "/home/iapsp02/etc/apps/splunk_app_db_connect/linux_x86_64/bin/server.sh"
com.splunk.modularinput.Event.writeTo(Event.java:65)
com.splunk.modularinput.EventWriter.writeEvent(EventWriter.java:134)
com.splunk.dbx.server.bootstrap.TaskServerStart.streamEvents(TaskServerStart.java:77)
com.splunk.modularinput.Script.run(Script.java:66)
com.splunk.modularinput.Script.run(Script.java:44)
com.splunk.dbx.server.bootstrap.TaskServerStart.main(TaskServerStart.java:150)

and another error:

ERROR ExecProcessor - message from "/home/iapsp02/etc/apps/splunk_app_db_connect/linux_x86_64/bin/server.sh" 03:08:51.576 [main] INFO com.splunk.dbx.utils.TrustManagerUtil - action=load_key_manager_succeed

Filtering search

Hi, I am trying to create a list of customers based on one event type, but then show stats from all events by those customers. I tried the following:

index=event | join type=inner Username [ search index=event event_type=web_login ] | stats sum(purchase.amount)

But with this structure I only get purchase.amount for the web_login event, whereas I want to have a sum from all events from those customers. Thanks in advance, Simon.

How to change the title text on the tabs from default text to a custom text or how to disable the Splunk version details being displayed on the tab title?

I want to change the title text on the tabs from, for example, "Login|Splunk" or "Dashboards | Splunk 7.1.2" to a text of my choosing, something like just "Login" or just "Dashboards", excluding the Splunk version details from being displayed in the title. Is there a way that I can achieve this? Note: I found a similar question here - https://answers.splunk.com/answers/521061/how-to-change-bookmark-name-from-loginsplunk-to-na.html, but the answer provided was in Chinese.