Channel: Questions in topic: "splunk-enterprise"

How to configure a forwarder to forward only today's events and ignore the remaining events

I have 20 days of events in one log file but I want to monitor today's events only. I tried the stanza below but it did not work as I expected:

[monitor:///xx/xxx/x.log]
disabled = false
index = xxx
sourcetype = access_combined
ignoreOlderThan = 0d

Connect Splunk add-on for JMX with JBoss WildFly

Hi, I tried to use the Splunk add-on for JMX with JBoss but I have this error:

com.splunk.modinput.ModularInput -1380800 [Thread-2] ERROR - Exception@checkConnector, e= java.net.MalformedURLException: Unsupported protocol: remote+http
at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:359)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:269)
at com.splunk.jmx.ServerTask.connect(Unknown Source)
at com.splunk.jmx.ServerTask.checkConnector(Unknown Source)
at com.splunk.jmx.Scheduler.run(Unknown Source)

The JMX service URL is: **service:jmx:remote+http://localhost:10090**. I copied the files jboss-cli-client.jar and jboss-client.jar to the folder ....../apps/Splunk_TA_JMX/bin/lib. I am able to connect with JConsole. Can you help me please? Thanks

Output - IPs with just the first three octets

I have the command below to extract the top 100 IP addresses. How can I modify the query to extract only the first three octets of the IP address instead of the whole address?

sourcetype="cisco:asa" | top limit=100 src_ip

Internal mechanism of how the license works

What is the mechanism behind Splunk that lets Splunk calculate the license? For example, if I am forwarding the data to the indexer, the indexer is indexing the data, and Splunk is checking how much data is indexed against the license: that mechanism I know. But what I want to ask is what internal mechanism is followed in the back end. For example, if my indexer indexed 2 GB of data and my license capacity is 10 GB, where are the two values being compared? Does Splunk store the remaining 7 GB of license capacity somewhere in a conf file, or something else? Splunkers, I repeat: how the license works I know. What I am asking is what the internal mechanism is.

Which is the correct add-on to make eStreamer data CIM Compatible?

Hi, We recently upgraded to the latest eStreamer eNcore app from Cisco (https://splunkbase.splunk.com/app/3662) and are also using the new dashboard for the same (https://splunkbase.splunk.com/app/3663), although neither of them lists any CIM versions under the compatibility section. The only add-on for eStreamer which does list CIM compatibility is https://splunkbase.splunk.com/app/1808 (built by Splunk, not Cisco). Is this still the correct add-on to be used for adding CIM compatibility to Sourcefire data pulled by the eStreamer eNcore app? Thanks, ~Abhi

How to access a field name using a variable?

My Splunk results are returning multiple fields, including the fields Sunday, Monday, Tuesday ... Saturday. Now my requirement is: if today is Sunday I want to access the value of the field named Sunday, if today is Monday I need to access the value of Monday, and so on. Can someone help me with how to access the value of a field using a variable?

Bro IDS message: pcap_monitor Unable to locate suitable script for introspection

Hello, I am running Splunk Enterprise 6.6.2 with a 10-indexer cluster. I have the Splunk Add-on for Bro IDS v3.2.0 installed on a heavy box. When I need to reboot my 10 indexers, each indexer shows a message (see below). Has anyone else seen this and, if so, is there a way to disable this message? ![alt text][1]

[1]: /storage/temp/210685-capture.jpg

Search for a hex string

I am trying to do a search for a number of strings that are hex encoded. For example, http would be stored as 68747470. However, I am having an issue in that nothing is pulled up. For example, if I search: wscript.exe 68747470 nothing pulls up. However, if I search: wscript.exe 68747470* it works. I suspect that the hex characters are being converted to a string with the wildcard, but since I have multiple ones I want to search for, I don't think that would be very efficient. Any suggestions for how to search for just the hex-encoded string as stated?

Universal Forwarder App whitelist

Hi, I installed the universal forwarder agent on some servers for monitoring and would like to add a whitelist filter on the Windows security events. When I add the "whitelist" line in the inputs.conf file in C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local on the server where I installed the agent, the filter works. As it is configured, I need to edit all the inputs.conf files on the servers where I installed the agent to add the whitelist. Is there any way to replicate the whitelist settings from the deployment server? Thanks.

Root can't create /var/log files

This is the first time this has come up. When running the following command as root:

(10:07:49) root@servername:/opt/splunkforwarder/bin --> ./splunk enable boot-start -user splunk
Warning: cannot create "/opt/splunkforwarder/var/log/splunk"
Warning: cannot create "/opt/splunkforwarder/var/log/introspection"
First-time-run has not finished. Ignore this error when previewing migration - exiting.

Any idea what could be causing this? Root permissions should have what's needed to create the var/log/ files.

How to hide HTML in a panel using multiple tokens

Hello, I have a panel with a tag like this: ....text.... I have two tokens based on different searches in the dashboard. I want the HTML to be hidden when **both** tokens are set. How can I do this? Thanks.

How to perform math on a field extracted where there were multiple matches

Hello, I have a log entry with a variable number of possible matches with my regex. I had to use max_matches to get them all. For the rows that only have a single match, I can perform math on them, like round() or +1; however, for the rows where there are multiple matches, I am unable to manipulate those matches, and when I try it results in a null value being displayed. How can I perform math on inline field extractions where there are multiple matches? Chris

Rangemap in Glass Table (Splunk ES)

Currently I'm having an issue displaying colors correctly using a Glass Table in Splunk ES. It's working as designed in Splunk core, but apparently the rangemap command is not working or cannot be used in ES. I'm trying to show the status of a system by having it display "Up" in green when a system is active, then "Down" in red when it's not. Currently in the glass table I can only get them to display the text while the color remains black. My code is below. Any ideas?

index=_internal sourcetype=splunkd component=DistributedPeerManager uri=slpsplnkshl01.unix.magellanhealth.com:8089 status=* earliest=-30m@m latest=now
| stats count by uri
| appendpipe [stats count | eval count=0 | where count==0]
| table count
| rangemap field=count low=0-0 severe=1-10000
| eval count=case(count=0,"OK",count>=1,"DOWN")
| head 1

Feature importance in Splunk Machine Learning App / Toolkit

Hello, Maybe it is an easy one and I just did not see it. Basically, I am running the machine learning app to predict a categorical field (OK/NOK). It worked smoothly and I got some nice predictions. So far so good. But now, of the hundreds of parameters that I added to predict this categorical field, how do I know which ones are the most important features? In Python with scikit-learn, I would do something like this:

import numpy as np
import matplotlib.pyplot as plt

importances = classifier.feature_importances_
indices = np.argsort(importances)
features = dataset.columns[0:26]
plt.figure(1)
plt.title('Feature Importances')
plt.barh(range(len(indices)), importances[indices], color='b', align='center')
plt.yticks(range(len(indices)), features[indices])
plt.xlabel('Relative Importance')

However, I would prefer using the Splunk interface (my Python skills are pretty limited), so my question: did I miss this option in the app? If not, can I use the results of Splunk in the Python script (e.g. how to get the feature_importances_ as arguments for the script)? Thanks

Summary indexing + index-time fields

I am trying to write a table to a summary index. I have been able to write it with the sumindex command:

index="baseIndex"
| table field1,field2,field3
| sumindex index="indexExample" host="sample" sourcetype="Create_summery_index" source="Create_summery_index"

I have 2 questions:

1. Is it possible to give a calculated host/source (for example | sumindex index="indexExample" host=field3)?
2. Is it possible that all the table fields will be index-time fields? My base index is extremely big (500 GB) and the sumindex command running in the background to aggregate the results is working fine, but even the aggregation table is big (25 GB) and I am hoping that I can use the tstats command instead of a regular search. Right now I am creating an accelerated report on the table but I believe that there is a better way. Thank you

Can you disable Splunk from prompting for a Splunk username and password?

We have a splunk service account, but you're only supposed to be able to su to splunk. It's not supposed to allow actual sign-ons. I've done passwd on the splunk account, but when attempting ./splunk add forward-server servername.domainname:9997 it keeps prompting me for a Splunk username and credentials. Is it best practice to assign this account credentials? Does anyone know how to bypass the credential prompting?

Coalesce not working in props.conf?

Hi, I have a TA where my props.conf has an EVAL with a coalesce of 3 fields, which doesn't work for some reason. Of the 3 fields, only the third field ever has a value. For a small portion of the events (10%), the coalesce is able to EVAL the field. When I'm running the same coalesce in an inline search, it works fine, covering all the occurrences of the fields which were specified as arguments of the function. What am I doing wrong in the TA? I was thinking about some precedence/ordering mistake with extractions and eval, but the field which is used as an argument of the coalesce is coming from KV_MODE = auto. The interesting thing: as technically I'm using only one field from the three arguments of coalesce, I've tried changing this to a FIELDALIAS instead of an EVAL, which results in the same coverage of events (10%) as the original coalesce.

Need to customize bubbles to pushpins on a cluster map

Currently values are showing in bubbles (red, yellow and green according to the threshold values). I need to change the bubbles/dots to pushpin icons. Current map. Expected result is to show pushpins on the map ![alt text][1]

[1]: /storage/temp/210687-map-pin.jpg

Is there a REST API for a rolling restart on the Search Head Cluster captain?

Hello, I am trying to find a REST API call to do a rolling restart on the Search Head Cluster captain so that I can schedule a curl command. Thanks in advance,

Updating the 'GeoLite2-City' database in SH cluster and Index cluster

I have an IP (216.3.51.108) that I'm trying to geolocate, but the City and Region fields are returning as null. When I geolocate using the MaxMind [GeoIP2 City Database Demo][1], I get all the values I expect. In reading the documentation for the `iplocation` command I came across the instructions for updating the database. But the instructions aren't quite clear on whether I need to update the database on the SH cluster or the index cluster (or both). There is a paragraph stating that you /can/ update on the indexer, but to me this is different from saying you /must/. What are the steps to update the GeoIP database in a distributed cluster? I actually did it on both but this did not change my results, so I must be doing it wrong.

[1]: https://www.maxmind.com/en/geoip-demo