cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
hbacbs
Explorer
Member since: ‎08-17-2012
‎10-11-2022
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎08-17-2012
Activity Feed
View All

Re: SPLUNK 6.1.1 - Customzing Splunk logo and Mess...

by in Splunk Enterprise
‎10-11-2019 05:43 AM
‎10-11-2019 05:43 AM
CSS is made for styling not for security. It's like putting the key under the mat. ... View more

Re: How to exclude multiple time ranges in a searc...

by in Splunk Search
‎10-17-2018 08:21 AM
‎10-17-2018 08:21 AM
Hi Darren, thanks for your quick response. The subsearch basically works as expected. Unfortunately it fails if a transaction is not closed because there is a "Start exclude messages" event without matching "End exclude messages" event or vice versa. Also I could not get the proposed combination of main search and subsearch working. If I directly apply the syntax as I receive an error: Search Factory: Unknown search command 'index'. However when I add the search keyword to the subsearch index=IndexWhereTheDataIs sourcetype=SourcetypeWhereTheDataIs [ search index= ... the search result is empty and I could not figure out why since when I execute the searches separately and add the result of the subsearch manually to the main search, it works like a charm. ... View more

How to exclude multiple time ranges in a search?

by in Splunk Search
‎10-16-2018 06:53 AM
2 Karma
‎10-16-2018 06:53 AM
2 Karma
Hi, I would like to execute a search, where several non-overlapping time ranges are excluded. An exclusion time range is marked by a begin event ("Start exclude messages") and an end event ("End exclude messages") and is typically several minutes long. The number of exclusion ranges within the search time range is not defined in advance: it could be 0, or it could be many. What I have come up with so far works if there is, at most, one exclusion time range completely within the search time range. However, it does not work if there are several time ranges that should be excluded or if the beginning or end of the search time range lies within an exclusion time range (e.g. no "Start exclude messages" event within search time range): index=* <some search parameters> | eval startExcludeTime=[ search index=* "Start exclude messages" | eval time=_time| return $time ] | eval endExcludeTime=[ search index=* "End exclude messages" | eval time=_time| return $time ] | where _time < startExcludeTime OR _time > endExcludeTime I also tried using a transaction based subsearch which works great to determine the exclusion time ranges but I was again not able to figure out how to exclude multiple time ranges in the main search: index=* | transaction startswith="Start exclude messages" endswith="End exclude messages" | eval startExcludeTime=_time | eval endExcludeTime=startExcludeTime+duration Is there another way how to exclude multiple time ranges from a search? Any help would be highly appreciated. Thanks, hbacbs System: Splunk Enterprise Version: 7.2.0 ... View more

Stanza to select Nginx log files

by in Getting Data In
‎04-23-2018 09:19 AM
‎04-23-2018 09:19 AM
I want to forward some Nginx log files. Nginx log files look like: - server-access.log - server-access.log-20180102 - server-access.log-20180101.gz I configured inputs.conf [monitor:////var/log/nginx/server-access.log*] index = server-index But I didn't receive any events. It works without the wildcard. According to the documentation (1) the stanza [monitor:////var/log/nginx/server-access.log*] is translated to [monitor:////var/log/nginx] whitelist = server-access.log[^/]*$ Specifying the whitelist does the job. My question is what is wrong with server-access.log* (1): http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Specifyinputpathswithwildcards ... View more

Re: Is there a way to hide or disable "Manage Apps...

by in Security
‎08-30-2017 02:49 PM
‎08-30-2017 02:49 PM
I tried this with no success. (6.3.3) and the file hidemanageapps.css a[data-role="manage-apps"]{display: none;}, a[data-role="more-apps"]{display: block !important;} "Manage Apps" is still visible and results to 404. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-11-2022 06:54 AM
Karma from
View All