What is the typical or recommended data retention time frame for each bucket, hot, warm, and cold?
How come Splunk can only read 10000 lines from my CSV? I need 9000000!
Hi team!
I have a problem.
I want to match two fields. The first one is a src_ip from an indexer (traffic events); the second one is an IP from a CSV.
My CSV has 9.000.000 lines and inputlookup can only read the first 10.000 lines...
How can I do it?
Stats Partition
What does stats partitions do? How would you use this?
Sample query:
|stats **partitions=1** latest(Insert_Text) by field_1 field_2
The partition and by fields can be whatever you specify. Just would like to understand what is going on here.
maxKBps hit ... no error
I replaced a very old heavy forwarder today with a universal forwarder that some of our network gear was pointing syslogs to. The flip went smoothly, but we quickly noticed that the number of logs we were indexing prior to the replacement was well over twice what we were getting afterwards. We found maxKBps and set it to 0 on that UF, which fixed the issue; however:
1. How can I tell if other forwarders may be hitting this upper limit? Should it not show up somewhere in _internal?
2. How can I use the deployment server to push multiple limits.confs to our many forwarders or does limits.conf need to live exclusively in /etc/system/local and be edited individually on each? If we find multiple more servers with this limit, I would like to push the fix in bulk.
How do you forward active directory events to different Splunk Clusters?
Hello,
I have two companies that use the same Active Directory but each one has a different Splunk platform (both in cluster mode).
Now, I have installed a universal forwarder (UF) on each domain controller, and I want to forward events to both Splunks following these conditions:
- Get just the events with specific EventCodes
- Forward to the Splunk of the first company information about the whole domain
- Forward to the Splunk of the second company information just about the second company's OU
The configuration that I have (I don't know if it's OK):
inputs.conf
[WinEventLog://Security]
disabled = false
index = active_directory
start_from = newest
whitelist1 = 4720,4722,4723,4724..... (eventCodes)
whitelist2 = .*OU=secondCompany,DC=local,DC=domainName$
I don't know how to apply whitelist2 just to the company2 forwarding.
outputs.conf
[tcpout]
defaultGroup = company1,company2
[tcpout:company1]
server = company1indexer1.local:9997
server = company1indexer2.local:9997
[tcpout:company2]
server = company2indexer1.local:9997
server = company2indexer2.local:9997
If I'm right, I have to deploy the application to the UFs (DCs) just from the deployment server of the first company's Splunk, but forward data to the forwarders of both Splunks (data cloning). Is that right?
Is it a problem that the indexers of each Splunk use a different pass4SymmKey?
Is it a problem that each Splunk has a different index name for Active Directory logs?
Thanks a lot.
What are the capabilities of the Splunk Forwarder license?
We are running heavy forwarders to accept events from a number of universal forwarders, do some transforms and filtering with props and transforms, and then send them to our indexers.
We'd like to use the forwarder license on them, so we don't have to enable a connection to our license master. What capabilities are enabled with this license? Or, more specifically, are the functions of the parsing, merging and typing pipelines, according to [HowIndexingWorks][1], available with the forwarding license?
[1]: https://wiki.splunk.com/Community:HowIndexingWorks
How to run a cron schedule for the entire month from 7 AM to 11 PM every 5 min, but suppressing it for the first week.
I am using this cron schedule.
*/5 7-23 8-31 * *
Could you please check and confirm if this works.
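An added Python check, not from the post, that evaluates the five-field expression at a given minute so the 07:00 to 23:55 window and the day 8 onward start can be confirmed. The matcher is simplified: it requires both day fields to match, which only differs from classic cron when day-of-month and day-of-week are both restricted, and the post's day-of-week is *.

```python
from datetime import datetime

# The five-field schedule from the post: minute hour day-of-month month day-of-week
SCHEDULE = "*/5 7-23 8-31 * *"


def _expand(field: str, lo: int, hi: int) -> set:
    """Expand one cron field ('*', 'a', 'a-b', '*/n', 'a-b/n', comma lists) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field: {part!r}")
        values.update(range(start, end + 1, step))
    return values


def cron_matches(expr: str, when_iso: str) -> bool:
    """True if the 5-field cron expression fires at the minute given as an ISO timestamp.
    Simplification (assumption): day-of-month AND day-of-week must both match;
    classic cron fires on either when both are restricted. Sunday is 0 or 7."""
    mins, hours, doms, months, dows = expr.split()
    when = datetime.fromisoformat(when_iso)
    dow = when.isoweekday() % 7  # Python Monday=1..Sunday=7 -> cron Sunday=0
    return (when.minute in _expand(mins, 0, 59)
            and when.hour in _expand(hours, 0, 23)
            and when.day in _expand(doms, 1, 31)
            and when.month in _expand(months, 1, 12)
            and dow in _expand(dows, 0, 7))


if __name__ == "__main__":
    for ts in ("2019-02-07T07:00", "2019-02-08T07:00", "2019-02-08T23:55", "2019-02-08T07:03"):
        print(ts, cron_matches(SCHEDULE, ts))
```

Hour field 23 covers 23:00 through 23:55, so the last run of the day is 23:55, and days 1 to 7 never match.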
Why did my Splunk account lose permissions on the syslog collector server?
Good morning.
Came in today and noticed that no logs were being fed to Splunk from my Linux syslog collector. This collector is configured to receive logs from various systems over UDP 514, then push the logs to the Indexers. Attempts to access the log directory resulted in
"ls: cannot open directory .: Permission denied".
How can I resolve this? Thanks for your assistance.
Good practice to remove serverName from server.conf?
I'm wondering what the consequences are of deleting the "serverName" attribute from server.conf in /etc/system/local. We'd like to do that because sometimes servers get cloned by other teams in our organization (oblivious to `splunk clone-prep-clear-config`), and the cloned server gets deployed. Both servers then send logs to Splunk Enterprise containing the same hostname. That needs to be detected and remediated. A preventative solution seems to be removing serverName from all forwarders using a deployment app.
From testing on Windows/RHEL, Splunk works fine falling back to /etc/system/default, which contains serverName=$COMPUTERNAME, which sets the hostname at runtime. That makes it peculiar that serverName is hardcoded in /etc/system/local at installation. Is there a reason for that, or is it legacy from earlier versions of Splunk?
Two questions:
1) are there any unintended consequences of removing serverName from /etc/system/local?
2) would it be better to remove serverName from /etc/system/local, or to replace it with $COMPUTERNAME?
Using regex to reformat JSON messages
I have a VidyoPortal that gives me its responses formatted this way through its event notification system:
**VDY\x00\x00\xFA**{"sequenceNum":1549002625629,"roomNotification":null,"userNotification":{"referenceNumber":null,"applicationName":null,"applicationVersion":null,"deviceModel":null,"endpointPublicIPAddress":"","accessType":"","roomType":"","roomOwner":"","applicationOs":null,"callCompletionCode":"0","extension":null,"endpointGUID":"BA8-0200323238353132-8C53EC8501659CFF","participantId":0,"roomID":0,"audioState":0,"videoState":0,"extData":null,"extDataType":0,"conferenceName":null,"callerName":null,"tenantName":null,"callState":"Online","uniqueCallID":null,"conferenceType":null,"endpointType":"D","callerID":null,"direction":null,"routerID":null,"gwid":null,"gwprefix":null},"alert":null,"creationTimestamp":3589263127594056,"queueTimestamp":3589263127646846,"wireTimestamp":3589263128426891,"externalStatusNotificationUrl":null,"externalUsername":null,"externalPassword":null,"plainTextExternalPassword":null,"vidyoStatusNotificationUrl":null,"vidyoUsername":null,"vidyoPassword":null,"plainTextVidyoPassword":null,"tenantId":0}
I need to remove the leading set of characters to get it as properly formatted JSON. Also, with some of the messages I'm getting nested JSON that has those characters in the body of the message. I have found it in both this format (VDY\x00\x00\xFA) and this format (VDY\x00\x00).
Can anyone assist with the regex I can use when querying to remove those characters? Without them the JSON is properly formatted and I can work with it.
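An added example in Python rather than SPL, not from the original post: it strips both observed marker variants wherever they occur, including inside nested payloads, and then rejects anything that is not valid JSON so a malformed or unexpected message is dropped rather than half-parsed. The sample messages are constructed and shortened from the post's example.

```python
import json
import re

# Marker observed on VidyoPortal notifications: "VDY" + two NUL bytes + an optional 0xFA byte.
# Both variants from the post (VDY\x00\x00\xFA and VDY\x00\x00) are matched.
VIDYO_MARKER = re.compile(rb"VDY\x00\x00\xfa?")


def strip_vidyo_marker(raw: bytes) -> bytes:
    """Remove every occurrence of the binary marker, leaving plain JSON bytes."""
    return VIDYO_MARKER.sub(b"", raw)


def parse_vidyo_notification(raw: bytes) -> dict:
    """Strip the marker and parse the remainder as one JSON object.
    Raises ValueError when the result is not JSON or not an object."""
    cleaned = strip_vidyo_marker(raw)
    try:
        doc = json.loads(cleaned.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a Vidyo JSON notification: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value is not an object")
    return doc


def is_vidyo_notification(raw: bytes) -> bool:
    """Convenience check that swallows the ValueError for filtering pipelines."""
    try:
        parse_vidyo_notification(raw)
        return True
    except ValueError:
        return False


# Constructed samples (shortened from the post): full marker, short marker, and a nested one
SAMPLE_FULL = b'VDY\x00\x00\xfa{"sequenceNum":1549002625629,"userNotification":{"callState":"Online","endpointType":"D"},"tenantId":0}'
SAMPLE_SHORT = b'VDY\x00\x00{"sequenceNum":2,"userNotification":{"callState":"Offline"},"tenantId":0}'
SAMPLE_NESTED = b'VDY\x00\x00\xfa{"sequenceNum":3,"alert":"VDY\x00\x00{\\"inner\\":1}","tenantId":0}'

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SHORT, SAMPLE_NESTED):
        print(parse_vidyo_notification(sample)["sequenceNum"])
```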
Using Splunk to analyze firewalls, how can I detect attackers who are doing IP spoofing attacks?
How can I detect attackers using IP spoofing in Splunk?
I want to be able to detect this in Checkpoint and Juniper firewalls.
I presume a standard search operation would work, but how is anti-spoofing reported?
Thanks
Can you answer some questions about maxKBps involving replacing a heavy forwarder with a universal forwarder?
I replaced a very old heavy forwarder today with a universal forwarder that some of our network gear was pointing syslogs to. The flip went smoothly, but we quickly noticed that the number of logs we were indexing prior to the replacement was well over twice what we were getting afterwards. We found maxKBps and set it to 0 on that universal forwarder, which fixed the issue; however:
1. How can I tell if other forwarders may be hitting this upper limit? Should it not show up somewhere in _internal?
2. How can I use the deployment server to push multiple limits.confs to our many forwarders, or does limits.conf need to live exclusively in /etc/system/local and be edited individually on each? If we find multiple more servers with this limit, I would like to push the fix in bulk.
What does stats partitions do?
What does stats partitions do? How would you use this?
Sample query:
|stats **partitions=1** latest(Insert_Text) by field_1 field_2
The partition and by fields can be whatever you specify. I just would like to understand what is going on here.
How to create a histogram to show distribution
I have a search like this:
My Search|chart count(data.url) as SongsPlayed over userEmail
It gives me a list of users and the number of songs they listen to for a time.
I would like a chart that breaks the users down into groups, like those who listen to between 0-10 songs, then up to 20, 30, etc.
How do I do that in Splunk?
Eva
SQL Status
Good day,
I am brand new to Splunk. I am constructing a dashboard to monitor the status of our SCCM environment. I have so far figured out monitoring event logs and service account stats. My current challenge is verifying the status of the CM database. I am not trying to index the database into Splunk, although we have the Splunk DB Connect App installed if that is what needs to happen. I just want to be able to look at the dashboard and see that CM_* is online.
I appreciate any assistance that might be afforded to me.
Ron Jones
remove suffix and prefix
Hi, I have a dashboard with a dropdown selection. For some of the panels further on I needed to add a suffix and prefix to simplify the search. But then I realized that for another panel, I need a clean value from the dropdown selection, i.e. without the prefix and suffix. How can I remove the prefix and suffix in the panel below? I will appreciate an answer. Thank you!
Show all source types even if no data available
Hi,
I'm trying to show all the source types within the last 24 hours (I set that by using presets), and if those source types have no data I still want to show the name of the sourcetype but with 0 (representing no data).
This is what I'm doing now but it only shows the source types with data for last 24 hours.
index=* |chart count over sourcetype
|eval name=if(count=="0", "0", "1")
Please help, I searched everywhere and tried so many things but still no luck. Also, I'm trying to use the Trellis Visualization to represent those source types
Receiving "500 Internal Server Error" after login - Windows Server 2012 R2 - Splunk 7.2.3
We have recently updated our Splunk server to version 7.2.3 and I am now receiving a "500 Internal Server Error" immediately after logging in with the admin account.
I'm not sure where to look in the logs for more information. Any help on where to look to get more details is appreciated.
Connect to Service Now in Cloud that is using ADFS SSO for Authentication
Our ServiceNow instance is running in the cloud and we use ADFS SSO authentication to connect to it. We got the add-on working with a local account but we are unable to authorize with the Service Now web service using an AD account. Does this add-on support SSO authentication?
How to replace text within a field with text from another field
I have events that contain multiple fields. For example
PARAM1: Thing1
PARAM2: Thing2
PARAM3: Thing3
MESSAGE: Refer to P1 and P2 in conjunction with P3 and escalate as need be.
What I'd like to create is a message that populates with everything in one sentence / field. For example:
MESSAGE: Refer to Thing1 and Thing2 in conjunction with Thing3 and escalate as need be.
Any suggestions on how to make this happen would be greatly appreciated.