cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
manojsecsme
Explorer
Member since: ‎11-04-2017
‎07-13-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 4
Member Since ‎11-04-2017
Activity Feed
View All

Splunk map command with Network Toolkit TA

by in Splunk Search
‎12-06-2021 03:54 AM
‎12-06-2021 03:54 AM
We have a requirement to setup ping and nslookup for hosts in different network zones and index the data into Splunk.  Planning to use the ping and nslookup search commands that comes with Network Toolkit TA used along with Splunk map command as below. | inputlookup hostlist.csv| fields host | map search=“| ping dest=“$host$” index=index name” max searches=50000 do a similar one for nslookup as well instead of ping.   The will be setup as a schedule saved search to run every 5 mins. The hosts can be maximum around 50000.  Do you think we can use map for this scale? If not what is the optimal rows (search running every 5 mins) be used with map command for this to work efficiently?  Are there any other better options to setup this in Splunk? ... View more
Labels

Re: Track the intermediate forwarder that parsed m...

by in Reporting
‎07-11-2021 05:26 PM
‎07-11-2021 05:26 PM
Hi @venkatasri , Thanks for your response. I was already aware of getting the Intermediate Forwarder Host from the Splunk internal logs using the SPL you have given below but wanted a better option as it was not easy to trouble shoot or track. With respect to the creation of the index time field, I did some further reading and looks like we can only extract index field from the raw data or from one of the Splunk metadata fields (Source Type, Source or Host). In this case are you asking us to do like the below [<sourcetype>] SOURCE_KEY = MetaData:Host REGEX = (.*) FORMAT = intermediate_forwarder::$1 WRITE_META = true ... View more

Track the intermediate forwarder that parsed my ev...

by in Reporting
‎07-08-2021 10:04 PM
‎07-08-2021 10:04 PM
In our current Splunk infrastructure we have a number of UF's pushing data to a layer of Intermediate forwarders which parses OR filters the data and pushes it to a layer of Indexers. While trouble shooting any issue with a data which is already indexed is there any way to find out which Intermediate forwarder parsed this event, We are able to find the UF/data source from the host field and splunk_server field tells us the indexer where the data is stored or served from. ... View more
Labels

what does dedup_splitvals argument for stats comma...

by in Splunk Search
‎07-02-2018 04:39 PM
4 Karma
‎07-02-2018 04:39 PM
4 Karma
I have a stats command in my correlation search spl which has an argument dedup_splitvals=t not sure what this argument does. Could anyone please help. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-13-2022 12:25 AM
Karma from