How do you apply a background color to a single value panel?
I need to apply a background color to a single value panel. Please help me modify the JavaScript below.
The current code applies the color to the value, but I need to apply it to the panel background.
@niketnilay @Ayn, please help.
```javascript
require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
    // Map a Single Value result to a fill colour. The bands are contiguous
    // (< 6, 6 to < 7, >= 7) so a value such as 5.95 no longer falls through
    // the gap between "< 5.9" and ">= 6" and comes out grey by accident.
    function OverrideColorRangeByValue(selectedElement, singleValueResultIN) {
        switch (true) {
            case singleValueResultIN >= 0 && singleValueResultIN < 6:
                selectedElement.css("fill", "green");
                break;
            case singleValueResultIN >= 6 && singleValueResultIN < 7:
                selectedElement.css("fill", "yellow");
                break;
            case singleValueResultIN >= 7:
                selectedElement.css("fill", "red");
                break;
            default:
                // NaN (no result rendered yet) or a negative value
                selectedElement.css("fill", "grey");
        }
    }

    // Get each Single Value by the id set in SimpleXML (single1, single2, single3)
    // and recolour it every time it re-renders.
    ["single1", "single2", "single3"].forEach(function(id) {
        mvc.Components.get(id).getVisualization(function(singleView) {
            singleView.on("rendered", function() {
                // Read the Single Value result from the svg node with class "single-result".
                // .text() always returns a string, so test for an empty string rather
                // than for undefined (the original check could never fail).
                var resultNode = $("#" + id + " .single-result");
                var resultText = resultNode.text();
                if (resultText !== "") {
                    var singleValueResult = parseFloat(resultText);
                    OverrideColorRangeByValue(resultNode, singleValueResult);
                }
            });
        });
    });
});
```
How do you calculate a percentage from a lookup table?
I have a lookup table that is written to when a user clicks on a button to confirm that they have checked logs on a dashboard. In the lookup table, these are the fields that are available and how the values are written to the CSV file.
| Time | User |
|---|---|
| 1521641008 | john.doe@splunk.com |
| 1521641345 | jane.doe@splunk.com |
| 1521641376 | john.doe@splunk.com |
| 1521641456 | john.doe@splunk.com |
| 1521727607 | john.doe@splunk.com |
| 1523969108 | jane.doe@splunk.com |
I want to verify that a user has checked the logs each week over a span of time (let's say 6 months). I want to see how many times the logs were checked and give a percentage.
I've gotten to this point in my search but I'm unable to figure this out. I'm running this search over the last 6 months:
```
| inputcsv audit_check.csv
| rename Time as _time
| timechart span=1w count(User)
| addcoltotals
```
I get the following:
| _time | count(User) |
|---|---|
| 2018-03-01 | 0 |
| 2018-03-08 | 0 |
| 2018-03-15 | 4 |
| 2018-03-22 | 1 |
| 2018-03-29 | 0 |
| 2018-04-05 | 0 |
| etc...... | |
| | 5 |
So anything over 1 is considered checked. 0 is considered not checked. I'd like to get the percentage of successful audit checks per week over the 6 month period.
Thanks for your help.
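The computation the question is after, as an added example (not part of the original post): bucket the confirmation timestamps into the same epoch-aligned 7-day weeks that `timechart span=1w` produces, keep the weeks that have no rows at all (they are the "not checked" weeks and must count in the denominator), and report the share of weeks with at least one check. The six rows are the ones from the question; the seven-week review window starting 2018-03-01 is an assumption made for the example.

```python
from datetime import datetime, timezone

# Splunk's "timechart span=1w" uses epoch-aligned 7-day buckets (weeks begin on a
# Thursday, which is why the question's table starts at 2018-03-01); reproduce that.
WEEK = 7 * 86400

# Constructed sample: the six rows shown in the question (epoch seconds, user).
CHECKS = [
    (1521641008, "john.doe@splunk.com"),
    (1521641345, "jane.doe@splunk.com"),
    (1521641376, "john.doe@splunk.com"),
    (1521641456, "john.doe@splunk.com"),
    (1521727607, "john.doe@splunk.com"),
    (1523969108, "jane.doe@splunk.com"),
]

# Constructed review window: 2018-03-01 00:00 UTC, seven weeks long.
WINDOW_START = 1519862400
WINDOW_END = WINDOW_START + 7 * WEEK


def week_start(epoch):
    """Start of the epoch-aligned week containing `epoch`."""
    return (epoch // WEEK) * WEEK


def weekly_counts(rows, window_start, window_end):
    """Checks per week for every week overlapping [window_start, window_end).

    Weeks with no rows are present with a count of 0. A plain "stats count by week"
    would omit them and the percentage would be inflated; timechart keeps them,
    which is why the question's output shows zero rows.
    """
    counts = {w: 0 for w in range(week_start(window_start), window_end, WEEK)}
    for ts, _user in rows:
        if window_start <= ts < window_end:
            counts[week_start(ts)] += 1
    return counts


def audit_coverage(rows, window_start, window_end):
    """(weeks checked, weeks total, percentage); a week is checked when it has
    at least one confirmation, exactly the "anything over zero" rule in the question."""
    counts = weekly_counts(rows, window_start, window_end)
    total = len(counts)
    checked = sum(1 for c in counts.values() if c >= 1)
    return checked, total, round(100.0 * checked / total, 1)


def iso_day(epoch):
    """Bucket start as YYYY-MM-DD in UTC, matching the _time column."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    for w, c in sorted(weekly_counts(CHECKS, WINDOW_START, WINDOW_END).items()):
        print(iso_day(w), c)
    print("checked, total, pct:", audit_coverage(CHECKS, WINDOW_START, WINDOW_END))
```

With the sample rows the weeks of 03-15 (4 checks), 03-22 (1) and 04-12 (1) count as checked, so coverage is 3 of 7 weeks. In SPL the same logic is an `eval` after the `timechart` that maps each weekly count to 0 or 1, followed by a `stats` that sums that flag and counts the rows; the `addcoltotals` row (the 5 at the bottom) counts confirmations, not weeks, which is why it does not give the percentage directly.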
I'm able to log to the web UI but cannot access REST API
I have a Splunk Enterprise license and I have an admin user who can login via the web ui : `http://localhost:8000/en-US/app/`
This user also has the required user role which allows REST API access. I have also restarted the Splunk service a few times.
I still cannot log in via the REST API:
```shell
curl -k https://localhost:8089/services/auth/login --data-urlencode username=admin --data-urlencode password=splunklocal
```
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   164  100   129  100    35    686    186 --:--:-- --:--:-- --:--:--   872Login failed
```
Any help would be very much appreciated!
Can you help me with props.conf in line breakage?
I want to break the events where you see the bolded timestamps below, like 12:17:50.267, 12:17:50.268, etc.
Below is the sample event
**12:17:50.267** [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Preprocessing of job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING} done.12:17:50.268 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Transaction started for job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING}.**12:17:50.382** [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING} done.12:17:50.382 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Transaction postprocessing of job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING} done
I am using the props.conf below:
```ini
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\d{2}\:\d{2}\:\d{2}\.\d{3}
```
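Two things about the configuration above are worth checking before blaming the regex. `BREAK_ONLY_BEFORE` is a line-merging setting: Splunk consults it only when `SHOULD_LINEMERGE=true`, so with `SHOULD_LINEMERGE=false` it is ignored and only `LINE_BREAKER` decides where events start. And the sample has no newline between records ("done.12:17:50.268"), so the default `LINE_BREAKER` (which breaks on newlines) sees one long line; the breaker has to key on the timestamp itself, with a lookahead such as `([\r\n]*)(?=\d{2}:\d{2}:\d{2}\.\d{3} \[)` (a suggestion to test in your environment, not a setting from the question). The following added Python example, which is not part of the original post, simulates that timestamp-anchored split on the question's own records so you can see what the breaker must produce; the ` \[` after the timestamp is an assumption made to avoid splitting on a time that might appear inside a message body.

```python
import re

# Each record begins "HH:MM:SS.mmm [thread] ..."; anchoring on the timestamp plus
# the following " [" keeps a similar-looking time inside a message from splitting
# an event. (Pattern chosen for this example; tighten it to the real log layout.)
EVENT_START = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{3} \[")


def break_events(raw):
    """Split raw text into events, each starting at an EVENT_START match.

    Text before the first match is kept as its own fragment rather than dropped,
    which is what you want when a break regex is wrong: the leftover shows up as
    a malformed event in the index instead of vanishing silently.
    """
    starts = [m.start() for m in EVENT_START.finditer(raw)]
    if not starts:
        return [raw] if raw else []
    events = []
    if starts[0] > 0:
        events.append(raw[:starts[0]])
    bounds = starts + [len(raw)]
    for begin, end in zip(bounds, bounds[1:]):
        events.append(raw[begin:end])
    return events


def event_timestamps(events):
    """The leading HH:MM:SS.mmm of each event, or None for a leading fragment."""
    return [e[:12] if EVENT_START.match(e) else None for e in events]


# Constructed sample: the four records from the question run together with no
# newline between them (message bodies shortened; the id is the question's own).
SAMPLE = (
    "12:17:50.267 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - "
    "Preprocessing of job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', state=RUNNING} done."
    "12:17:50.268 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - "
    "Transaction started for job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', state=RUNNING}."
    "12:17:50.382 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - "
    "Job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', state=RUNNING} done."
    "12:17:50.382 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - "
    "Transaction postprocessing of job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', state=RUNNING} done"
)


if __name__ == "__main__":
    for event in break_events(SAMPLE):
        print(event[:70] + " ...")
```

Run on the sample this yields four events, one per timestamp, which is the result to compare against what Splunk shows after the props change; a quick way to confirm the indexer side is to check that no event contains a second `HH:MM:SS.mmm [` inside its `_raw`.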
string to date conversion
I'm struggling to convert this to a Splunk readable format.
Sep 18, 2018 17:25:24.870411000
Can you help me make Splunk understand this as a date format?
How to match IP with discontiguous mask
I am trying to match IPs with a discontiguous mask as follows:
10.0.32.64/255.0.224.192
where
1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255
A couple solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: This would be a long cidrs list in this case.
I wonder if there is any efficient way to do the match in this case.
Thanks,
-Patrick
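A discontiguous mask is just a bit pattern, so the test that a prefix length cannot express is a single bitwise comparison: an address matches when `ip & mask == base & mask`. The added Python example below (not part of the original post) implements that test, applies it to both ends of a flow for the "source_ip OR destination_ip" case, and derives the per-octet ranges a spec implies so it can be sanity-checked. Note that it computes the fourth-octet range for `10.0.32.64/255.0.224.192` as 64-127, because 64 AND 192 is 64; the 192-255 range stated in the question corresponds to a base whose fourth octet is 192, e.g. `10.0.32.192/255.0.224.192`. The helper names and the sample addresses are constructed for the example.

```python
import ipaddress


def parse_masked(spec):
    """'10.0.32.64/255.0.224.192' -> (base, mask) as 32-bit integers.

    The part after '/' is a full dotted mask, not a prefix length: a prefix
    length can only express contiguous masks, which this notation is not.
    """
    base_text, mask_text = spec.split("/", 1)
    return int(ipaddress.IPv4Address(base_text)), int(ipaddress.IPv4Address(mask_text))


def ip_matches(ip, base, mask):
    """True when every bit the mask selects is identical in ip and base."""
    return (int(ipaddress.IPv4Address(ip)) & mask) == (base & mask)


def flow_matches(src_ip, dst_ip, spec):
    """Match on either end of the flow: the 'source_ip OR destination_ip' case."""
    base, mask = parse_masked(spec)
    return ip_matches(src_ip, base, mask) or ip_matches(dst_ip, base, mask)


def octet_ranges(base, mask):
    """Per-octet (low, high) implied by the spec, for checking what you wrote.

    Exact only while each octet's mask bits are contiguous (224 = 11100000 and
    192 = 11000000 both are); an octet mask like 10100000 selects several
    disjoint ranges, and then only ip_matches() gives the right answer.
    """
    ranges = []
    for shift in (24, 16, 8, 0):
        b = (base >> shift) & 0xFF
        m = (mask >> shift) & 0xFF
        low = b & m
        ranges.append((low, low | (~m & 0xFF)))
    return ranges


SPEC = "10.0.32.64/255.0.224.192"  # the spec from the question

if __name__ == "__main__":
    print(octet_ranges(*parse_masked(SPEC)))            # [(10, 10), (0, 255), (32, 63), (64, 127)]
    print(flow_matches("10.77.45.100", "192.168.1.1", SPEC))  # True: source side matches
    print(flow_matches("10.77.64.100", "192.168.1.1", SPEC))  # False: 64 & 224 != 32
```

The same bitwise idea is what avoids the long CIDR list: one mask and one base replace the enumeration of every contiguous block the discontiguous mask covers, and the OR over source and destination is a single expression rather than two regexes.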
Splunk password encryption for server.conf
Hi,
I have a server.conf file under the system/local directory which has the following stanza:
```ini
[general]
pass4SymmKey = $1$xxxxxxxxxx
```
I expect that this password is the encrypted form of pass4SymmKey in server.conf at system/default.
But even though I changed pass4SymmKey in server.conf at system/default, the pass4SymmKey in server.conf at the system/local directory is not getting updated.
Then I removed the pass4SymmKey in server.conf at the system/local directory. After a restart, the same password is generated.
May I know from which source pass4SymmKey in server.conf at system/local might get generated other than pass4SymmKey in server.conf at system/default?
REST API error while using dbxquery: any idea how to fix this?
```shell
curl -k -u rvanteru https://splunkang.brock.com:59447/servicesNS/rvanteru/splunk_app_db_connect/search/jobs/export --data-urlencode search='| dbxquery query=\"SELECT TOP 10 asof_date FROM perfdb.dbo_stat\" connection=\"Splunk_BFWD1\"'
```
```
Enter host password for user 'rvanteru':
Configuration initialization for /opt/splunk/etc took 192ms when dispatching a search (search ID: 1537295313.115513_FA99073F-7552-406E-ABE0-50BEE73D849C)
The 'dbxquery' command is implemented as an external script and may cause the search to be significantly slower.
search context: user="rvanteru", app="splunk_app_db_connect", bs-pathname="/opt/splunk/etc"
com.splunk.dbx.exception.NotFoundException: Can not find object "Splunk_BFMEWD1" of type connection.
```
Splunk Bookmarks not working in Firefox and Chrome
**Overview**
Our users use several dashboards we have in our app. They would like to have the ability to select filters on the dashboard, bookmark them, and navigate back to them later without having to re-enter any filter values. Most of the filters on our dashboards are multiselect fields with a default value of: name="All" value=".*"
Currently, we can set filters and bookmark a page. Unfortunately, when navigating to that bookmark in a fresh browser session, we have 2 main problems:
1. Our custom css and js does not get applied to the dashboard
2. Our multiselects are not populated correctly with the default values
**Reproducing:**
1. Navigate to a dashboard with multiselect fields. Select a value where name="All" and value=".\*"
2. Bookmark that page
3. Close Firefox
4. Open a new private browsing session
5. Navigate to the saved bookmark
At this point, the multiselect field will be populated with ".%2A" instead of "All". Also, none of the custom js/css will be applied. If I open up the debug console, it looks like the domain is wrong for the URL of the JS/CSS (with a 307 error). It uses "splunk" as the domain instead of what it should use.
**Example:**
Bookmark loads this: https://splunk/en-US/static/@03bbabcabf43/app/testApp/dashboard.css
Instead of this: https://local.test/en-US/static/@03bbabcabf43/app/testApp/dashboard.css
If I refresh the page, all of the JS/CSS loads properly, but the multiselect fields are still incorrect.
If I click the bookmark again, everything looks just fine. JS/CSS loads correctly and the multiselects populate with "All"
If I use bookmarks in IE, it works fine. JS/CSS loads properly and multiselects populate with "All"
**Environment information:**
Splunk version: 7.1.2
Browser: Firefox (various versions), Chrome (various versions)
Relevant architecture info: Splunk search head cluster (3 members) behind a load balancer
Is there something I have to do to get bookmarks to work? Our users are not motivated enough to click a bookmark twice to get it to load correctly.
How can I round to the nearest half with the eval command?
Hello,
I have some values that are in the format of: 0, 0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4, 4.5, 5
I am trying to find the average and only want whole and half numbers, so nothing like 1.7, only averages like 1, 2.5, 4, 3.5, etc.
I thought maybe if I multiplied by 2, then divided that by the count and then again in half, that would work, but it's not quite right.
```
|eval tmpscore=(score * 2)
|eval "Maturity Level"=round(((tmpscore/count)/2),1)
```
"score" being the sum of all the values of a field
Any ideas how I could get this type of rounding to work?
Thanks as always
Can you help me with Splunk password encryption for server.conf?
Hi,
I have a server.conf file under the system/local directory which has the following stanza:
```ini
[general]
pass4SymmKey = $1$xxxxxxxxxx
```
I expect that this password is the encrypted form of pass4SymmKey in server.conf at system/default.
But even though I changed pass4SymmKey in server.conf at system/default, the pass4SymmKey in server.conf at the system/local directory is not getting updated.
Then I removed the pass4SymmKey in server.conf at the system/local directory. After a restart, the same password is generated.
Do you know from which source pass4SymmKey in server.conf at system/local might get generated other than pass4SymmKey in server.conf at system/default?
Splunk Token Search
I have the token in question.
I want to view events submitted under this token.
• Number of events
• Details of event
Will you help me with this string to date conversion?
I'm struggling to convert this to a Splunk readable format.
Sep 18, 2018 17:25:24.870411000
Can you help me figure out how to make Splunk understand this as a date format?
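The awkward part of `Sep 18, 2018 17:25:24.870411000` is the nine fractional digits. On the Splunk side that is `TIME_FORMAT = %b %d, %Y %H:%M:%S.%9N` in props.conf (`%9N` is Splunk's nanosecond subsecond directive). The added Python example below, which is not part of the original question, shows the same parse and the edge case a practitioner hits when reproducing it elsewhere: `strptime`'s `%f` accepts at most six digits, so the fraction has to be split off and truncated, and the timestamp carries no zone, so one must be assumed (UTC here, as an assumption for the example). The function and regex names are constructed for the example.

```python
import re
from datetime import datetime, timezone

# "Sep 18, 2018 17:25:24.870411000": seconds carry up to nine fractional digits.
# strptime's %f takes at most six, so the fraction is captured and handled by hand.
TS_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d{1,9})$"
)


def parse_ns_timestamp(text, tz=timezone.utc):
    """Return (aware datetime truncated to microseconds, leftover nanoseconds).

    The source string has no time zone, so `tz` is the assumed zone of the
    logging host; pick the real one or the epoch value will be shifted.
    """
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    base = datetime.strptime(m.group("date"), "%b %d, %Y %H:%M:%S").replace(tzinfo=tz)
    nanos = int(m.group("frac").ljust(9, "0"))  # right-pad so ".87" means .870000000
    micros = nanos // 1000                       # truncate, never round: rounding can
    return base.replace(microsecond=micros), nanos % 1000  # roll the second over


def to_epoch(text, tz=timezone.utc):
    """Seconds since the epoch as a float, the value Splunk stores in _time."""
    dt, _leftover_ns = parse_ns_timestamp(text, tz)
    return dt.timestamp()


if __name__ == "__main__":
    sample = "Sep 18, 2018 17:25:24.870411000"  # the value from the question
    dt, leftover = parse_ns_timestamp(sample)
    print(dt.isoformat(), "leftover ns:", leftover)
    print("epoch:", to_epoch(sample))
```

If the fraction is shorter than nine digits (say `.8704119`), padding on the right keeps the value's magnitude correct and the three dropped digits are returned separately rather than lost without trace.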
How do I search for events under a Splunk Token?
I have the following token value "7FB3A2D9......"
I want to view events submitted under this token.
• Number of events
• Details of event
How do I generate a random number between a specific range?
Hi, how can I generate a random number between 1 and 20? The random() function doesn't allow me to specify a range. Please help.
What is the endpoint I can use for a saved search via the API?
I have a saved search in Splunk. What is the exact URL I need to give to the other team so they can access the saved search along with the result?
The saved search runs every 30 minutes and returns the count. So the other application is using the REST API to get the count and store it in their database every 30 minutes.
e.g.: the saved search name is **arunsbadmin**
What could be the URL that I can give to the application team, and which method should be used (POST or GET)?
I want to create an email alert based on my search results, but I am receiving the email alert after almost 8 hours. What might be the reason?
I have set a real-time alert for this, the time range given is rt-2m to rt-0m, and it is throttled for 4 hours.
How do I create an email alert based on the following search results?
I want to create an email alert based on my search results, but I am receiving the email alert after almost 8 hours. What might be the reason?
I have set a real-time alert for this, the time range given is rt-2m to rt-0m, and it is throttled for 4 hours.