rex a process path from raw data
Would it be possible to search for certain events within the raw data?
For example I need to find events with C:\Windows\explorer.exe
I used | extract kvdelim=":\t" pairdelim="\n" on the raw events, but it's not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, but then I couldn't do any searches on the field, because I need to adjust fields.conf or something like that, so instead of creating fields, I was wondering if we could straight search for the events with rex?
Or maybe eval would be the better command to create a field and search for events within a field?
Edit hot/warm/cold data retentions
Hello
I want to add the below configuration to a specific indexer
Hot/Warm/Cold Data retention 6 months 1.75TB
Frozen Data retention 6 months
The configuration is
[myindex]
coldPath = $path\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $path\db
maxTotalDataSizeMB = 1835008
thawedPath = $path\thaweddb
maxDataSize = 1835008
frozenTimePeriodInSecs = 15780000
but when I am trying to add a new index I get an error like below
The following issues were found with submitted configuration: stanza=myindexparameter=maxDataSize Value supplied='1835008' is illegal; default='750'
PDF issue in mobile dashboard
Hi all,
When I am downloading the PDF it is downloaded with queries instead of values.
Please can anyone help with this issue.
Thanks!
Saved search parameters not passed to python script
Hi,
I am trying to pass arguments from a savedsearch result to a python script, and it does not work. Code below.
savedsearches.conf
[test_search]
action.log_message = 1
action.log_message.param.name = $name$
action.log_message.param.condition = $result.condition$
action.log_message.param.host = $result.host$
action.log_message.param.source = $result.source$
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */1 * * * *
disabled = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=main host=test_host source=test_source status=* earliest=-2m latest=now | eval condition=if(status!="OK","CRITICAL","OK") | stats last(condition) as condition by host,source
alert_actions.conf
[log_message]
is_custom = 1
label = test
description = test
icon_path = appIcon.png
alert.execute.cmd = test.py
payload_format = json
disabled = 0
param.name =
param.condition =
param.host =
param.source =
test.py
#!/bin/python
import json
import sys
import os
import datetime
# With payload_format = json, Splunk passes the alert payload to the script on stdin;
# the action's param.* values are under the "configuration" key of that JSON object.
# The original script never defined `config`, which is why nothing was written.
payload = json.load(sys.stdin)
config = payload['configuration']
timestamp = datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
name = config['name']
condition = config['condition']
host = config['host']
source = config['source']
f = open('temp.txt', 'w')
sys.stdout = f
sys.stderr = f
print(host, source, name, condition, timestamp)
f.close()
And I get no output. If I hard code some values in the script directly, then the file is written every time the script is triggered.
Expected output
('test_host', 'test_source', 'test_search', 'condition' , 'timestamp')
Thank you in advance.
Regards,
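An added example, not the poster's script, of reading the JSON payload that Splunk hands a custom alert action on stdin when payload_format = json: the param.* values arrive under "configuration" and the first result row under "result". The sample payload is constructed to mirror the savedsearches.conf above; falling back to the result row when a parameter token came through empty, and raising when it is missing in both places, are choices of this example, not Splunk behaviour.

```python
import json
import datetime

# Constructed sample of the payload a custom alert action receives on stdin
# (payload_format = json); values mirror the test_search stanza above.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "test_search",
    "result": {"host": "test_host", "source": "test_source", "condition": "CRITICAL"},
    "configuration": {
        "name": "test_search",
        "condition": "CRITICAL",
        "host": "test_host",
        "source": "",  # assume this token was left empty by the alert
    },
})

REQUIRED = ("name", "condition", "host", "source")


def parse_alert_payload(raw):
    """Return the four parameters the script needs plus a UTC timestamp.

    An empty configuration value falls back to the same-named field of the
    first result row (this example's assumption about the desired behaviour).
    A parameter missing in both places raises, so the failure shows up in
    splunkd.log instead of silently producing an empty output file.
    """
    payload = json.loads(raw)
    config = payload.get("configuration", {})
    result = payload.get("result", {})
    record = {}
    for key in REQUIRED:
        value = config.get(key) or result.get(key)
        if not value:
            raise ValueError("alert parameter %r is empty in payload" % key)
        record[key] = value
    now = datetime.datetime.now(datetime.timezone.utc)
    record["timestamp"] = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return record
```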
Regex question
Hi!
Can I make groups from `` with regex? Excel 1 9.3 6.9 N/A Excel 1 9.3 6.9 N/A Excel 1 9.3 6.9 N/A
I want to separate them as events. Thank you!
Diff in PROD and DEV with same data
We have exported and imported some data from our production to development environment with the same fields. But we found that "index=*" must be added to the query in the development environment. Could we know what we should set to make it the same as production? Thanks.
Splunk DB connect2: unable to restrict identities based on user role
There are two DB connections (say A and B) in our Splunk. I wanted to restrict user access only to the "B" database, and they should not have access to "A".
I have created a user role and granted read and write permission to the "B" DB connection, but the problem here is, they are still able to access the "A" database.
It looks like, if DBX capabilities are granted to a role, then they can access all the DB connections. Is there any way we can have users access only one connection and not all?
I restricted permission at the identity level and DB connection level, but still no luck.
Thanks in Advance!
Prem
Does CLI authentication per LDAP work while web authentication per SAML is activated?
We switched our Splunk web authentication from LDAP to SAML.
Now when I, for example, try to "apply cluster-bundle", I can't authenticate myself with my LDAP credentials anymore, only with the local Splunk admin.
Is there a way to configure the CLI authentication to use LDAP while the web authentication works with SAML?
How to index arbitrary number of fields and do tstats operations on them?
Hi,
I've got these strange XML logs, where each log has (among other things) a username and an arbitrary number of hashes, each stored in its own XML field. A simplified version of the log is shown below.
[...]hettervi sdflkjsdf sdfoiujkalw [...]powkerldsf
There are usually no more than around 13-14 hashes for each event, and what I'm trying to do is to count by users and hashes. To do this I've used the foreach and mvappend commands to make the XML fields into a multivalue field, and then count by that new multivalue field, as shown in the search below.
| foreach hash* [ eval hashes=mvappend(hashes, '<<FIELD>>') ]
| stats count by hashes user
The problem is this is quite slow, mostly due to the big amount of logs. I've looked into making a multivalue indexed field so that I can use tstats instead of stats, or use an accelerated datamodel with a multivalue field for the hashes, but as far as I can tell this isn't possible. Any idea on how I can make this search faster, e.g. by doing some indexing and tstats magic?
Is the Newsletter app ready for Splunk 7.0 yet? Do you know when?
I put this on my Splunk 7.0 dev install and the Newsletter tab is essentially unreadable. I assume that's because it is only released for 6.3 as it says on Splunkbase.
indexes are not available to select from "Available search indexes" during role creation since upgrade to 7.0
Since upgrading to Splunk 7.0 I am not able to select our indexes from our index cluster from "Available search indexes" during user role creation in the Splunk web GUI. The indexes do exist and the index-role authorization is still working well using the authorize.conf files within the search head cluster.
I have seen this has been a bug in the early versions of Splunk 6 and this looks like the same issue.
Has anyone experienced this issue, before or in Splunk 7.0?
Computer Program for modeling time for a search to complete?
Hi Splunk,
I work for a corporate partner and have a question.
I've been having issues with auto-finalization of sub-searches and understanding how to configure search/sub-search parameters. I'm wondering if any attempt has been made to model search time to complete in terms of constraints.
For example, suppose we want to perform a join command with 1000 splunk tickets in an outer search with 1000 events in a sub-search (assume that both searches are 'dense'). Something like the following:
index = ticket_data | head 1000
| JOIN type=left ticket_id max=0 [ search index=event_data | head 1000 ]
Does there exist some sort of a tool that performs convex optimization, to predict the following:
1. When searches would auto-finalize.
2. How to optimize the architecture and deployment configurations such that a particular search would work.
An example of the computer program may look like the following:
Best parameters in terms of speed of the search, p* = arg min_p s.t. { Δt_search_head(p) + Δt_indexers(p) },
where p would involve the constraints and what we optimize:
n = # of tickets in main search (constraint)
f_n = # of fields in tickets (constraint)
m = # of events in join search (constraint)
f_m = # of fields in tickets (constraint)
k = # of indexers used, (independent or constraint)
l = # of search heads used, (independent or constraint)
Configuration parameters (e.g. maxout, maxtime, ttl) (independent or constraint)
Assuming such a tool doesn't exist, any insights or documentation to approach developing this would be greatly appreciated.
Thanks for your help!
Can the TA for Unix show dropped packets?
I got an ask from one of my Splunk users wondering if we can expose the dropped packet count from network interfaces. I took a look at the TA for nix, and it doesn't seem like it is doing that today. Is there an alternate way to gather that information from our *nix based hosts?
How can I drilldown values from a hidden field?
Hey!
I am building a dashboard and this problem is being a headache. I really need to find a way to drilldown values from hidden fields and/or panels, but I'm not sure how to do so. Can anyone help me, please?
Thanks in advance!
Each row of a table as pie chart without drilldown
Hi, I have a table result created as:
Emp sold consumed wasted...... stolen
ABC 8 12 5 12
XYZ 2 5 6 7
:
:
TUV 10 34 2 3
where Emp, sold, consumed, wasted, stolen etc. (there can be more) are the table headers,
ABC is row 1, with 8, 12, 5, 12 as the values of sold, consumed, wasted, stolen respectively.
My problem:
I need to create a pie chart for ABC, XYZ etc on page load (not drilldown), to show the detail of each category corresponding to each Emp.
Please help me with some pointers
Best,
Splunk for EMC ECS
Is there a Splunk add-on in the works for EMC's ECS product? Something similar to the Isilon package for file / object storage? - thanks
SAML authentication with LDAP authorization
Asked the question of Splunk support and was told "not possible". I am counting on the fact that we are not the only organization running into this problem.
Our organization is a heavy user of AD for our RBAC solution. Granular roles are managed by one of MANY corporate-wide RBAC solutions, all accessed via LDAP. We have the option of LDAP or SAML for authentication, but only SAML for 2-factor. We now need to integrate Splunk with SAML for 2-factor.
The challenge: PingIdentity is used for authentication only and the IDP team will provide two roles only (Admin, Users). Any additional roles must be presented via the app (Splunk) or LDAP. I'm not finding a way to perform authentication via SAML and authorization via something else, and Splunk support is confirming with a "not possible".
Why are the queues being filled up on one indexer?
In the last day or two all the queues of one indexer got filled up. We bounced it and now on another indexer all the queues are close to 100%. What can it be?
Splunk universal forwarder not reporting data from SQL server
Hi everyone,
We have an issue with Splunk universal forwarders, which we installed recently on SQL servers. I have all inputs.conf and outputs.conf set correctly and there is no error in the log data, but it's not reporting logs in Splunk. Ours is a clustered search head pool with 2 search heads, 5 indexers and 5 heavy forwarders. We have a forwarder management console, which generally phones in to the universal forwarders by pushing some of the apps. In the past I had some other VMs where I faced the same issue; I reinstalled the universal forwarder agent, which fixed the issue, but currently it's not happening with these SQL servers.
Thanks in advance