Pie chart eval in drilldown search

October 10, 2018, 4:13 pm

≫ Next: Why am I getting an error when using the Send to Phantom alert action?

≪ Previous: How to properly parse nested json logs during index time

I have a pie chart that divides things up by severity. The query for that is: index=os sourcetype=events host=util04 | lookup pre_organizations.csv organization |dedup _time,event_id,counter| search event_type="cleared"| stats count by severity When the user clicks on one of the pie slices, I'd like it to display a table of the following search: search?q=index=os sourcetype=events host=util04 | lookup pre_organizations.csv organization |dedup _time,event_id,counter | search event_type="cleared" severity=$click.value$| eval eventTime=strftime(_time, "%Y-%m-%d %H:%M:%S")|table event_id,eventTime,severity,message The "eval eventTime" portion is breaking my search and I don't know how to get around this. Any ideas?

↧

Why am I getting an error when using the Send to Phantom alert action?

October 10, 2018, 6:50 pm

≫ Next: Why does the password field not allow input in Linux Splunk Web Interface?

≪ Previous: Pie chart eval in drilldown search

Splunk Version: 7.1.2 Phantom App for Splunk Version: 2.5.23 My alerts are being triggered successfully, but there is an error sending to Phantom. In /opt/splunk/var/log/splunk/phantom_forwarding.log I get the following line: phantom_forward:109 - /opt/splunk/etc/apps/phantom/bin/scripts/phantom_forward.py called without the correct set of parameters. and the lines of code in question are: if len(sys.argv) < 9: logger = PhantomConfig.get_logger('forwarding') logger.error('{} called without the correct set of parameters.'.format(sys.argv[0])) sys.exit(0) With some digging I've determined that sys.argv in this case is an array with one item which is the name of the file. I'm wondering if this is caused by an error on my part (misconfigured alert?) or maybe a bug in the Phantom app code.

↧

Why does the password field not allow input in Linux Splunk Web Interface?

October 10, 2018, 6:51 pm

≫ Next: How to convert my aruba switch.my file to .py and then to .egg in lunux

≪ Previous: Why am I getting an error when using the Send to Phantom alert action?

On multiple installations, multiple Ubuntu versions in fact, when creating a new user, when installing an app basically anything where a password is needed in Splunk....The password field does not take ANY input at all. Why is this?

↧

How to convert my aruba switch.my file to .py and then to .egg in lunux

October 10, 2018, 9:44 pm

≫ Next: Tracking usage of data space of multiple directories for multiple hosts.

≪ Previous: Why does the password field not allow input in Linux Splunk Web Interface?

Please help out here

↧

Tracking usage of data space of multiple directories for multiple hosts.

October 10, 2018, 11:18 pm

≫ Next: what is the cause of ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex

≪ Previous: How to convert my aruba switch.my file to .py and then to .egg in lunux

Hi I want to track space usage of directories on multiple hosts eg:- /var/tmp so that I can check which directory/subdirectory is growing in space, any new directory created etc.. can you please suggest me the app which can help to achieve this?

↧

what is the cause of ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex

October 10, 2018, 11:26 pm

≫ Next: color in single value which change if minus or plus result

≪ Previous: Tracking usage of data space of multiple directories for multiple hosts.

I get this error messages for rather simple regexep 10-11-2018 07:48:27.818 +0200 ERROR Regex - Failed in pcre_exec: Error **PCRE_ERROR_MATCHLIMIT** for regex: (\S+\s+\S+\s+\S+)\s+(?\S+).*\ss=(?\S+)\s.+\sx=(?\S+)\s+mod=(?\S+)\s+(?cmd=(env_from|data|msg).*) 10-11-2018 07:48:27.818 +0200 ERROR regexExtractionProcessor - Regex for stanza SDCS-liveclone-firmenich-ls_reformat01 **exceeded configured PCRE match limit**. Consider raising the MATCH_LIMIT for the regex in props.conf The transforms which contains this regexp is [SDCS-liveclone-xxxxxxxx-ls_reformat01] SOURCE_KEY = _raw (env_from|data|msg).*) REGEX = (\S+\s+\S+\s+\S+)\s+(?\S+).*\ss=(\S+)\s.+\sx=(?\S+)\s+mod=(\S+)\s+(cmd=(env_from|data|msg).*) DEST_KEY=_raw FORMAT=$1 transaction_id=$2_$4 server=$2 session_id1=$3 session_id2=$4 mod=$5 $6 The match limit is 10'000 and the regexp is rather simple so i don't see a reason for this error.

↧

color in single value which change if minus or plus result

October 10, 2018, 11:41 pm

≫ Next: Search query fine-tune question

≪ Previous: what is the cause of ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex

Hello In a single value result (see attachment) i want that if the result is minus then the color is green but if the result is + the color is red but impossible to do this with the formant command pearhaps in xml?? could you help me please?

↧

Search query fine-tune question

October 11, 2018, 12:43 am

≫ Next: Different timezone for script monitor cron expression

≪ Previous: color in single value which change if minus or plus result

Hi All, i dont know much info about that ABC inputlookup(i can update bit later), from the first look of this query, do you see anything odd, is there any suggestions regarding the query fine-tune please.. (index=desktop EventID=4624) OR (index=wineventlog EventCode=4624) [ inputlookup ABC.csv | rename samaccountname as Account_Name | fields Account_Name] | eval Subject_Account_Name = mvindex(Account_Name,0) | eval New_Logon_Account_Name = mvindex(Account_Name,1) | search [ inputlookup ABC.csv | rename samaccountname as New_Logon_Account_Name | fields New_Logon_Account_Name] | stats dc(host) as "Number of Hosts" count by New_Logon_Account_Name | eval Date=strftime(now(), "%m/%d/%Y %H:%M:%S")

↧

Different timezone for script monitor cron expression

October 10, 2018, 9:18 pm

≫ Next: Display all values at time when hoovering over timechart

≪ Previous: Search query fine-tune question

I can see that general cron jobs can support running in a particular timezone through the CRON_TZ parameter. https://stackoverflow.com/questions/13289751/cron-job-in-a-different-timezone/22463484#22463484 Is this supported in Splunk inputs..conf > interval? Note I'm not concerned with changing the timezone of the events that get forwarded. Just looking to schedule the script triggering based on a cron in a particular timezone.

↧

Display all values at time when hoovering over timechart

October 11, 2018, 3:01 am

≫ Next: what happens if license volume limit is exceeded?

≪ Previous: Different timezone for script monitor cron expression

I have a timechart with multiple values/graphs. When hoovering my mouse over the timechart I can only see one value at the time in the tooltip. (see pictures) ![alt text][1] ![alt text][2] Is it possible to display all values at a certain time when hoovering over? eks: at 6.10 AM I have two datapoints (8,592 and 0), so when the mouse is positioned at 6.10 AM I want both those values displayed. [1]: /storage/temp/255148-timechart-1.png [2]: /storage/temp/255149-timechart-2.png

↧

what happens if license volume limit is exceeded?

October 11, 2018, 3:15 am

≫ Next: Remove the reserved space for title bar left behind after hiding the title bar

≪ Previous: Display all values at time when hoovering over timechart

hello everyone. I'd like to know what will happen if i exceed the license volume limit. After getting the warning how should i do? If I get the warning over 5 times, what will happen? can't i search anymore? or do i have to reset my license? now, my splunk version is 6.6.2. And I'd like to know what license volume is. e.g. I have a license 1GB / day. If I create two 500MB index, that is exceeded the limit? if it's not, how do i know how many data I used in a day? If you have a good search query or other way to check data, please let me know.

↧

Remove the reserved space for title bar left behind after hiding the title bar

October 11, 2018, 3:22 am

≫ Next: How to resolve the snmp error

≪ Previous: what happens if license volume limit is exceeded?

I am hiding the title bar using - hideTitle="true". However, the space used by the title bar still exists even while the title bar is hidden. I need to hide the title bar along with removing the space that's used or reserved by the title bar. Can someone please let me know how I can achieve this?

↧

How to resolve the snmp error

October 11, 2018, 3:39 am

≫ Next: How is Splunk Answers both as a forum and wiki/content repository setup including search built and powered?

≪ Previous: Remove the reserved space for title bar left behind after hiding the title bar

snmpbulkwalk -v2c -c awadmin 172.30.188.200 1.3.6.1.4.1.14823.2.2.1.1.3.4 SNMPv2-SMI::enterprises.14823.2.2.1.1.3.4 = No Such Object available on this agent at this OID I have placed my mib file in the snmp_ta/bin/mibs directory . But still getting the error . How to resolve this .i need to show the wireless accesspoint status

↧

How is Splunk Answers both as a forum and wiki/content repository setup including search built and powered?

October 10, 2018, 8:19 pm

≫ Next: strptime with time zone - eval token drilldown

≪ Previous: How to resolve the snmp error

How is Splunk Answers both as a forum and wiki/content repository setup including search built and powered? Is it powered and indexed via splunk ?

↧

strptime with time zone - eval token drilldown

October 11, 2018, 4:12 am

≫ Next: How to calculate Throughput for web servers.

≪ Previous: How is Splunk Answers both as a forum and wiki/content repository setup including search built and powered?

When evaluating this token in an "eval" drilldown: strptime("2000-01-01 +00:00", "%F %:z") It does not produce any result. ...But, actually, if in a standard search we write: eval foo = strptime("2000-01-01 +00:00", "%F %:z") It will produce "946684800" as result, which is the correct epoch we are looking for. In the end, it looks like the command is properly written but, for some reasons, it cannot work in drilldowns. Do you know why?

↧

How to calculate Throughput for web servers.

October 11, 2018, 4:15 am

≫ Next: We have an automated report which runs for every 24 hrs I need to highlight the alert which is generated by new device comparing to yesterday's device

≪ Previous: strptime with time zone - eval token drilldown

How to calculate Throughput for web servers. if we have following data source. server name **RAF**,**TAP**,**DFT** sourcetype=qwedc host=pcde* i want to calculate throughput in term of **Request** , **avg** , **max** , **p95** in per second waiting for response and thanks in advance.

↧

We have an automated report which runs for every 24 hrs I need to highlight the alert which is generated by new device comparing to yesterday's device

October 11, 2018, 5:04 am

≫ Next: ERROR DispatchReaper - Failed to reap

≪ Previous: How to calculate Throughput for web servers.

We have an automated report which runs for every 24 hrs I need to highlight the alert which is generated by new device comparing to yesterday's device

↧

ERROR DispatchReaper - Failed to reap

October 11, 2018, 4:26 am

≫ Next: Why can't I log-in to Splunk Enterprise?

≪ Previous: We have an automated report which runs for every 24 hrs I need to highlight the alert which is generated by new device comparing to yesterday's device

We had to restore the Splunk indexer from a backup, loosing the 'colddb'. I now see the folowing ERROR in splunk.log, anything I need to worry about? 10-11-2018 11:22:50.108 +0200 ERROR DispatchReaper - Failed to reap D:\Program Files\Splunk\var\run\splunk\dispatch\remote_pvpsvgs6c01_scheduler__nobody_RUNCLUF1ZGl0__RMD524612f09816f458b_at_1536120900_323 because of The directory is not empty. 10-11-2018 11:22:50.117 +0200 ERROR DispatchReaper - Failed to reap D:\Program Files\Splunk\var\run\splunk\dispatch\remote_PVPSVHC2C01_SummaryDirector_1536121209.679 because of The directory is not empty. 10-11-2018 11:23:20.074 +0200 ERROR DispatchReaper - Failed to reap D:\Program Files\Splunk\var\run\splunk\dispatch\remote_pvpsvgs6c01_scheduler__nobody_RUNCLUF1ZGl0__RMD524612f09816f458b_at_1536120900_323 because of The directory is not empty. 10-11-2018 11:23:20.091 +0200 ERROR DispatchReaper - Failed to reap D:\Program Files\Splunk\var\run\splunk\dispatch\remote_PVPSVHC2C01_SummaryDirector_1536121209.679 because of The directory is not empty. 10-11-2018 11:23:21.473 +0200 WARN DatabaseDirectoryManager - Directory='D:\Program Files\Splunk\var\lib\splunk\_internaldb\colddb\911_8E7523CC-5821-453D-AE7E-7E46FB5189E5' does not exist. The directory representing this bucket might have just rolled.

↧

Why can't I log-in to Splunk Enterprise?

October 11, 2018, 5:41 am

≫ Next: Regex Expressions

≪ Previous: ERROR DispatchReaper - Failed to reap

Hi, I am doing the Splunk Fundamentals 1 course and I need to use Splunk Enterprise for the lab work in module 3. I downloaded the application, installed it and chose an admin password but when I try to log-in it won't accept the password I chose. Can someone please help me with this issue? Thanks.

↧

Regex Expressions

October 11, 2018, 5:55 am

≫ Next: Token manipulation from JS

≪ Previous: Why can't I log-in to Splunk Enterprise?

Hi Team, I need to extract the fields from the JSON format in my Search Head GUI so kindly let us know how to proceed further. { [-] id: message: 2018-10-11 10:33:46,879 [44] |INFO|Access=abcdef|Max=(abcd)|Data=(xyz)|Fox=(ghi)|Mach=(pqrs)|Bend=(uvw)| http://amazon.com.local:098765/dam/healthchecks/band severity: INFO } Need to extract fields in the form of Regex: Date:2018-10-11 10:33:46,879 Level=INFO Access=abcdef Max=(abcd) Fox=(ghi) Mach=(pqrs) Bend=(uvw) Message=http://amazon.com.local:098765/dam/healthchecks/band Once the fields are extracted if we click Max on the left hand side it needs to show abcd So kindly help on this to make up a regex so that i can able to implement the same and extract those fields.

↧