Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

search string query

Hi, I can use this search string to get the statistics output:

index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3

Name  Count
SRV1  800
SRV2  600
SRV6  700

The question is how I continue using the search string to query each of the output "Name" values to display a new field "RULE" under "Name". Example:

index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by RULE | sort -count

how to monitor the last command in AIX?

I want to show the last login time for users who have ever logged in on AIX. I enabled the lastlog stanza:

[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = os
disabled = 0

but I found it didn't work, and I see this in the lastlog.sh script:

if [ "x$KERNEL" = "xLinux" ] ; then
    CMD='lastlog'
    FILTER='/Never logged in/ {next} (NR==1) {next}'
    FORMAT='{username = $1; from = (NF==9) ? $3 : ""; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $NF}'
elif [ "x$KERNEL" = "xSunOS" ] ; then
    CMD='last -n 999'
    FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
    FORMAT='{username = $1; from = (NF==10) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "x$KERNEL" = "xAIX" ] ; then
    failUnsupportedScript
elif [ "x$KERNEL" = "xDarwin" ] ; then
    CMD='last -99'
    FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
    FORMAT='{username = $1; from = ($0 !~ / /) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "x$KERNEL" = "xHP-UX" ] ; then
    CMD='lastb -Rx'
    FORMAT='{username = $1; from = ($2=="console") ? $2 : $3; latest = $(NF-3) " " $(NF-2)" " $(NF-1)}'
    FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}'
elif [ "x$KERNEL" = "xFreeBSD" ] ; then
    CMD='lastlogin'
    FORMAT='{username = $1; from = (NF==8) ? $3 : ""; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}'
fi

It says AIX is not supported! Can anyone help me add AIX support to the script? AIX also has a "last" command that gives the last login time for users who have ever logged in. Thanks a lot.
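One way to fill the AIX branch, as an added example that is not part of Splunk_TA_nix or of the post above. It keeps the script's own CMD / FILTER / FORMAT convention so the three assignments can be dropped into the `elif [ "x$KERNEL" = "xAIX" ]` branch; the `aix_lastlog` function and the sample `last` output are constructed here so the parsing can be checked offline. The field offsets assume that AIX `last` prints sessions newest first as `user tty [host] Mon DD HH:MM - HH:MM (duration)` with no host column for console logins; compare that with `last | head` on a real AIX host before trusting them. Last-login data is worth getting right: a dormant account that suddenly shows a recent login is one of the cheaper detections this input makes possible.

```shell
#!/bin/sh
# Added example, not part of Splunk_TA_nix: an AIX branch for lastlog.sh.
# The three assignments follow the script's own CMD / FILTER / FORMAT
# convention; aix_lastlog() shows how they combine.
#
# Assumption: AIX `last` prints sessions newest first, one per line, as
#   user  tty  [from-host]  Mon DD HH:MM - HH:MM  (duration)
# and omits the host column for console logins. Check `last | head` on a
# real AIX host before trusting the field offsets below.

CMD='last'

# Stop at the first blank line, skip lines too short to carry a timestamp,
# drop the reboot/shutdown pseudo-users and keep only the newest line per user.
FILTER='{if ($0 == "") exit; if (NF < 8) next; if ($1 ~ /^(reboot|shutdown)$/ || $1 in users) next; users[$1]=1}'

# A remote login carries a host in $3 (9 or more fields); a console login has 8.
# Either way the date is the three fields after the tty/host column.
FORMAT='{username = $1; from = (NF >= 9) ? $3 : ""; latest = $(NF-5) " " $(NF-4) " " $(NF-3)}'

# Emit one key=value record per user, which Splunk extracts without extra config.
PRINT='{printf "username=%s from=%s latest=\"%s\"\n", username, from, latest}'

# Read `last` output on stdin, print one record per user.
aix_lastlog() {
    awk "$FILTER $FORMAT $PRINT"
}

# Constructed sample of what `last` might print (not captured from a real host).
SAMPLE_LAST='root pts/0 10.1.2.3 Sep 26 00:31 - 00:45 (00:14)
alice console Sep 25 08:00 - 08:10 (00:10)
root pts/1 10.1.2.4 Sep 24 09:00 - 09:05 (00:05)
reboot ~ Sep 23 07:00

wtmp begins Sep 01 00:00'

# On a real host:   $CMD | aix_lastlog
# Offline check:    sh ./lastlog_aix.sh --demo   (whatever this file is saved as)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LAST" | aix_lastlog
fi
```

With the sample above the demo prints two records: root with the newest of its two sessions (from 10.1.2.3) and alice with an empty `from`, while the older root session and the reboot line are dropped.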

How to calculate with multiple values in a table?

I have a few results which look like the below in a table:

ID | Ask | Bid
1 | 4 | 3
2 | 5 | 6
3 | 7 | 8

I want to create a new field with newfield=(4*6-8)/8, so how do I do it? All suggestions are welcome.

all json fields are alphanumeric

Hi, I'm ingesting data in pure JSON and all fields are being extracted. However, all fields are strings regardless of whether the field contains a float or an integer. Trying to convert the required fields in search has no effect, so we are unable to execute any arithmetic or numeric comparisons. Is there anything that can be done to have the correct type at index time? Cheers, Steve

Forward data to syslog-ng from splunk

Hi all, for some reason I need to forward "wineventlog" to syslog-ng from Splunk Enterprise. Since I have 2 source IPs in wineventlog, I want to separate the source IPs by port. I don't know how to get this to work, even by attempting to force it, as per below.

props.conf

[wineventlog]
TRANSFORMS-routing = routeHostA, routeHostB

transforms.conf

# FORMAT must name the tcpout group exactly as it appears in outputs.conf
[routeHostA]
REGEX = (10\.1\.12\.1)
DEST_KEY = _TCP_ROUTING
FORMAT = routeHostA

[routeHostB]
REGEX = (10\.1\.12\.2)
DEST_KEY = _TCP_ROUTING
FORMAT = routeHostB

outputs.conf

[tcpout]
defaultGroup = nothing

[tcpout:routeHostA]
disabled = false
sendCookedData = false
server = 10.2.12.1:514

[tcpout:routeHostB]
disabled = false
sendCookedData = false
server = 10.2.12.2:515

Two problems: (1) When I forward sourcetype=wineventlog to syslog-ng, I found that all other sourcetypes are lost at the same time; they can't even be searched in Splunk. (2) When I run the unix command netstat -an | grep tcp, only port 514 shows as ESTABLISHED. Is there anything I missed? Thanks in advance!

Best method of alerting on unusual web behavior ?

Hi guys, I'm looking for some help / advice around unusual web-based behaviour. We have our POST and GET logs for all users' web activity going into Splunk; what I don't really know is how to alert on odd behaviour, what odd behaviour would look like, and how best to look into it. I guess what I'm looking for is someone that has already implemented some basic form of user behaviour alerting for web traffic. Can anyone help?

indexes.conf not working

Hi everyone, I have set indexes.conf like this:

[qt]
coldToFrozenDir = /SplunkBack/splunk/qt
frozenTimePeriodInSecs = 20736000

20736000 = 240 days, but I can still search last year's data. Splunk Enterprise = 6.6.3. Thanks

Three water gauges in a dashboard get same height waves

Hello, Splunkers. I have three water gauges in one dashboard. Each water gauge runs its own query with its own result. I'm having trouble because each water gauge shows the correct numerical value (corresponding to a percentage), but the height of the wave does not represent this value: the wave has the height of the value of the first water gauge in all water gauges, as the next image shows:

![alt text][1]

If I change the order of the water gauges, the waves still get the height of the first value:

![alt text][2]

I have tried to put an id on each viz tag of the water gauges, and they still work wrong. Any idea about what could be happening? Thanks!!

[1]: /storage/temp/217653-capture1.png
[2]: /storage/temp/217654-capture2.png

Whitelisting for universal forwarder not working in 6.6.3.0

I am using UF 6.6.3.0 on my domain controller and the following is my inputs.conf. The whitelisting part is not working; I am seeing all event codes.

[WinEventLog://Security]
disabled = 0
start_from = newest
current_only = 1
evt_resolve_ad_obj = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 4723,4724,4740,4782
index = wineventlog
renderXml = false

Mask SSN on forwarder/indexer?

Tried this on both the forwarder and the indexer without success; what am I missing?

Log output: SignUpState='3.30' SSN='176783140'
Desired output: SSN='xxxxxxxxx'

props.conf

[source::e:\trs\log\accountweb\aw*.log]
# the value is quoted in the log, so the pattern has to include the quotes
SEDCMD-SSN = s/SSN='\d{9}'/SSN='xxxxxxxxx'/g

_____________________________________________

props.conf

[source::e:\trs\log\accountweb\aw*.log]
TRANSFORMS-anonymize = ssn-anonymizer, ssnlookup-anonymizer

transforms.conf

# DEST_KEY = _raw rewrites the whole event, so the groups must capture
# everything before and after the digits
[ssn-anonymizer]
REGEX = (?s)^(.*SSN=')[0-9]{9}('.*)$
FORMAT = $1#########$2
DEST_KEY = _raw

[ssnlookup-anonymizer]
REGEX = (?s)^(.*SSNLookup=')[0-9]{9}('.*)$
FORMAT = $1#########$2
DEST_KEY = _raw
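An added check, not from the post above, for trying the masking substitution locally before it goes into props.conf. It uses POSIX `sed -E` with `[0-9]` because sed has no `\d`; the SEDCMD line Splunk would take is in the comments, and the sample log lines are constructed. The caveat a practitioner wants here: SEDCMD and index-time TRANSFORMS are applied by the first full Splunk instance that parses the data (a heavy forwarder or the indexer), not by a universal forwarder, so putting the props.conf on a UF does nothing, and the only proof that masking happened is a search over what the indexer actually stored.

```shell
#!/bin/sh
# Added example, not from the original post: check the SSN-masking
# substitution locally before it goes into props.conf.
#
# Splunk's SEDCMD takes a PCRE-style s/// expression; POSIX sed has no \d,
# so [0-9] is used here and means the same thing. The equivalent props.conf
# line (under the source stanza from the post) would be:
#   SEDCMD-SSN = s/(SSN|SSNLookup)='[0-9]{9}'/\1='xxxxxxxxx'/g

# Constructed sample lines (not real data): a plain SSN, a line with both
# fields, and a line with nothing to mask.
SAMPLE_LOG="SignUpState='3.30' SSN='176783140'
SSNLookup='123456789' SSN='987654321' Result='OK'
SignUpState='1.00' Name='alice'"

# Mask every quoted nine-digit SSN / SSNLookup value on stdin, keeping the
# field name (\1) and the quotes so downstream field extraction still works.
mask_ssn() {
    sed -E "s/(SSN|SSNLookup)='[0-9]{9}'/\\1='xxxxxxxxx'/g"
}

# Succeed only if no unmasked nine-digit value is left on stdin. Run it on
# the masked output here, or on a search export from the indexer after
# deploying the SEDCMD, to prove the masking actually happened.
no_ssn_left() {
    ! grep -Eq "(SSN|SSNLookup)='[0-9]{9}'"
}

# Offline check:  sh ./mask_ssn.sh --demo   (whatever this file is saved as)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | mask_ssn
fi
```

The alternation lists the longer field name second, which is fine for both PCRE and POSIX ERE here: at `SSNLookup='` the `SSN` branch fails on the `L` and the engine falls through to `SSNLookup`, so both fields are masked on the second sample line and the third line passes through untouched.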

Correlation Search error messages in ES

Hi all, I have configured a test correlation search using the Content Management tab. Now I am getting the below message in Splunk repeatedly:

<>

I disabled the search and deleted the alert rule that was created in the Search & Reporting app as a part of this correlation search creation (I guess so; correct me on this too). This resulted in removal of the correlation search from ES that I created and disabled, but I am still getting the same message. Kindly share if I have done anything incorrect or something else needs to be done.

Should accelerated reports always be scheduled?

I have created an accelerated report with a summary range of 1 day. Should I also schedule this report with a cron schedule to run, let's say, hourly? If the accelerated report is not scheduled, how is Splunk going to build the summary in this case?

javascript doesn't execute in dashboard

Hello, I created a dashboard using this XML file:

`FL ERRORS
FL ERRS
Select a market:
<br/>
Here's the search:`

but it doesn't execute the JavaScript file, and I have an empty dashboard. Is something missing in my JavaScript? Thanks, Fausto

--------------------------------

The JavaScript file is:

require([
    "splunkjs/mvc",
    "splunkjs/mvc/utils",          // needed for utils.getCurrentApp()
    "jquery",
    "splunkjs/mvc/searchmanager",
    "splunkjs/mvc/dropdownview",
    "splunkjs/mvc/tableview",
    "splunkjs/mvc/textinputview",
    "splunkjs/mvc/simplexml/ready!"
], function(mvc, utils, $, SearchManager, DropdownView, TableView, TextInputView) {

    // Search query is based on the selected market
    var fl_error_search = new SearchManager({
        "id": "fl_error_search",
        "cache": true,
        "earliest_time": "0",
        "latest_time": "$latest$",
        "app": utils.getCurrentApp(),
        "search": mvc.tokenSafe("$searchQuery$")
    });

    // Display the list of markets
    var marketlist = new DropdownView({
        "id": "marketlist",
        "choices": [
            {label: "ITA", value: "ITA"},
            {label: "DEU", value: "DEU"},
            {label: "FRA", value: "FRA"},
            {label: "USA", value: "USA"},
            {label: "", value: "*"}
        ],
        "showClearButton": false,
        "value": mvc.tokenSafe("$marketName$"),
        "el": $("#marketlist")
    }).render();

    // When the $marketName$ token changes, form the search query.
    // Backbone passes (model, value) to change handlers, so the new value is the second argument.
    var defaultTokenModel = mvc.Components.get("default");
    defaultTokenModel.on("change:marketName", function(model, marketName) {
        var newQuery = "|datamodel msc_logger b2c search | fields msc_logger.CORRELATION_ID, msc_logger.MarketCode, MessageText | search msc_logger.CORRELATION_ID!=NULL | transaction msc_logger.CORRELATION_ID maxspan=5m |";
        // the inner quotes must be escaped, otherwise the string literal ends early and the whole file fails to parse
        newQuery = newQuery + " search msc_logger.MarketCode=" + marketName + " | stats count AS \"Total\" BY MessageText | sort 3 - Total";
        // Update the $searchQuery$ token value
        defaultTokenModel.set('searchQuery', newQuery);
    });

    // Show the generated query and the search results
    var textinput1 = new TextInputView({
        "id": "textinput1",
        "value": mvc.tokenSafe("$searchQuery$"),
        "el": $("#text1")
    }).render();

    var tableindex = new TableView({
        "id": "tableindex",
        "managerid": "fl_error_search",
        "pageSize": 5,
        "el": $("#tableindex")
    }).render();
});

Getting outer values in a transaction that has repeated startswith endswith parms

Hi there, I've been trying to solve an issue I have when using transactions. Here's an example of the logs I am working with (the leading 0-15 are only there for clarity / illustration and are not in the actual logs):

0  [9/26/15 0:31:06:105 CDT] 0000958c Mad I classmad info Begin|txntype|196476||||011|0123456789|0123456789
1  [9/26/15 0:31:06:105 CDT] 0000958c SystemOut O Begin|txntype|196476||||011|000016914100015|0123456789
2  [9/26/15 0:31:06:105 CDT] 0000958c SystemOut O Other row
3  [9/26/15 0:31:06:105 CDT] 0000958c SystemOut O Other row
4  [9/26/15 0:31:06:105 CDT] 0000958c SystemErr O Other row
5  [9/26/15 0:31:06:106 CDT] 0000958c SystemOut O End|txntype|196476||2|87|003|0123456789|0123456789|011|0123456789|0123456789
6  [9/26/15 0:31:06:108 CDT] 0000958c Mad I classmad info End|txntype|196476||1|848|003|0123456789|16057
7  [9/26/15 0:58:02:332 CDT] 0000013a Mad I classmad info Begin|txntype|221183||||011|0123456789|0123456789
8  [9/26/15 0:58:02:332 CDT] 0000013a SystemOut O Begin|MEMGET|221183||||011|000000762100300|99945750000172
9  [9/26/15 0:58:02:342 CDT] 0000013a SystemOut O Other rows
10 [9/26/15 0:58:02:372 CDT] 0000013a SystemInfo O Other rows
11 [9/26/15 0:58:02:373 CDT] 0000013a Mad I classmad info End|txntype|221183||2|65|011|0123456789|0123456789|011|0123456789|0123456789

The fields 0000958c / 0000013a represent a thread id, which should be present throughout the transaction and can be reused once a transaction finishes. The strings Mad / SystemOut represent the classes generating the logging, while the third pipe-delimited field is a unique correlation id which only appears in lines with Begin / End; for rows 0, 1, 5 and 6, for example, this value is 196476. I am interested in capturing the transaction around the outer rows containing the Begin and End strings, by thread and correlation id. In that vein, rows 0-6 should be a transaction based on startswith "Begin\|" and endswith "End\|", as should rows 7-11.

Unfortunately the logging order of the classes Mad / SystemOut is not guaranteed; it is also not guaranteed that both will log a Begin / End line, but it is guaranteed that between them a Begin and End will be logged, so we could end up with logs like this just as validly as the ones above:

12 [9/26/15 0:31:06:105 CDT] 0000958c SystemOut O Begin|txntype|196464||||011|000016914100015|0123456789
13 [9/26/15 0:31:06:105 CDT] 0000958c SystemWarn O Other row
14 [9/26/15 0:31:06:108 CDT] 0000958c Mad I classmad info End|txntype|196464||1|848|003|0123456789|16057
15 [9/26/15 0:31:06:106 CDT] 0000958c SystemOut O End|txntype|196464||2|87|003|0123456789|0123456789|011|0123456789|0123456789

in which case I would expect the transaction to be rows 12-15. I have been using the following transaction, but am getting inconsistent results, as I do not feel I am getting the outer rows for Begin and End based on the thread:

| transaction correlationid thread startswith="*Begin\|*" endswith="*End\|*"

Is there any way to force this to use the widest match possible, i.e. the outer matching cases? Also I know that by using the correlationid I only get the Begin / End lines, but I couldn't see how to perform the match without having it in there. I've also tried using various combinations of the class type with Begin / End, but it was no use as you are never sure exactly which you are going to get. Thanks in advance, N

How many logs does an Index get in a 24hour Period?

Afternoon Splunk gurus. I wonder if you would be so kind as to help / point me in the right direction? I'm new to Splunk and still getting used to extracting data. I'm looking to find out how to get the total number of logs which go to an index in a set time period (24 hours), or even how to get all the indexes currently in Splunk, with log source and number of logs in the last 24 hours. Many thanks for any help provided.

How to pull the details of a triggered alert for the last 7 days (when it was triggered, how many times and whom it was sent to)?

Hi, I have the same issue as mentioned in this question (https://answers.splunk.com/answers/329954/how-can-i-create-a-report-on-alert-information-wha.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev) and am looking for a resolution. I followed the same query but it didn't work for me. Can you guys please help me out? FYI: I am using Splunk Enterprise, version 6.3.2. I was able to get the list of all the enabled alerts from here:

| rest /servicesNS/-/-/saved/searches

But I need to get the details of how many times the alert was triggered in a particular time duration, what the alert was, and at what time (when). Thank you!

timechart - show every week, even if there is no value

Hi, I am creating a timechart and in some of my weeks I have no value for a field ("Number Of Lines"). I need the timechart to present every week, and when there is no value for a week, fill it with a value of 0 in the field "Number Of Lines". I have tried fillnull but it is not working. My query:

index=testeda_p groupID=sloc_data | eval _time = strptime(dateformat, "%m-%d-%Y") | timechart span=1w sum(sloc) as "Number Of Lines"

Thanks

How to generate token for netskope input

Following the instructions for the Netskope app there should be an option under Settings - Tools - REST API, but I am not seeing it. Is my app limited or is there another location where I can generate an API key to provide to the Netskope Splunk app?

Windows Security events: why are some not logging in Splunk?

I have a UF set up on a Windows 2012 server. I am logging Windows Security logs, but I see some in the Event Viewer that are not going into Splunk. How can I get all the logs to go into Splunk from the Windows server?

permissions for scripts in TA-nmon

Hi, Do the Embedded Scripts in the TA-nmon require special permissions like root privileges/ACLs ? thanks, Shreedeep Mitra.

