Props.conf - Time transformations
Hello Splunkers,
Is there any way to change/develop/tune/test index-time transformations (props configurations) without needing to restart the Splunk instance?
Thanks in advance!
Afroditi
Extract farm name to table
I'm trying to run a table on IIS logs. The farm is https://*sp001* (examples below); however, within the farm we have individual sites. I would like to be able to extract the site name, like Access%20Requests, KYCOpsSupportDocuments, etc., to a table:
https://sp004.mydomain.net/sites1/spvfvfst/Access%20Requests/pendingreq.aspx...
https://sp004.mydomain.net/sites1/spvfvfst/KYCOpsSupportDocuments/...
https://sp004.mydomain.net/sites1/spvfvfst/KYCOpsSupportDocuments/...
https://sp004.mydomain.net/sites1/spvfvfst/Blah/LOB%20Es...
https://sp004.mydomain.net/sites1/spvfvfst/_vti_bin/LOB%20Escalation..
https://sp004.mydomain.net/sites1/spvfvfst/12345dddd/LOB%20Escalation3bivey%25252C%252520Sara&ContentTypeId=0x010047A299BD56B33B42903EAD238B543EC1&RootFolder=%2Fsites1%2Fspvfvfst%2FLists%2FL...
https://sp004.mydomain.net/sites1/spvfvfst/Lists/LOB%20Escalation8B...
Thanks!
SSL error adding Splunk slave to master
Trying to add a Splunk instance as a slave to another master is failing with "Bad Request - editTracker failed, reason ="Unable to connect to license master=https://x.x.x.x:8089 Error connecting: error:1408F10B:SSL routine:SSL3_GET_RECORD:wrong version number". This instance can reach the master (and port 8089). I'm not sure where to look for the SSL version(s) between the instances. I've tried making changes on the slave's server.conf but it didn't appear to help. Any assistance is appreciated.
Splunk Transforms REGEX Wildcard Help
We are routing events to some_index based on the source during parsing.
Part of the source goes to original_index, which is set in inputs.conf; part of it goes to some_other_index.
props.conf:
```ini
[source::some_part_of_source]
TRANSFORMS-index_routing = route_to_some_other_index
```
transforms.conf:
```ini
[route_to_some_other_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = some_other_index
```
We receive a lot of events per second and we are concerned whether this transform is causing the delay in indexing (we are seeing indexing lag).
Now the query I have is:
a) `REGEX = .`
b) `REGEX = (.)`
c) `REGEX = .*`
d) `REGEX = .*?`
Do all of the above REGEX values mean the same thing, or is one better than the others, which could help speed up the transformation and reduce the indexing lag?
Splunk is not ingesting my Websense data
So, I have a Websense server which I've configured to send logs to Splunk but nothing is being fed in.
I have verified that I've configured the input correctly by confirming that:
- I configured the correct IP address of the Splunk platform node responsible for data collection in my Websense Content Gateway configuration.
- The port that I configured in my Websense app is UDP 514.
- My syslog input is configured to set the source type to websense:cg:kv.
- I am searching the correct index, which is the main index.
- The Siem Collector service is running on the Websense server.
I had it working a few months ago and had to discontinue log collection due to my daily ingestion limitation. Any ideas would be greatly appreciated. Thanks
Chart drilldown not passing parameter
When I attempt to drill down from a dashboard (line) chart to another dashboard (form), it seems like the parameter is not being passed on.
The chart is pretty simple; the query for it ends with:
`... | table "Month" "NonCompliant"`
So the X axis is each month and the Y axis is a count of NonCompliant things.
The drilldown is set as:
`/app/splunk_app_sa/noncompliants_for_period?thePeriod="$click.value$"`
The idea is when I click on a node on that chart (say, for month 09/2018), that "09/2018" should get passed to the other dashboard as "thePeriod".
The other dashboard, which works fine if you enter thePeriod manually, has:
Clicking on the month node does bring up the other dashboard, but without providing the clicked-on month parameter.
I have tried `$click.name$`, `$click.value$`, `$row.Month$`, etc., with and without quotes...
Any ideas?
Search logic using lookup or inner query
Sample Logs:
- Incident=112 Group=ABC Status = Open
- Incident=113 Group=ABC Status = Open
- **Incident=113 Group=XYZ Status = Closed**
- Incident=114 Group=ABC Status = Open
- **Incident=114 Group=ABC Status = Closed**
- Incident=115 Group=ABC Status = Open
- Incident=116 Group=ABC Status = Open
- **Incident=116 Group=XYZ Status = Closed**
I want to write a query to get only those incidents which are currently open with group ABC.
**The result should NOT have 114**, as it was closed by the ABC group.
**The result should NOT have 113 and 116**, as they were eventually closed by some other group.
My result should be:
112 and 115
`index=test sourcetype=test_st | search group="ABC" AND status="Open"`
But this query gives me 113 and 116 also.
Shall I use an inner query or a lookup for this? Please suggest some query logic.
LDAP Filter Adding DN
We've been struggling to set up Splunk to use LDAP authentication for a while now. After finally getting it to bind successfully, it lists the groups when I map roles; however, when I log in as a user under a mapped role + group combo, it does not work. The DEBUG logs show the LDAP server returned no entries in search for DN="ou=Groups,dc=XXXX" filter="(&(memberuid=uid=XXXX,)(cn=*)"
A manual ldapsearch for the below does work:
```shell
ldapsearch -x -D "uid=XXXX,ou=XXX,dc=XXX" -W -H -b "ou=XXX,dc=XXX" "(&(memberuid=XXXX)(cn=*))"
```
It LOOKS in the logs like Splunk is trying to do this equivalent search:
```shell
ldapsearch -x -D "uid=XXXX,ou=XXX,dc=XXX" -W -H -b "ou=XXX,dc=XXX" "(&(memberuid=uid=XXXX,ou=XXX,dc=XXX)(cn=*))"
```
Specifically, if it would just not put the DN in the filter, it should work. Any advice to get this working?
Should I use a lookup or an inner query for the following search?
Sample Logs:
- Incident=112 Group=ABC Status = Open
- Incident=113 Group=ABC Status = Open
- **Incident=113 Group=XYZ Status = Closed**
- Incident=114 Group=ABC Status = Open
- **Incident=114 Group=ABC Status = Closed**
- Incident=115 Group=ABC Status = Open
- Incident=116 Group=ABC Status = Open
- **Incident=116 Group=XYZ Status = Closed**
I want to write a query to get only those incidents which are currently open with group ABC.
**The result should NOT have 114**, as it was closed by the ABC group.
**The result should NOT have 113 and 116**, as they were eventually closed by some other group.
My result should be:
112 and 115
`index=test sourcetype=test_st | search group="ABC" AND status="Open"`
But this query gives me 113 and 116 also.
Shall I use an inner query or a lookup for this?
Please suggest some query logic.
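A way to check the intended logic outside Splunk, as an added example that is not the poster's search or Splunk's own code, serving this question and its earlier copy above: the script parses the sample lines with a constructed regex, keeps each incident's latest status, and contrasts the per-event filter from the question with a per-incident view (the role `stats latest(...) by Incident` plays in SPL). Chronological order of the lines is assumed.

```python
import re
from typing import Dict, List

# Constructed sample events following the pattern in the question (not real data).
SAMPLE_LOGS = [
    "Incident=112 Group=ABC Status = Open",
    "Incident=113 Group=ABC Status = Open",
    "Incident=113 Group=XYZ Status = Closed",
    "Incident=114 Group=ABC Status = Open",
    "Incident=114 Group=ABC Status = Closed",
    "Incident=115 Group=ABC Status = Open",
    "Incident=116 Group=ABC Status = Open",
    "Incident=116 Group=XYZ Status = Closed",
]

# key=value pairs, tolerating spaces around '=' as in "Status = Open".
FIELD_RE = re.compile(r"(\w+)\s*=\s*(\w+)")


def parse_event(line: str) -> Dict[str, str]:
    """Extract the Incident/Group/Status fields from one log line."""
    return dict(FIELD_RE.findall(line))


def naive_filter(lines: List[str], group: str) -> List[str]:
    """Per-event filter as in the question's search: it keeps 113 and 116
    because their Open events still match even though they were later closed."""
    hits = {ev["Incident"] for ev in map(parse_event, lines)
            if ev["Group"] == group and ev["Status"] == "Open"}
    return sorted(hits)


def currently_open(lines: List[str], group: str) -> List[str]:
    """Incidents whose LATEST event is Open and which were opened by `group`.
    Aggregating per incident first lets a later Closed event from any group
    drop the incident; lines are assumed to be in chronological order."""
    latest_status: Dict[str, str] = {}
    opening_group: Dict[str, str] = {}
    for ev in map(parse_event, lines):
        inc = ev["Incident"]
        latest_status[inc] = ev["Status"]
        if ev["Status"] == "Open":
            opening_group[inc] = ev["Group"]
    return sorted(inc for inc, status in latest_status.items()
                  if status == "Open" and opening_group.get(inc) == group)


if __name__ == "__main__":
    print("per-event filter:", naive_filter(SAMPLE_LOGS, "ABC"))
    print("currently open  :", currently_open(SAMPLE_LOGS, "ABC"))
```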
LDAP Filter Adding Distinguished Name (DN)
We've been struggling to set up Splunk to use LDAP authentication for a while now. After finally getting it to bind successfully, it lists the groups when I map roles; however, when I log in as a user under a mapped role + group combo, it does not work. The DEBUG logs show the LDAP server returned no entries in search for DN="ou=Groups,dc=XXXX" filter="(&(memberuid=uid=XXXX,)(cn=*)"
A manual ldapsearch for the below does work:
```shell
ldapsearch -x -D "uid=XXXX,ou=XXX,dc=XXX" -W -H -b "ou=XXX,dc=XXX" "(&(memberuid=XXXX)(cn=*))"
```
It LOOKS in the logs like Splunk is trying to do this equivalent search:
```shell
ldapsearch -x -D "uid=XXXX,ou=XXX,dc=XXX" -W -H -b "ou=XXX,dc=XXX" "(&(memberuid=uid=XXXX,ou=XXX,dc=XXX)(cn=*))"
```
Specifically, if it would just not put the DN in the filter, it should work. Any advice to get this working?
What are Splunk Validated Architectures and where can I find them?
I have heard about Splunk Validated Architectures, but I don't really know what they are and where I can find them.
Specific Dashboard as Default App View
I know you can do the following in order to make dashboards the default view for an app:
However, is there a way to make a specific dashboard the default view when the user clicks on the App? For example, if I have a dashboard titled "Total Sales". I tried the following, but it does not work:
Why is chart drilldown not passing parameter?
When I attempt to drill down from a dashboard (line) chart to another dashboard (form), it seems like the parameter is not being passed on.
The chart is pretty simple; the query for it ends with:
`... | table "Month" "NonCompliant"`
So the X axis is each month and the Y axis is a count of NonCompliant things.
The drilldown is set as:
`/app/splunk_app_sa/noncompliants_for_period?thePeriod="$click.value$"`
The idea is when I click on a node on that chart (say, for month 09/2018), that "09/2018" should get passed to the other dashboard as "thePeriod".
The other dashboard, which works fine if you enter "thePeriod" manually, has:
Clicking on the month node does bring up the other dashboard, but without providing the clicked-on month parameter.
I have tried `$click.name$`, `$click.value$`, `$row.Month$`, etc., with and without quotes...
Any ideas?
Can you make a specific dashboard the default view when the user clicks on an app?
I know you can do the following in order to make a dashboard the default view for an app:
However, is there a way to make a specific dashboard the default view when the user clicks on the App? For example, if I have a dashboard titled "Total Sales".
I tried the following, but it does not work:
Why am I not able to view my JSON Logs that are being sent to the HEC?
```csharp
// Parse the JSON string into an object to send as the event body.
JObject l_JsonObj = JObject.Parse(l_strJson);
// NOTE: returning true here accepts any server certificate, i.e. it disables
// TLS certificate validation for the HEC connection.
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
// Resend middleware retries failed batches the configured number of times.
var l_MiddleWare = new HttpEventCollectorResendMiddleware(l_oLogPoint.ResendMiddlewareCount);
var l_EventCollectorSender = new HttpEventCollectorSender(new Uri(l_oLogPoint.ServerEndpoint), l_oLogPoint.Token,
    null,
    HttpEventCollectorSender.SendMode.Sequential,
    0, 0, 0, l_MiddleWare.Plugin);
// Queue one event (id, severity, message, data) and flush it to the collector.
l_EventCollectorSender.Send(Guid.NewGuid().ToString(), "INFO", null, l_JsonObj);
await l_EventCollectorSender.FlushAsync();
```
What is a good way to Splunk log lines with JSON like the following?
Let's say I have a log line that contains a JSON field with this content:
```json
{
  "breakdown": {
    "a": [
      { "t1": 100, "t2": 0 },
      { "t1": 0, "t2": 0 }
    ],
    "b": [
      { "t1": 1, "t2": 0 },
      { "t1": 1, "t2": 0 }
    ],
    "c": [
      { "t1": 1, "t2": 2 }
    ],
    "d": [
      { "t1": 5, "t2": 1 }
    ]
  }
}
```
I want to Splunk this and convert the results into something like this:

| component | count | p50_t1 | p50_t2 | min_t1 | max_t1 | min_t2 | max_t2 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| a | 2 | 50 | 0 | 0 | 100 | 0 | 0 |
| b | 2 | 1 | 0 | 0 | 1 | 0 | 0 |
| c | 1 | 1 | 2 | 1 | 1 | 2 | 2 |
| d | 1 | 5 | 1 | 5 | 5 | 1 | 1 |

What's the Splunk query to do such a transformation?
Why is Splunk not ingesting my Websense data?
So, I have a Websense server which I've configured to send logs to Splunk but nothing is being fed in.
I'm running Splunk on Linux.
I have verified that I've configured the input correctly by confirming that:
- I configured the correct IP address of the Splunk platform node responsible for data collection in my Websense Content Gateway configuration.
- The port that I configured in my Websense app is UDP 514.
- My syslog input is configured to set the source type to websense:cg:kv.
- I am searching the correct index, which is the main index.
- The Siem Collector service is running on the Websense server.
I had it working a few months ago and had to discontinue log collection due to my daily ingestion limitation. Any ideas would be greatly appreciated. Thanks
Why am I getting the following SSL error when adding a Splunk slave to a master: "editTracker failed, reason ="Unable to connect to license master"?
Trying to add a Splunk instance as a slave to another master is failing with the following error message:
"Bad Request - editTracker failed, reason ="Unable to connect to license master=https://x.x.x.x:8089 Error connecting: error:1408F10B:SSL routine:SSL3_GET_RECORD:wrong version number"
This instance can reach the master (and port 8089). I'm not sure where to look for SSL version(s) between the instances. I've tried making changes on the slave's server.conf but it didn't appear to help. Any assistance is appreciated.
How do I extract farm name from IIS logs to a table?
I'm trying to run a table on IIS logs. The farm is https://*sp001* (examples below). However, within the farm we have individual sites. I would like to be able to extract the site name, like "Access%20Requests", "KYCOpsSupportDocuments", etc., to a table:
https://sp004.mydomain.net/sites1/spvfvfst/Access%20Requests/pendingreq.aspx...
https://sp004.mydomain.net/sites1/spvfvfst/KYCOpsSupportDocuments/...
https://sp004.mydomain.net/sites1/spvfvfst/KYCOpsSupportDocuments/...
https://sp004.mydomain.net/sites1/spvfvfst/Blah/LOB%20Es...
https://sp004.mydomain.net/sites1/spvfvfst/_vti_bin/LOB%20Escalation..
https://sp004.mydomain.net/sites1/spvfvfst/12345dddd/LOB%20Escalation3bivey%25252C%252520Sara&ContentTypeId=0x010047A299BD56B33B42903EAD238B543EC1&RootFolder=%2Fsites1%2Fspvfvfst%2FLists%2FL...
https://sp004.mydomain.net/sites1/spvfvfst/Lists/LOB%20Escalation8B...
Thanks!
Display dropdown input Name instead of Value
Hello, I added a dropdown input at the top of my dashboard with various time intervals to refresh each chart. Now on the charts' subtitles I would like to display that auto-refresh rate. The token for the dropdown input is $AutoRefresh$:
| Name | Value |
| --- | --- |
| 1 minute | 1m |
| 5 minutes | 5m |
| 10 minutes | 10m |
| 15 minutes | 15m |
| 30 minutes | 30m |
In the subtitle I have:
**This chart auto refreshes every $AutoRefresh$**
This displays, for example, **5m** when I would like it to display **5 minutes**. Reading the documentation I am not seeing any "additions" to tokens, such as $AutoRefresh.Name$, etc.
Is this possible to do?