About richgalloway

richgalloway

According to the app's splunkbase page, "Versions 3.0.x and higher can connect to both Splunk Enterprise and Splunk Enterprise Cloud versions 7.3 and higher" so, yes, it is compatible with Splunk Cloud.

richgalloway

I can't help if I don't understand what the goal is. Once we have a deterministic way to set the service name I may be able to help.

richgalloway

The requirements are inconsistent. Sometimes everything after the second : is the service name; other times the service name follows the first _. How is a computer to decide which method to use?

richgalloway

To summarize: 434531263412:us-west-2:lambda_functions -> lambda_functions 434531263412:us-west-2:nat_gateways -> gateways 434531263412:us-west-2:application_load_balancers -> load_balancers If this is correct then more information is needed. What is the rule to use to determine how much of the service is to be used?

richgalloway

The split function is extracting the desired field, but then rex reduces it to the part before the first underscore (_). Remove the rex command and the query should work as expected. In props..conf, add a transform that uses INGEST_EVAL INGEST_EVAL = aws_service=mvindex(split(source,":"),2)

richgalloway

The timechart command accepts only one field name in the by clause. Anything else will result in an error.

richgalloway

Have you seen the Admin's Little Helper app (https://splunkbase.splunk.com/app/6368). It includes a btool command that lets you see your configurations on both SH and indexers using SPL. While many configurables can be loaded safely on either/both SH and indexer, others cannot. Inputs and outputs are good examples. Clustering settings are another.

richgalloway

What is your question?

richgalloway

What does the $AccountType$ token expand to?

richgalloway

The IN operator only works in the search command. In where you must use the in function. | loadjob savedsearch="name:search:cust_info" | where in(AccountType,$AccountType$)

richgalloway

The eval is trying to divide a string literal ("SumBalances") by a field, which won't work. Replace the double quotes with single quotes or remote the double quotes.

richgalloway

I've had more consistent results by putting the trigger condition in the search and having the alert trigger if the number of results is not zero. | tstats count where index=cts-dcpsa-app sourcetype=app:dcpsa host_ip IN (xx.xx.xxx.xxx, xx.xx.xxx.xxx) by host | eval current_time=_time | eval excluded_start_time=strptime("2024-04-14 21:00:00", "%Y-%m-%d %H:%M:%S") | eval excluded_end_time=strptime("2024-04-15 04:00:00", "%Y-%m-%d %H:%M:%S") | eval is_maintenance_window=if(current_time >= excluded_start_time AND current_time < excluded_end_time, 1, 0) | eval is_server_down=if(count == 0, 1, 0) | where is_maintenance window = 0 AND is_server_down=1

richgalloway

Yes, a heavy forwarder can be used in that manner. Having only one HF, however, is a single point of failure that could lead to data loss if it is unavailable. Be sure to set up at least 2 intermediate forwarders. See https://www.linkedin.com/pulse/splunk-asynchronous-forwarding-lightning-fast-data-ingestor-rawat/ for how to configure the HFs for better performance in this situation. What specific questions do you have about the configuration?

richgalloway

The answer depends on your definition of "HA". If you only care that your data has some place to go then having (at least) 2 indexers qualifies. OTOH, if it's the data itself that must be HA then unclustered indexers is/are not the answer. That's because loss of an indexer means loss of the data stored on that indexer. SmartStore helps by putting warm buckets in off-box storage, but hot buckets remain on the indexer unprotected. In an indexer cluster, each bucket is replicated to at least one other indexer so the loss of an indexer does not result in data loss. Yes, an indexer cluster requires a cluster manager, but that instance can be shared with the Monitoring Console/License Manager instance.

richgalloway

No, you cannot get the index name from a log file. The index is specified when the data is onboarded as part of the inputs.conf settings. At search time, data is fetched from one or more indexes. Getting the index from a log file would mean going to an index to get a log file to get the name of an index. Doesn't make much sense. What problem are you trying to solve?

richgalloway

Every query should specify an index name before the first pipe. index=aaa source="/var/log/tes1.log" |stats count by index Of course, there must be data in the specified index from the specified source for there to be results.

richgalloway

The field name ("attribute") for index is "index".

richgalloway

The query returns no results because the timechart command requires the _time field, but that field was removed by the stats command on line 2. The fix is to include _time in the stats command, like this index=OMITTED source=OMITTED host="SERVER1" OR host="SERVER2" | bin span=1d _time | stats max(Value) as Value by host, _time | eventstats ... | timechart span=1d avg(value_percentage_difference) Adjust the span option in the bin and timechart commands to preference. Make sure they match.

richgalloway

Splunk does not have an out-of-the-box REST input. You have to install an app for that. There are a number of apps on splunkbase that support REST so perhaps you can use one of them as a model for building your own app to the API in question.

richgalloway

That document is for a specific source where the event size is well-defined. The information there cannot be generalized because the size of an "event" is unknown. I've seen event sizes range from <100 to >100,000 bytes so it is very difficult to produce an EPS number without knowing more about the data you wish to ingest. It's possible the documentation for other TAs provides the information you seek. Have you looked at the TAs for your data?

richgalloway

The Forwarder Management screen applies only to Deployment Server (DS) instances. A DS is a Splunk instance type that ensures each forwarder has the configuration (apps) it needs. DSs are optional and are unnecessary when you only have a single forwarder. When you installed the forwarder, did you configure it to forward data to the server? If so, then you should be seeing data from the forwarder. Verify that by searching for index=_internal host=f1 Make sure that returns results for continuing further. The next step is telling the forwarder what you want it to forward. By default, it only sends its own logs. Install the Splunk Add-on for Windows (https://splunkbase.splunk.com/app/742) on the forwarder and turn on (set disabled=0) the inputs you desire. Be sure to restart the forwarder after changing inputs.conf settings.

richgalloway

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

richgalloway

The current query can't do that because it only looks at failed logins. It will never see a successful login. The solution will entail appending a tstats command that counts successes and then modifying the where command to look for 6 or more failures and at least 1 success. You can find an example in the Basic Brute Force Detection use case in the Splunk Security Essentials apps.

richgalloway

Splunk is not going to be able to process that binary PowerPoint file without some pre-processing (manual or via a script).

richgalloway

You appear to have a hex dump of binary data. Decoding the hex will give you the original binary, but Splunk doesn't support binary data. I've seen similar-looking input when an encrypted input stream is not decrypted before being indexed. Double-check the TLS/SSL settings.

Posts	15649
Solutions	2828
Karma Given	1571
Karma Received	6043
Member Since	‎07-24-2012

Online Status	Offline
Date Last Visited	3 hours ago

Receiving notifications that are disabled

collectd reports "write_http plugin: curl_easy_per...

How do you restart splunk?

stats count(eval) always returns zero

Need help getting right timestamp from CSV

How to display more than 5 questions per page on A...

What will break if I set coldPath to /dev/null?

Knowledge Object Explorer won't load

How to use a field in SingleValue label?

How to move an index to another app?

Re: Is Splunk ODBC compatible with Splunk Cloud?

Re: Extract aws service name from source field of ...

Re: Extract aws service name from source field of ...

Re: Extract aws service name from source field of ...

Re: Extract aws service name from source field of ...

Re: Timechart but based on 2+ more user selections

Re: Mirror props, transforms and indexes from inde...

Re: Splunk HF to splunk cloud Outputs.conf file

Re: Error in 'where' command: The expression is ma...

Re: Error in 'where' command: The expression is ma...

Re: Error in 'EvalCommand': Type checking failed. ...

Re: How to exclude alert to trigger during mainten...

Re: Limitation of Heavy Forwarder outputs?

Re: HA with just 2 indexers?

Re: querying index

Re: querying index

Re: querying index

Re: Finding when difference between servers greate...

Re: Import data from REST APIs in Splunk Cloud

Re: EPS in flat file with universal forwarder

Re: Having trouble getting started

Re: need help on regex

Re: Correlation Search for brute force

Re: Automatic conversion from HEX to text

Re: Automatic conversion from HEX to text