Channel: Questions in topic: "splunk-enterprise"

Can Splunk do this?

Hello, I have a report that shows me network events. Most of the events will have the "source IP" coming from a proxy and the destination being some URL. Is there a way to formulate the report query so that it contains the actual source of that event, based on another "nested" search that would identify the client that originated the proxy request (there would be something in common there, most likely a destination IP)? Thanks!

API call to Palo Alto for User to IP mapping lookup

I would like to add a dynamic lookup on my Splunk dashboard so that when an IP is entered it displays not only the traffic logs for the user but also the IP-user mapping and any groups the user belongs to. We have pantag and panuserupdate working, but this is more of a pull from the firewall instead of a push to the firewall:

```
inet-fw01(active)> show user ip-user-mapping ip 10.2.2.142
IP address:    10.2.2.142 (vsys1)
User:          us\myuser
From:          UIA
Idle Timeout:  43017s
Max. TTL:      43017s
Groups that the user belongs to (used in policy)
Group(s):      us\inet-standard-access
```

How is installing an HF different from a UF?

Hi, we are currently monitoring Windows security event logs across 3000 machines in our organization using UFs. These UFs forward data to an HF, and the HF routes data to a syslog server (for backup) and to the Splunk indexers. This all works fine so far, but we now have a requirement to forward the event logs that are stored in syslog to a third-party software/server, and this is causing issues. Instead of going through all the pain of parsing these logs in rsyslog, we are planning to replace the UFs with HFs on all these boxes and forward directly to the indexers and syslog from the endpoint. The question here is, will installing HFs on 2-3 thousand endpoints cause any spike in performance, or will it cause any remote management issues? Thanks in advance.

SPLUNK Binaries

I need to install my deployment server / license server that will be part of our Splunk Enterprise deployment. I didn't install our POC environment, so I am not sure what download I need for this. I think I need to have the 'SPLUNK' ID created as well? Thanks!

Timechart - map data over same interval everyday

Hi, I have a requirement to timechart data over the same time every day for the past one month. E.g.: maximum responseTime between 9 and 10 every day for the past month. The query to construct the timechart is:

```
host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 | timechart max(responseTime)
```

How do I modify this search such that the timechart displays values only between 9 and 10 (and not the whole day) every day? Sample chart given below.

Thanks,
Deepak

![alt text][1]

[1]: /storage/temp/217775-sample-data.png

Where can I regenerate Client Name info for a Universal Forwarder?

I am seeing multiple Host Names with duplicate Client Names in Forwarder Management. Why is this happening and how do I prevent it from happening?

How to grep a number from text

Hello, my log contains the entries below.

```
2017-10-06T04:19:25.658+0000 I NETWORK [initandlisten] connection accepted from 68.87.53.199:49991 #192 (10 connections now open)
```

I am looking for 2 things.

1. I want to create a timechart for "Totalconnections". This information comes from the string "(10 connections now open)"; here I want to timechart the number `10`.
2. I want to count the IP addresses to know how many connections there are per IP.

Where to create an inputs.conf to capture /var/log and send to an index. SHC and Indexer Cluster

My SHC of 3 members is Linux. I need to create an inputs.conf to ingest /var/log/* and send them to my indexer cluster. _internal data from all of my servers is being indexed properly, so I believe that the data flow is correct. I believe I need to do two things: 1) create an indexes.conf file on each search head and 2) create an inputs.conf file on each search head.

Step 1) On my deployer, I created /opt/splunk/etc/master-apps/_cluster/local/indexes.conf and executed `splunk apply shcluster-bundle` without errors. This is the contents of indexes.conf:

```
[linux]
coldPath = $SPLUNK_DB/linux/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/linux/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/linux/thaweddb
```

I cannot find the indexes.conf file on any of my search heads.

Step 2) I also created /shcluster/apps/locallinux/local/inputs.conf and executed `splunk apply shcluster-bundle` without errors. This is the contents of inputs.conf:

```
[monitor:///var/log/messages]
disabled = false
index = linux
sourcetype = syslog

[monitor:///var/log/cron]
disabled = false
index = linux
sourcetype = syslog
```

Same problem as above: I cannot find the inputs.conf file on any of my search heads.

In a separate, but bigger, picture of what I am trying to accomplish: on my license server and on my monitoring server, I created a linux index and used the web GUI to create the inputs, AND I have SPLUNK_HOME/etc/system/local/outputs.conf as below.

```
[indexAndForward]
index = false

[tcpout]
defaultGroup = DSCA_Indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:DSCA_Indexers]
server=10.20.38.11:9997, 10.20.38.12:9997, 10.20.38.13:9997
```

My Linux information gets to the indexers. The desired goal is to send ALL Enterprise Server Linux /var/log/* to the indexers.

How to build a cron expression in a Splunk alert to run in CST time?

Hi there, what would be the cron expression to run an alert every day at 11:00am CST (Central time)? Or is Splunk already taking the time zone from the operating system? Thanks

Where do you recommend installing the Cisco eStreamer eNcore Add-on for Splunk in a distributed environment?

I have 1 search head, 2 Linux heavy forwarders, 1 indexer, 1 Deployment server, and 3 Windows heavy forwarders.

How to Use an InputLookup File to provide authorized user list and Report back Users who are not in the inputlookup

I have an input lookup file, say 'ApprovedUsers.csv'. This contains a single field, SamAccountName. I want to compare this against the Account_Name field returned in a Windows Security Event Log search. I then want to compare the user who logged on per the log against the inputlookup file. If the user is NOT present in the lookup file, then I want it to fire an alert. My problem is I cannot seem to get the search using a 'NOT' operation against the lookup file. But perhaps there is a way to achieve this type of outcome? I've also done a little reading about search macros; would that be easier? I'm open to alternative options, or what is the best practice for this. Thanks! Dustin

Transaction based Alert Trigger with multiple conditions

I would like to create a trigger which fires based on multiple conditions.

Example scenario: A person is entering a room and the door sensor sends an "open" event to Splunk. Next the person switches on the light; the light sensor sends the "on" event to Splunk. The person leaves the room without switching the light off, and a door "close" event is sent to Splunk. Result: the person forgot to switch off the light. I would like to detect this.

I have two indexes.

Index 1: DoorSensors

```
Timestamp, DoorID, State
2017-10-06 12:01:30, Door1, Open
2017-10-06 12:03:50, Door1, Close
```

Index 2: LightSensors

```
Timestamp, LightSensor, State
2017-10-06 12:01:35, Light1, On
```

How can an alert trigger detect that someone forgot to turn off the light? I would like to run this in real time.

Is it possible to display the results of a search in a table visualization with a scroll bar instead of pages of events?

Is it possible to display the results of a search in a table with a scroll bar instead of pages of data? I want to display 10 rows at a time, but I don't want to have to move from page to page. I just want to scroll through the results of the search. We're using the Statistics Table visualization, but maybe there's a better option.

Palo Alto Networks App for Splunk: When creating a new index under the app drop-down, do you choose the PAN app or something else?

When creating the new index under the app drop-down, do you choose the Pan app or something else? ACTION REQUIRED: Create a new index called pan_logs using the Splunk GUI or on the command line. Also, in your Splunk role settings, add the pan_logs index to the list of Indexes searched by default.

Will configuring a Universal forwarder to send the same logs to two different Splunk instances cause performance issues?

Hi all, we are planning to configure a universal forwarder to send logs to two different Splunk instances, i.e. to clone data. The configuration we are going to use is:

In outputs.conf

```
[tcpout]
defaultGroup = default-autolb-group

[tcpout:indexer1]
server=A.A.A.A:9997, B.B.B.B:9997

[tcpout:indexer2]
server=C.C.C.C:9997, D.D.D.D:9997
```

In inputs.conf

```
[default]
_TCP_ROUTING = *
```

I just need to confirm, but will this cause performance issues on the server where the UF is installed?

How to compare values from two different searches and return the results if the values are equal

I have 2 searches.

Search1: `index=i_temp source=*source1*`

Results:

```
xCoord=1155276.2781774567 yCoord=1885220.7999824171
xCoord=1144751.2989115883 yCoord=1919044.2279770568
```

Search2: `index=i_production source=*feed*`

Results:

```
xCoord=1155276.2781774567 yCoord=1885220.799982417
```

I want to compare both search results and return the results if the string `xCoord=1155276.2781774567 yCoord=1885220.7999824171` is the same in both searches. In reality the results for both searches are larger in number. Thanks

Is there a way to generate a list of dates for a given month in Splunk?

Is there a way to generate a list of dates for a given month in Splunk?

How to compare the same month from multiple years?

I am doing a very basic search that just shows the top URIs during a specific month each year. I would like to be able to put multiple years within the same graph to do a quick visual comparison. My search is as follows:

```
source="/opt/gathered-logs/*/apache2/access_log" | stats count by uri
```

And I define the date range for the search (November 2015/16/17/etc.). I get the information I want from the graph in a pie graph, but it's not very helpful for comparison purposes. I'd like to just show an overall line graph that displays Nov. 2015 vs Nov. 2016 on the same graph. I don't really need to know individual stats per URI, so if I remove the `| stats count by uri`, I get the nice general green bar graph in Splunk, but I don't see a way to define two different date ranges and overlay them or whatever. Is this possible?

How to extract the numeric value and IP address from a string in my sample data?

Hello, my log contains the entries below.

```
2017-10-06T04:19:25.658+0000 I NETWORK [initandlisten] connection accepted from 12.34.56.789:12345 #192 (10 connections now open)
```

I am looking for 2 things.

1. I want to create a timechart for "Totalconnections". This information will come from the string "(10 connections now open)", and I want to timechart the number `10`.
2. I want to count the IP addresses to know how many connections there are per IP.
