How do I query all events with Windows ID 4738 for a specific user?
How do I query all events with ID 4738 for a specific user?
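Both posts ask the same thing, so one added search covers them. It is an example written here, not code from either poster; it assumes the Splunk Add-on for Microsoft Windows field names `EventCode`, `Account_Name` and `Message`, an index named `wineventlog`, and `jdoe` as a placeholder account name. Event 4738 ("A user account was changed") carries two Account Name values, the subject who made the change and the target account, so `Account_Name` is multivalued; the example assumes the classic-format message lists the subject first and the target second, which is worth confirming against one raw event before relying on it.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4738 Account_Name="jdoe"
| eval subject=mvindex(Account_Name, 0), target=mvindex(Account_Name, 1)
| where target="jdoe"
| table _time, host, subject, target, Message
| sort -_time
```

Dropping the `where` line returns every 4738 event in which `jdoe` appears in either role, which is the cheaper search if you only want to know the account was involved at all; the `sourcetype` filter keeps the search from scanning Application and System channels that never carry 4738.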
Trouble with Choropleth US Map
I am trying to generate a choropleth map of IPs in the US. I have already created one for countries of the world. For that I have successfully used:
| iplocation src_ip
| stats count by Country
| where Country!="United States"
| geom geo_countries featureIdField=Country
Great.
I want to create a new map of JUST the United States, and show IPs by state. I am having some trouble there. When I run:
|inputlookup geo_attr_us_states
I see that I have data. Ok.
When I run:
| iplocation src_ip
| where Country="United States"
| table clientip, status, City, State, Country
I see that I have a table that shows the cities and countries, but not the states for the IP addresses. I figure this might be an issue. Back when I ran the inputlookup, I see that the data I get back are state_code, state_fips, state_name. I try to run:
| iplocation src_ip
| where Country="United States"
| geom geo_countries featureIdField=state_name
And state_name is blank for all events.
The fact that Splunk knows the city name of the IP, would suggest that it should know the state as well...
I see on https://answers.splunk.com/answers/334780/can-someone-provide-an-example-for-geom-counts-bas-1.html that there is a comment suggesting that:
| iplocation src_ip
| where Country="United States"
| stats count by src_ip
| geom geo_us_states featureIdField=src_ip
Might work. And it looks like it almost does. But, geom is blank on the statistics tab.
Anyone know what I might be doing wrong?
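A search that produces the US state map, added here as an example rather than taken from the post or from Splunk's own documentation. It assumes `index=web` as a placeholder for wherever `src_ip` lives, and relies on two things I am confident of: `iplocation` writes the state or province name into a field called `Region` (not `State`), and the built-in `geo_us_states` feature collection is keyed by full state names, so `Region` is the field to hand to `featureIdField`.

```spl
index=web src_ip=*
| iplocation src_ip
| where Country="United States" AND isnotnull(Region)
| stats count by Region
| geom geo_us_states featureIdField=Region
```

`featureIdField` has to name a field whose values are feature ids from the chosen collection; an IP address can never match a state polygon, which is why `featureIdField=src_ip` leaves `geom` empty. The `stats count by Region` step is also what gives the map its colour value, in the same way `stats count by Country` did for the world map.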
Calculating the total time an extension has spent on calls vs. idle
(NOTE: I am posting this on behalf of a customer of ours who asked this of us a while back)
This is in Callmanager CDR. I need to calculate a kind of "non overlapping" duration for a set of VTC Calls. I don't want just the "total duration" of calls through the extension, but rather the total clock time that the number has been on 1 or more VTC calls, vs the total clock time that it has sat idle.
I can't figure it out. For a while we thought the difference might be to use the 'duration_elapsed' field instead of 'duration' and 'duration_total', but those didn't work out.
By the way, we are using the "Cisco CDR Reporting and Analytics" app for Cisco Unified Communications Manager.
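One way to compute the non-overlapping ("busy") time in SPL, added here as an example; it is neither the poster's nor the app's code. It assumes each CDR event's `_time` is the connect time and `duration` is the call length in seconds, that the number of interest appears in the raw CDR columns `callingPartyNumber` or `finalCalledPartyNumber` (the app may extract these under different names), and uses `index=cdr` as a placeholder. It goes slightly beyond the post by computing the figure for every extension at once rather than one.

```spl
index=cdr duration>0
| eval extension=mvappend(callingPartyNumber, finalCalledPartyNumber)
| mvexpand extension
| eval start=_time, end=_time+duration
| sort 0 extension start
| streamstats current=f max(end) as running_end by extension
| eval busy=case(isnull(running_end) OR start>=running_end, end-start,
                 end>running_end, end-running_end,
                 true(), 0)
| stats sum(busy) as busy_seconds, sum(duration) as summed_seconds, count as calls by extension
| addinfo
| eval window_seconds=info_max_time-info_min_time,
       idle_seconds=window_seconds-busy_seconds,
       busy_pct=round(100*busy_seconds/window_seconds, 1)
| fields - info_*
```

The idea is a sweep over calls sorted by start time: `running_end` is the latest end time of all earlier calls on the same extension (`current=f` excludes the current call), so a call only contributes the part that extends past it. Two fully overlapping calls therefore count once, a call that starts inside another contributes only its tail, and `summed_seconds` keeps the naive "total duration" alongside for comparison. `addinfo` supplies the search window so idle time is measured against the time picker rather than against the first and last call.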
What happens when hot buckets are not specified?
hi,
Can I please know what happens if maxHotBuckets is not specified? When will Splunk roll the buckets from hot to warm?
How to select one event from a transaction?
I need to group the events (in this case by JSESSIONID) and select the one with the max date.
I have the groups with the following query:
`date_month="march" date_mday>="25" date_mday<="26" | transaction JSESSIONID `
How can I get every transaction only with the newest event?
TKS!
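An added example of selecting only the newest event per session; it is not from the post. It keeps the poster's time filter and `JSESSIONID` field but drops `transaction`, which is not needed when only one event per group is wanted.

```spl
date_month="march" date_mday>=25 date_mday<=26 JSESSIONID=*
| dedup JSESSIONID sortby -_time
| table _time, JSESSIONID, _raw
```

`dedup` keeps the first event it sees for each `JSESSIONID`, and `sortby -_time` orders events newest first, so the survivor is the latest one. If you also need per-session counts or other aggregates, `stats latest(_time) as _time, latest(_raw) as _raw, count by JSESSIONID` does the same selection in one pass.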
In timechart, how do you display the average by field, but also show a total average?
Hi,
I have events from various projects, and each event has an eventDuration field.
I'm trying to visualize the following in the same chart:
1. the average duration of events for individual project by day
> ... | timechart span=1d avg(eventDuration) by project
2. the total average duration of events for all projects/events by day
> ... | timechart span=1d avg(eventDuration) as TotalAverage
But I'm having a hard time figuring out how to combine these,
so I can have the TotalAverage column from #2 added as the last column to the timechart from #1.
Maybe I'm missing something obvious, but I'm hoping someone can give me some pointers.
Thank you!
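An added example of combining the two, not code from the post; it assumes `index=projects` as a placeholder for the poster's base search and keeps their `eventDuration` and `project` fields.

```spl
index=projects eventDuration=* project=*
| timechart span=1d avg(eventDuration) by project limit=0
| appendcols
    [ search index=projects eventDuration=* project=*
      | timechart span=1d avg(eventDuration) as TotalAverage ]
```

`appendcols` pastes the subsearch's columns onto the outer result row by row, so the two pipelines must produce identical rows: same `span`, and the same time range (the subsearch inherits the outer time picker, so that holds here). `limit=0` stops `timechart` from folding projects beyond the tenth into an `OTHER` column. A single-pass alternative is `| eval project=mvappend(project, "TotalAverage")` before a plain `timechart ... by project`: `timechart` counts an event once for every value of a multivalue by-field, so every event also feeds the `TotalAverage` series, although the columns then come out in alphabetical order rather than with `TotalAverage` last.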
Grouping results in a table by IP address
I know I have bumped into this in the past, but I can't think of a good keyword to do a search on...
I have a search that produces a list of IPs; most have multiple content categories associated with them. I want to create a table where each IP is listed once, and all the content categories that are associated with that IP are listed with that IP. For example:
1.1.1.1 test1
1.1.1.1 test2
1.1.1.1 test3
1.1.1.2 test1
Would go into a table like:
1.1.1.1 test1
test2
test3
1.1.1.2 test1
I know that there is a way to cluster the results around the IP address. I just can't think of the right term to google. Anyone know what I should be searching for?
Can search head members and deployer run on the same LB?
Can the deployer and search head cluster members run on the same load balancer? I have a load balancer and the pool members behind the LB are search head members, including the captain. Can I have the deployer on the same load balancer or should I run it independently outside the LB?
Using per_second with summary index not working
I have a saved search:
source=/opt/app/workload/MCRRepo/*/*.csv | rex "(?.*),(?.*),(?.*),(?.*),(?.*),(?.*)" | search componentName=ServiceComponent* measurementName=transactionAttempts | sitimechart span=5m per_second(counterValue)
When I run the normal version of this query over a 24 hour period:
source=/opt/app/workload/MCRRepo/*/*.csv | rex "(?.*),(?.*),(?.*),(?.*),(?.*),(?.*)" | search componentName=ServiceComponent* measurementName=transactionAttempts | timechart span=5m per_second(counterValue)
I get per_second ranges of up to 7000 TPS which matches the expected range of my data. But when I run the query against the summary index using the query over a 7 day or longer period:
index=summary search_name="MCR_TPS" | timechart span=5min per_second(counterValue)
I get per_second ranges up to 200K. What am I missing? The TPS should still range up to 7000 TPS for each of the 7 days.
Windows 7 support
I was trying to download the universal forwarder for the Windows 7 32-bit OS, but I can see only Windows 8, 8.1 and 10.
Is Splunk supporting Windows 7? If I download the universal forwarder for Windows 8, will it take the data from a Window 7 system?
replace function for eval token problem
Hi Splunkers,
I was stuck with cutting part of a string for a drilldown value from a chart using the ``.
So I have values with names divided by a symbol from other values, and I need only the first part in the output for the drilldown page.
Obviously this won't work: replace('click.value',"(^[^\;]+)(.+)","\1")
And here's the workaround:
mvindex(split($click.value$, ";"),0)
But here's the question: is it planned to provide support for the replace function for eval tokens?
And also, can someone please provide a JS interpretation of the replace function for this case, because I've tried so much but with no success.
Finding a percentage for every value in another field
I am looking for source IPs that have a high percentage of being blocked. The evaluations below work fine if I use just one source IP. But I want to test multiple source IPs, and am not sure how to cycle through them. I know that Splunk has a foreach command. I am not sure how to cycle the testing SPL into the 'foreach loop'. (Or how to refer to the src variable for purposes of getting a total count.)
(src="1.1.1.1" OR src="1.1.1.2")
| stats count(eval(src="")) as totalCount,count(eval(result="blocked")) as blocked
| eval blockedPercent=blocked/totalCount*100
| where blockedPercent>50
| table src, blockedPercent
Anyone good at nesting this type of search?
I did find:
https://answers.splunk.com/answers/298931/how-to-calculate-percentage-for-each-category.html
But when I use:
(src="1.1.1.1" OR src="1.1.1.2")
| eventstats count(src) as total |stats count(eval(result="blocked")) as count by src |eval percent=round(count/total*100,2)
| table src,percent
I get a blank percentage. Not sure if I should stick with eventstats, or try a foreach...
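An added example of the per-source percentage, written here rather than taken from the post or the linked answer; it assumes `index=firewall` as a placeholder and keeps the poster's `src` and `result` fields. No `foreach` is needed: `by src` makes `stats` do the per-IP work, and the same `stats` call computes both the per-IP total and the blocked count, which is what the eventstats attempt was missing.

```spl
index=firewall src=*
| stats count as total, count(eval(result="blocked")) as blocked by src
| eval blockedPercent=round(100*blocked/total, 2)
| where blockedPercent>50 AND total>=20
| table src, blocked, total, blockedPercent
| sort -blockedPercent
```

The eventstats version returns a blank percentage because `stats ... by src` only emits its by-field and its aggregations, so the `total` that `eventstats` added to each event is gone by the time `eval` runs; either compute `total` inside the same `stats` (as above) or carry it through with `values(total) as total`. The `total>=20` floor is a constructed threshold to stop a source with one or two blocked events from showing as 100 percent; pick whatever minimum volume makes a ratio meaningful in your environment. Dropping `src=*` down to `(src="1.1.1.1" OR src="1.1.1.2")` restricts it to the two addresses in the post.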
Pie chart with 2 search results
Hi
Search
index=index1 word1 AND word2 | stats count as card | appendcols [search index=index1 word1 AND NOT word2 | stats count as mail ]
Result
card mail
123 99
Expected Result
card 123
mail 99
so I can see the results in a pie chart.
Thanks
nkk
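An added single-pass version that produces the two-row shape a pie chart needs; it is not from the post. It keeps the poster's `index1`, `word1` and `word2` as given and assumes `word2` is a plain keyword that `searchmatch` can test against the event.

```spl
index=index1 word1
| eval type=if(searchmatch("word2"), "card", "mail")
| stats count by type
```

Every event matching `word1` is classified once, so the two counts are the same as the `appendcols` result but arrive as rows rather than columns, which is the orientation the pie visualization wants. If you would rather keep the existing two-column search, appending `| transpose | rename column as type, "row 1" as count` flips it into the same shape.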
Form input issue - "duplicates values causing conflict..."
Hi,
I'm creating a form that uses a rest call to populate a multi-select, but it's failing with "duplicate values causing conflict", but I'm not sure why. The search works when it's run outside of the editor. Any suggestions?
Splunk search heads "waiting for data..."
I have an indexer cluster up and running receiving data from forwarders. I can confirm the indexer cluster is set up correctly both from the master dashboard (which shows all peer indexers as healthy and all indexes as searchable) and from running the various CLI commands to check cluster health.
I've integrated my search head cluster with the clustered indexers. I can confirm this by checking the dashboard on the search head captain, and it shows the indexers as present. The command line also shows all the search heads are part of the search head cluster and the host intended to be the captain as the elected captain.
So the forwarders are working and sending data. The indexers are working receiving that data and are clustered correctly. And the search heads are clustered together, identify the correct search head captain, and the captain shows the 12 indexers.
However, every one of the search heads say they are "Awaiting on data..." from the search page.
I seem to have forgotten some step in the setup. Anyone know what that might be?
How do I set up an alert action for sending an email (app certification)?
Hi Splunkers,
I am attempting to package my app for Splunk app certification. In app inspect it keeps failing on alert_actions.conf.
All I am trying to do is package up an action to send an email if a saved search has a number of results greater than one.
These are the app inspect errors I get.
Alert actions structure and standards
Check that each custom alert action has a valid executable.
FAILURE: No executable was found for alert action email
FAILURE: No executable was found for alert action custom_action
Check that icon files defined for alert actions in alert_actions.conf
exist. Custom Alert Action Component Reference
FAILURE: No icon_path was specified for [email].
FAILURE: No icon_path was specified for [custom_action].
Check that custom alert actions are user configurable with setup.xml
file.
MANUAL_CHECK: An setup.xml exists at default/setup.xml.
Check that each custom alert action has an associated html file.
FAILURE: No HTML file was found at default/data/ui/alerts/ for
/tmp/tmp5jtSeN/optiv_threat_intel/default/data/ui/alerts/email.html
FAILURE: No HTML file was found at default/data/ui/alerts/ for
/tmp/tmp5jtSeN/optiv_threat_intel/default/data/ui/alerts/custom_action.html
I can't find any useful documentation that walks through this using alert actions. Do I need to have an executable script now? Again, all I want to do is send an email using internal Splunk email functionality.
How to add header fields to an inputlookup CSV without a header
Hi guys, I am wondering if it is possible to add header fields to the search result if the CSV source doesn't have a header?
I know that props.conf is needed to set this up, but I am hoping that it can be done without making any change to the config.
Let's say my CSV is something like this:
> `user1, google.com, 2002, 23:32:08`
and if I do a search `| inputlookup filename.csv` it shows the results as field names instead of as results.
So I want to have something like:
> username website hits date
> user1 google.com 2002 23:32:08
Thanks.
Splunk SAML SSO MetadataExchange
It is possible to set up ADFS to automatically refresh SAML metadata using an endpoint.
Splunk has such an endpoint according to the docs (/saml/spmetadata), but it looks like it doesn't allow anonymous access.
Is there any way to exclude this path from authentication?
And the other way around, is it possible to have Splunk automatically refresh the IDP metadata?
This would enable the Splunk SSO setup to automatically refresh rollover certificates.
Indexer cluster - Cluster Master behavior
Hi,
There are some docs about Cluster Master (CM) restart during an error when the Replication Factor (RF) is greater than the count of accessible indexers: https://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Restartindexing
Can this blocking happen in a single-site architecture? E.g. RF=2 and there are 2 indexers. One indexer goes down and a little later the CM restarts?
One of our customers is planning to install a deployment with a 2-node indexer cluster, RF=SF=2.
Are there other things that need attention with this deployment?
Regards,
István
How to edit my transaction search so that it will only return grouped results?
This seems like it would be easy to figure out through search but I'm coming across a dead end.
I have a transaction and I want to ONLY return the grouped results, not the ones that don't find a match as well.
xyz0024 OR xyz0019 fooxyz source="/company-logs/abc/current/abc.log" NOT (type=pa) | transaction field1 maxpause=3s
Thanks
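An added example, not the poster's code, of keeping only the transactions that actually grouped something. It uses the search terms and `field1` exactly as given in the post, with parentheses added around the OR only for readability.

```spl
source="/company-logs/abc/current/abc.log" (xyz0024 OR xyz0019) fooxyz NOT (type=pa)
| transaction field1 maxpause=3s
| where eventcount>1
| table _time, field1, eventcount, duration
```

`transaction` adds `eventcount` (number of events folded into the group) and `duration` (seconds between its first and last event) to every result, so a single unmatched event shows up as `eventcount=1` and the `where` clause discards it. If the log is large, `| transaction field1 maxpause=3s keepevicted=false` is the default already; what you cannot do is filter before `transaction`, because whether an event has a partner is only known after grouping.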