Splunk query for Uptime and Downtime?
Hi Folks,
Can anyone please help in forming the query for internal Splunk components' uptime and downtime reporting? I found a similar one, but this gives only uptime:
| rest /services/server/info | eval LastStartupTime=strftime(startup_time, "%Y/%m/%d %H:%M:%S")
| eval timenow=now()
| eval daysup = round((timenow - startup_time) / 86400,0)
| eval Uptime = tostring(daysup) + " Days"
| table splunk_server LastStartupTime Uptime
↧
Sum of the values for last 24 hours is bigger than for the last 7 days
Hi, I have a slightly strange problem. I have indexed events in _json format. One attribute, "value", is a big float number. If I run stats sum(value) as value_sum for the last 24 hours, the number is bigger than for the last 7 days.
Number of events:
last 24 hours: 142.645
last 7 days: 1.497.974
The value moves between 70 and 200.
Can you help me, please, with where the problem could be?
↧
Customize and Style Navigation Menu - Move that from Top to the Side with a Hamburger Menu Option
How can I customize and style my navigation bar to move it from the top to the left, with a hamburger option to expand and see the navigation views and an option to collapse it? What I mean is:
Click on the hamburger icon, and the nav bar slides in from left to right.
Click on the collapse button, and the nav bar slides back from right to left.
Is there a model using JavaScript & CSS to achieve this? I couldn't find any in the community.
↧
Line breaking on JSON logs
Hi Guys,
Can anyone please help me with line breaking for the below JSON log?
{
"totalSize" : 473,
"done" : true,
"records" : [ {
"attributes" : {
"type" : "SetupAuditTrail",
"url" : "/services/data/v48.0/sobjects/SetupAuditTrail/0"
},
"Action" : "deactivateduser",
"CreatedByContext" : null,
"CreatedById" : "0052v00000",
"CreatedByIssuer" : null,
"CreatedDate" : "2020-05-18T03:35:57.000+0000",
"DelegateUser" : null,
"Display" : "Deactivated user xyz",
"Id" : "0Ym2j0000012ACtCAM",
"Section" : "Manage Users",
"ResponsibleNamespacePrefix" : null
}, {
"attributes" : {
"type" : "SetupAuditTrail",
"url" : "/services/data/v48.0/sobjects/SetupAuditTrail/0Ym2j00000"
},
"Action" : "changedUserEmailVerifiedStatusVerified",
"CreatedByContext" : null,
"CreatedById" : "0052v00000",
"CreatedByIssuer" : null,
"CreatedDate" : "2020-05-18T05:51:45.000+0000",
"DelegateUser" : null,
"Display" : "For user xyz@xyz.com, the User Verified Email status changed to verified",
"Id" : "0Ym2j00000",
"Section" : "Manage Users",
"ResponsibleNamespacePrefix" : null
}, {
"attributes" : {
"type" : "SetupAuditTrail",
"url" : "/services/data/v48.0/sobjects/SetupAuditTrail/0Ym2j00"
},
"Action" : "changeApplicationContactEmail",
"CreatedByContext" : null,
"CreatedById" : "00000",
"CreatedByIssuer" : null,
"CreatedDate" : "2020-05-18T06:08:08.000+0000",
"DelegateUser" : null,
"Display" : "Changed Connected App Contact Email from none to xyz@xyz.com",
"Id" : "0Ym2j0",
"Section" : "Application",
"ResponsibleNamespacePrefix" : null
}, {
↧
stats count or eval
I am trying to make an overview with different counts. The message always starts with:
logger="blahblah-main.Start*"
Some will go into error, and then they will appear with:
logger="blahblah.Exception"
The difficult thing is that I want the unique IDs, so some messages will have a retry in both loggers. I tried to use dedup, but then I will miss messages when they are in both loggers. I hope someone can make sense of my question....
search.... logger="blahblah-main.Start*" OR logger="blahblah.Exception" | dedup message.MessagId | dedup message.BusinessId | chart count by logger
↧
VMware App: Not all Snapshots are listed
Hi,
I'm using the Splunk App for VMware version 3.4.5 and am facing an issue with the Virtual Machine Snapshot dashboard. Only some of the snapshots are listed, so I'm missing snapshots for most of my virtual machines.
If I expand the time range (e.g. 7 days), still not all snapshots are listed.
Is someone dealing with the same problem?
Best,
Sebastian
↧
The REST API add-on works with version 1.5.3, but when I upgrade to 1.8.1 or 1.8.2 the data stops being ingested into Splunk. Any idea why?
I've got about 10 or 12 REST API inputs set up in the add-on that are all working fine with 1.5.3 but stop working whenever I upgrade the add-on to 1.8.X.
Is there anything I need to be changing to make it work? I'm on Splunk 7.3.1 currently with RHEL 7.4.
↧
generate a list of unique hashes and append new hashes hourly
I would like to take the following search that generates the hashes and outputs the lookup:
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" Image=* | fields Hashes | eval hash=split(Hashes,",") | mvexpand hash | dedup hash | rex field=hash "(?<hashtype>[^=]+)" | rex field=hash "=(?<hash>[^=]+)" | table hash | outputlookup append=true hashes.csv
The output of the hashes.csv looks like this:
hash
29B7D02A3B5F670B5AF2DAF008810863
96BEC668680152DF51EC1DE1D5362C64C2ABA1EDA86F9121F517646F5DEC2B72
D7AB69FAD18D4A643D84A271DFC0DBDF
FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
601BDDF7691C5AF626A5719F1D7E35F1
4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354
9D59442313565C2E0860B88BF32B2277
How do I now take the hashes.csv and constantly add new unique hashes to it?
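An added example, not from the original post: Sysmon writes Hashes as a comma-separated list of ALGO=HEX pairs, and an hourly job that only appends (outputlookup append=true) grows duplicate rows. This Python stand-in parses that format, merges the hour's hashes into the existing lookup without duplicates, and returns the first-seen hashes, which is the set worth alerting on; the sample values and the per-algorithm length table are constructed here.

```python
import csv
import io
import re

# Expected hex length per algorithm name as Sysmon writes it (assumed table).
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMPHASH": 32}


def parse_hashes(field):
    """Split one Sysmon Hashes value ('ALGO=HEX,ALGO=HEX,...') into {algo: hex}.

    Pairs that are not ALGO=HEX, or whose digest length does not fit the
    algorithm, are dropped so that junk never lands in the lookup.
    """
    out = {}
    for part in field.split(","):
        m = re.fullmatch(r"\s*([A-Za-z0-9]+)=([0-9A-Fa-f]+)\s*", part)
        if not m:
            continue
        algo, digest = m.group(1).upper(), m.group(2).upper()
        if HEX_LEN.get(algo) == len(digest):
            out[algo] = digest
    return out


def merge_lookup(existing_csv, hash_fields):
    """Return (updated_csv, newly_seen).

    existing_csv is the current hashes.csv (one 'hash' column); hash_fields are
    the Hashes values from the latest search window.  This is the equivalent of
    '| inputlookup append=true hashes.csv | dedup hash | outputlookup hashes.csv'
    (no append=true on the write), plus the list of hashes never seen before.
    """
    known = {row["hash"] for row in csv.DictReader(io.StringIO(existing_csv))}
    newly_seen = []
    for field in hash_fields:
        for digest in parse_hashes(field).values():
            if digest not in known:
                known.add(digest)
                newly_seen.append(digest)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["hash"])
    for digest in sorted(known):
        writer.writerow([digest])
    return buf.getvalue(), newly_seen


# Constructed sample data: an existing lookup and one hour of Hashes values.
EXISTING_CSV = "hash\n" + "AA" * 16 + "\n" + "BB" * 32 + "\n"
HOUR_OF_HASHES = [
    "MD5=" + "AA" * 16 + ",SHA256=" + "CC" * 32,   # the MD5 is already known
    "SHA256=" + "CC" * 32 + ",IMPHASH=notahash",   # IMPHASH pair is junk
    "MD5=" + "DD" * 16,
]

if __name__ == "__main__":
    updated, new = merge_lookup(EXISTING_CSV, HOUR_OF_HASHES)
    print(updated)
    print("first seen this hour:", new)
```

Running the merge a second time with the same input returns an unchanged lookup and an empty first-seen list, which is what makes it safe to schedule hourly.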
↧
How to display count of two different fields with different values?
Hello all, I'm having difficulties figuring out how to output 2 separate counts for 2 separate fields.
index=email spf="fail*" OR dkim="fail*"
| dedup message_id
| stats count BY spf, dkim
Attempting to return a single count of the unique logs that contain spf="fail" and a single count of the unique logs that contain dkim="fail":
spf dkim
14 75
↧
Combining two alerts into one condition
Hi All,
Actually I have a conflict while sending the alert. Please consider the scenario below:
1. Detecting and sending an alert whenever a server gets disconnected from the network.
2. After the server gets connected to the network, I have configured one more alert condition for a successful connection.
Now I want to merge these two alerts into one alert condition, like below.
For example:
First the server gets disconnected for 30 mins and Splunk will send the alert,
and after a successful reconnection the alert has to be sent to the user by using one alert condition.
Can you please help me out with how to merge two alert conditions into one condition.
Thanks.
Kishore
↧
Cannot download Splunk License from Web support portal
I cannot download Splunk License from Web support portal.
It shows the error "You do not have the level of access necessary to perform the operation you requested."
![alt text][1]
![alt text][2]
[1]: /storage/temp/291952-splunk-license.jpg
[2]: /storage/temp/291953-download-error.jpg
↧
Need help to create bubblechart (if even possible)
I am trying to create a bubble chart based on the search below. I have tried different methods to create something similar to the edited bubble chart image below, but with no success so far. I hope someone here can possibly help me achieve this, if it is even possible?
I can see that I would probably need to get the event codes in their own columns, and the same with the count... but how?
![My search][1]
![Bubblechart][2]
[1]: /storage/temp/290900-search.png
[2]: /storage/temp/290901-bubblechart.png
↧
Splunk MINT SDK 5.2.7 iOS App Store warning ITMS-90809: Deprecated API Usage
I have added the Splunk MINT SDK 5.2.7 into our mobile project and tried to submit a build to the iOS App Store, but it's throwing an error: ITMS-90809: Deprecated API Usage - New apps that use UIWebView are no longer accepted. Instead, use WKWebView for improved security and reliability.
↧
LINE_BREAKER with INDEXED_EXTRACTIONS does not work
Hello Splunk TEAM,
I have a question.
I have this data:
{
"@odata.context":"https://app.inlooxnow.de/odata/$metadata#workpackageview","value":[
{
"PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
But when I download this data from the REST API in JSON format with sourcetype _json, I get all the events in one event.
I need to break this event into multiple events and extract the fields.
I tried to use this:
props.conf
pulldown_type = true
LINE_BREAKER = (\},{)
KV_MODE = none
category = Structured
SHOULD_LINEMERGE = false
And the data breaks correctly with (\},{), but not one value is extracted to a field.
![alt text][1]
And when I try to extract data from the events I can't, because it never passes when I check the regular expression and click on the event which I need to extract; after that it looks stuck.
![alt text][2]
I tried to use
INDEXED_EXTRACTIONS = json
But nothing works.
Please, I need a hand!!
[1]: /storage/temp/291956-splunk-broken.png
[2]: /storage/temp/291957-stuck.png
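An added check for this post and for the Salesforce SetupAuditTrail line-breaking question earlier on the page (example code, not from either post): it emulates how Splunk applies LINE_BREAKER, which breaks the stream at the first capturing group and discards only that group's text, so `(\},{)` throws away both braces and leaves fragments no JSON parser accepts, while `\}(,\s*)\{` keeps them. The two samples are constructed stand-ins for the posted responses, and the unwrap rules play the role of SEDCMD-* entries that strip the array wrapper off the first and last event.

```python
import json
import re

# Constructed stand-in for the Salesforce SetupAuditTrail response posted above.
SF_SAMPLE = (
    '{ "totalSize" : 2, "done" : true, "records" : [ {\n'
    '"attributes" : { "type" : "SetupAuditTrail" },\n'
    '"Action" : "deactivateduser", "Id" : "REC1"\n'
    '}, {\n'
    '"attributes" : { "type" : "SetupAuditTrail" },\n'
    '"Action" : "changeApplicationContactEmail", "Id" : "REC2"\n'
    '} ] }'
)

# Constructed stand-in for the OData workpackageview response in this post.
ODATA_SAMPLE = (
    '{\n"@odata.context":"https://example.invalid/odata/$metadata#wp","value":[\n'
    '{\n"PlanningReservationId":"1","IsDone":false,"Name":"A"\n},{\n'
    '"PlanningReservationId":"2","IsDone":true,"Name":"B"\n}\n]}'
)


def split_events(raw, line_breaker):
    """Emulate Splunk LINE_BREAKER: break at capture group 1, drop only its text."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])  # text before the group stays put
        start = m.end(1)                      # text after it opens the next event
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def apply_sedcmds(events, sedcmds):
    """Emulate SEDCMD-* rules, which Splunk applies per event after breaking."""
    out = []
    for e in events:
        for regex, repl in sedcmds:
            e = re.sub(regex, repl, e, flags=re.S)
        out.append(e)
    return out


def count_valid_json(events):
    """Events a JSON parser accepts; only these yield fields with KV_MODE=json."""
    ok = 0
    for e in events:
        try:
            json.loads(e)
            ok += 1
        except json.JSONDecodeError:
            pass
    return ok


# The posted regex: both braces sit inside the group, so both are discarded.
POSTED = r"(\},\s*\{)"
# Keep the braces; discard only the comma (and whitespace) between objects.
FIXED = r"\}(,\s*)\{"
# SEDCMD equivalents that strip the array wrapper off the first and last event.
UNWRAP_SF = [(r'^\{[^\[]*"records"\s*:\s*\[\s*', ""), (r"\s*\]\s*\}\s*$", "")]
UNWRAP_ODATA = [(r'^\{[^\[]*"value"\s*:\s*\[\s*', ""), (r"\s*\]\s*\}\s*$", "")]


def compare(raw, unwrap):
    """(valid events with POSTED, valid events with FIXED + unwrap, total events)."""
    posted = split_events(raw, POSTED)
    fixed = apply_sedcmds(split_events(raw, FIXED), unwrap)
    return count_valid_json(posted), count_valid_json(fixed), len(fixed)
```

In props.conf the working form is LINE_BREAKER = \}(,\s*)\{ with SHOULD_LINEMERGE = false and search-time KV_MODE = json, plus SEDCMD-* rules matching the two unwrap regexes.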
↧
What is the usage of "(?msi)" in Splunk with the rex command?
Hi,
I am having some problem understanding the usage of "(?msi)" with the rex command. Please help me regarding that.
↧
Multiselect: value's prefix and suffix not working
Hi Splunk colleagues,
I'm having a problem with multiselect in my dashboards. Here's the code of the multiselect:
BAP BAP | search BAP IN("$form.bap$") | dedup BAP | table BAP " " , Todos ( )
The thing is that if I pass information through this token (form.bap) the value's prefix and suffix are not appearing and my searches are returning no results. This is how I look for the information in the token on my searches:
| search BAP IN("$form.bap$")
And this is how it appears (in this case, the values that I'm selecting are "BI" and "Core"):
| search BAP IN ("BI,Core")
As you can see, no quotes are added between the two values, therefore no results are found. I tried to change the way I look for the information in the token (just with | search $form.bap$ and adding the "BAP IN" part in the prefix), but it's not working either.
If you need more information about this or if the explanation is not as clear as possible, let me know!
Thanks in advance,
↧
Event type creation and AI
We categorize log events using event types and assign them to people to address the issues using tags.
Our events are generally exception stack traces (Java).
Our event types are basically a search by two fields (source and message).
What we do now is look for events which don't match any existing event type and create a new event type for them.
What we would like to do is automate the event type creation process.
We have a volume of event types we have already created as learning material.
Is there any type of AI integration for this purpose in Splunk?
↧
Sending Meraki Alerts to Splunk HEC Endpoint
I am trying to send Meraki alerts to the Splunk HEC endpoint.
Please refer to this URL to understand how we send Meraki alerts to receiving services: https://developer.cisco.com/meraki/webhooks/#!introduction/overview
I need to specify the Splunk endpoint and the shared secret in the Meraki webhook alert page, as expected by Meraki. Here are the details:
**Webhook URL** : Splunk Public Endpoint DNS(Backend will be heavy forwarder:8088)/services/collector/raw
**Shared Secret** : HEC token in that Heavy forwarder
Now when I hit the test option, the Meraki alerts are not flowing into Splunk, and on detailed Splunk log analysis we get the below error in our splunkd.log:
*06-03-2020 17:12:23.556 +0200 ERROR HttpInputDataHandler - Failed processing http input, token name=n/a, channel=n/a, source_IP=****, reply=2, events_processed=0, http_input_body_size=878*
I can see that Meraki is not able to send the shared secret key with the Splunk token embedded and hence it is failing; any suggestion on fixing this would be of great help.
↧
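An added example, not from the original post: a small parser for the HttpInputDataHandler lines quoted above that maps the numeric reply code to its HEC meaning (reply=2 is "Token is required", i.e. the request reached HEC with no token at all, consistent with the poster's diagnosis) and counts failures per sender, the kind of check worth running over splunkd.log when a webhook integration goes quiet. The log lines are constructed here with documentation-range IP addresses.

```python
import re
from collections import Counter

# Constructed splunkd.log lines in the format quoted in the post; the
# source_IP values are documentation-range placeholders, not real senders.
SAMPLE_LOG = """\
06-03-2020 17:12:23.556 +0200 ERROR HttpInputDataHandler - Failed processing http input, token name=n/a, channel=n/a, source_IP=203.0.113.10, reply=2, events_processed=0, http_input_body_size=878
06-03-2020 17:12:31.102 +0200 ERROR HttpInputDataHandler - Failed processing http input, token name=n/a, channel=n/a, source_IP=203.0.113.10, reply=2, events_processed=0, http_input_body_size=880
06-03-2020 17:13:05.410 +0200 ERROR HttpInputDataHandler - Failed processing http input, token name=meraki_hec, channel=n/a, source_IP=203.0.113.22, reply=6, events_processed=0, http_input_body_size=512
06-03-2020 17:13:09.001 +0200 INFO  ExecProcessor - constructed unrelated line
"""

# Reply codes the HTTP Event Collector returns (the first eight, per the HEC docs).
HEC_REPLY = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ERROR "
    r"HttpInputDataHandler - Failed processing http input, "
    r"token name=(?P<token>[^,]+), channel=(?P<channel>[^,]+), "
    r"source_IP=(?P<ip>[^,]+), reply=(?P<reply>\d+), "
    r"events_processed=(?P<events>\d+), http_input_body_size=(?P<size>\d+)\s*$"
)


def parse_hec_failure(line):
    """Parse one HttpInputDataHandler failure line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reply"] = int(rec["reply"])
    rec["reason"] = HEC_REPLY.get(rec["reply"], "unknown reply code")
    # token name=n/a together with reply=2 means no token reached HEC at all:
    # the sender did not put it in an 'Authorization: Splunk <token>' header.
    rec["no_token_sent"] = rec["token"] == "n/a" and rec["reply"] == 2
    return rec


def failures_by_sender(log_text):
    """Count HEC failures per (source_IP, reason) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_hec_failure(line)
        if rec is not None:
            counts[(rec["ip"], rec["reason"])] += 1
    return counts


if __name__ == "__main__":
    for (ip, reason), n in failures_by_sender(SAMPLE_LOG).most_common():
        print(f"{ip:>15}  {reason:<22}  {n}")
```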