cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
emechler_splunk
Splunk Employee
Member since: ‎03-06-2012
‎06-05-2020
Community Statistics
Posts 29
Solutions 13
Karma Given 1
Karma Received 26
Member Since ‎03-06-2012
Activity Feed
View All

Re: How can I monitor the number of current artifa...

by Splunk Employee in Deployment Architecture
‎11-01-2015 01:20 PM
‎11-01-2015 01:20 PM
I think this search leveraging 'rest' should do what you want - there are number of ways to further differentiate between running / completed jobs, etc. if you need to break that out. | rest /services/search/jobs | stats count ... View more

Re: searchpeers folder filling up /opt/splunk..wha...

by Splunk Employee in Splunk Search
‎12-07-2014 04:58 PM
1 Karma
‎12-07-2014 04:58 PM
1 Karma
This is where the search heads store the bundles that are distributed to peers (indexers). This other answer might be helpful as well: http://answers.splunk.com/answers/111610/ ... View more

Re: How to find all the events since the last inst...

by Splunk Employee in Splunk Search
‎10-08-2014 02:12 PM
1 Karma
‎10-08-2014 02:12 PM
1 Karma
A subsearch should work nicely here. You can use this to pass KV pairs to the outer search, in your case _time as earliest. event_id="A" OR event_id="B" or event_id="C" latest=now [ search event_id="X" | head 1 | table _time | rename _time AS earliest ] So this passes the value of _time for the event found in the first search (named earliest) and then passes it to the outer search which should do what you want. ... View more

Re: Extract date / time from source path with cust...

by Splunk Employee in Splunk Search
‎10-08-2014 09:31 AM
‎10-08-2014 09:31 AM
Thanks, Brian. If that's the case then I should be able to use the _customdate stanza above just to pull out the date - what do I need to do for the timestamp then? I need something inside timePatterns otherwise I get an error. ... View more

Extract date / time from source path with custom d...

by Splunk Employee in Splunk Search
‎10-08-2014 09:14 AM
3 Karma
‎10-08-2014 09:14 AM
3 Karma
I'm hoping someone can help out with something that's been baffling me re: using custom a datetime.xml to extract the date and time from a file's path name. I want to pull out the year, month, day, hour, and minute from the path name for a given set of data. Source would look something like this: /path/to/data/20140416/1506/2014041615060005/[filename] Where 2014 = year, 04 = month, 16 = day, 15 = hour, and 06 = minute. I've tried two variants of custom XML and neither are pulling out either the date nor the time (Splunk only seems to use the file's modtime no matter what I try): <datetime> <define name="_customdate" extract="year, month, day"> <text><![CDATA[(?:source::.*?/)(20\d{2})(\d{2})(\d{2})(?:/)]]></text> </define> <define name="_customtime" extract="hour, minute"> <text><![CDATA[(?:source::.*?/)(\d{2})(\d{2})(?:/)]]></text> </define> <timePatterns> <use name="_customtime"/> </timePatterns> <datePatterns> <use name="_customdate"/> </datePatterns> </datetime> I've even tried doing this with one stanza and that doesn't work either. <define name="_masheddate3" extract="year, month, day, hour, minute"> <text><![CDATA[(?:source:.*?/)(20\d{2})(\d{2})(\d{2})(?:/)(\d{2})(\d{2})(?:/)(\d{16})(?:/)]]></text> </define> Thoughts on what I might be doing wrong here? Thank you! ... View more

Re: Fortigate Splunk sending data to the app

by Splunk Employee in All Apps and Add-ons
‎06-26-2014 01:08 PM
‎06-26-2014 01:08 PM
It should, yes! If not, just let the community know and someone will jump in to help 🙂 ... View more

Re: How to exclude files from indexing using black...

by Splunk Employee in Getting Data In
‎06-24-2014 07:03 PM
‎06-24-2014 07:03 PM
When you say hostname, do you really mean the full path name to the file? ... View more

Re: Fortigate Splunk sending data to the app

by Splunk Employee in All Apps and Add-ons
‎06-24-2014 06:59 PM
‎06-24-2014 06:59 PM
Assuming that you've installed this app, just select "manual" from the "Set sourcetype" drop-down and type in forigate into the "Sourcetype" text box. ... View more

Re: What endpoint for schedule searches?

by Splunk Employee in Splunk Search
‎06-14-2014 09:50 AM
2 Karma
‎06-14-2014 09:50 AM
2 Karma
I believe the REST API Tutorial will be helpful here, it walks you through this exact example: http://dev.splunk.com/view/rest-api-tutorials/SP-CAAADQ6 curl -k -u admin:changeme -d "name=web_errors" -d 'search="source%3D*web.log+status>400"' https://localhost:8089/servicesNS/admin/search/saved/searches All of the options for the search/saved/searches endpoint can be found here (including alert.expires which defines the alert expiration time): http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches ... View more

Re: Field transformation based on source

by Splunk Employee in Getting Data In
‎06-14-2014 09:41 AM
‎06-14-2014 09:41 AM
You can do this in SPL itself: | extract reload=t ... View more

Re: Field transformation based on source

by Splunk Employee in Getting Data In
‎06-13-2014 03:10 PM
3 Karma
‎06-13-2014 03:10 PM
3 Karma
In props.conf: [your_sourcetype] EXTRACT = \/data\/log\/(?<customer>\w+)\/site.* in source No need to touch transforms.conf for this. ... View more

Re: What is scheduler status=continued?

by Splunk Employee in Getting Data In
‎06-12-2014 11:40 PM
3 Karma
‎06-12-2014 11:40 PM
3 Karma
Quoting from http://docs.splunk.com/Documentation/Splunk/6.1.1/Report/Configurethepriorityofscheduledreports: Continuous scheduling is used for situations where problems arise when there's any gap in the collection of report data. In general this is only important for reports that populate summary indexes, though you may find other uses for it. When a report is enabled for summary indexing, Splunk Enterprise changes its scheduling option to continuous automatically. When you see a "status=continued" event it refers to the case where a continuous search that was supposed to run at a given time wasn't and the system will come back to it later. ... View more

Re: handle ' as field delimiter in logs

by Splunk Employee in Splunk Search
‎06-10-2014 10:52 AM
3 Karma
‎06-10-2014 10:52 AM
3 Karma
You'll probably want to use REGEX / FORMAT for this. This regex might need some tuning, but it should handle the following cases: rmIP='195.182.60.200' rmIP="195.182.60.200" rmIP=195.182.60.200 In transforms.conf: [strip-quotes] REGEX = ([^ ]+)=(?:\'|\")?([^\'\"\s]+)(?:\'|\")? FORMAT = $1::$2 In props.conf: [my_sourcetype] REPORT-strip-quotes = strip-quotes ... View more

Re: Timechart drops empty results - causes trouble...

by Splunk Employee in Splunk Search
‎05-19-2014 03:24 PM
1 Karma
‎05-19-2014 03:24 PM
1 Karma
Use fillnull (from http://answers.splunk.com/answers/106774😞 index=logins username | fillnull value=NoValue | timechart span=1d count | predict count ... View more

Re: Transaction not grouping all events

by Splunk Employee in Splunk Search
‎05-15-2014 11:57 PM
‎05-15-2014 11:57 PM
Can you share the rest of the search, please? The relevant portions of the raw events would be helpful, too. ... View more

Re: wrong host

by Splunk Employee in Getting Data In
‎05-15-2014 11:40 PM
1 Karma
‎05-15-2014 11:40 PM
1 Karma
What sourcetype are you assigning? There are built-in sourcetypes (e.g. syslog) that could be overriding the host based on the message content. ... View more

Re: REX SED Help, need to replace namespaces from ...

by Splunk Employee in Splunk Search
‎12-23-2013 10:43 AM
‎12-23-2013 10:43 AM
Sure, simply remove the "h:" from the capture group as such: "s/(<)h:(\S+)\s+(xmlns:\S+)(>)/\1\2\4/g" ... View more

Re: REX SED Help, need to replace namespaces from ...

by Splunk Employee in Splunk Search
‎12-09-2013 01:39 PM
‎12-09-2013 01:39 PM
Sorry, looked like there was an extra backslash in the regex. Try the updated version above. ... View more

Re: REX SED Help, need to replace namespaces from ...

by Splunk Employee in Splunk Search
‎12-09-2013 11:55 AM
3 Karma
‎12-09-2013 11:55 AM
3 Karma
If you wanted to do this at index-time (i.e. remove the content from the event before it's indexed into Splunk), then you could use SEDCMD to remove the content via props.conf: [XML_sourcetype] ... SEDCMD-null = s/(<h:\S+)\s+(xmlns:\S+)(>)/\\1\3/g If you're doing this inline, then the same regex should work with the rex command: ... | rex field=_raw mode=sed "s/(<h:\S+)\s+(xmlns:\S+)(>)/\1\3/g" ... View more

Re: Difficulty with linemerge and break_only

by Splunk Employee in Splunk Search
‎12-09-2013 11:40 AM
‎12-09-2013 11:40 AM
This props.conf stanza worked great for me using your data sample: [McAfeeOnDemandScan] BREAK_ONLY_BEFORE=^\d+/\d+/\d+\s+\d+:\d+:\d+\s+Engine NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true ... View more

Re: eval and "|search" question

by Splunk Employee in Splunk Search
‎08-08-2013 10:11 AM
‎08-08-2013 10:11 AM
It depends on how you're getting 'count'... Maybe this search will work for you? search terms earliest=-4h | eventstats count | addinfo | eval hours = round((info_max_time - info_min_time)/3600,0) | where count > hours ... View more

Re: How do I keep my IP address data un anonymized...

by Splunk Employee in Getting Data In
‎06-30-2013 09:58 PM
‎06-30-2013 09:58 PM
I'm not sure if this will do exactly what you want, but you can add terms to the $SPLUNK_HOME/etc/anonymizer/dictionary.txt file that you don't want anonymized (see here for more info). In your case, since you want to keep IP's intact, you'd need to add 1, 2, 3, ... 255 to this file. for i in `seq 1 10` ; do echo $i >> $SPLUNK_HOME/etc/anonymizer/dictionary.txt ; done I say this might not do what you want because there may be other numbers that you do want anonymized, however this change might prevent that. YMMV. ... View more

Re: Search to view day by day count of events by h...

by Splunk Employee in Dashboards & Visualizations
‎05-09-2013 10:47 AM
‎05-09-2013 10:47 AM
Give this search a try: .... earliest=-2h@h latest=@h | bucket _time span=1h | eventstats count AS Count by _time | timechart span=1h Count | delta Count AS Delta p=1 | eval percDelta = (Delta/Count)*100 This will give you a table looking like this: _time Count Delta percDelta 5/9/13 8:00:00.00 AM 199 5/9/13 9:00:00.00 AM 18939 16946 89.476741 If you want to do a day-by-day comparison, just change the earliest & latest terms at the beginning, and change the spans in the bucket and timechart commands as well. bmacias84 also brings up a good point that if you're going to be running this type of search on big data sets and/or on a frequent basis, Summary Indexing or Report Acceleration might prove useful too. ... View more

Re: Resolve IP to Host

by Splunk Employee in Splunk Search
‎05-09-2013 10:29 AM
‎05-09-2013 10:29 AM
Edited the original post to remove the "OUTPUTNEW host AS hostname" part of the lookup; that doesn't appear to be necessary anymore. You also don't need to add "| lookup dnsLookup Client_Address" to your search; the entry in props.conf makes the lookup automatic. ... View more

Re: Resolve IP to Host

by Splunk Employee in Splunk Search
‎05-09-2013 08:47 AM
2 Karma
‎05-09-2013 08:47 AM
2 Karma
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Example_of_external_fields_lookup If the docs are unclear or need to be improved, don't hesitate to submit feedback at the bottom of each docs page! In the meantime, maybe this will add some clarity to this process: You want to add this stanza to $SPLUNK_HOME/etc/system/local/transforms.conf: [dnsLookup] external_cmd = external_lookup.py host ip fields_list = host, ip This defines the lookup called "dnsLookup" which we can now tie to a specific sourcetype in $SPLUNK_HOME/etc/system/local/props.conf as such: [WMI*Security] LOOKUP-rdns = dnsLookup ip AS Client_Address Note that this stanza has been renamed from the docs to reference the sourcetype you're interested in performing the lookup on (WMI*Security) and will create a new field called hostname that contains the rdns lookup value. Restart Splunk and you should be all set. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All