Hi,
I have one problem in making a report. In my report result I have repeated names; how can I avoid showing the repeated name in the result?
I put the screenshot here: ![alt text][1]
I want to show the last logon status for each user without showing the repeated name. How can I do it?
[1]: /storage/temp/216638-untitled.png
Don't show repeated results
Are there best practices for CIM datamodel mapping for PaloAlto firewalls?
Are there best practices when mapping PaloAlto firewall logs to CIM datamodels?
One thing that I noticed is that Network_Traffic maps anything with tag="network" and tag="communicate". This means all logs of type "start" and "end", which are not filter terms for the Network_Traffic datamodel. It seems to me that the datamodel should only include "end" events to prevent double counting traffic. Is that right? Are there other considerations for how Palo Alto firewall logs should get mapped into Network_Traffic?
How about how Palo Alto firewall logs get mapped into other datamodels?
- Network_Sessions
- Web
Are there best practice docs for other log sources getting properly mapped to CIM datamodels? If not, such docs could prove invaluable to a person trying to get their datamodels working properly.
This has been bugging me since we implemented Splunk ES. Our professional services consultant thought I should have had an answer for Network_Traffic (we didn't even address others), but without more knowledge of how the datamodels were used, I could not know.
Custom alert action script return value handling
If I create a custom alert action script normally the output sent to stderr is logged by Splunk.
But if I use the `alert.execute.cmd` option this output is not logged.
Is there a way to capture the output of these custom scripts?
JSON Search Challenge
Hi all,
Very close with the offerings in other JSON/SPATH posts but just not getting it done.
We have a JSON formatted log coming into Splunk that gives a ton of data on our servers. One of them being a 'metal' field that we classify our systems by. We'd like to parse that values.metal field and build a stats table (?) that shows how many systems are in each metal.
The current search (which isn't working well) is:
    index=unix source="/var/log/facts/*" metal | stats distinct_count(host) by values.metal
Here's some of the JSON file:
    {
      "name": "toritsgitvlp01.xx.com",
      "values": {
        "aio_agent_build": "1.7.2",
        "aio_agent_version": "1.7.2",
        "architecture": "x86_64",
        "augeas": {
          "version": "1.4.0"
        },
        ......
      },
      "memoryfree": "6.76 GiB",
      "memoryfree_mb": 6918.28125,
      "memorysize": "7.63 GiB",
      "memorysize_mb": 7815.03125,
      "metal": [
        "dirt"
      ],
      .......
Any help MUCH appreciated.
Index Volume by Host
I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under the main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back.
From:
    index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
To:
    index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)
But, with only:
    index="main" source="WMI:WinEventLog:Security"
it brings back 2710 results from today.
I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason...
Scatter Plot zoom
Hello All,
I have a scatter plot visualization.
I am trying to zoom the visualization using the mouse cursor but it's not happening. If I make the same visualization as a bar chart I can zoom it. Is there any issue such that a scatter plot in Splunk cannot be zoomed?
![alt text][1]
Can someone please let me know how I can zoom the scatter plot?
Regards
Shailendra Patil
[1]: /storage/temp/217674-screen-shot-2017-09-27-at-120952-pm.png
How to increase the retention time of Splunk Monitoring Console reports
How do I increase the retention time of Splunk Monitoring Console reports in a distributed environment?
Splunk lookup using csv-keys as input and csv-values as output
I have event data as follows: `a,b,",1,2,3,",c,d`
And I have a lookup table as follows:
    key, value
    1, one
    2, two
    3, three
    4, four
I need the following output using the lookup:
    a,b,",one,two,three,",c,d
Note that ",1,2,3," is not fixed in size.
Any help appreciated.
Splunk Supporting Add-on for Active Directory: ERROR socket ssl wrapping error
External search command 'ldapsearch' returned error code 1. Script output = " ERROR socket ssl wrapping error: [Errno 104] Connection reset by peer "
I installed and configured the "Splunk Supporting Add-on for AD" add-on on the search head, but when I click the "Test Connection" button I get the following error message:
**External search command 'ldapsearch' returned error code 1. Script output = " ERROR socket ssl wrapping error: [Errno 104] Connection reset by peer "**
Did anyone else get this issue? Please help me fix it.
I added a commands.conf file in the ../local directory; even then the issue remains the same.
Can I perform stats count on a substring using regex?
I have log events such as:
    activity:http://xyz/rest/876
    http://xyz/rest/223
    http://xyz/rest/263
    http://xyz/rest/4534
    http://abc/rest/1
When I do stats count by activity I want to get results as:
    http://xyz/rest 4
    http://abc/rest 1
How can it be best done?
Why are results different if my search is used in the dashboard versus the search bar?
I have used a subsearch. When running from the search bar it's showing the correct result as a single value, but when I put it on a dashboard panel it's showing "No results found". I tried to put the query in CDATA as well, but no luck.
    index="aa1" sourcetype="adlist" earliest=-8d latest=now
    | table ComputerName
    | dedup ComputerName
    | eval ComputerName = lower(ComputerName)
    | join type=inner ComputerName
        [ search index="aa1" sourcetype="serverg" earliest=-8d latest=now
        | rename Name as "ComputerName"
        | eval ComputerName = lower(ComputerName)
        | table ComputerName
        ]
    | join type=inner ComputerName
        [ search index=bb1 source=DSM sourcetype=hostp earliest=-2d latest=now
        | rex field=_raw "Hostname=\"(?P<Hostname>[^.]+)"
        | rename Hostname as "ComputerName"
        | eval ComputerName = lower(ComputerName)
        | table ComputerName, Pattern
        | join type=left "Pattern"
            [ search index=bb1 source=DSM sourcetype=hostp earliest=-2d latest=now
            | table Pattern
            | dedup Pattern
            | sort -"Pattern"
            | streamstats count as row
            | eval Compliance = case(row=1, "Compliant(N, N-1, N-2)", row=2, "Compliant(N, N-1, N-2)", row=3, "Compliant(N, N-1, N-2)", row>3, "Non Compliant")
            | table "Pattern", Compliance
            ]
        | table ComputerName, Pattern, Compliance
        ]
    | table ComputerName, Pattern, Compliance
    | top limit=10 Compliance
    | search Compliance="Compliant(N, N-1, N-2)"
    | fields count
Why am I receiving "No matching visualization found for type: treemap" message?
***No matching visualization found for type: treemap, in app: aiam-common-visual-6_4***
I've already checked the permissions and the app settings.
I am also using other custom visualizations and they all work except for the treemap.
And when I try to run the search separately from the dashboard, the treemap works fine.
Is it more efficient to search in the main index with data from the summary index?
I have created a dashboard with 6 panels, with a last-7-days time frame (from today), for the transaction count between the A-b, B-c and C-D applications. Daily, more than 1 lakh+ transactions are flowing, and now I want to use a summary index to improve the performance.
As the summary index gives fast searches, my requirement is: I want to use the regular index for capturing today's data, and for the last 6 days it should take the data from the summary index.
Please help me with the queries and commands which I can use.
Can I use dedup to remove a duplicate value in my report and to show only the last log? Other options?
Hi,
I have one problem in making a report. In my report result I have repeated names; how can I avoid showing the repeated name in the result?
I put the screenshot here: ![alt text][1]
I want to show the last logon status for each user without showing the repeated name. How can I do it?
[1]: /storage/temp/216638-untitled.png
missing users.ini file
I have been getting a message that says that a file has been improperly modified or is missing. The result of the integrity check says that the file that failed is users.ini, located in /etc/users. Upon inspection of the folder, the users.ini file is named users.ini.pre405 and its size is 0 KB. This doesn't prevent Splunk from working, but it is more of an annoyance right now. Can anyone help me with resolving this issue?
Thank you in advance.
Configuration:
Splunk 6.6.3
Windows 2012 R2
16 CPU Cores/32 Virtual CPU Cores
256 GB Memory
3TB disk space
Splunk 7.0 installation failed to complete
I am upgrading to Splunk 7.0. The installer hangs and does not complete.
Running Win10 1703 on VMware 12.
Looking for help.
Alert Manager app: Can I integrate alerts to all search heads in a search head cluster?
Hi,
I have a search head cluster with 3 members. I want to integrate the Alert Manager app in the search head cluster in such a way that on all the search heads I should be able to get all the alerts, OR all the alerts should come to any one search head.
Because right now what is happening is that the Alert Manager app has been installed on all the search heads through the deployer and the "alerts" index is also created on all the search heads.
And whenever the scheduled searches run, different alerts are coming on different search heads. Typically the search head which initiates the search gets the alert triggered in Alert Manager.
How do I integrate Alert Manager so that the alert gets triggered on either all the search heads or any one?
Method for non-admin users to reset their password upon first login to Splunk?
Hi,
As an admin user I have logged into Splunk and created a few roles and users, then assigned a common password for all the users that I created.
How can I make users reset their password at first login?
Thanks
Mohanish
How do I edit permissions so customers can only view dashboards and reports?
Hi,
I wish to provide a Splunk application to our customers, but I do not want to provide them with 'search' capabilities.
I have tried removing permissions for Search & Reporting, but then I also lose the 'Dashboards' and 'Reporting' capabilities.
Also, removing 'search' from the user interface of the application does not solve the issue, as the users can get to search by right-clicking any result.
Any recommendations on how to address this issue?
Thanks in advance
Why does my search that checks for extract yield events twice with two different timestamps?
I recently set up a Splunk dashboard integrated with Tableau. When I run the query mentioned below it gives me a count of successful extracts for today.
    host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count
But recently when the query ran it showed two results for the same extract when it should be 1. Also, if you look at both events closely, even though both have a date of 09/27/2017, the first displays date_mday = 27 and the second result date_mday = 26. What can I add to the query so that it does not duplicate and displays only today's results?
9/27/17
7:30:04.734 AM
2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662
date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --_::._-_(,,,)_---_:___....._-___:_/_:_:_()_+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default
9/27/17
12:50:47.694 AM
2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195
date_mday = 26 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --_::._-_(,,,)_---_:___....._-___:_/_:_:_()_+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default