Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About DaClyde
DaClyde
Contributor
Member since:
10-22-2010
02-26-2024
Community Statistics
| Posts | 121 |
| Solutions | 4 |
| Karma Given | 42 |
| Karma Received | 26 |
| Member Since | 10-22-2010 |
Activity Feed
- Posted Re: Searching for "-" in IIS logs? on Splunk Search. 02-20-2024 07:47 AM
- Karma Re: How do I remove the chart on the top of the PDF? for rsimmons. 02-20-2024 07:34 AM
- Karma Re: How do I remove the chart on the top of the PDF? for anwarmmian. 02-20-2024 07:34 AM
- Posted Searching for "-" in IIS logs? on Splunk Search. 02-16-2024 07:14 AM
- Karma Re: Where to reallocate CPU cores, SH or IDX? for isoutamo. 02-13-2024 11:03 AM
- Posted Re: Re-arranging Apps menu in Splunk 9.2.x on Knowledge Management. 02-13-2024 11:02 AM
- Got Karma for Re: Re-arranging Apps menu in Splunk 9.2.x. 02-13-2024 11:01 AM
- Posted Re: Re-arranging Apps menu in Splunk 9.2.x on Knowledge Management. 02-13-2024 10:59 AM
- Karma Re: Re-arranging Apps menu in Splunk 9.2.x for isoutamo. 02-13-2024 10:59 AM
- Posted Re-arranging Apps menu in Splunk 9.2.x on Knowledge Management. 02-13-2024 09:42 AM
- Posted Re: Where to reallocate CPU cores, SH or IDX? on Deployment Architecture. 09-15-2023 12:36 PM
- Posted Where to reallocate CPU cores, SH or IDX? on Deployment Architecture. 09-13-2023 08:18 AM
- Posted Re: Configuration from Scratch on Splunk Enterprise. 09-07-2023 02:35 PM
- Posted Re: Keeping users out of Search on Security. 08-11-2023 06:59 AM
- Karma Re: Keeping users out of Search for gcusello. 08-11-2023 06:59 AM
- Posted How to keep users out of Search? on Security. 08-10-2023 07:06 AM
- Posted Re: Lookup Editor limit the revert backup on Dashboards & Visualizations. 05-26-2022 09:11 AM
- Posted Re: Problem replicating bundle to search peer: http_status=400 "Failed to untar the bundle" on All Apps and Add-ons. 10-20-2021 06:47 AM
- Posted Re: How to use a radio button to run different searches including token from drilldown? on Dashboards & Visualizations. 06-18-2021 07:31 AM
- Karma Re: How to use a radio button to run different searches including token from drilldown? for ITWhisperer. 06-18-2021 07:30 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-20-2024
07:47 AM
I will try both approaches today and see what happens. Thanks for the suggestions!
... View more
02-16-2024
07:14 AM
In Microsoft IIS logs, when a field is empty, a dash ( - ) is used instead of leaving the value blank. Presumably this is because IIS logs are space delimited, so otherwise it would just have three consecutive spaces which might be ignored. However, even though there is something in the field, I can't search for something like cs_username="-" and get any results. Is this something Splunk is doing, where it is treating the dash as a NULL? I have a dashboard where I track HTTP errors by cs_username, but when the username is not present, I can't drill down on the dash, I can only drill down on actual username values. Is there a way to make the dash an active, drillable value? I tried this but it didn't work: | fillnull value="-" cs_username How can I search the cs_username field when the value is a dash?
... View more
02-13-2024
11:02 AM
Correction, I need to re-pin them in reverse order, as the most recently pinned app goes to the top.
... View more
02-13-2024
10:59 AM
1 Karma
Now I notice that all of the apps that existed prior to the upgrade are all already pinned. The only unpinned apps are the few we have added since then. Presumably that means I can just unpin everything and the re-pin in the order I want. I miss the dragging.
... View more
02-13-2024
09:42 AM
In previous versions of Splunk (at least up to 9.1.0), we could re-arrange the Apps menu by dragging the apps up or down in the Launcher app. Now that Launcher seems to have been rebuilt with Dashboard Studio that capability is no longer present. Is there a new way for users to re-arrange their Apps menu?
... View more
Labels
- Labels:
-
other
09-15-2023
12:36 PM
Thank you, I will have our team look into these and see if there is anything we can salvage of our current system. I feel like Goofy from Disney's Jack & the Beanstalk, slicing bread so thin it is transparent.
... View more
09-13-2023
08:18 AM
Our Splunk environment is chronically under resourced, so we see a lot of this message: [umechujf,umechujs] Configuration initialization for D:\Splunk\etc took longer than expected (10797ms) when dispatching a search with search ID _MTI4NDg3MjQ0MDExNzAwNUBtaWw_MTI4NDg3MjQ0MDExNzAwNUBtaWw__t2monitor__ErrorCount_1694617402.9293. This usually indicates problems with underlying storage performance. It is our understanding that the core issue here is not so much storage, but processor availability. Basically Splunk had to wait 10.7 seconds for the specified pool of processors to be available before it could run the search. We are running a single SH and single IDX. Both are configured for 10 CPU cores. Also, this is a VM environment, so those are shared resources. I know, basically all of the things Splunk advises against (did I mention also running Windows?). No, we can't address the overall resource situation right now. Somewhere the idea came up that reducing the quantity of cores might help improve processor availability, so if Splunk were only waiting for 4 or 8 cores, it would at least get to the point of beginning the search with less initial delay as it would have to wait for a smaller pool of cores to be available first. So our question is, which server is most responsible for the delay, the SH or the IDX? Which would be the better candidate for reducing the number of available cores?
... View more
Labels
09-07-2023
02:35 PM
At this point, you will basically be editing the various .conf (inputs, outputs, props, transforms) files in Notepad or some other text editor. The CLI will mostly for issuing commands to Splunk, which in the beginning will be mostly ./splunk stop, ./splunk start and ./splunk restart. Are you running headless, or do you have access to the web interface?
... View more
08-11-2023
06:59 AM
Thank you @gcusello, I was worried this might be the answer. As much as we can, we are leveraging the API to build dashboards into our main website and effectively replicating the dashboards in HTML, pulling the values from Splunk. That keeps the users out of Splunk entirely and may be the direction we need to go.
... View more
08-10-2023
07:06 AM
We would very much like to restrict certain users in our Splunk environment to the apps that have been provided to them and prevent them from reaching the Search interface.
We have established separate roles for each app, and assigned to the users to those roles, but are having some difficulty determining exactly which set of capabilities the roles require for the apps to function, but to make sure the users can't reach the search bar.
We remove the "Open in Search" option from the bottom on the dashboard panels, and we would like to remove access to the Search & Reporting app to all but the necessary roles. We just want to be sure everything still functions for the users in their various apps.
Any guidance would be helpful.
Thanks!
... View more
Labels
- Labels:
-
access control
-
permissions
05-26-2022
09:11 AM
With the changes in v3.6.0 of the app in the past month, is this still valid?
... View more
10-20-2021
06:47 AM
I don't have any solutions, but we started seeing this on our system this week, though I don't think it followed any updates. Looking for the sendRcvTimeout reference, I notice that has begun showing up in the Splunk logs just in the past month. The only thing we're doing new is starting to experiment with the loadjob command to reference some fairly large jobs. We only have a single indexer and a single search head. We are running 8.2.1.
... View more
06-18-2021
07:31 AM
I'm sorry, I got so lost in trying to explain and show what I was doing wrong, I got sidetracked from actually trying your suggestion. This works perfectly, thank you!
... View more
06-18-2021
06:40 AM
That was what I tried first, but got lost in how to format the search in the 'value' field. I get the idea that all of the escaping is preventing the token variables from the drilldown from being populated. When I inspect the search after running it, it still just shows my $host_tok$ and $client_tok$ instead of the values passed from the previous panel. When I was just passing tokens from the radio buttons to a standard search, it worked fine, I just didn't have the flexibility I needed in the search. Here is the panel source, I tried a straight search for Download and tried using CDATA for the Upload (which was just a mess), but in neither case do the tokens populate: <panel>
<input type="radio" token="method_tok">
<label></label>
<choice value="search index=navyclientiis sourcetype=navyclientiis cs_method=HEAD OR cs_method=GET [|inputlookup all_mid-tiers|where Unit="$host_tok$"|table host] cs_client=$client_tok$ |rename cs_uri_stem AS "File Downloaded" |eval Status=sc_status.".".sc_substatus|table _time "File Downloaded" Status">Downloads</choice>
<choice value="<![CDATA[|index=navyclientiis sourcetype=navyclientiis cs_method=POST [|inputlookup all_mid-tiers|where Unit="$host_tok$"|table host] cs_client=$client_tok$ |rename fn AS "File Uploaded"|eval Status=sc_status.".".sc_substatus | table _time "File Uploaded" Status]]>">Uploads</choice>
</input>
<html>Select Upload or Download to see client traffic.</html>
<table depends="$client_tok$">
<title>Detail for $client_tok$</title>
<search>
<query>$method_tok$</query>
<earliest>-48h</earliest>
<latest>+12h</latest>
</search>
<option name="count">15</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
... View more
06-17-2021
02:58 PM
I have a three panel dashboard using drilldown tokens, and I need help with the last panel. In panel 1 the user picks a time range and an option from a drop down list that then runs the search to return a table of servers. From the search results, the user can click on a row to launch panel 2. Panel 2 takes the token (a server name) from Panel 1 and runs a search that returns a list of clients associated with the server. From the results, the user can click on a client to launch panel 3. Panel 3 has a radio button with options Upload and Download to show either file uploads or file downloads for the selected client from panel 3. However, I need to run two completely different searches (different indexes and sourcetypes) depending on which radio button is selected, but also plugging in the token (client name) from panel 2. I know how to use a radio button menu to pass just a token into a search, but how can I pass a whole search?
... View more
06-17-2021
02:04 PM
3 years later, I'm finally getting around to using this and it works great. Thanks!
... View more
04-05-2021
07:40 AM
Everyone on our project recently got new CAC cards, and the new cards have a longer ID number on them than before. As a result, all of our account IDs changed which resulted in almost all of our searches being orphaned. I found how to go to the All Configurations and use the Reassign Knowledge Objects to fix them, but we are now left with a recurring system alert for 5 orphaned searches that are still tied to my old ID number. If I try to filter the Reassign Knowledge Objects page for Orphaned searches, these 5 do not show up. When I go look at the actual searches, they have all been successfully re-assigned and show my new ID number, but the alert persists. How can I clear this persistent false positive Orphaned Search alert?
... View more
- Tags:
- orphaned search
Labels
- Labels:
-
administration
-
troubleshooting
03-16-2021
03:06 PM
So far, so good. I implemented the combined field extractions, and it is at least working as good as before. Here are some sample events, a few that are normal, and a few that cause problems: 2021-03-16 21:01:40 10.2.3.4 HEAD /configs/army/ACD-ABNGAASN1/configs.xml - 443 usr-1125 169.31.11.142 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.6/0/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGABA-ACN-05) - 304 0 0 325 393 192.168.81.70 close - - 2021-03-16 17:02:54 10.2.3.4 GET /Army/acd/faq/ACN+v1.1.6.2002(20R2)+Release+Updates.pdf - 443 usr-1125 169.31.11.142 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.5/285/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGABA-ACN-05) - 200 0 0 5905224 399 2984 192.168.81.70 close - - 2021-03-15 17:11:08 10.2.3.4 GET /Army/lift/safety/AMAM/2020/GEN-20-AMAM-06+(2ND+UPDATE).pdf - 443 usr-1125 169.31.11.140 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.6/104/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGABA-ACN-05) - 200 0 0 274234 408 15 192.168.81.70 close - - 2021-03-15 17:11:06 10.2.3.4 GET /Army/lift/safety/AMAM/2020/GEN-20-AMAM-06+(2ND+UPDATE).docx - 443 usr-1125 169.31.11.143 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.6/105/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGABA-ACN-05) - 200 0 0 51828 409 0 192.168.81.70 close - - 2021-03-15 17:07:05 10.2.3.4 GET /Army/utility/safety/AMAM/2020/GEN-20-AMAM-06+(2ND+UPDATE).pdf - 443 usr-1125 169.31.11.141 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.6/205/-1;West|AA|ACD|Hotelville|AL|ACN-ABNGAASN1|ACDSVR|2.5;C8F7504F05CE;NGALA-ACN-02) - 200 0 0 274234 406 15 192.168.81.70 close - - 2021-03-15 17:07:02 10.2.3.4 GET /Army/utility/safety/AMAM/2020/GEN-20-AMAM-06+(2ND+UPDATE).docx - 443 usr-1125 169.31.11.142 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.6/206/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGALA-ACN-02) - 200 0 0 51828 407 15 192.168.81.70 close - - 2021-03-15 17:03:00 10.2.3.4 GET /Army/gen/safety/AMAM/2020/GEN-20-AMAM-06.pdf - 443 usr-1125 169.31.11.140 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.7/285/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGABA-ACN-05) - 200 0 0 274234 405 0 192.168.81.70 close - - 2021-03-15 17:02:57 10.2.3.4 GET /Army/gen/safety/AMAM/2020/GEN-20-AMAM-06.docx - 443 usr-1125 169.31.11.143 JTDI+(JDMS+1.0.11.2.20200807;+WinServer+2016+10.0;+345.7/286/-1;West|AA|ACD|Hotelville|AL|ACD-ABNGAASN2|ACDSVR|2.5;C8F7504F05CE;NGABA-ACN-05) - 200 0 0 51828 406 0 192.168.81.70 close - -
... View more
03-11-2021
11:42 AM
The * shouldn't be a problem. We use it extensively in our monitor stanzas, both as parts of filenames and as path segments. Has your test index already been created?
... View more
03-10-2021
02:40 PM
I could use some expert assistance with a regex for breaking down a custom user-agent field in an IIS log into component fields while avoiding a conflict with other fields. We run software that uses IIS as a file server, and the software injects a custom user-agent value into the IIS log with every request. Here is a sample of the user agent: JTDI+(JDMS+1.0.11.2.20200807;+Win10+10.0;+229.0/62/-1;Branch|UnitType|System|City|ST|SiteIDOverride|SvrType|2.5;C8F7504F064E;UTA-AVD) The IIS log is space delimited, so all of that lands in the cs_user_agent field just fine. I made a sort of running mess of extracting the subfields. Within the string are subfields delimited by semicolon, and sub-subfields delimited by / and |. Here are my separate extractions, in order as the fields appear in the string: ^[^\(\n]*JTDI\+\((?P<jkversion>[^;]+)
^[^;\n]*;(?P<os>[^;]+)
^(?:[^;\n]*;){2}(?P<freespace>[^/]+)
^(?:[^;\n]*;){2}\+\d+\.\d+/(?P<pending>\d+)
^(?:[^;\n]*;){3}(?P<SiteDescription>[^;]+)
^(?:[^;\n]*;){4}(?P<MAC>[^;]+)
^(?:[^;\n]*;){5}(?P<cs_hostname>[^\)]+) Technically after the 'pending' field there should be a 'hits' field (represented by the -1 above), but we don't use it, so I didn't bother extracting it. So my problem is the parentheses. If a filename shows up in the cs_uri_stem field that includes them, like filename(copy1).txt, the () throw off my jkversion and cs_hostname extractions, because I don't know how to accommodate the possible existence of parentheses outside the cs_user_agent field. So I guess my question is two-fold. 1) I know my overall user-agent extraction should be a single transform instead of all separate field extractions, but I'm not sure how to tie them all together because I couldn't see a way to extract strings like that in the field extractor interface in Splunk. 2) How can I fix my regex so that parentheses appearing in other fields don't break my jkversion and cs_hostname extractions? Help?
... View more
Labels
- Labels:
-
field extraction
09-16-2020
07:55 AM
Yes, the 16th makes sense because of on-going operations, but my problem has been with the value for the 9th. I will try it with some other indexes and see if I still have the same problem.
... View more
09-16-2020
06:38 AM
I am searching IIS logs, trying to calculate the number of GB transferred each day for the last 7 days. Here is my search: index=iis sourcetype=iis cs_user_agent="JTDI*" earliest=-7d@d | stats sum(cs_bytes) as UPLOADS, sum(sc_bytes) as DOWNLOADS by date_mday | eval UPLOADS=round(UPLOADS/1024/1024/1024,2) | eval DOWNLOADS=round(DOWNLOADS/1024/1024/1024,2) | rename date_mday as "Day of the Month"| sort -"Day of the Month" The problem I am having is that I get a different result for the 7th day if I use -7d@d vs -8d@d. In both cases, every day should be the total for that day since midnight. So when I search over 8 days, why does my 7th day have more data?
... View more
Labels
- Labels:
-
stats
04-09-2020
12:39 PM
Since recently completing the upgrade of our search head to 8.0.0, a schedule search that emails and attached csv is now adding an extra line between every event. Some of our scheduled csv's are used by other automation, so the extra lines are breaking something.
Is this a known issue that was fixed in 8.0.1? I see in the 8.0.1 "Fixed Issues" this: SPL-176009, SPL-166728 - Alert email spacing issue, but I don't know how to look up what the specific issues are to know if that relates to my problem or not.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-26-2024
12:32 PM
|
Karma given to
