Is there any way to remember a user's initial selection in the filters (multiselect, dropdown), so that the filter values are retained when they visit the Splunk dashboard next time?
Option to remember user initial selection in filters
Sending Perfmon data to metrics index
I would like to collect my Windows perfmon data into a metrics index. Is this feature planned for the near future?
The reason: I've had very good experience with this feature. Great performance and a very powerful mstats command (no extra data model plus acceleration jobs).
Thanks for your help in advance,
Andreas
How to create an alert on a calculated field
I am attempting to create an alert based on a field calculated from all of the events of the search, specifically when it is less than some value. However, the alert solutions I've found thus far look to give alerts based on the count of events returned by the search, or filtering on a field of the events to determine the count of events that meet the filter. The calculated field I am interested in creating the alert on is not passed in any of the events. My search string for the alert is as follows (the search itself I've left out as I've already narrowed down to the events I am interested in):
search ...filter...
| eval device_duration = 0
| eval sensor_duration = 0
| convert num(SM_C.value.data.elapsedTime) as device_duration num(SM_C.value.data.time_active) as sensor_duration
| stats sum(device_duration) as total_device_duration sum(sensor_duration) as total_sensor_duration
| eval ratio = if((total_device_duration > total_sensor_duration), round((total_sensor_duration / total_device_duration), 2), round((total_device_duration / total_sensor_duration), 2))
| eval ratio = 100 * ratio
The search is comparing events from 2 devices and getting the difference ratio between the sum of durations reported by each device's events.
I'm looking to send an alert if the ratio falls below some threshold, say 70% (correlation drops below 70%). In the alert itself, for the Trigger Conditions, I have it set to a custom trigger "eval ratio < 70", but this does not cause the email to be sent. Please let me know what I'm doing wrong, or if there is a way to modify the search string to work with a different trigger condition. Thank you for any help!
EVAL causes a field to be blank
I need the field "Location" added to my search, as seen in the screenshot attached. However, in the query below the Location field does not pull through, and I have identified that it does work when the `| stats values(con_UL) as con_UL by machine` line is excluded.
**Query below:**
index=windows host=*nas* source=WMI:Shares
| eval machine=lower(host)
| eval drive = Path
| rex field=drive "(?P<Drive>\w+)\:"
| eval con_splunk=machine. "," .Drive
| eval con_splunkUL = upper(con_splunk)
| join type=left machine
[ search index = varonis source = otl_varonis_monitoring sourcetype="csv"
| eval machine = lower(machine)
| rex field=Share "((?<drive>\w+)\$)"
| eval con=machine. "," .drive
| eval con_UL = upper(con)
| table machine, Location
| stats values(con_UL) as con_UL by machine ]
| eval MonitoringStatus = if(like(upper(con_UL),"%".upper(con_splunkUL)."%"), "Monitored", "Not Monitored")
| eval Action=if ((MonitoringStatus="Not Monitored")AND(like(Path,"%Hosting%")),"Action Required","No Action Required")
| dedup machine, Drive, Path, MonitoringStatus
| table machine, Drive, Path, MonitoringStatus, Action, Location
| sort +str(type), machine
![alt text][1]
[1]: /storage/temp/225666-picture.png
eStreamer compatible with 7.0.1
Is the current version of the app compatible with Splunk v7.0.1? If not, what's the alternative?
Splunk ES notables to ServiceNow incidents
Hi guys,
Wondering if anyone has noticed this issue I'm having.
Some of our ES rules run every 15 minutes, and their trigger settings are to fire once with a 24-hour throttle. This means notable events come in drops every time the rule runs once the throttle has worn off; some days we might get 6 notables, other days only 2. I've installed the ServiceNow TA and all data is being pulled down okay; however, when I use the trigger action to create an incident in ServiceNow from any of my alerts/rules, it will only generate one ServiceNow incident regardless of how many notables are fired. Does anyone know how to get a separate ServiceNow INC for EACH notable, regardless of whether it's set to fire for each result or once?
If I need to explain that further then just ask.
SPLUNK Text analysis
Hi
I have logs indexed in my Splunk instance. Those logs contain conversations between users and a chat bot. I would like to know if there is any app that I can use for text analysis, like the most used words or phrases, etc.
I know that there is one called Sentiment Analysis, but it is only compatible with Splunk version 6.5 or lower.
I would be thankful for any piece of information.
remove duplicate or similar events in a transaction command from the search
Hello Everybody,
I want to remove similar events that are in a transaction.
In my case, I want to merge the similar EventCode 4663 events so that only one EventCode 4663 remains.
Be careful: there are EventCode 4663 events that are not similar, so there will be two EventCode 4663 in that case.
Here is my search, which displays the result below:
host="XXXX" "eventcode=4663" OR "eventcode=7036" | transaction startswith="*running state." endswith="*stopped state."
I tried dedup, but without success.
Thank you
Amir
![alt text][1]
[1]: /storage/temp/225667-splunk-dedup.png
JSON event breaks not working - sometimes
I have a log file of properly formatted JSON events, but event breaking is not working properly. Sometimes it separates the JSON into separate events, sometimes it does not. There doesn't seem to be any rhyme or reason to it.
I tried the solution here: https://answers.splunk.com/answers/80741/event-break-json.html but it did not work. I am unable to restart Splunk at this time; however, my understanding is that I shouldn't need to. (Please correct me if I'm wrong.)
Here's my props.conf entry:
[s-web]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false
Here's a sample event:
{"pid":17156,"hostname":"sub.hostname.com","name":"s-undefined","level":30,"time":1515143225539,"remoteAddr":"::ffff:99.99.99.99","remoteAddrs":[],"method":"GET","url":"/","sessionId":"abcd2b32-00e8-4e0b-97f6-23abcdef3233e","v":1}
Am I missing something here?
Thank you in advance for your assistance!
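Added example (Python, written for this page; it is not code from the post above or from Splunk). Before changing props.conf it is worth confirming that every event in the file really is one JSON object per line, because a single pretty-printed or truncated event is enough to make newline-based breaking look random. The script simulates the usual newline breaker (`LINE_BREAKER = ([\r\n]+)` with `SHOULD_LINEMERGE = false`) and reports which chunks do not parse as exactly one object, then breaks the same text with the JSON parser itself, which does not care about line layout. The log text is constructed; its field names mirror the sample event in the post. Two caveats that hold whatever regex is used: LINE_BREAKER is an index-time setting, read by the instance that parses the data (indexer or heavy forwarder, not the search head) and only after that instance restarts, and it affects only data indexed from then on.

```python
"""Check whether a JSON log will break cleanly into one event per line."""
import json
import re

# Constructed sample log: two clean events, one pretty-printed event spread
# over several lines, and one event with trailing garbage on the same line.
SAMPLE_LOG = (
    '{"pid":17156,"hostname":"sub.hostname.com","level":30,"method":"GET","url":"/"}\n'
    '{"pid":17156,"hostname":"sub.hostname.com","level":30,"method":"POST","url":"/login"}\r\n'
    '{\n  "pid": 17157,\n  "hostname": "sub.hostname.com",\n  "level": 40,\n'
    '  "method": "GET",\n  "url": "/admin"\n}\n'
    '{"pid":17158,"hostname":"sub.hostname.com","level":30,"method":"GET","url":"/"} trailing\n'
)

_WS = re.compile(r"\s*")


def break_on_newlines(raw):
    """Mimic LINE_BREAKER = ([\\r\\n]+) with SHOULD_LINEMERGE = false:
    every run of CR/LF characters terminates an event."""
    return [chunk for chunk in re.split(r"[\r\n]+", raw) if chunk]


def check_line_breaking(raw):
    """Return (ok_count, bad_chunks) for newline breaking. A chunk is bad
    when it is not exactly one JSON object: fragments of a pretty-printed
    object, bare values, or an object followed by extra text."""
    ok, bad = 0, []
    for chunk in break_on_newlines(raw):
        try:
            parsed = json.loads(chunk)
        except json.JSONDecodeError:
            bad.append(chunk)
            continue
        if isinstance(parsed, dict):
            ok += 1
        else:
            bad.append(chunk)
    return ok, bad


def break_on_json_objects(raw):
    """Break a stream of concatenated JSON objects with the parser itself,
    so newlines inside an object never matter. Returns a list of
    (text, parsed) tuples; text that cannot be parsed is reported with
    parsed=None instead of being silently merged into a neighbour."""
    decoder = json.JSONDecoder()
    events, pos, n = [], 0, len(raw)
    while pos < n:
        pos = _WS.match(raw, pos).end()  # skip whitespace between objects
        if pos >= n:
            break
        try:
            obj, end = decoder.raw_decode(raw, pos)
        except json.JSONDecodeError:
            # Residue that is not JSON: keep it up to the next '{' so it is
            # visible in the output, then resume parsing from there.
            nxt = raw.find("{", pos + 1)
            if nxt == -1:
                nxt = n
            events.append((raw[pos:nxt].strip(), None))
            pos = nxt
            continue
        events.append((raw[pos:end], obj))
        pos = end
    return events


if __name__ == "__main__":
    ok, bad = check_line_breaking(SAMPLE_LOG)
    print(f"newline breaking: {ok} clean events, {len(bad)} bad chunks")
    for chunk in bad:
        print("  bad:", chunk)
    for text, obj in break_on_json_objects(SAMPLE_LOG):
        print("parser breaking:", "event" if obj is not None else "residue", text[:40])
```

Run it against a copy of the real log instead of `SAMPLE_LOG`: if `check_line_breaking` reports bad chunks, the writer is not producing one object per line and no LINE_BREAKER will fix that; if it reports none, the problem is in how (and where) the props.conf stanza is being applied.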
Correlating HVAC data
I have a customer who is thinking about correlating HVAC data in Splunk. They are also interested in correlating weather data and access card readers to correlate employee traffic and weather with energy usage. Anyone done this before?
Cacti Mirage Add-On for Cluster
regards
We are currently trying to install this app in a cluster environment, but the following error is appearing.
[splunk-indexer-01-cnt] Streamed search execute failed because: Error in 'SearchParser': The search specifies a macro 'cacti_index' that can not be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
Tests have been made installing this app standalone, only creating the index cacti, and we have no problems.
Is there any recommendation in this regard? Does one only have to bundle the app on the master and deployer? Must we change the file permissions? ...
I'll be attentive to the comments
regards
Installation cacti splunk cluster
regards
Currently we are trying to install the app in a cluster environment (3 search heads and 6 indexers), but when deploying the bundle, the following message is displayed from the search head:
[splunk-indexer-01-cnt] Streamed search execute failed because: Error in 'SearchParser': The search specifies a macro 'cacti_index' that can not be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
This message appears for each indexer.
Is there any recommendation or configuration for the search heads and indexers? All permissions have been enabled for the cacti macros and we have not had favorable results.
I hope you can help me.
How to get ADFS Location Login Lookup based on IP address with iplocation region country and time?
Why is this search not returning the iplocation of the IP addresses? It is not the most efficient search, but right now I am just trying to get the iplocation lookup to work. This search would run every 5 minutes over the last 5 minutes and alert on any country that is not United States; I do not have that in the search string because right now I am just trying to get a result.
index="wineventlog" sourcetype="WinEventLog:Security" host=adfs*
(EventCode=299 OR EventCode=410 OR EventCode=403 OR EventCode=500 OR EventCode=501)
| rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)"
| rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\."
| transaction Activity_ID Instance_ID maxpause=10s
| rex field=Message "SAIF\\\(?<domain_uid>.*).*"
| search domain_uid=*
| rex field=Message "(?<clientip>\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s)"
| dedup clientip
| dedup X_MS_Forwarded_Client_IP
| makemv delim="," X_MS_Forwarded_Client_IP
| eval alltheips=mvappend(clientip, x_ms_forwarded_client_ip)
| mvexpand alltheips
| iplocation alltheips
| stats values(Keywords),values(City),values(Region) ,values(Country),values(alltheips),values(ip_count),values(Activity_ID),values(Instance_ID),values(X_MS_Client_User_Agent),values(User_Agent),values(_time) by domain_uid,_time
Suggestions would be helpful. This is very similar to what the following two posts are trying to do.
https://answers.splunk.com/answers/454144/is-there-a-splunk-app-or-add-on-that-will-help-rea.html
https://answers.splunk.com/answers/215994/how-do-i-find-active-directory-usernames-logging-i.html
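Added example (Python, written for this page; not code from the post above or from Splunk). It shows the pieces the search above has to get right before `iplocation` can help: pulling every IP literal out of the event text, splitting the comma-separated forwarded-client-ip claim into its members, dropping private and other non-routable addresses (which a geo lookup cannot resolve and which would otherwise mask the real client), and only then checking what remains against the allowed country. The event body and the geo table are constructed stand-ins: a real deployment uses Splunk's `iplocation` or a GeoIP database, and the ADFS request-context claim names are assumed to appear one per line as shown.

```python
"""Extract client IPs from an ADFS sign-in event and flag foreign countries."""
import ipaddress
import re

# Constructed: an abbreviated ADFS-style event body carrying the
# request-context claims the search above extracts. Real events have more lines.
SAMPLE_MESSAGE = """\
More information for the event entry with Instance ID 0f7d9c2e-1111-2222-3333-444455556666.
http://schemas.microsoft.com/2012/01/requestcontext/claims/client-ip
10.10.4.21
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
198.51.100.23, 10.10.4.21
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

# Constructed geo table standing in for iplocation / a GeoIP database. RFC 5737
# documentation ranges are used so that nothing here points at a real host.
GEO_TABLE = {
    "198.51.100.0/24": "Canada",
    "203.0.113.0/24": "United States",
}

# Explicit list rather than IPv4Address.is_global, because Python also treats
# the documentation ranges used in this sample as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Four dotted groups of 1-3 digits, not embedded in a longer dotted/numeric run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(message):
    """Return the distinct IPv4 addresses in the event text, in order of first
    appearance. Comma-separated forwarded headers need no special handling
    because each address is matched on its own; shapes like 999.1.1.1 that
    match the regex but are not addresses are skipped."""
    seen, out = set(), []
    for m in IPV4_RE.finditer(message):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def routable_ips(ips):
    """Drop addresses a geo lookup can never place (RFC 1918, loopback,
    link-local, CGNAT, multicast, reserved)."""
    return [ip for ip in ips if not any(ip in net for net in NON_ROUTABLE)]


def lookup_country(ip, table=GEO_TABLE):
    """Longest-prefix match against the constructed table; None if unknown."""
    addr = ipaddress.IPv4Address(str(ip))
    best, best_len = None, -1
    for cidr, country in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = country, net.prefixlen
    return best


def foreign_logins(message, allowed="United States"):
    """Return [(ip, country)] for every routable client IP in the event that
    does not geolocate to `allowed`. An unresolvable public IP is reported
    with country None rather than silently passed."""
    hits = []
    for ip in routable_ips(extract_ips(message)):
        country = lookup_country(ip)
        if country != allowed:
            hits.append((str(ip), country))
    return hits


if __name__ == "__main__":
    print("all IPs:      ", [str(i) for i in extract_ips(SAMPLE_MESSAGE)])
    print("routable IPs: ", [str(i) for i in routable_ips(extract_ips(SAMPLE_MESSAGE))])
    print("foreign logins:", foreign_logins(SAMPLE_MESSAGE))
```

Two points carry over to the SPL version: `iplocation` leaves City/Region/Country empty for private addresses, so the internal 10.x entries must be filtered out before the `Country != "United States"` test or every event with an internal hop will look suspicious; and the x-ms-forwarded-client-ip value is only as trustworthy as the proxy that sets it, so an alert built on it assumes the Web Application Proxy is the only path to the federation servers.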
Splunk .bat script file not getting triggered
I have a simple alert (for a POC, so checking with _internal data), and its alert actions are 'add to triggered alerts' and 'run a script'. I am able to see the triggered alerts, but the .bat file doesn't seem to run. I am able to run it manually, but not through the alert action.
I've placed my try.bat under $splunk_home$/bin/scripts. When checking for "try.bat" in index=_internal, I get the event below:
2018-01-05 18:22:19,585 +0530 INFO **runshellscript:141** - **['C:\\Program Files\\Splunk\\bin\\scripts\\try.bat',** '44', 'index^=_internal^ 3mreportErrors', 'index^=_internal^ 3mreportErrors', 'testAlert', 'Saved^ Search^ ^[testAlert^]^ number^ of^ events^(44^)', 'http://CDC2-L-5286WND:8001/app/3m/@go?sid^=scheduler__admin__3m__testAlert_at_1515156720_51', '', 'C:\\Program Files\\Splunk\\var\\run\\splunk\\dispatch\\scheduler__admin__3m__testAlert_at_1515156720_51\\results.csv.gz']
**try.bat**
@echo off
REM Next command prints the greeting
echo Hello! This a sample batch file.
time /t >> "c:\sandya\output.txt"
I'm using Windows 10, Splunk 7
Multiple Renderers to Multiple Tables (Splunk JS)
Apologies if this has been asked elsewhere - I couldn't find an answer.
I am attempting to apply a BaseRowExpansionRenderer and a BaseCellRenderer to multiple tables on a dashboard like so:
mvc.Components.getInstance("tbl_id1").getVisualization(function(tableView) {
tableView.addRowExpansionRenderer(new RowExpansionRenderer());
tableView.addCellRenderer(new ActionsRenderer());
tableView.table.render();
});
mvc.Components.getInstance("tbl_id2").getVisualization(function(tableView) {
tableView.addRowExpansionRenderer(new RowExpansionRenderer());
tableView.addCellRenderer(new ActionsRenderer());
tableView.table.render();
});
The issue is that sometimes all the tables render as expected, sometimes some of them render, and other times none of them render. This is currently being tested on Splunk Enterprise 7.0.1.
Is there a better way to do this to ensure all the tables always render the BaseRowExpansionRenderer and a BaseCellRenderer?
Thanks in advance.
After upgrading Splunk to latest version(7.0.1), ES dashboard for "Notable" & "Incident Review" not displaying any new data/events.
Hi,
We recently upgraded to the latest Splunk version, 7.0.1, but it seems that since that day ES is not able to populate anything under "Notables" or "Incident Review", as if ES no longer has access to the indexes.
Verified that all correlation searches and searches related to notables are running.
We did come to know about a specific UI bug which causes all the assigned indexes to disappear from roles, SPL-145546. The fix was applied to the search heads, after which we were able to re-assign indexes to roles. Could this bug be responsible for the ES issues?
Noticed that for all ES-specific roles (ess_admin, ess_analyst, ess_user) the assigned-index section was blank. Added all indexes and restarted Splunk, but we still don't see anything under Notables (Security Posture), and for Incident Review, when searching "all time", the last event is from the day we did the upgrade.
![alt text][1]
When I check the internal indexes on the SH, the latest event timestamp is 25 days ago, which matches exactly the day Splunk was upgraded to 7.0.1.
![alt text][2]
I should mention here that we are still able to search all events outside of the ES app. Also, within ES, dashboards like Access Center or Traffic Center do show current data. It's just Notables and Incident Review that are completely blank.
Has anyone else seen such issue? Anything else I can check to isolate whatever is causing this issue?
Splunk Version - 7.0.1
Splunk ES Version - 4.7.4
Many Thanks,
~ Abhi
[1]: /storage/temp/226653-incidentreview-alltime.png
[2]: /storage/temp/226654-internalindex-latestevent.png
Search auto-finalized after disk usage limit (100mb) reached - What does this mean?
Started getting "Search auto-finalized after disk usage limit (100mb) reached". What does this mean?
AND OR not working correctly
I am getting the error below when trying to form an AND/OR in my query.
`Error in 'eval' command: The expression is malformed. Expected ).`
My eval is below:
| eval Action=if((MonitoringStatus="Not Monitored") AND(like(Path,"%Hosting%")
AND Location="Varonis"
OR(7DayBackUpStatus="Not Backed Up") "Action Required","No Action Required")
How to merge and make one result out of multiple results
Hi,
I have a result which displays common starting URIs, but I have to combine them into one result. How can I do it?
Result:
/credit/company/23532525  10
/credit/company/34532523  30
/credit/product/23235225  40
I need something like:
/credit/ 80
Palo Alto Networks Empty Dashboards
I've read through the documentation and followed all the steps, but still cannot get the dashboards to populate in Splunk for the Palo Alto app.
Versions -
Splunk - 7.0.1
Palo Alto Networks - 6.0.1
Palo Alto Networks Add-On - 6.0.1
Inputs.conf -
[udp://XXX]
index = pan_logs
sourcetype = pan:log
no_appending_timestamp = true
Data Model Acceleration is at 100%. There was an error preventing the data models from functioning 100%, related to the system not having proper NTFS access.
eventtype=pan - returns results
eventtype=pan_config - no results
According to the documentation we should check the timestamp for UDP, which we've done. We are forwarding straight from the Palo Alto firewalls with the default format. We only have one Splunk server running all roles.
I've found this in the _internal index -
CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.
I have no other ideas why data isn't being tagged properly. Any and all help is appreciated.