No columns listed when choosing a column as timestamp

January 8, 2018, 4:31 am

≫ Next: Data model acceleration status: Building

≪ Previous: Splunkforwarder playing too "nice"

I am in the process of creating a new input in DBConnect. After running my SQL query which returns correct column, I then attempt to select a column as a timestamp, which is "Date Reported". "Date Reported" is in this format, 2017-12-15 08:39:23.0. However DB Connect fails to identify any columns and returns "no matches" under the column drop down. SQL Query is: use osmq SELECT "Date Reported" AS Date_Reported FROM Tickets_IT Please could anyone advise! Thanks

↧

Data model acceleration status: Building

January 8, 2018, 4:42 am

≫ Next: Search log file based on timestamp from other file

≪ Previous: No columns listed when choosing a column as timestamp

Hi, I am new to Data models and accelerations, too. I am trying to parse log for a data model and ES. The log parsing is moving now, but far from the final solution, I can search by Data model/Pivot. I checked the Enterprise Security dashboard, but it does not show anything that can be linked to this logs. I executed the dashboards searches manually, still shows no event matched. (| tstats...) Then I checked Data model acceleration status: ACCELERATION Rebuild Update Edit Status Building Access Count 0. Last Access: - Size on Disk 0 B Summary Range 31536000 second(s) Buckets 0 Updated 1/1/70 1:00:00.000 AM What couse the problem, how can I debug and fix it? This is the Malware data model, there are events with tag malware and attack. There are events with some action and dest fields to. Regards, István

↧

Search log file based on timestamp from other file

January 8, 2018, 12:01 am

≫ Next: How to Export custome visualization in PDF format?

≪ Previous: Data model acceleration status: Building

Hi We have 2 files First File has only start time and end time of the test. STARTTIME ENDTIME 2018-01-04-17.49.29.497000 2018-01-04-18.35.44.945000 Second File: Has the long entry from test run and past test runs We want to search second file based on start and end time of first file. Also second file that has long entry has time in format YYYY-MM-DDTHH:MM:SS,mSS. We are new to splunk and please suggest how we can fetch the desired results. Thanks Tushar

↧

How to Export custome visualization in PDF format?

January 8, 2018, 12:04 am

≫ Next: compatibility with Splunk Enterprise 7.0.X

≪ Previous: Search log file based on timestamp from other file

I have created a "WordCloud" in my dashboard, when i try to export it as PDF worldcloud is not coming please help..

↧

compatibility with Splunk Enterprise 7.0.X

January 8, 2018, 2:00 am

≫ Next: continuously DB query with overcome short date format

≪ Previous: How to Export custome visualization in PDF format?

The greatest version in the compatibility list is 6.5. Are there any experiences with Splunk Enterprise 7.0.0 or 7.0.1?

↧

continuously DB query with overcome short date format

January 8, 2018, 5:25 am

≫ Next: How to extract the last string order a table around it ?

≪ Previous: compatibility with Splunk Enterprise 7.0.X

Hello, im trying querying HIVE table via 'rising' mode. query must contain certain timestamp_1 column (otherwise no results are back - massive data) and must be rising method since results must be real-time. Unfortunately timestamp column represented with yyyy-MM-dd format only (e.g 2018-01-04) - therefore cannot query real-time. Table also include bigint date column, i was trying: 1. casting it to readable timestamp - no good. 2. using bigint column as 'rising' - no good. all of this because timestamp_1 wasnt part of where clause. * im using splunk dbx. any ideas? work arounds? thanks!

↧

How to extract the last string order a table around it ?

January 8, 2018, 6:11 am

≫ Next: what is meaning of communication protocols in spunk

≪ Previous: continuously DB query with overcome short date format

40.118.209.1 0x735870x1 GG46989 [21/Dec/2014:00:00:00 -0500] "GET /rest/jphutenxporter/1.0/outputformatconfig/outputformatselected?_=1513833400783 HTTP/1.1" 200 49 2 "https://phuten.mayhem.com/browse/UOAI-1536" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 3.0.50727; .NET CLR 3.6.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" "38b0i3" **Hi,** I have some events of various length (like the one above). But in all events the last string (in this case 37b0i3) is always a session_id, is what I'm told. I would like to extract it and use that value in my table. And the table should be ordered by session_id. means something like **table _time uri etc etc order by session_id**.. <-- I am not sure if this is a real command.

↧

what is meaning of communication protocols in spunk

January 7, 2018, 10:56 pm

≫ Next: black-out/ simple way to combine events from two sourcetypes on same Id

≪ Previous: How to extract the last string order a table around it ?

what is meaning of communication protocols in spunk

↧

black-out/ simple way to combine events from two sourcetypes on same Id

January 8, 2018, 7:32 am

≫ Next: How to count events from a same file with having two different raw text ?

≪ Previous: what is meaning of communication protocols in spunk

I must have a blackout because the case does not seem to difficult but i cant get it working. I have two sourcetypes, when an event in one sourcetype gets an error it will appear in the other sourcetype with some kind of a description. The Id in both the sourcetypes will be unique. How can I get a result from both sourcetypes when the error occures?

↧

How to count events from a same file with having two different raw text ?

January 8, 2018, 7:43 am

≫ Next: Stacked100 with Bar total value

≪ Previous: black-out/ simple way to combine events from two sourcetypes on same Id

Hi Splunker, I have to count success and failure count from the same index and sourcetype on the basis of raw text in an event. Only difference is that for success raw text is different and for failure raw text is different. I have used below logic to find count of success and failure but this query is taking loads of time to execute. Please remember these strings present below are not any field in Splunk it's a simple text on the basis of that i need to filter and count. Could you please suggest me some other way by which i can execute this query faster. index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing) NOT ("Some String One" ) ("Some String Two" OR "Some String Three" OR "Some String Four") |stats count as Error |Join serviceName type=outer [ search index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing) NOT ("Some String Five" ) ("Some String Seven" OR "Some String Six" OR "Some String Eight") | stats count as Successes ] Thanks in Advance Regards,

↧

Stacked100 with Bar total value

January 8, 2018, 8:50 am

≫ Next: Open Splunk URL in Splunk Mobile app

≪ Previous: How to count events from a same file with having two different raw text ?

Ciao, i'd like to apply some enhancements to a stacked100 barchart i created. ![alt text][1] In particular I'd like to modify this current version: to something like this (i.e. showing totals at the end of each bar and having different color for the Total Bar) ![alt text][2] Any help? Tks in advance! [1]: /storage/temp/225680-stacked100barchart-splunk.png [2]: /storage/temp/225681-stacked100barchart-splunktobe.png

↧

Open Splunk URL in Splunk Mobile app

January 8, 2018, 9:14 am

≫ Next: User field is sometimes returning partial URL instead of User name

≪ Previous: Stacked100 with Bar total value

Hi, splunkers. We need to receive an alert by email with an URL that user needs to view. The issue is that we need that report been opened in Splunk mobile app. We have been doing tests and when we receive the email and we click in the URL, the dashboard is opened in mobile browser, not in Splunk mobile app (that is what we are looking for). Any person has tried and get it? Maybe the URL need to be setted in any special format to be opened with Splunk mobile app? Thanks and regards!

↧

User field is sometimes returning partial URL instead of User name

January 8, 2018, 7:56 am

≫ Next: Is Splunk supported on Kubernetes

≪ Previous: Open Splunk URL in Splunk Mobile app

Hi, I'm a new Splunk user and am using the TA-meraki tool downloaded from Spunkbase. Our appliance is a Meraki MX 100. We are using the free version of Splunk. As you can see from the attached screenshot, we are getting some strange results for the User field. In probably 80% of the logs, the user shows up correctly, however, sometimes it pulls a partial URL instead. In the attached example, you can see that in the first log, the user=Rick which is correct. In the second log, the user=part of the url plus the user name. Splunk highlights the user field for Christy but then fills the User field with the wrong string. Thanks for any help you can provide on this. Let me know if you need additional details. ![alt text][1] [1]: /storage/temp/225679-2018-01-08-09-38-11-greenshot-image-editor.png

↧

Is Splunk supported on Kubernetes

January 8, 2018, 8:01 am

≫ Next: Azure storage accounts: File Share Service support?

≪ Previous: User field is sometimes returning partial URL instead of User name

Is Kubernetes a supported deployment model for Splunk instead of deploying on virtual machines or bare metal?

↧

Azure storage accounts: File Share Service support?

January 8, 2018, 8:43 am

≫ Next: I will use docker swarm to deployment splunk cluster,I have an question for it

≪ Previous: Is Splunk supported on Kubernetes

Hi, I'm wondering if support is planned for Azure File Shares? We have a file share that contains some csv files. We would like to 'monitor' these files with Splunk using a SAS token, the same way you can monitor a file in a storage blob container. (Mounting the file share is not a viable solution in this case, the environment is dynamic and SAS tokens are refreshed frequently). Thank you

↧

I will use docker swarm to deployment splunk cluster,I have an question for it

January 8, 2018, 9:14 am

≫ Next: Datamodel Change

≪ Previous: Azure storage accounts: File Share Service support?

this is me docker-compose file to deployment splunk cluster,the server is a deployment server and master server,the indexer* is indexer cluster version: '3.4' services: server: image: splunk/splunk:7.0.0 hostname: splunkserver environment: - SPLUNK_START_ARGS=--accept-license --answer-yes - SPLUNK_ENABLE_DEPLOY_SERVER=true - SPLUNK_ENABLE_LISTEN=9997 - SPLUNK_CMD_1=edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret admin -cluster_label swarm -auth admin:changeme - SPLUNK_CMD_2=set servername splunk-server -auth admin:changeme - SPLUNK_CMD_3=restart ports: - 8000:8000/tcp - 8088:8088/tcp networks: splunk: aliases: - splunkserver volumes: - /opt/splunk/var:/opt/splunk/var:rw - /opt/splunk/etc:/opt/splunk/etc:rw - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro deploy: mode: replicated replicas: 1 update_config: parallelism: 1 delay: 10s placement: constraints: - node.hostname == Docker-Swarm-Splunk logging: driver: json-file options: max-file: '3' max-size: 100m indexer01: image: splunk/splunk:7.0.0 hostname: indexer01 environment: - SPLUNK_START_ARGS=--accept-license --answer-yes - SPLUNK_ENABLE_LISTEN=9997 - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089 - SPLUNK_CMD_1=disable webserver -auth admin:changeme - SPLUNK_CMD_2=edit cluster-config -mode slave -master_uri https://splunkserver:8089 -replication_port 9887 -secret admin -auth admin:changeme - SPLUNK_CMD_3=set servername indexer01 -auth admin:changeme - SPLUNK_CMD_4=edit licenser-localslave -master_uri 'https://splunkserver:8089' -auth admin:changeme - SPLUNK_CMD_5=restart networks: splunk: aliases: - indexer01 depends_on: - splunkserver volumes: - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro - /opt/splunk/var:/opt/splunk/var:rw - /opt/splunk/etc:/opt/splunk/etc:rw deploy: mode: replicated replicas: 0 update_config: parallelism: 1 delay: 10s placement: constraints: - node.hostname == Docker-Swarm-Indexer01 logging: driver: json-file options: max-file: '3' max-size: 100m indexer02: image: splunk/splunk:7.0.0 hostname: indexer02 environment: - SPLUNK_START_ARGS=--accept-license --answer-yes - SPLUNK_ENABLE_LISTEN=9997 - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089 - SPLUNK_CMD_1=disable webserver -auth admin:changeme - SPLUNK_CMD_2=edit cluster-config -mode slave -master_uri https://splunkserver:8089 -replication_port 9887 -secret admin -auth admin:changeme - SPLUNK_CMD_3=set servername indexer02 -auth admin:changeme - SPLUNK_CMD_4=edit licenser-localslave -master_uri 'https://splunkserver:8089' - SPLUNK_CMD_5=restart networks: splunk: aliases: - indexer02 depends_on: - splunkserver volumes: - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro - /opt/splunk/var:/opt/splunk/var:rw - /opt/splunk/etc:/opt/splunk/etc:rw deploy: mode: replicated replicas: 0 update_config: parallelism: 1 delay: 10s placement: constraints: - node.hostname == Docker-Swarm-Indexer02 logging: driver: json-file options: max-file: '3' max-size: 100m networks: splunk: external: true and my universalforwarder docker-compose is version: '3.4' services: uf: image: splunk/universalforwarder:7.0.0 networks: splunk: aliases: - universalforwarder volumes: - /opt/universalforwarder/etc:/opt/splunk/etc - /opt/universalforwarder/var:/opt/splunk/var - /var/run/docker.sock:/var/run/docker.sock:ro environment: - SPLUNK_START_ARGS=--accept-license --answer-yes - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089 - SPLUNK_FORWARD_SERVER_1=indexer01:9997 - SPLUNK_FORWARD_SERVER_2=indexer02:9997 deploy: mode: replicated replicas: 1 update_config: parallelism: 1 delay: 10s restart_policy: condition: any resources: limits: cpus: '0.1' memory: 100M reservations: cpus: '0.05' memory: 20M placement: constraints: - node.hostname == Docker-Swarm-M01 logging: driver: json-file options: max-file: '3' max-size: 100m networks: splunk: external: true when I add a http data input on my deployment server ,the universalforwarder will download the app,but not listen the 8088 port,what can I do for it

↧

Datamodel Change

January 8, 2018, 9:25 am

≫ Next: Shell script via button click

≪ Previous: I will use docker swarm to deployment splunk cluster,I have an question for it

whats a good search to run to see if any change was done to a datamodel. For example if I want to see if someone enable or disable datamodel acceleration. what search can I run to see what user change the datamodel and which datamodel was changed?

↧