Channel: Questions in topic: "splunk-enterprise"

How can it be that a source type in use isn't listed in Settings: (Data) Source types?

We have a single Splunk instance (the server) with a number of Forwarders on remote machines (the clients). I've installed Splunk_TA_nix which added a number of scripts as data inputs on the clients and on the server. I want to exclude the server, but since there is no way (that I know of) to reassign a script (or any data input for that matter) to a Server class, I first disabled the scripts on the server. This also disabled them on the clients (because the app deployment keeps Splunk_TA_nix in sync I suppose). So I started recreating the scripts as new data inputs assigned to a Server class that includes just the clients. But a number of the scripts have source types (auditd, Unix:ListeningPorts, etc.) that are absent from the Settings: (Data) Source types display, and as a result I cannot create the corresponding new data inputs. At the Input Settings step, just before Review, the Select Source Type drop-down refuses to find the ones I need. Am I missing something obvious? Is this a bug? Is there a way to do this that is less painful, maybe by editing some .conf file(s)?

Why doesn't rex sed work with this expression: s/=[^&]*//g

I have used rex to extract a URL from a log message. I then want to eliminate the parameter values so I can build statistics based on the URL. To do this I use the following rex command:

rex field=request_url mode=sed "s/=[^&]*//g"

With the following input:

/UsomCustomer/customers?storeNumber=####&phone=##########

I get:

/UsomCustomer/customers?storeNumber

but I expect:

/UsomCustomer/customers?storeNumber&phone

When I execute sed locally with the same expression and the same input it works:

$ sed 's/=[^&]*//g' < test-sed.txt
/UsomCustomer/customers?storeNumber&phone

One curious thing is that when I take away the second rex command and look at the "request_url" field in the UI, I see '\u0026' instead of & in the display.
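The symptom and the '\u0026' observation fit together: if the field still holds the six-character JSON escape instead of a real ampersand, `[^&]*` never sees an `&` and swallows the rest of the URL. The following is an added Python illustration (not from the post, and not Splunk's rex implementation; `re.sub` stands in for `rex mode=sed`, which is close enough for this expression). Both input strings are constructed to match the post's description.

```python
import re

# Constructed sample: the URL as it appears in the raw event (a real "&"),
# and as the post describes the request_url field displaying in Splunk Web
# (the literal six characters "\u0026", i.e. a JSON escape that was never decoded).
RAW_URL = "/UsomCustomer/customers?storeNumber=1234&phone=5551234567"
ESCAPED_URL = "/UsomCustomer/customers?storeNumber=1234\\u0026phone=5551234567"


def strip_values(url: str) -> str:
    """Direct port of the post's sed expression: drop every "=value" up to the next "&"."""
    return re.sub(r"=[^&]*", "", url)


def strip_values_escaped_aware(url: str) -> str:
    """Same idea, but the value also ends at the literal sequence "\\u0026",
    for fields that were never unescaped."""
    return re.sub(r"=(?:(?!&|\\u0026).)*", "", url)


def normalize_then_strip(url: str) -> str:
    """Cleanest fix: turn the escape back into "&" first, then apply the original expression."""
    return strip_values(url.replace("\\u0026", "&"))


if __name__ == "__main__":
    print(strip_values(RAW_URL))                    # works on a real ampersand
    print(strip_values(ESCAPED_URL))                # the post's symptom: "&phone" is eaten
    print(strip_values_escaped_aware(ESCAPED_URL))  # keeps the escaped separator
    print(normalize_then_strip(ESCAPED_URL))        # the expected output
```

In Splunk terms this means either fixing the extraction so request_url carries a decoded `&`, or running a first `rex mode=sed` that rewrites the literal `\u0026` to `&` before the value-stripping expression; the escaped-aware regex is the fallback when the field cannot be changed.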

Conditional transaction

Hello, I have two types of events: clicks and searches. I want to group two searches into a transaction if
1. they don't have any other events in between
2. they are within 5 seconds of each other

Input:
time=1505404370 query=foo type=search
time=1505404371 query=foo type=click
time=1505404372 query=bar type=search
time=1505404373 query=baz type=search
time=1505404374 query=bak type=search
time=1505404375 query=ban type=search

Output:
time=1505404372 query=bar type=search
time=1505404373 query=baz type=search
--------------------
time=1505404374 query=bak type=search
time=1505404375 query=ban type=search
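The two conditions interact: the "nothing in between" rule has to be checked before clicks are thrown away, because once the events are filtered to type=search the first search (…370) and the third (…372) are adjacent and within 5 seconds, and a plain time-window grouping would pair them. Here is an added Python version of the grouping the post asks for (not from the post, not Splunk's transaction command), run over a constructed copy of the post's input:

```python
from typing import Dict, List

# Constructed copy of the post's input, in arrival order.
EVENTS = [
    "time=1505404370 query=foo type=search",
    "time=1505404371 query=foo type=click",
    "time=1505404372 query=bar type=search",
    "time=1505404373 query=baz type=search",
    "time=1505404374 query=bak type=search",
    "time=1505404375 query=ban type=search",
]


def parse(line: str) -> Dict[str, str]:
    """key=value tokens separated by spaces -> dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def pair_searches(lines: List[str], max_gap: int = 5) -> List[List[Dict[str, str]]]:
    """Group adjacent search events into pairs when no other event sits between
    them and they are at most max_gap seconds apart.  The check runs over the
    full event stream, so a click between two searches breaks the pair.
    A paired event is consumed: four consecutive searches yield two disjoint pairs."""
    evs = sorted((parse(l) for l in lines), key=lambda e: int(e["time"]))
    pairs, i = [], 0
    while i < len(evs) - 1:
        a, b = evs[i], evs[i + 1]
        if (a["type"] == "search" and b["type"] == "search"
                and int(b["time"]) - int(a["time"]) <= max_gap):
            pairs.append([a, b])
            i += 2
        else:
            i += 1
    return pairs


if __name__ == "__main__":
    for grp in pair_searches(EVENTS):
        for ev in grp:
            print(" ".join(f"{k}={v}" for k, v in ev.items()))
        print("-" * 20)
```

The same point carries over to SPL: whatever groups the events has to see the clicks (for example by ending a group on a non-search event) rather than being fed a search that already dropped type=click.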

How can I see the invalid password attempts from Cisco ASA events?

Hi, I'm trying to see the invalid password events from Cisco ASA:

message_id=113005 | stats count by user | where count > 1

I try to count the number of failures by user and generate an alert, for example if in 5m a user fails the password 2 times, but the alert is not triggered. Alert settings: Real-time; Number of results is greater than 0 in 5 minutes; Trigger for each result, once. Any idea what the problem is? Thanks
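For the threshold the post describes (two rejected passwords from the same user inside five minutes), here is an added Python detection run over constructed ASA syslog lines. It is not from the post and not Splunk code; the 113005 message layout in the sample is an assumption about this firewall's logging and the regexes should be adjusted to real events. It makes one dependency explicit that the SPL hides: `stats count by user` only produces rows if a `user` field is actually extracted from the event, so the example extracts it itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events.  The layout (timestamp, host, %ASA-<sev>-<id>: text)
# and the 113005 message wording are assumptions for this example; check them
# against your own firewall's output.
SAMPLE = """\
Sep 14 2017 13:58:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.10
Sep 14 2017 13:59:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.10
Sep 14 2017 14:00:10 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = agarcia : user IP = 192.0.2.22
Sep 14 2017 14:02:45 fw01 %ASA-6-113012: AAA user authentication Successful : local database : user = agarcia
Sep 14 2017 14:20:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = agarcia : user IP = 192.0.2.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<message_id>\d+): (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser = (?P<user>\S+)")


def parse_events(text: str) -> List[Dict]:
    """Raw syslog lines -> events carrying the fields the search needs (message_id, user).
    This is the field extraction step the SPL relies on."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = USER_RE.search(m.group("msg"))
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "message_id": m.group("message_id"),
            "user": u.group("user") if u else None,
        })
    return events


def failed_password_alerts(events: List[Dict],
                           window: timedelta = timedelta(minutes=5),
                           threshold: int = 2) -> Dict[str, int]:
    """Sliding-window form of `message_id=113005 | stats count by user | where count > 1`:
    returns {user: peak count} for every user with at least `threshold` rejections
    inside any span of `window`."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["message_id"] != "113005" or not ev["user"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget rejections older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["user"]] = max(alerts.get(ev["user"], 0), len(q))
    return alerts


if __name__ == "__main__":
    print(failed_password_alerts(parse_events(SAMPLE)))
```

With the constructed lines only jsmith trips the rule: agarcia's two rejections are twenty minutes apart, so a five-minute window never holds both, while a thirty-minute window would flag both users.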

What should be the homePath.maxDataSizeMB in relation to the maxDataSize?

Hello - I am getting the following warning: *"IndexConfig - Home path size limit cannot accomodate maximum number of hot buckets with specified bucket size because homePath.maxDataSizeMB is too small. Please check your index configuration: idx=someidx maxDataSize=1000 MB, homePath.maxDataSizeMB=1000 MB"* What should be the homePath.maxDataSizeMB in relation to the maxDataSize?

New version of Splunk not working PHP SDK

We had a report using the Splunk PHP SDK running against a Splunk instance on 6.4.2. We recently upgraded it to 6.6.2 and now it seems we are getting an SSL error that didn't exist before. Does anyone know why this might be happening?

PHP Fatal error: Uncaught exception 'Splunk_ConnectException' with message 'Unknown SSL protocol error in connection to 10.10.2.xxx:8089 ' in /var/www/html/kpi/vzw/kpi-report/Splunk/Splunk/Http.php:191
Stack trace:
#0 /var/www/html/kpi/vzw/kpi-report/Splunk/Splunk/Http.php(93): Splunk_Http->requestWithCurl('post', 'https://10.10.2...', Array, 'username=kpi&pa...')
#1 /var/www/html/kpi/vzw/kpi-report/Splunk/Splunk/Http.php(44): Splunk_Http->request('post', 'https://10.10.2...', Array, 'username=kpi&pa...')
#2 /var/www/html/kpi/vzw/kpi-report/Splunk/Splunk/Context.php(94): Splunk_Http->post('https://10.10.2...', Array)
#3 /var/www/html/kpi/vzw/kpi-report/functions.php(1841): Splunk_Context->login()
#4 /var/www/html/kpi/vzw/kpi-report/scp2.php(67): collect_stats4(1504242000, Array, 'S0080', 'scp')
#5 /var/www/html/kpi/vzw/kpi-report/kpi-report2.php(111): scp_report(1504242000)
#6 {main}
thrown in /var/www/html/kpi/vzw/kpi-report/Splunk/Splunk/Http.php on line 191

Poor search performance

I'm running the following query:

index=ironstream MFSOURCETYPE=SMF110 SAPPLID=CSFBTP* | bin _time span=1d | eval cpu=USRCPUT_MICROSEC/1000000 | eval RegionType=if(SAPPLID="CSFBTPC1","Legacy","Laurus") | eval IntervalDate=strftime(_time,"%Y/%m/%d") | chart count(TRAN) as "Total Transactions" sum(cpu) as "Total CPU" over IntervalDate by RegionType

It passes millions of records and I suspect converting microseconds to seconds for each record may be the major reason. Is there a way to allow the search to sum up CPU time in microseconds and perform the division one time prior to display in the chart? Is there a performance blog or other available resource that would help me in writing efficient searches?

Splunk Integration with ServiceNow -- returning a SPL number instead of the INC number

Recently installed the Splunk Integration application in our ServiceNow instance but it is returning a SPL number instead of the INC number that was created. Is there a way to modify this to send the end user the INC number instead?

Search from host 'A' (based on multiple values of a field of another search from host 'B')

Hi, I have a question for searching. I want to search from host 'A' (based on multiple values of a field of another search from host 'B'). In other words, I have a search result (values of field 'id') from host 'B' as below: search query: host='B' "Test" | fields + id | table id And I want to find results for all values of 'id' in host 'A'. I tried sub-search, but it seems it only works for one value of a field. (I am newbie, maybe I might be wrong) Can anyone provide any suggestion?

Times are off

What would cause times to be off on received logs? I installed the UF on a server yesterday that had the correct time. If I search for "All Time" for that host, I receive log entries for 8/1/2018, but if I specify ANY time range - last 7 days, last 24 hours, etc. - it shows the correct time. Is this a bug in Splunk? (screenshot: /storage/temp/215582-2017-09-14-14-01-44.png)

Can Splunk search DB2 LUW active logs and archive logs looking for DML activity against sensitive data tables?

Can Splunk search DB2 LUW active logs and archive logs looking for DML activity against database tables? We have 12 tables with sensitive data and I am hoping that Splunk can locate Insert, Delete or Update records in the DB2 LUW logs to use for audit reporting of user activity against these tables. Thank you. -Victor

How to extract a string in a CSV where the field position can have multiple different values?

Hello - I'm trying to extract a field from a CSV. The problem is the 9th position can have several different values. I need the field for the "700 Auth_Method_success" value. When I set up the field, I'm getting the "70..." along with all the other possible values. Example:

246436066,Application,SSH Tectia Server,INFORMATION,abc.def.ghi.com,9/13/2017 9:28:55 AM,0,None,"700 Auth_method_success, Username: custdm10/ECS-40ZV,

Thanks. Carl

Is there a way to modify the request frequency of an indexed real-time search?

I have indexed real-time searching set up for my app by setting the `indexed_realtime_use_by_default = true` in limits.conf. My dashboard has 1 indexed real-time search and it looks like it is generating 1 HTTP GET request per second. Is there a way to modify the request frequency of an indexed real-time search? For example, I would like to have my indexed real-time search only generate 1 HTTP GET request every 10 seconds instead of 1 per second. I have tried modifying some variables in the limits.conf file, but could not find the right property to achieve this.

Questions about getting started with Splunk Enterprise Security

Hi, I'm new to Splunk Enterprise Security but we do have Splunk to monitor and alert on our application logs. Are there white papers about how to implement and scale an existing implementation?
1) What logs can you monitor with the Enterprise Security app?
2) With switches, routers, etc. sitting remotely, do you recommend having a Splunk instance running at the remote location and using that standalone Splunk instance to forward to centralized indexers?
Thanks, Ryan

How to dynamically create a custom x-axis label in a search?

How can we give a custom dynamic value for the x-axis in the search? I know we can change it manually in the Format tab (X-Axis), but I want it to be generated dynamically from the search. Thanks

How to use regex to filter out Windows events with Account names ending with $?

Hi, how do I exclude the Windows events with EventCode 4634 and Account_Name ending with $? Below is a sample event. (screenshot: /storage/temp/215583-capture.png)
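Account names ending in `$` are Windows computer accounts, and the logoff events they generate (4634, mostly network logons from domain members) are what people usually want to drop. The filter has two conditions that must be combined before the negation: dropping every `$` account would also hide machine-account logons and other codes worth keeping, and dropping every 4634 would hide human logoffs. Here is an added Python version (not from the post) run over constructed multi-line Security events in the key/value shape Splunk's Windows inputs produce; only the fields the filter needs are included, and `\$$` anchors a literal dollar sign at the end of the account name.

```python
import re
from typing import Dict, List

# Constructed events in the multi-line layout of Windows Security events as
# Splunk ingests them; trimmed to the lines this filter actually reads.
SAMPLE_EVENTS = [
    "09/14/2017 02:05:11 PM\nLogName=Security\nEventCode=4634\nAccount Name:\tWEB01$\nLogon Type:\t3",
    "09/14/2017 02:05:12 PM\nLogName=Security\nEventCode=4634\nAccount Name:\tjdoe\nLogon Type:\t2",
    "09/14/2017 02:05:13 PM\nLogName=Security\nEventCode=4624\nAccount Name:\tWEB01$\nLogon Type:\t3",
    "09/14/2017 02:05:14 PM\nLogName=Security\nEventCode=4634\nAccount Name:\tsvc-backup\nLogon Type:\t4",
]

CODE_RE = re.compile(r"^EventCode=(\d+)$", re.M)
ACCT_RE = re.compile(r"^Account Name:\s*(\S+)$", re.M)
MACHINE_RE = re.compile(r"\$$")   # "\$" is a literal dollar sign, the final "$" anchors it at the end


def parse(raw: str) -> Dict[str, str]:
    """Pull EventCode and Account_Name out of one raw event (mirrors Splunk's extracted fields)."""
    code = CODE_RE.search(raw)
    acct = ACCT_RE.search(raw)
    return {
        "EventCode": code.group(1) if code else "",
        "Account_Name": acct.group(1) if acct else "",
        "_raw": raw,
    }


def is_machine_logoff(ev: Dict[str, str]) -> bool:
    """Both conditions ANDed: a 4634 whose account is a computer account."""
    return ev["EventCode"] == "4634" and MACHINE_RE.search(ev["Account_Name"]) is not None


def filter_events(raws: List[str]) -> List[Dict[str, str]]:
    """Keep everything except machine-account logoffs: NOT (EventCode=4634 AND Account_Name=*$)."""
    return [ev for ev in map(parse, raws) if not is_machine_logoff(ev)]


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(ev["EventCode"], ev["Account_Name"])
```

Of the four constructed events only the first (4634 for WEB01$) is dropped; the human logoff, the machine account's 4624, and the service account's 4634 all survive, which is the behaviour to check for when translating the filter into a search-time exclusion.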

single value panel color change

This is my XML: ["host","source","sourcetype"] I am trying to change the background color of the single value panel, but no matter what color code I put in there, the background color remains black. The second thing I am trying to do is change the color of the actual value being displayed on the single value panel from black to something else. The value shown in the single value panel is textual and not numeric.