Hi All,
We have a Splunk no enforcement license and we are breaching it almost every day. As the name suggests, there is no impact if we breach with some data.
If we breach the license, do we have any operational impact, bar having to pay Splunk to increase the usage figure?
I am not clear after reading the documents, please help me on this.
Thanks
Rohit
Splunk No Enforcement License
Splunk DB Connect and java versions beyond v8
Does anyone have any knowledge of DB Connect being supported by Java (Oracle and/or Open) beyond version 8? Will you run into any trouble if, for example, version 11 (the current version) is installed? This would be in conjunction with the latest DB Connect version, which is now 3.1.4.
KV Store Help - Best approach to schedule deletion of records based on a flag set
We have a KV store with the fields below:
_key (mapped with alert_id)
Splunk_ID
Can_Delete (a flag with Yes/No)
KV Store records are being added/updated with scheduled searches. Now our requirement is to delete all records from the KV store whose Can_Delete flag is set to "Yes", on a regular basis.
What is the best way to achieve this?
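One way to schedule the cleanup, as an added example that is not part of the original post: it assumes a lookup definition named `alert_tracker` (a hypothetical name) that points at the KV Store collection. `outputlookup` without `append=true` replaces the collection's contents with the search results, so writing back only the rows whose flag is not "Yes" removes the flagged records while keeping their `_key` values intact.

```spl
| inputlookup alert_tracker
| where isnull(Can_Delete) OR lower(Can_Delete)!="yes"
| outputlookup alert_tracker
```

Save this as a scheduled search (hourly or nightly, whichever matches how often the flag is set). The `isnull` clause matters: a bare `where lower(Can_Delete)!="yes"` evaluates to false for records that have no flag at all, and they would be silently dropped. The read-then-rewrite also means any record written by another search between the `inputlookup` and the `outputlookup` is lost; if that window is a concern, delete only the flagged documents through the REST endpoint instead, with a `DELETE` on `storage/collections/data/<collection>` and a `query` parameter of `{"Can_Delete":"Yes"}`.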
About the colors of a chart created with Visualizations
I am trying to chart log search results in Splunk Enterprise.
When I charted the search results from the Visualization tab, the chart colors did not match the colors I had prepared for the items.
I am wondering whether I can change the chart colors manually; is that possible?
The chart is an Area Chart.
Applying CSS definitions to row of charts in a single panel
Hello guys,
Hope you can guide me with this, since I've been going around this for some time and not seeing a solution in sight.
I have a panel with 3 charts in it and I wanted to put them in a row. I've tried using CSS for .panel-element-row but unfortunately, it affects all the charts in the dashboard, which is not the desired goal.
.panel-element-row{
display: inline-block !important;
width: 33% !important;
}
I've applied a class to see if it worked, but to no avail:
#panel1 .panel-element-row{
display: inline-block !important;
width: 33% !important;
}
Can you guys guide me in the right direction?
How to send an alert when the number of records goes below 20% of the daily average?
Hi,
I am using the below query to get the average count. But how do I write a query to send an alert when the number of records goes below 20% of the daily average?
index=abc platform=xyz | stats avg(count) by _time
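An added example of one way to build such an alert, not part of the original post: it uses the `index=abc platform=xyz` selector from the question and assumes a baseline of the seven complete days before yesterday, comparing yesterday's full-day count against 20% of that baseline. The daily counts are produced with `bin` and `stats` rather than `avg(count)`, since raw events carry no `count` field to average.

```spl
index=abc platform=xyz earliest=-8d@d latest=@d
| bin _time span=1d
| stats count AS daily_count BY _time
| eval period=if(_time >= relative_time(now(), "-1d@d"), "latest", "baseline")
| stats avg(eval(if(period="baseline", daily_count, null()))) AS baseline_avg,
        sum(eval(if(period="latest", daily_count, 0))) AS latest_count
| eval threshold=round(baseline_avg * 0.2, 0)
| where latest_count < threshold
```

Schedule it shortly after midnight with the trigger condition "number of results is greater than 0". Because `latest_count` is summed with a default of 0, a day with no events at all still produces a row and fires the alert, which is the case a plain `stats count` would miss (no events, no row, no alert). If there is no history yet, `baseline_avg` is null and the `where` clause is false, so the alert stays quiet until a baseline exists.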
Can I merge 2 indexes?
I have index A stored on my systemdisk (i know)
And I have made a new Index B on my datadisk.
How will I go forward putting the IndexA events into IndexB, so I can delete IndexA?
What is the best way to fix this?
Can I merge it, or is it best to just move the Index, If so, how?
I don't have enough points to post links, but I have followed a guide which told me basically:
Stop splunk,
move hot and cold.
Chmod for the new directory
Start Splunk, and disable old index.
But Splunk shows event count 0 for the new index.
Has anyone experience with this?
System is running Red Hat 7*
Thanks in advance for all help
About the colors of a chart created with Visualizations - About color of graph created by visual effect
I am trying to chart log search results in Splunk Enterprise.
When I charted the search results from the Visualization tab, the chart colors did not match the colors I had prepared for the items.
I am wondering whether I can change the chart colors manually; is that possible?
The chart is an Area Chart.
[Google Translate]
Splunk Enterprise is trying to graph the search result of the log.
As a result of the search, when graphing from the visual effect, the color of the graph deviated from the color of the items prepared.
I think whether it is possible to change the color of the graph led by the initiative, is it possible?
The chart uses Area Chart.
How can I move an index in *nix
Hi
I have index A stored on my systemdisk (i know)
And I have made a new Index B on my datadisk.
How will I go forward with putting the IndexA events into IndexB, so I can delete IndexA?
Or just move the index and restart Splunk?
What is the best way to fix this?
Is it possible to merge it or to move it?
Has anyone experience with this?
System is running Red Hat 7*
Thanks in advance for all help
Send Windows Logs to third party without Splunk adding in new syslog header
I can send a subset of Windows data to a syslog server by sourcetype and then use transforms to regex out the host.
None of this works though if Splunk puts a timestamp/server header on each syslog message.
I have tried syslogSourceType = sourcetype::WinEventLog:Security, but this doesn't work.
Am I missing anything?
Too many one time connections
I recently upgraded a Windows heavy forwarder to 7.2.3 and I am now getting errors when it attempts to connect to an indexer saying "Too many one time connections: Skipping". Has anyone ever encountered something like this and know what exactly the TcpOutProc service needs to get the data flowing again?
Dashboard Permissions question
Howdy,
We have roles set up for our various Splunk users. They are able to create dashboards. When they go to share it, they can only share with Everyone, or the group they are in.
Example:
SplunkDevOps1
SplunkDevOps2
SplunkDevOps3
Each has the same base Index access, but higher levels have more index access. SplunkDevOps1 creates a dashboard for IIS data. They want to share with SplunkDevOps3.
Since they cannot see that group, is there a permission to add or a setting that would allow them to do this?
Thanks
CSV scheduled export for savedsearch can't have more than 50.000 rows
Hi,
We need to have a copy of a big SQL table in a CSV file to speed up some lookups...
We do retrieve the data using a savedsearch and we schedule it to run every hour and save the result to a CSV file.
The search is like this:
| dbxquery maxrows=0
query="query string" connection="db_connection"
| fields field1, field2, field3, field4, field5, field6, field7, field8, field9
Adding maxrows=0 allows retrieving all the data. If we run the search through Splunk Web, we do see 507.000 results.
If we use the API to get the results as explained in this link:
[Exporting Large Result Sets to CSV][1]
we get the full CSV, with 507.000 rows, and we can use it for lookups.
However, if we create a schedule for the savedsearch and a trigger to export to a lookup CSV file, we only get 50.000 lines...
How can we save the whole 500.000 lines to a CSV using the scheduler?
Thanks in advance!
[1]: https://www.splunk.com/blog/2013/09/15/exporting-large-results-sets-to-csv.html#
Splunk Universal Forwarder Phone Home Via Intermediate Forwarder
Hi All
I'm currently using a query on a dashboard that is showing Splunk Machines that are online,
*index="_internal" services/broker/phonehome/connection | stats count by host* (for the past 15 minutes)
My problem is half of my machines sit behind a firewall, and send their data via an intermediate forwarder
Diagram below (Security Team wouldn't sign off on the solution unless I followed this approach)
![alt text][1]
[1]: /storage/temp/263752-splunk-topology.png
I cannot show the status of these endpoints using the same method, as the host value for data in the internal index has the forwarder's hostname rather than the actual endpoint. Has anyone found a way around this?
Thanks
Josh
License usage by host. Queries giving different results with several hosts missing.
Hi,
I am trying to determine total license usage in GB by a certain group of assets where the hostname starts with "xyz". There are a total of 24 such hosts that are currently sending data to Splunk, but I tried two different searches to get the license count and both reported a different number of hosts.
The following query gave results for 10 hosts.
index=_internal host= source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024) | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f
Whereas the following gave data only for 7 of them.
index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz* | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)
We have just one license master, and both queries above were run for a 24 hour window. How can I get the total sum of data sent by these hosts (xyz*) in the last 24 hours?
Thanks,
~ Abhi
Find difference between 2 different indexes with fields in common
Hi All,
I am working on a piece of work reconciling the trades from a DB and a log. I thought that the below query should be working fine, but it is not. It has shown me 9K differences when I ran it against the Today or Yesterday time range. I have checked the query separately to see if the version has changed, but it's the same version and same trade when I ran the 2 searches separately.
| set diff [search index=stdb sourcetype=stdbtype
| dedup TRADEID sortby -AUD_VER
| rename TRADEID as tradeId,AUD_VER as SMTVersion
| table tradeId, SMTVersion]
[search index=XXX_inbound SMT55/BOND_TR
| dedup tradeId sortby -SMTVersion
| table tradeId, SMTVersion]
If I investigate a few trades, the version and the trade ID are the same, but it shows as a difference in the above query. I'm not sure why and pretty much confused.
Any help is much appreciated.
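An added example of reconciling the two sources in a single search, not part of the original post. Two properties of `set diff` are worth knowing when its output looks wrong: it compares whole rows as strings, so values that differ only in whitespace, leading zeros or numeric versus text form count as differences, and each subsearch feeding it is capped by the `maxout` setting in the `[set]` stanza of limits.conf (default 10000). The search below avoids both by pulling both sources in one search, normalising the key and version explicitly, and then flagging trades that are missing from one side or carry different versions. It uses the index, sourcetype and field names from the question and assumes `index` is the only thing that distinguishes the two sources.

```spl
(index=stdb sourcetype=stdbtype) OR (index=XXX_inbound SMT55/BOND_TR)
| eval src=if(index="stdb", "db", "log")
| eval tradeId=trim(coalesce(tradeId, TRADEID))
| eval SMTVersion=tonumber(trim(coalesce(SMTVersion, AUD_VER)))
| stats max(SMTVersion) AS version BY tradeId, src
| stats values(src) AS sources, dc(version) AS versions, values(version) AS version BY tradeId
| where mvcount(sources) < 2 OR versions > 1
```

The first `stats` keeps the highest version per trade and source, which is what the `dedup ... sortby -SMTVersion` in the original achieves, but numerically rather than by string order (so version 10 sorts above version 9). A trade that appears in the output with a single entry in `sources` is missing from the other side; one with `versions` greater than 1 has genuinely different versions. Anything else that `set diff` reported but this search does not was a formatting difference, not a data difference.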
Splunk backup - How to exclude the /var folder during backup
I want to know what the command is, and from where I can execute it, to exclude the (/var) folder from being backed up.
Educational Resources for log quality
All,
Our developers need a lot of training just on producing solid log quality. Wondering if anyone has any formal training or books that we can recommend to them?
Why store the URLs in the index vs lookup?
I see where you write out the IP downloads from the threat list to the lookup files, but I do not see where you are storing the URLs; it looks like in an index. Any specific reason why the index and not a lookup file?
Splunk Stream Tag for Certificate missing?
All,
I just happened to notice that source=strea:Splunk_SSLActivity from Splunk Stream isn't tagged with tag=certificate, as I believe is outlined in CIM: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Certificates
Is this an oversight/bug or am I misunderstanding the process on that?