Channel: Questions in topic: "splunk-enterprise"

Can you help me with my Splunk Universal Forwarder starting problem?

Hello. I am troubleshooting a universal forwarder installed on a Windows system. I noticed that the SplunkForwarder service only starts if the "Log On As" user for the service has administrator rights on the system. How can I grant permissions to start the service without it needing admin rights on the system?

time range picker broken in French Version of Splunk?!

Hi, I was contacted by one of our customers who said that our dashboards have translation errors... which happens all the time. But with this one I got quite confused, because it concerns a Splunk-standard component: the Time Range Picker. As far as I know, this element shouldn't be affected by our own translations, but it's obviously broken... As you can see in the attached comparison, the text in the button is not resolved properly, as it seems to have problems with some tokens. Is this known behavior? Or did we configure it to behave like that? We're using Splunk Ent. v6.5.5 and it happens on all dashboards, in both Chrome and Firefox.

(attached comparison screenshot: french-translation-error.png)

Use CSV file as an exemption to the main search

I have a main query which shows the destination IP of the computer, and there are some destination IPs that I need to exempt. There are many IP addresses that I need to exempt, so how can I use a CSV as an exemption list for the main search?

```
| datamodel IPP_Assets STOR search
| search FTP.dest_ip!=10*
    [| inputlookup owatch_ss_objects.csv | search inet_facing=* | rename src_ip as FTP.src_ip | fields + FTP.src_ip | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| bucket _time span=1d as Day
| timechart span=1d count by FTP.Spike_Log
```

**The `FTP.dest_ip!=10*` term is the part that should come from a CSV of IP addresses that need to be exempted from the main search.**

Field extraction weirdness

Hi, I have a field extraction situation that I've never come across before, and I'm hoping someone can help me. We have a number of fields set up to do search-time extractions and transformations. One of the fields is named "action", which looks at the values in the field and transforms them. The transformation works when you do a query that doesn't directly query that field, but if you query the field directly, it isn't found. However, if you wildcard it, the field is found. Here's my transforms.conf:

```
[stonesoft_action_blocked]
REGEX = \|(Connection_Discarded)\|
FORMAT = action::blocked

[stonesoft_action_teardown]
REGEX = \|(Connection_Closed(?:-Abnormally)?)\|
FORMAT = action::teardown

[stonesoft_action_allowed]
REGEX = action=(Allow|Permit)
FORMAT = action::allowed
```

If I query `index=myIndex`, then the "action" field appears under "Interesting Fields", with each option (teardown, allowed, and blocked). However, if I click on any of these values and they get added to the search, it now comes back with zero events. So, `index=myIndex action=blocked` returns nothing. If I enter that directly in the search (rather than clicking on it from the event), it also returns zero events. If I wildcard the search and type `index=myIndex action=*blocked*`, then I get events returned. Hope this makes sense. Appreciate any advice.

DB Connect Temporal Lookup - does it exist?

Hi. I am trying to figure out how to put together a time-based lookup using the DBX conduit, connected to a RADIUS session table. The RADIUS table has start/stop times and IP. The original event table has IP and event time. It feels like I need to do something like this:

**Lookup SQL**:

```sql
SELECT * FROM `radius`.`radiusacct`
WHERE acctstarttime < @eventTime
  AND (@eventTime > acctstoptime OR acctstoptime IS NULL)
```

**Field Mapping**: Event IP --> Radius IP

But I don't think I am able to call out things like @eventTime in the SQL query, am I? Any ideas on how to accomplish this? Thanks, Dave

Join time from a CSV file, and an index summary

How do I join the time field with a different field name from a CSV lookup file, with the time field specified in an index summary?

Do we need to install this add-on on indexers?

Please let me know if we need to install this add-on on our indexers. I have already installed it on the heavy forwarders and the search head.


Can you help me configure my props.conf to parse out incoming XML files?

I have the following coming in via an XML file. Most of the attributes parse just fine using the default parser, but I cannot figure out what I need to put into a props.conf file to parse out all of the applications that are coming over. I am new to Splunk, so any suggestions would be greatly appreciated. `` `ACC1582` `0D935CF2-ECFD-5A04-8303-34B6564EC820` `291` `ACC1582` `10.8.0-t1539715549` `2018-11-20 18:18:08` `Apple` `15-inch Retina MacBook Pro (Mid 2012)` `C02J362MDKQ5` `1/2` `Mac OS X 10.10.5` `14F2511` `Mac OS X` `10.10.5` `` `` `` `8x8 - Virtual Office.app` `5.4.0.19776` `` `` `Adium.app` `1.3.10` `` `` ``

Data Storage on Laptop

Hello - earlier I asked if I would be sharing data with Splunk, which would take me out of compliance with my company's data storage & use policy. My question was answered with the response that if Splunk was installed on my server, the data would not be shared. My IT team informed me that they installed Splunk on my laptop. Would the data still remain with my company if it was loaded on my laptop?

Splunk table with nested JSON - print parent item with each child item

I'm a newbie and I know this should be super easy, but I can't create a table with separate rows (events) for each combination of project name + task. Given the JSON below, I'm trying to create a table with each task in each project, so I should have 4 entries. Instead, I'm getting the 2 projects each with 1 task (screenshot attached). Strangely, I got this example from another forum post where people seemed to believe it was behaving correctly. Here's what I want:

| ProjectName | TaskName |
|---|---|
| Build Computer | Order Hardware |
| Build Computer | Install Software |
| Submit Timesheet | Fill out Timesheet |
| Submit Timesheet | Email Timesheet |

**Orig Json**

```json
{
  "FirstName": "John",
  "LastName": "Doe",
  "Projects": [
    {
      "ProjectName": "Build Computer",
      "Tasks": [
        { "TaskName": "Order hardware", "TaskDueDate": "1/1/2018" },
        { "TaskName": "Install software", "TaskDueDate": "1/2/2018" }
      ]
    },
    {
      "ProjectName": "Submit Timesheet",
      "Tasks": [
        { "TaskName": "Fill out Timesheet", "TaskDueDate": "2/1/2018" },
        { "TaskName": "Email Timesheet", "TaskDueDate": "2/2/2018" }
      ]
    }
  ]
}
```

**Here's the "answer" from the original post:**

```
| makeresults
| eval _raw="{\"FirstName\":\"John\",\"LastName\":\"Doe\",\"Projects\":[{\"ProjectName\":\"Build Computer\",\"Tasks\":[{\"TaskName\":\"Order hardware\",\"TaskDueDate\":\"1/1/2018\"},{\"TaskName\":\"Install software\",\"TaskDueDate\":\"1/2/2018\"}]},{\"ProjectName\":\"Submit Timesheet\",\"Tasks\":[{\"TaskName\":\"Fill out Timesheet\",\"TaskDueDate\":\"2/1/2018\"},{\"TaskName\":\"Email Timesheet\",\"TaskDueDate\":\"2/2/2018\"}]}]}"
| spath
| rename Projects{}.Tasks{}.TaskDueDate AS x, Projects{}.ProjectName AS y, Projects{}.Tasks{}.TaskName AS z
| eval joinfield = mvzip(x,mvzip(y,z))
| mvexpand joinfield
| eval Name=mvindex(FirstName,0) +" "+mvindex(LastName,0)
| eval spjoinfield = split(joinfield,",")
| eval Date=mvindex(spjoinfield ,0)
| eval ProjectName=mvindex(spjoinfield ,1)
| eval TaskName=mvindex(spjoinfield ,2)
| table Name ProjectName TaskName Date
```

^which returns the wrong answer (but closer than I was getting with spath):

| ProjectName | TaskName |
|---|---|
| Build Computer | Order Hardware |
| Submit Timesheet | Install Software |
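The rows go missing because `mvzip` pairs multivalue fields of different lengths: `Projects{}.ProjectName` holds two values while `Projects{}.Tasks{}.TaskName` holds four, so only the first two tasks survive the zip. As an added example (not from the original post or the thread it quotes), this run-anywhere search expands one nesting level at a time instead, using the same JSON embedded inline:

```spl
| makeresults
| eval _raw="{\"FirstName\":\"John\",\"LastName\":\"Doe\",\"Projects\":[{\"ProjectName\":\"Build Computer\",\"Tasks\":[{\"TaskName\":\"Order hardware\",\"TaskDueDate\":\"1/1/2018\"},{\"TaskName\":\"Install software\",\"TaskDueDate\":\"1/2/2018\"}]},{\"ProjectName\":\"Submit Timesheet\",\"Tasks\":[{\"TaskName\":\"Fill out Timesheet\",\"TaskDueDate\":\"2/1/2018\"},{\"TaskName\":\"Email Timesheet\",\"TaskDueDate\":\"2/2/2018\"}]}]}"
| spath path=FirstName
| spath path=LastName
| eval Name=FirstName." ".LastName
| spath path=Projects{} output=project
| mvexpand project
| spath input=project path=ProjectName
| spath input=project path=Tasks{} output=task
| mvexpand task
| spath input=task path=TaskName
| spath input=task path=TaskDueDate
| table Name ProjectName TaskName TaskDueDate
```

`spath path=Projects{} output=project` yields one JSON object string per project, and each `mvexpand` multiplies the rows by the number of array elements in that object, so the result is four rows, one per task; `spath input=...` then reads from the per-row fragment rather than from `_raw`.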

How do I combine multiple rex commands into a single one?

Hello, I am working with some unstructured data so I'm using the `rex` command to get some fields out of it. I need three fields in total, and I have managed to extract them with three distinct `rex` commands. I am now trying to merge them into a single one, but I am having trouble doing so. Following is a run anywhere search where I've put the unstructured data into a string that is then used by the `rex` commands: | makeresults | eval string="================================================================ = JOB : MAXFED33S-LHMX#MDK1997DAILYFTPCONN[(2130 10/31/18),(0AAAAAAAAAAAOBWS)] = USER : DOMAIN\khectic = SCRIPT : c:\scripts\mdk_copy.bat = Job Number: 2484514 =============================================================== ******************************************************************************************** ** copying from ** \temp\mdk_temp.csv ** to ** \target\ ** success ** ******************************************************************************************** =============================================================== = Exit Status :OK ===============================================================" | rex field=string ".+#(?[\w]+)\[." | rex field=string ".+SCRIPT[\s\t]*:[\s\t]*(?

Return message based on what is NOT showing in Subsearch

I have a subsearch returning all files imported per client as the value "Client_File". Its value will look like ABC_File1. Based on what is returned in this first search, I have a second part of the search to look at whether files were missed, and if that value is not returned I want it to write a message to the table being returned. Below is the search I have so far, but it is not returning the missed files correctly.

```
| append
    [ search source=*importhelpers* Moved earliest=-25h@h
    | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
    | eval Client_File = ClientID + "_" + FileImported ]
| eval time=strftime(now(), "%H:%M:%S")
| eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A")
| eval MissedFiles = case(
    Client_File!="ABC_File1" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File1 File. It was expected by 12:25:00",
    Client_File!="ABC_File2" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File2 File. It was expected by 12:25:00",
    Client_File!="ABC_File3" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File3 File. It was expected by 12:25:00")
| where isnotnull(MissedFiles)
| rename MissedFiles as "Missed Files Message Alert"
| table "Missed Files Message Alert"
```

Can I return the host IP address in WinEventLog metadata search?

I'm trying to use a metadata search to quickly return the hosts that are currently sending logs to Splunk, to determine if we are missing any logs. Here is the current search: `| metadata type=hosts index=wineventlog | table host`. Is there a way to also return the IP address of the host from the metadata search?

How do I change the panel title font size in XML instead of CSS?

Hello, I would like to change the dashboard panel title font size using XML, not CSS. I found the following in one of the posts: But, when I insert it inside of the and it still changes the title font of ALL the panels in my dashboard. How would I change the title font for one particular panel only? Kind Regards, Kamil

Can you help me with my issue involving embedding a dashboard?

Hi, I have multiple dashboards, A, B and C. Is it possible to have a summary dashboard with a drop-down or three radio buttons, so that whenever a user selects dashboard A, dashboard A loads; selects dashboard B, dashboard B loads; and so on, all on a single page? Thanks in advance.

maintenance mode while decommissioning a peer

Hi, I want to decommission a peer and remove it from the cluster. Should I keep the cluster in maintenance mode and run the following command, `splunk offline --enforce-counts`? Or should I just run the above command as it is on the peer and remove it from the cluster?

Splunk Enterprise pricing clarification

The calculator for Splunk Enterprise is worded in a confusing way. The price is only shown as GB/day and there is talk of paying at the time of ingestion. This implies that the exact usage determines the price, but I don't think this is the case? If the annual license for 2GB/day is listed as $1,500, is it correct to assume that you just pay $3,000 upfront? So each day has a limit of 2GB, but if you actually index 10MB a day that wouldn't affect cost at all?

Microsoft Office 365 Reporting Add-on for Splunk - HTTP Request Error Not Found for URL

Hi all, I'm trying to set up this add-on but appear to be having issues. I've configured an Office 365 account with the following permissions (View-Only Recipients), but I'm receiving the following error:

```
2018-11-21 08:27:56,809 ERROR pid=2942 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 404 Client Error: Not Found for url: hxxps://reports[.]office365[.]com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2018-11-16T08:27:54.943081Z'%20and%20EndDate%20eq%20datetime'2018-11-16T09:27:54.943081Z'
```

I've tried setting the add-on input to Index Once and also checked that the Office 365 account doesn't have MFA enabled. Any ideas?

Sorting the data values in a stacked timechart

How do I order the horizontal slices in a stacked timechart by value? The working search string looks like this: `timechart count by author.name limit=0`. The data is coming from git commit records. Each record is labelled by author.name. The search string tallies the count of records for every author over a year and produces a nice stacked bar chart, one bar per month with every user's count stacked up in the bar. However, the stack is ordered alphabetically by author.name. How do I order it by count, lowest to highest, top to bottom?