Help with timewrap Command
Hi, I am trying to show a comparison of traffic on my website for today, yesterday and last week. I am using the query below to get the results. My question is: if I put that into a chart, then on the x-axis I get the time field, which shows the time for the last 24 hours. So what does it mean exactly?
I mean, does it show that 7 days before, at this time, this was the traffic? I am not able to understand the _time field here.
Can someone help?
index=web_prod sourcetype=access_combined req_content="/" earliest=-8d@d latest=now
| timechart count span=1h
| timewrap d
| table _time 1day_before 7days_before latest_day
Assign subsearches to multiple fields and evaluate their additions/subtractions
I have a base search and there are multiple events that I can find depending on some set of substrings. Let's say A, B, C.
I just want to get the counts of these events and calculate a single result from them. This is what I got so far...
basesearch | stats count(eval(searchmatch("A should contain"))) as successA,
stats count(eval(searchmatch("B should contain"))) as failureB,
stats count(eval(searchmatch("C should contain"))) as failureC,
| eval overall = successA - failureB - failureC
| stats count by overall
...needless to say, it does not work. Any simple ideas out there?
It's a very simple and basic question but I cannot find any entry or valid answer. I appreciate any help.
Thanks
Tunch
How to extract words and digits from a particular field
Hello everyone,
I am trying to extract strings containing SAMM #2222-A-1111 from other strings in a field named SAMU
This is what I have entered
SAMU="SAMM*" "#2*" "-*"
It works, but it also outputs other strings that I don't want to see. Any suggestions?
Monitor files in a Windows Directory with wildcards
I am having a problem trying to monitor some files on some Windows servers.
The directories that I am trying to pick up the files from are:
**D:\webroot\www.foo1.foo.cd\App_Data\logs
D:\webroot\www.foo1.foo.cm\App_Data\logs**
And the file name will be similar to this:
**Aggregation.log.20191103.224856.txt**
I need to use wildcards in the path because the portion **www.foo1.foo.** changes based on which environment we are looking at, and I want to ensure that as they bring up different environments the files are just automatically consumed.
I tried using an * in the path and it did not work. This is the inputs section right now (which is still not working):
[monitor://D:\webroot]
disabled = false
sourcetype = SiteCore:cm
whitelist = .+cm\\App_Data\\logs\\Aggregation.+\.txt$
[monitor://D:\webroot]
disabled = false
sourcetype = SiteCore:cd
whitelist = .+cd\\App_Data\\logs\\Aggregation.+\.txt$
Any idea what I have wrong?
Splunk App for Infrastructure: Error message on search head
Splunk App for Infrastructure data collection on Search Head
Followed:
https://docs.splunk.com/Documentation/InfraApp/2.0.0/Admin/ManualInstalLinuxUF
Environment:
Search Head 7.3.0
Indexer 7.3.0
Setup:
collectd -> localhost udp port 5000 -> indexer (via system/local/outputs.conf)
Issue:
So data flows from collectd to localhost UDP port 5000, verified with tcpdump, including viewing the data. The Search Head forwards data to the Indexer. The Indexer has the Add-On as instructed in the documentation, but I get the following error:
Metric value = unset is not valid for source=5000 sourcetype=em_metrics_udp. Metric event data with an invalid metric value would not be indexed. Ensure the input metric data is not malformed.
Thanks.
Jeremy
Remove data after moving index location
I just moved my homePath and coldPath to a new location, and wanted to delete the data stored in Splunk's default index location ($SPLUNK_DB). I would leave it, but it's using the bulk of that partition. Can I simply delete these files, or will they fall off after the relocation?
How to join fields that have different values
I need to join two searches that do not have a common field.
First search has a field **FileName=Test.json**
Second search has field **FileName=Test.json.pgp**
How do I join the two searches?
Thanks
Why does syslog data delay when setting no_priority_stripping=true?
Hi,
When I set no_priority_stripping = true in inputs.conf on the Splunk server, the syslog data sent to Splunk works, but with a very long delay.
When I remove no_priority_stripping = true from inputs.conf, my unit sends syslog to Splunk in real time.
I do need to set no_priority_stripping = true, in order for me to use syslog_priority.csv lookup table.
I need help to resolve this issue. Can you please point me in the right direction?
Thanks,
Matoula Senethavong
How to match index search results to CSV lookup
I have a search that returns information about usernames and their IP, machine name, etc.
I want to cross-reference a CSV lookup that has a list of usernames and then the search result would only show the results that match a username in the CSV.
This is what I have been working with so far, but it's not changing my query results.
index=dlp
[|inputlookup users.csv |fields username]
|table username, machine_name, ip_address
My CSV has 1 column labeled username with the fields containing the usernames.
Is it possible to route events to particular license pool based on host or index name?
Hi,
We have a situation where we want to have multiple pools in our license master and each pool should index data from specific host.
We don't want multiple indexers or license masters to achieve this.
Please let me know if such scenarios are possible.
I'm trying to use makeresults to test an alert but it doesn't work
I'm trying to use makeresults to test an alert but it doesn't work because "number of events" is always 0, but I thought the point of makeresults is to always make events?
Sending logs to HEC endpoint
Hi,
I need to send logs to HEC through HTTP. The only available option is via the HttpEventCollector appender. But the HttpEventCollector appender is Layout-based, and I am using an Encoder in my project.
Can anyone suggest HTTP appenders for the HEC endpoint that use an Encoder instead of a Layout?
Thanks
How do I send just the value of token $job.resultCount$ to a webhook?
We have a simple alert with a Webhook action assigned to it whose endpoint is OMI.
Search: index=xyz TCP_ERROR appName="jojothedolphin"
Alert: If number of results > 10
After the alert is triggered, field and values I want to send as my payload are stored in tokens:
$trigger_date$
$trigger_time$
$alert.severity$
$job.resultCount$
But I am pulling my hair out trying to figure out how to access them and their values. I cannot get them to display in a table (or any other way that would then become my payload). Help!
Damon
timecharting 2 separate data sources with a case statement. What about this makes it so it will never get the label "msad", EVER
Something about this search makes it so we absolutely never get into the case that would label the column "msad". I have tried switching everything up: making the zscaler case first, changing the msad case so that it just needs to meet the condition =*, and every other tweak of syntax and values.
As an FYI, I have tried searching the default search separately and get events that meet both of the criteria mentioned in the case statement.
(index=zscaler) OR (index=msad) query=*debug*opendns*
| eval field=case(index="msad" AND query="*debug*","msad",index="zscaler" AND query="debug.opendns.com","Zscaler", true(),"undefined")
| timechart span=1h count by field
In this situation, it defaults to undefined, which technically is all the events that I want labeled as msad, and I could change that to get the desired results, but I'm posting this question because I am trying to understand the functionality of this command more than finding a workaround.
To me, it's very frustrating that the case statement will work with the zscaler events, but not with msad no matter how I change the case statement. I would really appreciate someone explaining the disconnect I am experiencing.
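As an added example (not from this post or its thread), here is the same search with the msad branch rewritten so it can match. It assumes the same indexes and the `query` field shown above, and relies on the fact that the `=` operator inside `eval` is a literal string comparison in which `*` is not a wildcard (search-time wildcards only apply in the base search), so `query="*debug*"` only matches a value that is literally `*debug*`; the zscaler branch works because `debug.opendns.com` is an exact literal. A contains-style test in `eval` needs `like()` (with `%` as the wildcard) or a regex via `match()`:

```spl
(index=zscaler) OR (index=msad) query=*debug*opendns*
| eval field=case(
      index="msad" AND like(query, "%debug%"), "msad",
      index="zscaler" AND match(query, "^debug\.opendns\.com$"), "Zscaler",
      true(), "undefined")
| timechart span=1h count by field
```

The `match()` form for the zscaler branch is equivalent to the original exact comparison and is shown only so both wildcard-capable functions appear side by side.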
Syslog event timestamp not displayed in correct format with no_priority_stripping = true
Hi,
How do I display the correct syslog event timestamp in Splunk?
This is the syslog event timestamp when displayed in Splunk with no_priority_stripping=true:
2019-11-14T14:34:02-08:00
I want to display it like 11/14/2019 14:34:02
Below is the syslog event message.
<134>1 2019-11-14T14:34:02-08:00 CPM-1600-1-ECM-ITLAB server - - [meta sequenceId="39" enterpriseId="2634.1.17.16" vendorId="WTI"] CPM: CPM-1600-1-ECM-ITLAB, (AUDIT LOG) DATE-TIME: 11/14/19 14:34:02, USERNAME: super LOGOUT By /X SSH Port 22
host = CPM-1600-1-ECM-ITLAB source = udp:514 sourcetype = syslog
Looking forward to someone who can help resolve this issue.
Do I need to meet all course prerequisites to take a class?
I would like to take an advanced class that has course prerequisites.
Do I need to meet all requirements in order to register?
How to add text fields to a dashboard to specify a start and end time filter?
We have a dashboard and want to add text fields to enter a start date with time and an end date with time, say
(11/13/2019 08:00 PM - 11/14/2019 10:00 AM), so that the dashboard is updated according to the time period.
Support for Python 3?
Hello @starcher
Are you planning to upgrade your app to support Python 3 / Splunk 8.x.x?
It would be great.
Thanks.
error when executing samlpull command
I installed your app on a SHC with SAML (ADFS) configured.
When executing | samlpull, I get an error. Inside log, I see:
11-15-2019 09:23:26.615 ERROR ScriptRunner - stderr from '.../splunk/bin/python .../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py': Traceback (most recent call last):
11-15-2019 09:23:26.615 ERROR ScriptRunner - stderr from '.../splunk/bin/python .../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py': File ".../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py", line 33, in
11-15-2019 09:23:26.615 ERROR ScriptRunner - stderr from '.../splunk/bin/python .../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py': expected_saml_groups = saml_utils.pull_remote_saml()
11-15-2019 09:23:26.615 ERROR ScriptRunner - stderr from '.../splunk/bin/python .../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py': File ".../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml_utils.py", line 47, in pull_remote_saml
11-15-2019 09:23:26.615 ERROR ScriptRunner - stderr from '.../splunk/bin/python .../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py': if not authorization_conf_url.startswith("https"):
11-15-2019 09:23:26.615 ERROR ScriptRunner - stderr from '.../splunk/bin/python .../splunk/etc/apps/nhsd_all_prod_sh_adhoc_samlmanager/bin/saml-pull.py': AttributeError: 'NoneType' object has no attribute 'startswith'