We have a dashboard that is specific to 2017. So the latest time needs to be either the start of the current day or 12/31/2017 (once we reach 2018). We are using the below eval statement to set the latest token and it was working fine until we recently upgraded from 6.3.5 to 6.6.3. After the upgrade I could not get it to work no matter what I tired.
if(now()>1514782800,1514782800,@d)
↧
Dashboard Token Eval Not Working After Upgrade
↧
Why does Splunk think this is a single event?
It recognizes the datetime correctly based on the first line, but it seems to randomly be grouping up lines.
Example log that has wildly different times, but Splunk thinks is a single event
[INFO][DesDycrptor][20170911-19:55:46.798] Decrypting file: equity_option_open_uf.dif.gz.enc.20170911
[INFO][DesDycrptor][20170911-19:55:46.800] Unzipping file: equity_option_open_uf.dif.gz
[INFO][S3Client][20170911-19:55:46.803] Copying file: /tmp/###############-7351797381042467611/equity_option_open_uf.dif to s3 bucket: ###################### key: ##########/#######/2017/09/11/equity_option_open_uf.dif.20170911.
↧
↧
How to send an alert email with cluster map visualization?
I have a saved search of last hour activity from our firewall and using the cluster map visualization plugin. When I create an alert for this search and enable attachment of pdf, it shows this weird plot. Why won't it show the geographical country map w/ the cluster bubbles?
![alt text][1]
[1]: /storage/temp/212573-capture.png
↧
What could be causing intermittent "NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id" messages
Hello,
I recently set up splunk stream to receive netflow v9 data from a few sources. Everything seems to be working fine so far, but every so often I'll start getting these messages in my streamfwd log, which will last few several minutes and then go away again, only to return several minutes later.
2017-09-12 15:48:49 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 56
2017-09-12 15:48:50 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 212
2017-09-12 15:48:51 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 160
2017-09-12 15:48:54 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 372
2017-09-12 15:48:57 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 108
What could be causing these messages to intermittently appear like that? I thought that this could be due to a netflow template not being sent (cisco devices are sending the netflow data), but I don't think that this is the case since this only happens intermittently.
In case it would help, my streamfwd.conf file contains the following lines:
[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
netflowReceiver.0.ip = x.x.x.x
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
↧
Splunk Mobile Access For windows 10 Tablet Mode
Hallo together,
For iOS and android "Splunk Mobile Access" exist which display and organise the dashboards for tablets in a optimized style.
Exist these APP or a alternative Presentation Mode also for Windows 10 (Tablett Mode)?
REGARDS
↧
↧
Correct my Query or identify where the mistake is please.
I have a query as follows
| inputlookup ABCD | search Forward="Yes" | table Region,IPHost, ip_address | rename Region AS my_region, IPHost AS my_hostname, ip_address AS my_ip
| join type=left my_hostname [|metadata type=hosts index=* | rename host AS my_hostname]
|eval lastTime=if(lastTime>0,lastTime,0)
|eval timeDiff=now()-lastTime
| eval last_seen_in_24_hours=if(timeDiff>86400,"NO","YES")
| eval lastReported=strftime(lastTime,"%F %T")
| table my_region,my_hostname,last_seen_in_24_hours,lastReported
Which displays the results as follows
![alt text][1]
[1]: /storage/temp/213578-dashboard.png
For some reason though the hosts were reporting to splunk(I verified that by picking the hosts from the dashboard and searching with host="abcd" for last 24 hours) all I can see from the dashboard is NO for last_seen_in_24_hours field.
Could anyone let me know where did i made the mistake or help me modifying the query to display the4 accurate results like YES for all the hosts which were reporting
↧
Cannot forward data from universal forwarder on a VM network
Hi,
I'm trying to set up a universal forwarder on a VM network. I've set up the inputs and outputs configuration files on the forwarder:
In inputs.conf:
[monitor:///var/log/syslog]
sourcetype = syslog
disabled = 0
index=ubuntu
In outputs.conf
[tcpot-server://ip_address_of_receiver:9997]
[tcpout]
defaultGroup = default-autolb-group
tcpout:default-autolb-group]
server = steven-VirtualBox:9997
[tcpout-server://steven-VirtualBox:9997]
I've also tried to set up receiving on the VM with the main Splunk instance, first from Splunk web, and then from the CLI:
In inputs.conf:
[default]
host = steven-VirtualBox
[splunktcp://9997]
disabled = 0
However, when I try to add data in splunk web with the forwarder, I get the error "There are currently no forwarders configured as deployment clients to this instance." Further, when I use "./splunk list forward-server" on the forwarder, I get the following output:
Active forwards:
None
Configured but inactive forwards:
ip_address of receiver:9997
steven-VirtualBox:9997
Does anyone have any insight on how to bring this forwarder up? I'm at a loss.
↧
Time filter issue when executing drilldown on a timechart dashboard
Hi,
I have a problem to execute a drilldown on a timechart dashboard.
This is the search for my source dashboard:
source="SDC_GUI_DEN_ER_V" | timechart span=1d count
I have to click on the date (format date 2017-06-30) and open a new dashboard filtered on this date:
I have tried in the following way but it isn't working. On source and destination dashboard there is a filter on the time:
Please let me know.
Thanks,
Nello
↧
Dashboard token eval statement not working after upgrade (v6.3.5 > v6.6.3)
We have a dashboard that is specific to 2017. So, the latest time needs to be either the start of the current day or 12/31/2017 (once we reach 2018). We are using the below eval statement to set the latest token and it was working fine until we recently upgraded from 6.3.5 to 6.6.3. After the upgrade I could not get it to work no matter what I tried.
if(now()>1514782800,1514782800,@d)Today Historical true @d now true if(now() > 1506830401, 1506830400, @y) if(now() > 1514782801, 1514782800, @d)
↧
↧
Log that has wildly different times, but Splunk thinks it is a single event
It recognizes the datetime correctly based on the first line, but it seems to randomly be grouping up lines.
Example log that has wildly different times, but Splunk thinks is a single event
[INFO][DesDycrptor][20170911-19:55:46.798] Decrypting file: equity_option_open_uf.dif.gz.enc.20170911
[INFO][DesDycrptor][20170911-19:55:46.800] Unzipping file: equity_option_open_uf.dif.gz
[INFO][S3Client][20170911-19:55:46.803] Copying file: /tmp/###############-7351797381042467611/equity_option_open_uf.dif to s3 bucket: ###################### key: ##########/#######/2017/09/11/equity_option_open_uf.dif.20170911.
↧
Why do we get a "Failed to create a bundles setup with server name GUID" message?
We get a message such as - *[indexer name] Failed to create a bundles setup with server name GUID : Using peer's local bundles to execute the search, results might not be correct. *
Search results seem to be much smaller than expected.
What can it be?
↧
Splunk Mobile Access compatibility with Tablet Mode in Windows 10
Hallo together,
For iOS and android "Splunk Mobile Access" the display and organization of the dashboards for tablets is presented in an optimized style.
Does this sort of feature exist for Windows 10 (tablet mode), or is there an app?
REGARDS
↧
Search help -- my search is inaccurately showing if hosts have been online in the past 24 hours.
I have a query as follows
| inputlookup ABCD | search Forward="Yes" | table Region,IPHost, ip_address | rename Region AS my_region, IPHost AS my_hostname, ip_address AS my_ip
| join type=left my_hostname [|metadata type=hosts index=* | rename host AS my_hostname]
|eval lastTime=if(lastTime>0,lastTime,0)
|eval timeDiff=now()-lastTime
| eval last_seen_in_24_hours=if(timeDiff>86400,"NO","YES")
| eval lastReported=strftime(lastTime,"%F %T")
| table my_region,my_hostname,last_seen_in_24_hours,lastReported
Which displays the results as follows
![alt text][1]
[1]: /storage/temp/213578-dashboard.png
For some reason though the hosts were reporting to splunk (I verified that by picking the hosts from the dashboard and searching with host="abcd" for last 24 hours) all I can see from the dashboard is NO for last_seen_in_24_hours field.
Could anyone let me know where did i made the mistake or help me modifying the query to display the 4 accurate results like YES for all the hosts which were reporting
↧
↧
On which components does the Splunk 6.x Dashboard Examples app need to be installed?
I've installed the Dashboard Examples app on our search head and our index cluster.
Did I really need to install it on the index cluster? Or is this app just for search heads?
,I've installed the Dashboard Examples app on our test search head and on our test index cluster.
Most of the examples I've looked at so far are using the _internal index, which suggests to me that there's no index peer component of the app. Does it need to be installed on the index cluster?
↧
Unique users by application over time periods
As a example, I have a search that calculates "Unique Users per Application" and this can be constrained to a particular timeframe with either a timerange picker or earliest/latest fields.
| stats dc(UserId) AS UserLogonCount BY ApplicationId | table ApplicationId UserLogonCount
What I would like to do is extend this to essentially be a timechart but in a table format that shows 1 day, 1 week, 1 month values etc.
The only way I can think of is to append multiple searches that use earliest/latest to define the different time periods, however this seen rather inefficient to me.
What other options do I have?
↧
How do I make fields with a replacement for an argument work inside a saved search with the map command?
I'm sure there's a really easy answer, but it isn't coming to me so I'd greatly appreciate some help.
If I define a saved search test as:
| makeresults | eval foo="cat", bar="dog", baz="moose" | fields $fields$
Then it works as expected with `savedsearch` (returns fields `foo` and `bar` or `bar` and `baz`), but fails with the map command (it returns one field `foo bar` or `bar baz`)
Saved Search Examples:
| savedsearch fields="foo bar"
Returns the fields `foo` and `bar`
| savedsearch fields="bar baz"
Returns the fields `bar` and `baz`
Map
| makeresults
| eval fields="foo bar"
| map test
Returns the field `foo bar` (which is empty) instead of the fields `foo` and `bar`
| makeresults
| eval fields="foo baz"
| map test
Similarly returns field `foo baz` instead of the fields `foo` and `baz`
Not surprisingly, if I specify one field it does work:
| makeresults
| eval fields="foo"
| map test
I'm sure this is something really simple, but the solution just isn't coming to me.
↧
how to calculate the percentages of the field values(yes/no) in a field ?
Hi I have a splunk search as follows
My search | table host_name, last_seen_in_24hours
which displays the result as follows
![alt text][1]
Now I'm trying to see the percentage of YES's and NO's in a pie chart.
[1]: /storage/temp/213580-dashboard-1.png
↧
↧
Perform stats count based on the value of a field
What I am looking to do is something of this nature:
| stats count(eval(if(action=success))), count(eval(if(action=failure))) by computer
but it has not been working out as I had hoped. Can anyone fill me in on what I might be able to do in order to get this result in my stats area of my search?
↧
The log has been line breaking twice.
In my environment the following servers exist.
windows 2012 R2
Splunk 6.5.2
On this server, when trying to export logs in csv format on Splunk web, the line breaking twice and outputted with blank line between each line.
I suspected a misconfiguration of a specific log, but even if I exported _internal log, a line breaking was done.
After converting it to binary format and confirming it, I found that the first line feed was done in CR format and the second line feed seemed to be done in CRLF format.
I think that it caused by reconverting only the LF part of the line feed in CRLF format into CRLF again.
I predicted that the following phenomena might be occurring.
###############
_raw ~ CRLF (* At this time still a single line break)
_raw ~ CR CRLF (* LF is converted to CRLF, and the number of line feeds is twice.)
###############
Is this a known issue?
↧
Splunk limiting concurrent session logon
Hi,
I would like to check if splunk is able to limit the concurrent session login.
Meaning to say user account Alpha is already login on Computer A and if the same account is used to login at Computer B, computer session will be logout.
Please advise.
Thank You
↧