I had heard that SPLUNK comes with some additional software, can someone tell me what that is?
What additional software gets automatically shipped with Splunk?
How to use token substitution in the payload with the POST method in the REST API Modular Input Add-on?
Hey all,
I use the REST Modular Input to fetch some Data from a Backup System.
Everything works fine, even Token substitution ($ids$) with the GET method. Now I need to fetch data with the POST method on a single endpoint but where the **Token substitution** takes place in the **request payload**. So in principle something like:
request_payload =
Is there a way to implement this?
Splunk - Log Reduce solutions?
What is Splunk using for their Log Reduce solution? Is it similar to what Sumo logic can do?
How to specify two different dates in a single search?
I have to fetch results for an event that happened on Sep. 1 and Sep. 6.
How do I specify two dates in single query?
Is the saved search called by the map function allowed to send emails/run scripts?
Hi, I want to send an email / run a script once for each of a bunch of IPs in a list, so I was going to iterate over them with the map function with a saved search instead of setting up a separate saved search for each IP. However, I can't get the emails to send. Is the saved search called by the map function allowed to send emails/run scripts?
Thanks,
Need a little help converting seconds to days, hours, minutes
Hi all,
Windows reports uptime as a very large number of seconds. I want to convert that to days, hours, minutes. I'm trying to get syntax provided in another post to work (and think I'm close), but now I'm receiving an "eval" command: Regex unmatched closing parens message whose cause I can't seem to find.
Here's my search:
index=windows sourcetype=WinEventLog* host!="*.xx.com" EventCode=6013 | rex "(?<secs>\d+)\ seconds.$" | convert rmunit(secs) as numSecs | eval stringSec=tostring(numSecs,"duration") | eval stringSecs=replace(stringSecs,"(\d+)\:(\d+)\(\d+)","\1h \2min \3s") | stats avg(duration) AS "Windows AVG Uptime"
Here's a sample of data:
10/9/17
12:01:44.000 PM
10/09/2017 12:01:44 PM
LogName=System
SourceName=EventLog
EventCode=6013
EventType=4
Type=Information
ComputerName=TORBSIVWD01.xx.com
TaskCategory=The operation completed successfully.
OpCode=None
RecordNumber=885007
Keywords=Classic
Message=The system uptime is 2132870 seconds.
All help MUCH appreciated!
Barry
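The conversion the post is after, as an added Python example that is not part of the original post or of Splunk. It parses the uptime from a 6013 event with a named capture group (the `rex` in the search needs one for `rmunit(secs)` to work), renders the seconds as days/hours/minutes/seconds, averages across events the way `stats avg` would, and shows that the post's replacement regex fails to compile for the same reason Splunk reports: `\(` is an escaped literal paren, so the final `)` has no opener. The event text and host names are constructed for the example.

```python
import re
from statistics import mean

# Constructed sample Windows System-log events (not real data): only the
# Message line matters for the uptime calculation.
SAMPLE_EVENTS = [
    "EventCode=6013\nComputerName=hostA.example.com\n"
    "Message=The system uptime is 2132870 seconds.",
    "EventCode=6013\nComputerName=hostB.example.com\n"
    "Message=The system uptime is 86400 seconds.",
]

# Named capture group, as the rex needs before `rmunit(secs)` can use the field.
UPTIME_RE = re.compile(r"The system uptime is (?P<secs>\d+) seconds\.")

# The replacement regex from the post: `\(` is a literal paren, so the last `)`
# is unmatched. The corrected form separates hours, minutes and seconds on ':'.
BROKEN_REPLACE_RE = r"(\d+)\:(\d+)\(\d+)"
FIXED_REPLACE_RE = r"(\d+):(\d+):(\d+)"


def regex_is_valid(pattern):
    """True when the pattern compiles; False on errors such as unmatched parens."""
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def parse_uptime_seconds(event):
    """Extract the uptime in seconds from a 6013 event, or None if it is absent."""
    m = UPTIME_RE.search(event)
    return int(m.group("secs")) if m else None


def format_duration(total_seconds):
    """Render seconds as 'Dd Hh Mmin Ss', the readable form the post wants."""
    days, rem = divmod(int(total_seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}min {seconds}s"


def average_uptime_seconds(events):
    """Average uptime over events with a parsable uptime (what `stats avg` does)."""
    values = [s for s in map(parse_uptime_seconds, events) if s is not None]
    return mean(values) if values else None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        secs = parse_uptime_seconds(ev)
        print(secs, "->", format_duration(secs))
    print("average:", format_duration(average_uptime_seconds(SAMPLE_EVENTS)))
    print("broken replace regex compiles:", regex_is_valid(BROKEN_REPLACE_RE))
```

Note that the average is taken over the numeric seconds, not the formatted string; the search in the post averages `duration`, a field it never creates, so the averaging has to happen on `numSecs` before any string formatting.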
How can I identify hosts that don't have any events over a 4-hour period and create an alert?
I want to identify any host that doesn't have any events over a four hour period and create an alert. Having trouble extracting the individual host.
index=ind1
| timechart span=4h count by host
| where count = 0
| table host count time
How can I run stats sum on the same search for two different values?
I have the following search:
index="data_integration" host="sampledata" sourcetype="csv" Object_Account="4*" OR Object_Account="5*"|stats sum("Domestic _Amount") AS CM
and the following second search:
index="data_integration" host="sampledata" sourcetype="csv" Object_Account="4*"| stats sum("Domestic _Amount") AS Sales
I want to be able to divide CM/Sales. What is the best command or the best way to join these two searches in order to do the division?
Search returns "No results found", when it should be returning 1.
The search below looks for an event for a specific client during a specific time. If the event is not there, I would want to be notified, thus a "1" should be returned.
There is no event, so noNull is 0. The case statement "end" should be "1-0" (1-noNull), so 1 should be returned. However, I get "No results found." FYI: the search does work if noNull is 1.
source=*D:\\FHSO\\imports* source=*daily\\imports* End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| where ClientID="WHI"
| where ((like(source,"%"."WHI"."%")) AND time>"02:00:00" AND time<"02:25:00")
| stats count as lateEnds
| eval noNull = if(ISNULL(lateEnds),0,lateEnds)
| eval end = case(ClientID="WHI", 1-noNull ) | table end
Help understanding standard deviation alert for entries that have a count of 0?
I have seen several similar questions asked, but they are often answered in different ways so I'm hoping whoever answers this can explain why they created the search string the way they did.
I have multiple hosts and I want to create an alert if the count of events reduces by more than 2 standard deviations on a per hour basis for the last four weeks for each host. I have seen many examples that used buckets while others used timechart. My understanding is that bucket will not include entries that have a count of 0 so timechart should be used, is this correct?
index=is1
| timechart span=1h count by host
| stats stdev(count) AS Stdev
| eval thresh=Stdev*2
| where count < thresh
| table host count
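Both this post and the earlier one about hosts with no events over a four-hour window come down to the same detection: count events per host per time window, keep the windows that have zero events, and compare the latest window with the host's own baseline. The following is an added Python example, not code from either post or from Splunk, showing that logic end to end: `bucket_counts` mirrors `timechart span=1h count by host` (zero windows are kept, which a plain `bucket | stats count by host` drops), `silent_hosts` is the "no events in the last N windows" alert, and `anomalous_drops` flags a host whose latest count falls more than k standard deviations below the mean of its earlier windows. The events, host names, epoch start and window sizes are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

SPAN = 3600           # one-hour windows, like `timechart span=1h`
START = 1507500000    # constructed epoch start of the baseline (not a real timestamp)
N_WINDOWS = 8         # 7 baseline hours plus the most recent hour being evaluated

# Constructed per-hour event counts (not real log data):
#   web1 logs steadily; web2 stops logging after hour 5; web3 drops sharply in hour 7.
PER_HOUR = {
    "web1": [10, 10, 10, 10, 10, 10, 10, 10],
    "web2": [10, 10, 10, 10, 10, 10, 0, 0],
    "web3": [10, 12, 9, 11, 10, 12, 9, 2],
}
# Expand the counts into (epoch_seconds, host) events, one per minute inside the hour.
EVENTS = [
    (START + h * SPAN + i * 60, host)
    for host, counts in PER_HOUR.items()
    for h, n in enumerate(counts)
    for i in range(n)
]


def bucket_counts(events, start=START, span=SPAN, n_windows=N_WINDOWS):
    """Count events per host per window, keeping zero-count windows."""
    counts = defaultdict(lambda: [0] * n_windows)
    for ts, host in events:
        idx = (ts - start) // span
        if 0 <= idx < n_windows:
            counts[host][idx] += 1
    return dict(counts)


def silent_hosts(counts, windows=1):
    """Hosts with no events at all in the last `windows` windows."""
    return sorted(h for h, c in counts.items() if sum(c[-windows:]) == 0)


def anomalous_drops(counts, k=2.0):
    """Hosts whose latest window is more than k standard deviations below the
    mean of their own earlier windows. Returns host -> (latest, threshold)."""
    flagged = {}
    for host, c in counts.items():
        baseline, latest = c[:-1], c[-1]
        threshold = mean(baseline) - k * pstdev(baseline)
        if latest < threshold:
            flagged[host] = (latest, round(threshold, 2))
    return flagged


if __name__ == "__main__":
    counts = bucket_counts(EVENTS)
    for host, c in sorted(counts.items()):
        print(host, c)
    print("silent in last 2 windows:", silent_hosts(counts, windows=2))
    print("drops (> 2 sigma below baseline):", anomalous_drops(counts))
```

Two caveats carry over to the SPL version. A host that sent nothing during the whole search window never appears in the counts at all, so the silence alert only covers hosts that logged at least once; an inventory list of expected hosts is needed to catch the rest. And a perfectly steady baseline has a standard deviation of zero, so any dip at all is flagged by the sigma test; the zero-count check and the sigma check are worth keeping as separate alerts.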
How to achieve pagination in Splunk?
My Splunk commands are:
1)
index=myIndex search base earliest=-1h latest= now
2)
index=myIndex search base earliest=-30m latest= -1h
3)
index=myIndex search base earliest=-30 latest= 30m
Splunk timezone change for a specific sourcetype
Hi,
I am using the timezone-converting attribute "_tzhint" to convert EDT to UTC. This attribute was able to convert event timestamps to UTC, but it is only converting very few events, not all. Below is how the configuration looks. When I use "TZ=UTC", Splunk is not converting to the UTC timezone; it is still using system time, which is the reason I used _tzhint.
[monitor:///web/appache.log]
disabled = false
followTail = 0
_tzhint=UTC
index = apache_web
sourcetype=web_logs
How to handle LINE_BREAKER regex for multiple capture groups? Specifically now that we are getting both ip4 and ip6 logs?
In the past we had an easy LINE_BREAKER regex that broke on newlines where an ip4 was present ([\r\n]+)\d+\.\d+\.\d+\.\d+
Now we have some logs with ip6 in addition to ip4 being logged, so I was hoping I could just do this by piping it out to alternate capture groups depending on which IP it matches:
([\r\n]+)(\d+\.\d+\.\d+\.\d+|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])))
Is there something where Splunk only expects one capture group to be here for the LINE_BREAKER regex? I'm wondering how we can handle line breakers now that we have two different styles of IP that can come in.
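An added Python example, not code from the post or from Splunk, that exercises the post's regex exactly as written. It assumes the behaviour described in the props.conf documentation for LINE_BREAKER: wherever the regex matches, the start of the first capturing group ends the previous event and the end of that group starts the next one, so the IP matched by the later groups stays at the front of the new event. `split_events` applies that rule, and `demote_inner_groups` rewrites every group after the first as non-capturing `(?:...)` so that only the newline group remains, which is the conservative form to use if extra capturing groups are a concern; on the constructed sample both forms split identically. The log lines, IPs and the continuation line are constructed for the example.

```python
import re

# Constructed raw chunk (not real log data): one IPv4-led event, one IPv6-led
# event that wraps onto a continuation line, and a link-local IPv6-led event.
RAW = (
    '10.1.2.3 - - [09/Oct/2017:12:01:44] "GET /a HTTP/1.1" 200\n'
    '2001:db8::1 - - [09/Oct/2017:12:01:45] "GET /b HTTP/1.1" 200\n'
    '  continuation of the previous event\n'
    'fe80::1%eth0 - - [09/Oct/2017:12:01:46] "GET /c HTTP/1.1" 404\n'
)

# The post's LINE_BREAKER pattern, unchanged, split across lines for readability.
USER_BREAKER = (
    r"([\r\n]+)(\d+\.\d+\.\d+\.\d+|"
    r"(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|"
    r"([0-9a-fA-F]{1,4}:){1,7}:|"
    r"([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|"
    r"([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|"
    r"([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|"
    r"([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|"
    r"([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|"
    r"[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|"
    r":((:[0-9a-fA-F]{1,4}){1,7}|:)|"
    r"fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|"
    r"::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}"
    r"(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|"
    r"([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}"
    r"(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])))"
)


def demote_inner_groups(pattern):
    """Rewrite every capturing group except the first as non-capturing (?:...).
    Assumes the pattern uses no backreferences; escape pairs and character
    classes are copied through untouched."""
    out, groups, in_class, i = [], 0, False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                       # keep escapes such as \. and \d intact
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and not pattern.startswith("(?", i):
            groups += 1
            if groups > 1:
                out.append("(?:")
                i += 1
                continue
        out.append(c)
        i += 1
    return "".join(out)


def split_events(raw, breaker):
    """Split raw text the way LINE_BREAKER does: the previous event ends where
    capture group 1 starts, the next begins where group 1 ends."""
    events, pos = [], 0
    for m in re.finditer(breaker, raw):
        end, nxt = m.span(1)
        events.append(raw[pos:end])
        pos = nxt
    events.append(raw[pos:])
    return [e for e in events if e]


if __name__ == "__main__":
    single = demote_inner_groups(USER_BREAKER)
    print("capturing groups:", re.compile(USER_BREAKER).groups, "->", re.compile(single).groups)
    for ev in split_events(RAW, single):
        print(repr(ev))
```

The indented continuation line is the case worth checking on real data: it is not followed by an IP, so it stays attached to the IPv6 event, which is exactly what a breaker keyed on "newline followed by an address" is meant to do.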
Will the Splunk Add-on for Microsoft SQL Server suffice to access logs from SQL server? Should I use Splunk DB Connect as well?
I wish to get only user access logs from SQL Server. Basically, who accesses what database at what time.
For this purpose, is the Splunk Add-on for Microsoft SQL Server enough, or is DB Connect also required?
My understanding is that I should be able to get the user access info from the AUDIT LOG, but I am uncertain about that.
How can I use the results of a search in a second search?
I'm running a query which returns the destination IP addresses of a user's external traffic in one column, something like this:
----dest-----
1.2.3.4
23.23.23.23
45.45.45.45
67.67.67.67
4.3.2.1
Which means the user accessed the IP addresses listed above (in the last 15 minutes, for example).
I'm also running a different query to do a DNS PTR record check of a given IP address, something like this:
index=dnslogs sourcetype=ptr_data dns_name="1.2.3.4" | stats values(query)
and it returns something like this:
----------DNS Value---------
google.com
What I'm trying to do is:
**AFTER** my first query **returns** this one-column result, I want to iterate over every value of each row in my next query to look for DNS PTR records and then merge the results of the queries.
What I mean is I need to run every IP address through this query and then merge the results. In my case:
my IP addresses are 1.2.3.4, 23.23.23.23, 45.45.45.45, 67.67.67.67, 4.3.2.1
x.x.x.x should be replaced by these IP addresses for each iteration
index=dnslogs sourcetype=ptr_data dns_name="x.x.x.x" | stats values(query)
And my expected results should look something like this:
----dest------ ---------DNS Value---------
1.2.3.4 google.com
23.23.23.23 NULL
45.45.45.45 whatsapp.com
web.whatsapp.com
67.67.67.67 twitter.com
4.3.2.1 NULL
The result above shows that some of the query results return **NULL**, some of them return **multiple values** like 45.45.45.45, and some of them return only **one** value.
Is there any way to do something like that? These two queries are completely different. I looked at subsearches, but it didn't work for me or I couldn't do this.
"What to Search" doesn't work.
"What to Search" on the right side of "Splunk Search" does not work.
⇒ Waiting for data…
The same goes for the Data summary...
Is it a bug?
Splunk Ver 6.6.2
Please give me some hints!
MSP and Enterprise License (To define pools from which license file)
I have 2 licenses, one of which is used for 1 customer and the other is shared among n customers (MSP - multitenant). For example:
1. License for Customer A (200GB), expiry date: 2018
2. For the other n customers (500 GB - 50 GB per customer), expiry date 2019
I can define pools for each customer. My question is, if I am stacking the above 2 licenses in one license master, can I create a single pool for Customer "A" which uses the first license file and does not share it with other customers? Is that possible?
Please suggest how I can achieve this kind of deployment.
Regards,
Ansif
Box Plot Viz
Hi,
I tried to install the Box Plot Viz downloaded from here --> https://splunkbase.splunk.com/app/3157/#/details
However, the installation failed with the error message: "There was an error processing the upload. Error during app install: failed to extract app from c:\windows\temp\tmp7bvdqu to C:\Program Files\Splunk\var\run\splunk\bundle_tmp\1b67b8f37873f7b6: The filename or extension is too long."
I tried to install this on Windows 10 (both the Splunk server and the web browser) and made sure the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled = 1, as suggested by a similar post before.
Has anyone successfully installed this app on a Windows Splunk server? Any idea what I should do to install this app? Or is there any other chart like a box plot? Thanks!
How to change the default locale for the web UI
From the little documentation I can find, it seems that the Splunk search head web UI will attempt to use the locale configured in your browser.
I am in a European country whose language is not supported in Splunk, so the UI keeps defaulting to en_US.
How do I tell Splunk to default to en_GB (or one of the other supported Splunk languages) so we get more sensible timestamps in the UI?
I am looking for a "proper" solution (A simple configuration somewhere) and NOT having to manually change the URL address in the browser nor have to hack python files which may break on upgrades.