Channel: Questions in topic: "splunk-enterprise"

My local Universal Forwarder to AWS Splunk Instance

I have a Splunk instance running on Amazon AWS for testing. I'm trying to configure my home PC to forward (universal forwarder) to the AWS Splunk instance. So far I'm not seeing anything. My AWS instance is on 1.2.3.4 (fake, obviously). And my computer's outputs.conf is:

```ini
[tcpout]
defaultGroup = group1

[tcpout:group1]
server = 1.2.3.4:9997
```

I'm not sure if there is anything else I should be doing. My router is allowing traffic on 9997. I can hit the web interface at 1.2.3.4:8000. I'm not sure what is happening.

Deployment server for deployment server

Is there any option in Splunk to use a deployment server to deploy apps to n number of deployment servers? The deployed apps should reside in the /deployed-apps folder of the client deployment server, which in turn deploys apps to the end machines. The client deployment server will reside on a different customer site having a different network and time zone.

Issue with SAML configuration

Hi all, my issue is not properly related to SAML configuration. We have a search head cluster where we are trying to enable SAML authentication instead of LDAP simple authentication. I'm using a different user than admin, but with more power. When I try to enable SAML, I receive a "User xxxx must have change_authentication capability" and then I can't access Splunk anymore!!!! The strange thing is that the user has the change_authentication capability. Any idea? Thank you in advance

How do I use the latest value given to replace a field that is NULL but both event have one common value?

As stated, I want the latest value in the "Hash Value" and "Type" columns to be filled in instead of "NA" and "Unknown", which I hardcoded if NULL. I want the latest value to be carried over instead of being null if the "Location" column has the common value. Referring to the screenshot, I want the file "what is this", its hash value and type from the latest event, which is below it, to be carried up.

![alt text][1]

[1]: /storage/temp/216758-point.png

Passing token value from one dashboard to another in drilldown

Hi, I want to pass a value from one dashboard to another with a drilldown click. I manage to pass it to an input in the second dashboard ($click.value$), but I don't want to show it to the user in the input, just use it in the charts. How do I pass the token value and Thanks

Not getting Indexes list in Indexer cluster.

![alt text][1]

My cluster master is not listing the indexes that are being shared by the peers. If I run a search `index=* | stats count by index` I am getting results, but I am not able to see the same in Settings -> Data -> Indexes. I have tried it on the search head also; no luck even there.

[1]: /storage/temp/217796-splunk-cluster-master.png

How can I break up one long line into multiple events?

I have a file that contains one really long line, see below. Example:

```
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ......
```

And so on. How can I break up each `["2017-10-09 13:05",976.0,"OK"]` into events? I first tried to accomplish this in props.conf with no luck. So now I'm adding the file using "upload file" just to see if I can break the line, still with no luck. Any pointers would be much appreciated.

Number of days between two dates in same event

In an event I have two dates: G_S="2017-10-07 23:21:19.0" and A_Z="2017-10-07 00:00:00.0". I have multiple examples but somehow I cannot get it working. I would like to know how to extract the number of days between these dates.
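
The conversion the question asks for, as an added example that is not part of the original post: both strings are parsed with strptime (the format string is assumed to match the values shown, with %N for the trailing fractional second), the difference in epoch seconds is divided by 86400, and makeresults builds a sample event from the question's two values so the search runs as-is.

```spl
| makeresults
| eval G_S="2017-10-07 23:21:19.0", A_Z="2017-10-07 00:00:00.0"
| eval gs_epoch=strptime(G_S, "%Y-%m-%d %H:%M:%S.%N"),
       az_epoch=strptime(A_Z, "%Y-%m-%d %H:%M:%S.%N")
| eval days_exact=round((gs_epoch - az_epoch) / 86400, 2),
       days_whole=floor((gs_epoch - az_epoch) / 86400)
| table G_S A_Z days_exact days_whole
```

With the values above this gives days_exact=0.97 and days_whole=0; against real events, drop the first two lines and keep the rest. If strptime returns nothing, the format string does not match the field exactly and must be adjusted before any arithmetic will work.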

Type of data for Machine Learning App

Hi all, will the Machine Learning app be useful for analysing server logs which contain the details of start and shut down of servers, exception details, server settings, etc.? Thanks

Escaping (*) in Fieldvalues while inputlookup

Hello everyone, I have the following problem. My inputlookup (a whitelist) has the following data structure:

```csv
host,dest_host,Host_Application
host1, dest_Host1,Host_Application1
host2, dest_Host2,Host_*2
```

My inputlookup is structured as follows:

```spl
NOT [| inputlookup something2exclude.csv | table * ]
```

The normalized search looks good for the first row (host1):

```spl
(host=host1 AND dest_Host=dest_Host1 AND Host_Application=Host_Application1)
```

But for the second row I get an error message:

> ...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.

How can I exclude the asterisk as a field value while using inputlookup?

How to configure different timezones requirement for different apps , running on same server such that same user has access to multiple apps?

Hi, we are working on a clustered environment, having multiple apps all running on the default server timezone (Europe/London). Each app has respective user roles defined, and we fetch data from MQs and databases in the UTC zone. In one of the apps, we need to show all dashboard panels with time fields as per America/NewYork. Since there are multiple users who log in, and these users have multiple roles (of various apps) assigned to them, we are facing issues achieving this. I have tried the options below but nothing seems to work.

1. Setting the time zone role-wise, as per the sample provided in the link below: https://answers.splunk.com/answers/439363/how-to-set-a-default-timezone-for-an-entire-multis.html Even though we set the time zone at role level, since for a user the time-zone parameter is set to default (i.e., the server time zone), this causes the role-level time zone to be overridden by the user-level time zone.
2. Changing the time zone at user level is tedious, as every time the user switches between apps, he needs to change the timezone setting.
3. Adding the offset difference to the time field during display on the dashboard using eval. Not recommended, as during daylight saving the offset varies.

Please suggest if there is any alternative to achieve an app-level timezone. Thanks in advance!

Logging Azure using Eventhub vs. direct from BlobStore

We are embarking on an install of Splunk in Azure. We are looking at the various methods offered for gathering Azure stats. What experiences have any of you had on this same journey? What is most scalable? It seems to me that using Event Hub is the way to go. But is it too expensive? Is there latency? How well does Splunk play with it? Any thoughts/experiences shared are much appreciated. Thanks in advance!

How to track the bundle size on indexers over time

Hi all, I wanted to set up an alert to monitor the bundle size and fire if the size is about to reach the limit. I am able to get the "max_content_length" for all indexers from a REST call, but I am unable to get the bundle size across all my indexers over time. Any clues? Thanks.

Modifying the body of the email message for saved searches

I have a saved search which sends an email to the users when a condition is met. I need to include an image in the body of the email before it is sent. When I go to the saved search > Edit > Advanced Edit > "action.email.message.report", I can only enter text in the box. Is there a way I can include an image to be displayed instead of the text?

Extracting a field from an existing field

Hello: I have an existing field named "filename" (extracted by Splunk) in this format: abcdefg.000000AB.DDD01A222222222222222222.xml. I want to create a new field that extracts the characters in the position of "DDD01A" in the field above. I do not want to lose the existing "filename" extraction; I want to add another column with the new value. The Extract New Fields GUI did not work. Can someone please advise? Thanks!
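
One way to pull that segment out without touching the existing filename field, as an added example that is not from the original post: rex reads filename and writes only the new field. The pattern assumes the wanted value is the first six characters of the third dot-separated segment, segment_code is an assumed name for the new field, and makeresults only supplies the sample value from the question.

```spl
| makeresults
| eval filename="abcdefg.000000AB.DDD01A222222222222222222.xml"
| rex field=filename "^[^.]+\.[^.]+\.(?<segment_code>[A-Z0-9]{6})"
| table filename segment_code
```

This yields segment_code=DDD01A while filename is unchanged; to make it permanent, the same regex can be saved as a field extraction on the sourcetype (Settings > Fields > Field extractions) with filename, not _raw, as the source field.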

How can I show the percentage of events that match a criteria?

I have the following query which provides me results for every 1 hour and for each mne as a single row:

```spl
index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222))
| rex field=_raw "^(?\d{4}-\d{2}-\d{2} \d{2}).*time*"
| eval mne=case(id=111111, "FIRST", id=222222,"SECOND")
| eval resp=case(time>=5 AND time<=2000, " 0 - 2 seconds", time>2000 AND time<=4000, " 2 - 4 seconds", time>4000 AND time<=6000, " 4 - 6 seconds", time>6000 AND time<=8000, " 6 - 8 seconds", time>8000 AND time<=10000, " 8 - 10 seconds", time>10000, "> 10 seconds")
| eval time_mne=time+":00 "+mne
| chart count over time_mne by resp
| addtotals
| sort time_mne desc
```

The output is displayed as:

| time_mne | 0-2 seconds | 2-4 seconds | Total |
|---|---|---|---|
| 2017-10-09 11:00 FIRST | 23 | 12 | 126 |
| 2017-10-09 11:00 SECOND | 21 | 16 | 120 |
| 2017-10-09 10:00 FIRST | 20 | 18 | 128 |
| 2017-10-09 10:00 SECOND | 22 | 15 | 124 |

What I want to do is add a percentage for one of the columns based on the total. E.g.: What percentage of the total are under 2-4 seconds? How do I do it?
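
An added example (not the questioner's own search) showing the percentage step: addtotals is given an explicit Total field, the single eval answers the 2-4 second case directly, and the foreach generalizes it to every bucket. The bucket labels are renamed to resp_* (no spaces) so the foreach wildcard can match them, and the hour is taken from _time with bin instead of the rex in the original; index, sourcetype and id values are the question's own.

```spl
index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222))
| eval mne=case(id=111111, "FIRST", id=222222, "SECOND")
| eval resp=case(time>=5 AND time<=2000, "resp_0_2s",
                 time>2000 AND time<=4000, "resp_2_4s",
                 time>4000 AND time<=6000, "resp_4_6s",
                 time>6000 AND time<=8000, "resp_6_8s",
                 time>8000 AND time<=10000, "resp_8_10s",
                 time>10000, "resp_over_10s")
| bin _time span=1h
| eval time_mne=strftime(_time, "%Y-%m-%d %H:%M")." ".mne
| chart count over time_mne by resp
| addtotals fieldname=Total
| eval pct_2_4s=round(resp_2_4s / Total * 100, 1)
| foreach resp_* [ eval pct_<<MATCHSTR>>=round(<<FIELD>> / Total * 100, 1) ]
| sort - time_mne
```

Columns produced by chart are referenced in eval like any other field; if the original labels with spaces are kept, wrap them in single quotes there ('2 - 4 seconds') and give foreach a pattern that matches them.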

Why isn't our firewall showing events? We're sending syslogs to a UDP port

Good afternoon, we have 3 firewalls that are sending their syslogs to a UDP port. 2 are showing events, one is not. It's like the events aren't being indexed. I tried sending the 1 firewall we aren't seeing data for to a different port mapped to the same sourcetype, to no avail. I do see splunkd listening on that port, and tcpdump shows data from that IP coming in on that port. What further steps may I take to diagnose this? Thank you in advance!!!

Sankey Diagram: How can I change Sankey node to red according to column value?

Hi Splunk Community, I know how to display a Sankey diagram in Splunk with the help of apps like Custom-SimpleXml-extension, Sankey diagram gallery and Dashboard examples. But that is all. What I want to do is to turn the nodes red to alert my users that there is an error at that node (in my case, node=equipment). For example, equipment 1 is connected to equipment 2, which is in turn connected to equipment 3. The number of connections between equipment 1 and 2 is c12, and so on. If c1 is 1, then the node that represents equipment 1 will turn red while the other nodes will have colors other than red.

Sample data:

```csv
eqpt1,eqpt2,eqpt3,c12,c23,c1,c2,c3
01-A-01,01-B-01,HB-C-01,50,100,0,1,0
01-A-01,01-B-02,HB-D-01,150,200,0,0,0
02-A-01,02-B-01,HB-D-01,350,100,1,0,0
```

Please guide me on which app to use and show me code snippets so that I can extend them to my scenario. I have been trying sample code snippets for days but unsuccessfully. Really unfamiliar with JavaScript. Many thanks in advance!

Help searching a CSV file with multiple conditions

Hi, I spent a lot of hours trying to find the request I need, with no success, so I ask for your help. My goal is to build a request with multiple field condition values extracted from a CSV. I have a CSV file with the below construction:

```spl
| inputlookup nios_member_ip_lookup | fields MEMBER_IP
```

```
MEMBER_IP
192.168.1.xx1
192.168.3.xx2
192.168.1.xx5
192.168.1.xx7
192.168.1.xx0
192.168.xx.x0
192.168.x.xx5
192.168.x.xx0
192.168.x.xx0
192.168.x.xx3
```

Based on this result, I would have all results from each defined value for a field, like:

```spl
index=ib_dns_summary report=si_dns_top_clients CLIENT=@IP1 OR CLIENT=@IP2 OR CLIENT=@IP3 ...
```

So I think I need to build a subsearch request, but I failed to do that. I tried this:

```spl
index=ib_dns_summary report=si_dns_top_clients CLIENT="$member_ip" [| inputlookup nios_member_ip_lookup | fields MEMBER_IP | rename MEMBER_IP as member_ip]
```

Thanks a lot for your help.
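
The same filter built two ways, as added examples that are not from the original post. In the first, the subsearch must return the field under the name the outer search filters on (CLIENT, not member_ip), and the explicit | format shows the (CLIENT="..." OR CLIENT="...") clause Splunk would generate implicitly. The second avoids the subsearch entirely, and its row limit, by filtering with a lookup against the same table; member_match is an assumed output field name.

```spl
index=ib_dns_summary report=si_dns_top_clients
    [ | inputlookup nios_member_ip_lookup
      | fields MEMBER_IP
      | rename MEMBER_IP AS CLIENT
      | format ]

index=ib_dns_summary report=si_dns_top_clients
| lookup nios_member_ip_lookup MEMBER_IP AS CLIENT OUTPUT MEMBER_IP AS member_match
| where isnotnull(member_match)
| fields - member_match
```

To see what the subsearch expands to, run the bracketed part on its own with | format at the end. Both forms need the lookup's MEMBER_IP values to equal CLIENT exactly; masked or CIDR entries only match if the lookup definition is configured for that kind of matching.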

Lists accounts in Splunk that have not been used (logon) for 90 days or more.?

Any query help is highly appreciated. Thanks in advance! Lists accounts in Splunk that have not been used (logon) for 90 days or more.
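
An added example of such a report, not from the original post. It assumes local Splunk accounts (the ones the REST users endpoint lists) and that successful logins are recorded in the _audit index as action=login_attempt info=succeeded; every account starts with last_login=0, successful logins in the last 90 days overwrite it, and whatever is still 0 has not logged on in that window. Reading _audit and the REST endpoint each require the corresponding permissions.

```spl
| rest /services/authentication/users splunk_server=local
| fields title
| rename title AS user
| eval last_login=0
| append
    [ search index=_audit action=login_attempt info=succeeded earliest=-90d
      | stats max(_time) AS last_login BY user ]
| stats max(last_login) AS last_login BY user
| where last_login=0
| table user
```

Accounts authenticated through LDAP or SAML are not listed by this endpoint unless Splunk holds a local entry for them, so compare the result with the directory's own last-logon data for those. The window cannot exceed the retention of the _audit index.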