Hi All,
Newbie here, would appreciate if anyone can help to answer this little question
Feeds from Vulnerability Scanner having two sourcetypes -
*sourcetype='A'*: We have *asset_id* and asset_name
*sourcetype='B*': We have *asset_id* and *vulnerability_name*
I need schedule a query (runs everyday) to output *assest_id* and *asset_name* details to a csv file or to an table from *sourcetype='A'*
In next query, need to table *asset_name*, *vulnerability_name* with respect to that of an *asset_id*.
**Please NOTE**: I was asked not to use 'Joining Commands'.
Thanks in Advance.
↧
How do I lookup/return a field from one sourcetype to another sourcetype?
↧
what format is the splunk certified user exam? just Q&A like the quizzes or practicum?
what format is the splunk certified user exam? is it exactly like the quizzes from Fundamentals 1 course or a practicum?
↧
↧
Web CIM Data Model on Reverse Proxy data
Hi there,
This is the second time I configure a Splunk Add-on for Reverse Proxy data.
As fields are similar to Proxy / Web datamodel, I just went on applying that DM to the Add-on via eventtypes & tags.
So far, I never had to use it through CIM, like in ES.
Now that I see ES Web dashboards, I am wondering if it makes any sense at all to have that Web CIM applied to such data because it does not include information such as incoming / outgoing such as Email Data does, and it rather makes things more confusing.
Might be a dumb questions, but I am interested in any comment!
↧
can we change index retention at any time?
Hello All,
we have multisite cluster environment running our current retention is set to default, can we change our retention now, is it suggested to do? what will be the impact.
↧
SPLUNK Deployment
We are in the process of migrating to SPLINK from Nitro. We have requested a deployment server to be built since deploying packages ( UF for Windows) takes a while.
Can I install deployment\license server with no other SPLUNK infra ( SH\INDEXER\HF).
↧
↧
This saved search cannot perform summary indexing because it has a malformed search.
I am trying to edit Summary Index for the scheduled search. I am getting the following error message:
**This saved search cannot perform summary indexing because it has a malformed search.**
There are no problems with the search as I can run it manually without issues.
Has anyone else experienced the same error message?
↧
Regex to filter security events does'nt work, need help
Hi Guys,
We have UFs on our DCs and 2 indexers and on both indexers, to drop the unwanted text from events
I tried using the following regex in the /opt/splunk/etc/slave-apps/Splunk_TA_windows/local/props.conf
[WinEventLog:Security] SEDCMD-shortern4624 = SEDCMD-shortern4624 = s/(?mis)(.*EventCode=4624.*)This event is generated when a logon session.*$/\1/g
it does not work
↧
Host field
one of my data sources has host field in the raw packet. However when we search the events the host field is the name of the forwarder. Where do I rename that? I do use a transform, so can it be done there on ingestion?
What would be the syntak? in the props.conf file?
↧
How to list my splunk admin users list and last login details.
I have a about 250 Admin users and I would like to to know when was the last time each of them have logged in. Is there a query that I can use
↧
↧
Free Splunk License - forward data from Splunk Forwarder
I installed the Free Version of Splunk and the Universal Forwarder. Under 'Add Data' i.e. Data Input there is an icon called forward (data from Splunk Forwarder). When I click on it, I get a message which says 'This feature is not available with your installed set of licenses. ' I am using the free version on my desktop so I can model a configuration before setting up in a corporate instance of Splunk. From what I can glean from the Splunk documentation, I should be able to setup the input on the free version of Splunk to accept data from a Universal Forwarder.
↧
How to Move users and there account from one splunk instance to another one ?
How to import users and there account from one splunk instance to another one ?
Any steps or documentation?
↧
Is splunk license based on size of data or is it based on number of events?
The reason i ask this is because i recently installed UFs on one of my DC and daily license has gone up by 15-20 gb but i dont see that much data coming into it.
events ike 4624 have the line count as 63 (seen from the interesting field column) and i read somewhere that splunk license count is based on line count field, which means 1 event of 4624 is counted as 63 events because of line count.
↧
Grouping by two fields, want to get distinct count of values in second field
Hi,
I wrote the following Splunk query which returns a list of distinct USER_AGENTs for each SESSION_ID:
index=abc | rex field=_raw "-S:(?\w+)-.+User agent: '(?.+)', Referrer" | stats count by SESSION_ID, USER_AGENT
I would now like to modify this query to return a list of SESSION_IDs that have more than one unique value for USER_AGENT, and the count of the unique values.
Thanks!
Jonathan
↧
↧
How can I capture these failures as timechart count by type of error in a single dashboard?
i have the following failures in the logs that i need to capture and show as timechart count by the type of errors , in a single dashboard .
Need help with framing the Query
UploadFile : Processing failed:
UploadFile : screen_error='Metadata file Transfer failed for'
UploadFile : status='failed', details='Metadata FTP failed. There is an orphan PDF on the system,
Caused by: java.lang.IllegalStateException: failed to connect
Caused by: java.lang.IllegalStateException: failed to create SFTP Session
SFTPServiceImpl : Failed to send file:
**P.S ;-** Just starting with splunk and having difficulty understanding splunk regular expressions . Need some links to interactive tutorials.
↧
Calculating bandwidth usage of Windows machines using WMI and Splunk
In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf:
[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 10
object = Network Interface
index = wmi
SplunkWeb Query:
earliest=-1d host=MyHost sourcetype="Perfmon:Network Interface" | eval MB_Usage=10*Value/1024/1024| timechart span=1h sum(MB_Usage)
(multiplying by 10 because interval=10 and WMI metric is Bytes/sec?)
Would that give me MB Usage by hour for the given host?
↧
How is the Splunk license measured?
The reason i ask this is because i recently installed UFs on one of my DC and daily license has gone up by 15-20 gb but i dont see that much data coming into it.
events ike 4624 have the line count as 63 (seen from the interesting field column) and i read somewhere that splunk license count is based on line count field, which means 1 event of 4624 is counted as 63 events because of line count.
↧
Accessing bash variables via a universal forwarder scripted input
When using a shell script on my splunk server I am able to access variables with no problem ie
#!/bin/bash
java -jar custom.jar -val $(date +%Y%m%d_%H%M)
However, when using the same script with the Universal Forwarder as a .path file the it does not execute.
Any suggestions on how to achieve this as a scripted input with the UF?
↧
↧
Splunk alert for missing logs
Hi,
Below is a snippet of log pattern generating tons of record. Intending to write a alert if any log are missing for given time time range.
sourcetype source activity
sourcetype1 myLog.log activity1
sourcetype1 myLog.log activity2
sourcetype2 myLog.log activity3
sourcetype2 myLog.log activity3
sourcetype3 myLog.log activity1
sourcetype3 myLog.log activity2
sourcetype3 myLog.log activity3
Is a search, lookup or simple individual query on sourcetype best approach for making sure logs are generated for each sourcetype? Looking for best approach. Thanks.
↧
convert a string with percentage sign to number
Hello,
I have this query to alert me when percentage_q_full reaches greater than certain number
eval alert=case((PERCENT_Q_FULL>90), "Critical", (PERCENT_Q_FULL>80), "Warning", true(), "N/A")
but all the column values of alert shows as N/A because PERCENT_Q_FULL has values in percentage. These values are being extracted using multikv.
PERCENT_Q_FULL
95.00%
3.12%
5.13%
0.00%
100.00%
How do I convert it so that alert column shows me critical vs warning ?
Thank you.
↧
How to use two time ranges in one search
Hi I am trying to search for two event types each in different time range. Here i am using time token. The eventtypes are "Password Change" and "Login". When i apply search for last 4 hrs, my query should search "password change" event for last 4 hrs and "login" event for last 8hrs. Similarly when i change the time filter my query should change accordingly.
index=new (EventType="Password Change" earliest=$token.earliest$ latest=$token.earliest$) OR (EventType="Login" earliest=$token.earliest$-4h latest=$token.earliest$) | remaining query
Anyone can help me in this?
↧