Hi All, currently we are facing a problem getting the Symantec ATP logs from the heavy forwarder to the indexer instances. We have configured Symantec ATP logs to be collected via HTTP Event Collector using the "our Company ATP" setting configured on the test01 heavy forwarder instances.
**Exact Problem**: Unable to get the Symantec ATP logs from the Heavy Forwarder to the indexer instances, but we are getting the data from the ATP host to the Heavy Forwarder instances.
From the ATP host 10.x.x.x the data is reaching the Heavy Forwarder instance; we confirmed this by executing the below command on the HF instance, and we are getting the data.
`tcpdump -nvvA host 10.x.x.x`
When the same `tcpdump -nvvA host 10.x.x.x` was executed on the Indexer instance, we did not get the data.
Kindly guide me on where to start investigating this issue in order to fix it.
Thanks in advance
↧
Unable to get the Symantec ATP logs from the heavy forwarder to the indexer instances. How do I troubleshoot this issue?
↧
Help to remove brackets and commas from data, sort into a CSV, and dedup
I have data which looks like the following:
[000003074859, 000003075752, 000003224575, 000003228286, 000003235217, 000003246379, 000003246434, 000003246725, 000003246934, 000003248574]
[0010242946, 0002363081, 000006459131, 0010275565, 000000430019, 000000465470, 000000465546, 000003228900, 000003616661, 000003648249]
I would like to:
1) Remove the brackets and commas
2) Change the CSV into one row per entry
3) dedup
So, the final data would look like:
000003074859
000003075752
000003224575
....................
Thank you very much in advance
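One way to do the three steps (strip brackets and commas, one entry per row, dedup) outside of Splunk, as an added example that is not part of the original post; the first two rows are the poster's data, the third row is constructed so the dedup step has something to remove:

```python
"""Flatten bracketed, comma-separated ID lists into one unique ID per row."""
import csv
import io
import re

# Constructed sample input: the two rows from the question plus a third,
# added here only to exercise dedup (it repeats one ID from each row).
RAW_ROWS = """\
[000003074859, 000003075752, 000003224575, 000003228286, 000003235217, 000003246379, 000003246434, 000003246725, 000003246934, 000003248574]
[0010242946, 0002363081, 000006459131, 0010275565, 000000430019, 000000465470, 000000465546, 000003228900, 000003616661, 000003648249]
[000003074859, 0010242946]
"""

# IDs are digit runs with significant leading zeros: keep them as strings,
# never int(), or 000003074859 silently becomes 3074859.
ID_PATTERN = re.compile(r"\d+")


def extract_ids(text: str) -> list[str]:
    """Step 1: drop brackets, commas and whitespace by keeping only digit runs."""
    ids = []
    for line in text.splitlines():
        ids.extend(ID_PATTERN.findall(line))
    return ids


def dedup_keep_order(ids: list[str]) -> list[str]:
    """Step 3: remove duplicates while preserving first-seen order (set() would not)."""
    seen = set()
    unique = []
    for value in ids:
        if value not in seen:
            seen.add(value)
            unique.append(value)
    return unique


def to_csv(ids: list[str]) -> str:
    """Step 2: one ID per row, no header, so it loads as a single-column CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for value in ids:
        writer.writerow([value])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(dedup_keep_order(extract_ids(RAW_ROWS))), end="")
```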
↧
↧
How do you change background color for Trellis visualization by label (not by value)?
I have some Trellis single value visualizations, but I need to change the background color of each Trellis depending on the label, not the value.
For example, this code changes the background-color if the trellis's label is "dbx_health_metrics":
```javascript
// Compare the label text of the first facet; colour its last child when it matches
if ($(".viz-facet").first().first().text() == 'dbx_health_metrics') {
    $(".viz-facet").first().last().css('background-color', '#000');
}
```
My problem is: when I execute the JS in the dashboard, the search status is "in process", therefore the JS can't change the background-color because the object doesn't exist yet at the moment of execution.
↧
How do I get a Sparkline to display as a pie chart?
I am attempting to use the `sparkline` functionality to display a pie chart in a table. My data has an `asset_type` ( `workstation|server|router|appliance|printer|etc`) and a `status` ( `up|down|unknown`). There are a large number of asset types, and they are subject to change/increase in number, so I don't just want to have a different panel for each type. I'd like to show a table with the asset type and a pie chart showing the `up|down|unknown` ratio. I can't seem to get the `sparkline` to only show the counts for the 3 distinct values of `status`, it seems to want to show those values 'over time' so my pie chart ends up with 8+ pieces, rather than 3. As `pie` is a supported option for a sparkline, and using `time` in a pie chart doesn't make any sense... I assume I'm missing something. I was trying the following:
` | chart sparkline(count(status)) AS trend by asset_type`
XML Options:
↧
Questions on best practices for a new Splunk environment
Sorry for too many questions
This is our environment
6 Splunk servers
1) splunk01 – Ad HOC Search head used for standalone searches
47.14 GB Physical Memory, 10 CPU Cores
2) splunk02 – Enterprise Security Search Head has Enterprise Security app installed on it.
125.75 GB Physical Memory, 24 CPU Cores
3) splunk03 – Indexer – Syslog plus Indexer server
62.75 GB Physical Memory, 24 CPU Cores
4) splunk04 – Indexer – Syslog plus Indexer server
62.75 GB Physical Memory, 24 CPU Cores
Below two Splunk servers are on a host that has several other VMs hosted on it.
5) splunk05 – License Master plus Indexer cluster master
7.64 GB Physical Memory, 4 CPU Cores
6) splunk06 – Deployment Server
3.7 GB Physical Memory, 2 CPU Cores
Question 1) Our indexers 3 & 4 are also Syslog servers with an HD of 5 TB each. Is it a best practice to have Indexers and Syslog servers on the same box?
Question 2) Is our License master, with its current RAM and CPU config as stated above, enough to be a License master?
Question 3) Since our Syslog and indexer reside on the same box, does that mean our HFs don't play any role in forwarding data?
Question 4) Can we install DMC on our license master?
↧
↧
Dropdown that predicts/populates options based on text as it is entered?
Hi,
I have a drop down panel; when I type text in the search box I would like to see a list of entries that begin with the text typed.
Example:
![alt text][1]
[1]: /storage/temp/211577-search-dropdown2.jpg
Thank you
↧
Help with setting the hostname path on ~200 servers?
We are pushing out forwarders to over 200 servers this month. I intend to connect the forwarders to a deployment server and then push out the server.conf file using the below setup.
[general]
serverName = $HOSTNAME
Since there are so many servers I do not want to manually set the hostname for each server. This seems to work, but when I go to edit the inputs.conf file we have to monitor a server.log file that has the hostname before it.
[monitor:///testarea/host1_server.log]
I have tried setting "host1" to "$HOSTNAME" and "`hostname`", all of which return the actual we are trying to monitor.
When doing an `ls -ltr` on /testarea/$HOSTNAME_server.log it returns /testarea/host1_server.log.
Is Splunk able to do this?
↧
how to move indexer peer from one cluster to another cluster?
Hello All
I have 2 multisite clusters in two different regions.
Region one has 4 indexers with replication factor 3 --> c1_idx1, c1_idx2, c1_idx3, c1_idx8
Region two has 3 indexers with replication factor 3 --> c2_idx4, c2_idx5, c2_idx6
I want to move c1_idx3 to the second cluster.
How should I do it? Is it by changing the master information on the peer, or is there any other process to do it?
**I am guessing this process should work:**
1. take the peer offline
2. change the master information
3. restart the peer
Is it correct?
↧
Markdown app - Can it render markdown written in the panel
Your app is cool. Is it possible to just write markdown in the panel? Seems to require a physical file to render. Am I failing?
↧
↧
How to find missing values from a search events compared to a list - (either a lookup file or a declared values)
I need to find the list of missing processes from a list of hosts and set up an alert.
There will be a number of processes (~16) to be monitored on a number of hosts.
I need some help in evaluating which process is missing.
I can take the lookup file approach, but would like to do a search and eval without using a lookup.
I tried this way:
```
earliest=-10m@m (index=os* OR index=matrix_os) source=ps host=abc* | rex field=COMMAND "somename\/(?<inst>[^\/]*)/httpd/sbin/httpd" | stats count by inst host | eval mylist="inst0,inst1,test1,test2" | eval procname=split(mylist,",") | mvexpand procname | eval is_running=if(match(procname, inst),1,0) | table is_running host inst count procname
```
This lists out all matching and non-matching. I want to just list out where procname=test1 on a host is not found.
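The same comparison (extract the instance name, group by host, diff against the declared list) written out in Python as an added example, not the poster's own search; the hostnames and COMMAND paths are constructed, and the regex assumes the rex capture group is named `inst`:

```python
"""Find expected processes that are not running on each host."""
import re
from collections import defaultdict

# Same capture as the rex in the question, with the group named "inst".
INST_RE = re.compile(r"somename/(?P<inst>[^/]*)/httpd/sbin/httpd")

# The declared list from the question's eval mylist=... (no lookup file).
EXPECTED = "inst0,inst1,test1,test2".split(",")

# Constructed sample ps events as (host, COMMAND): abc2 lacks test1,
# abc3 runs only an instance that is not on the list.
SAMPLE_EVENTS = [
    ("abc1", "/opt/somename/inst0/httpd/sbin/httpd -k start"),
    ("abc1", "/opt/somename/inst1/httpd/sbin/httpd -k start"),
    ("abc1", "/opt/somename/test1/httpd/sbin/httpd -k start"),
    ("abc1", "/opt/somename/test2/httpd/sbin/httpd -k start"),
    ("abc2", "/opt/somename/inst0/httpd/sbin/httpd -k start"),
    ("abc2", "/opt/somename/inst1/httpd/sbin/httpd -k start"),
    ("abc2", "/opt/somename/test2/httpd/sbin/httpd -k start"),
    ("abc2", "/usr/sbin/sshd -D"),                      # no match: ignored
    ("abc3", "/opt/somename/other/httpd/sbin/httpd"),   # not in EXPECTED
]


def running_by_host(events):
    """Like `rex ... | stats count by inst host`: host -> set of inst names."""
    seen = defaultdict(set)
    for host, command in events:
        seen[host]  # touching the key registers the host even if nothing matches
        match = INST_RE.search(command)
        if match:
            seen[host].add(match.group("inst"))
    return seen


def missing_processes(events, expected=EXPECTED):
    """Sorted (host, procname) pairs for every expected name a host is NOT running."""
    seen = running_by_host(events)
    return sorted((host, proc) for host, insts in seen.items()
                  for proc in expected if proc not in insts)


def unexpected_processes(events, expected=EXPECTED):
    """The reverse check: instances found that the declared list does not know."""
    seen = running_by_host(events)
    return sorted((host, inst) for host, insts in seen.items()
                  for inst in insts if inst not in expected)
```

A host that sends no ps events at all never appears in the output, so a known-host list is still needed to catch a silent host.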
↧
Help writing the search to create this table?
Hi, I need quick help with Splunk. Do you know if it is possible to generate the below report? If yes, do you know what the Splunk search query would be?
We have two fields in Splunk and want to know how to generate a time-column report by result, with color:
Rate of SUCCESS for result:
- 90 ~ 100%: green color
- 80 ~ 90%: yellow color
- otherwise red color
Splunk fields:
- flow_name: name of the API
- result: SUCCESS / ERROR
Expected report:

| Name | … | 1 pm | 2 pm | 3 pm | 4 pm | … |
|---|---|---|---|---|---|---|
| flow_name_A | … | Green | Yellow | Yellow | Red | … |
| flow_name_B | … | Yellow | Yellow | Green | Red | … |

Any suggestion will be appreciated.
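One way to compute the colour per flow and hour, as an added example that is not from the post; the events are constructed, and treating exactly 90% as Green and exactly 80% as Yellow is an assumption because the ranges in the question overlap at those values:

```python
"""Hourly SUCCESS rate per flow_name, mapped to the colours from the question."""
from collections import defaultdict


def events_for(flow, hour, ok, bad):
    """Constructed sample data: `ok` SUCCESS and `bad` ERROR events for one flow/hour."""
    return [(hour, flow, "SUCCESS")] * ok + [(hour, flow, "ERROR")] * bad


SAMPLE = (
    events_for("flow_name_A", "13", 9, 1)     # 90%  -> Green (boundary)
    + events_for("flow_name_A", "14", 8, 2)   # 80%  -> Yellow (boundary)
    + events_for("flow_name_A", "16", 1, 3)   # 25%  -> Red
    + events_for("flow_name_B", "13", 4, 1)   # 80%  -> Yellow
    + events_for("flow_name_B", "14", 2, 0)   # 100% -> Green
    + events_for("flow_name_B", "16", 0, 2)   # 0%   -> Red
)
HOURS = ["13", "14", "15", "16"]  # 15 has no events for either flow


def colour(rate_pct):
    """Assumption: 90 and 80 belong to the higher band; None means no data."""
    if rate_pct is None:
        return "n/a"
    if rate_pct >= 90:
        return "Green"
    if rate_pct >= 80:
        return "Yellow"
    return "Red"


def success_rates(events):
    """(flow, hour) -> SUCCESS percentage over all results in that hour."""
    counts = defaultdict(lambda: [0, 0])  # [success, total]
    for hour, flow, result in events:
        counts[(flow, hour)][1] += 1
        if result == "SUCCESS":
            counts[(flow, hour)][0] += 1
    return {key: 100.0 * ok / total for key, (ok, total) in counts.items()}


def colour_table(events, hours):
    """flow_name -> {hour -> colour}; hours with no events are 'n/a', not Red."""
    rates = success_rates(events)
    flows = sorted({flow for _, flow, _ in events})
    return {flow: {h: colour(rates.get((flow, h))) for h in hours} for flow in flows}
```

An hour with no events is reported as n/a rather than Red, so a flow that simply did not run is not mistaken for one that failed.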
↧
Splunk Add-on for Amazon Web Services not discovering EC2 role
I created an IAM role and assigned it to the heavy forwarder EC2 instance however the role doesn't appear in the Splunk UI as "Auto-Discovered". Any logs or anything I can look at to see why it can't find my role?
thanks....
↧
↧
Adding link to SharePoint document in XML
Hi all,
Tried a bunch of different recommendations for adding a hyperlink to a document (site) to no avail. My wish is to add a link at the top of each Dashboard that takes the dashboard auditor to the current reference audit guide. I believe the SharePoint link (with its crazy characters) is the issue. Below is the closest I've gotten.
Code Sample:
Audit Guide
↧
Alert to the MsMpSvc (Microsoft Antimalware Service) not starting?
Good afternoon all
There doesn't seem to be a way for me to actually stop the MsMpSvc service (Microsoft Antimalware Service) so that I can get a specific Event Viewer code, so I'm curious how you would all go about this one. I'm trying to create a Splunk alert which tells me if that service has either stopped or did not start after a reboot.
↧
Splunk Add-on for Microsoft PowerShell - Linux Splunk Enterprise Server
To use the Splunk Add-on for Microsoft PowerShell, does my Splunk Enterprise server need to be a Windows box, or can it be Linux? I figured just the forwarder, where the add-on was also installed, needed to be Windows. But I am currently having issues collecting any data. My Splunk Enterprise server is Splunk Enterprise 6.5 on Ubuntu 16.04.3.
↧
Best practice on Index and TCP Input creation by .spl application package install
Dear All,
I am working with app deployment and installing, and after reading the Dev articles
SP-CAAAEMY
SP-CAAAE3H
... and all related,
I noticed a few things:
the app_name.spl package, installed in a new clean environment, does create both:
1. a new index
2. a new TCP input (on a certain port xxxxx; my app makes use of it to get data input)
While the above is great and helps a lot, I wonder if it is a bit invasive, especially:
the second part, TCP input creation on the client's Splunk server. That xxxxx port is a parameter in my solution (the software that will feed the App) and can be set to anything.
But also the index creation, as in the "App Certification criteria" article SP-CAAAE3H on dev.splunk,
under "Indexes.conf standards", it is said (quoted):
"Check that the app does not create indexes."
Does this exclude the app_name.spl install? I guess it should be yes, in the sense that index creation is forbidden
during normal app operations, while the app is allowed to create its own index(es) during install.
So, my questions in this case would be:
Q1. Is it best practice to create the index on .spl install, or not (create it manually)?
Q2. Is it best practice to create the TCP input on .spl install, or not (create it manually)?
Q3. What is the relation of the two above to the Splunk App Certification process?
thank you very much
best regards
Altin
↧
↧
Can a "redundancy" forwarder be triggered to send logs if the primary forwarder is down?
Hi,
Is it possible to configure the indexer to index logs from one forwarder only (say forwarder 1) and, if logs from "forwarder 1" stop, start indexing logs from "forwarder 2"?
At the moment, we have two universal forwarders (for redundancy purposes) sending the same data to one indexer, so we are consuming twice as much licence. Is there a way to remove duplicate logs before they get indexed, or to listen to one forwarder at a time?
Many Thanks
↧
Searching a particular field and performing actions based on its presence and value
My application logs will print each record with an id. If the record has any error, it will display the Error field, else it won't. I want to look for the Error field in each record; if present, I have to look at the value of the Error field. If 'A', I have to increase the count for Error Code 503 by 1; if 'B', I have to increase the count for Error Code 504 by 1; and if the Error field is not present in the record, I have to increase the count for response code 200 by 1.
↧
Alert to the Microsoft Antimalware Service (MsMpSvc) not starting?
Good afternoon all
There doesn't seem to be a way for me to actually stop the Microsoft Antimalware Service (MsMpSvc service) so that I can get a specific Event Viewer code, so I'm curious how you would all go about this one. I'm trying to create a Splunk alert which tells me if that service has either stopped or did not start after a reboot.
↧