Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About psharkey
psharkey
Explorer
Member since:
06-13-2013
04-07-2023
Community Statistics
| Posts | 10 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 6 |
| Member Since | 06-13-2013 |
Activity Feed
- Got Karma for Re: The maximum number of concurrent historical scheduled searches on this instance has been reached. 03-02-2023 06:40 AM
- Got Karma for Re: Could someone help clarify Splunk Documentation Accuracy Around Forwarder SSL Configuration?. 03-01-2023 01:57 AM
- Posted Re: Could someone help clarify Splunk Documentation Accuracy Around Forwarder SSL Configuration? on Getting Data In. 02-28-2023 10:11 AM
- Karma Re: Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4 for alterdego. 06-05-2020 12:47 AM
- Got Karma for How to troubleshoot why events of the same sourcetype are being indexed in two indexes?. 06-05-2020 12:47 AM
- Got Karma for Re: How to troubleshoot why events of the same sourcetype are being indexed in two indexes?. 06-05-2020 12:47 AM
- Got Karma for Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4. 06-05-2020 12:47 AM
- Got Karma for Re: Nested Field Extraction. 06-05-2020 12:46 AM
- Posted Re: The maximum number of concurrent historical scheduled searches on this instance has been reached on Splunk Search. 05-26-2020 01:56 PM
- Posted Re: Users logging windows on two machines at the same time on All Apps and Add-ons. 03-30-2015 10:45 AM
- Posted Re: How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-21-2014 08:37 AM
- Posted How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-17-2014 12:25 PM
- Tagged How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-17-2014 12:25 PM
- Tagged How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-17-2014 12:25 PM
- Tagged How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-17-2014 12:25 PM
- Tagged How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-17-2014 12:25 PM
- Tagged How to troubleshoot why events of the same sourcetype are being indexed in two indexes? on Getting Data In. 10-17-2014 12:25 PM
- Posted Re: Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4 on Splunk Search. 06-18-2014 10:55 AM
- Posted Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4 on Splunk Search. 06-17-2014 06:58 PM
- Tagged Search not functioning in all apps after upgrade from Splunk Enterprise 5.0.4 to 6.0.4 on Splunk Search. 06-17-2014 06:58 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 |
02-28-2023
10:11 AM
1 Karma
I faced a similar situation. However, I only needed to include the sslRootCAPath directive. Neither of the NameToCheck directives were necessary. I ended up deploying a PKIChain.pem file in a different App which also included a server.conf file with an [sslConfig] stanza like this: [sslConfig] sslRootCAPath = $SPLUNK_HOME/etc/apps/<App>/default/PKIChain.pem
... View more
05-26-2020
01:56 PM
1 Karma
The default value of max_searches_perc in the scheduler stanza of the limits.conf file is 50 (as in 50%).
This is the maximum number of searches the scheduler can run, as a percentage of the maximum number of concurrent searches.
50% of 10 is 5.
... View more
03-30-2015
10:45 AM
Sergei - you are missing a close quote " after values(src_ip) as "Logins IPs.
It should read:
values(src_ip) as "Logins IPs", ...
... View more
10-21-2014
08:37 AM
1 Karma
I used ngrep to look at the raw data coming into my indexer from the Universal Forwarders running on my Windows Domain Controllers. The syntax that I initially used was similar to this:
ngrep -d <interface name> -q '_MetaData:Index.main' host <DC IP>
This did not return any results. When I made the search less specific via -q '_MetaData:', I saw some data arriving with _MetaData:Index.default (which is index=main). The events all had the path _path>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe . As far as I can tell, splunk-admon.exe is part of the Windows Universal Forwarder.
Since our Domain Controllers are all running Windows 2012, I decided to update "Splunk App for Windows Infrastructure" app on my SH/Indexer from version 1.0.2 to version 1.0.4, and deployed the TA-DomainController-2012R2, Splunk_TA_Windows and Splunk Add-on for Microsoft Powershell apps to my DC's via the Deployment Server.
The problem has not occurred again since I have updated these components. The ngrep search is now consistently showing raw events with the correct index metadata, like this:
_path>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe.._MetaData:Index.msad
... View more
10-17-2014
12:25 PM
1 Karma
I have Splunk Universal Forwarders installed on my Windows Domain Controllers. Up until 5 weeks ago, sourcetype=ActiveDirectory events were exclusively being indexed in an index named msad.
Starting 5 weeks ago, some of the sourcetype=ActiveDirectory events have been indexed in the default index (main). The DC's that have indexed some sourcetype=ActiveDirectory events in index=main have also indexed other sourcetype=ActiveDirectory events in index=msad.
For what it is worth, there are four domain controllers, three of which are running Splunk Universal Forwarder version 6.1.3 and the other is running version 5.0.4. The DC running UF version 5.0.4 has consistently indexed sourcetype=ActiveDirectory events in index=msad if that matters.
The inputs.conf on my indexer routes these sourcetypes to index=msad, so I am curious to know why/how some of the events are winding up in main. Any help would be appreciated.
... View more
06-18-2014
10:55 AM
Thanks alterdego. Your recommendation resolved the problem that I was experiencing.
... View more
06-17-2014
06:58 PM
1 Karma
Splunk Enterprise v6.0.4 (build 207768).
Search works inside the Search & Reporting app and a few other apps. By that I mean if your search terms are syntactically correct and there are matching events, they will be returned.
However, in some apps with embedded search capability, nothing is returned when you enter search terms and select the magnifying glass button. If you use the same search terms in the Search & Reporting app, results will get returned.
The account that I am logged in with is in the admin role. Users with the admin role are allowed to search all indexes.
We recently upgraded from Splunk Enterprise 5.0.4. I am not sure if this behavior started when we upgraded or since then.
Examples of apps where Search does function:
Search & Reporting v6.0.4
Cisco IOS v1.3.2
*NIX 4.6 v4.6 (Build 133346)
Examples of apps where Search does not function include:
Splunk for Blue Coat v3.0.7 (Build 30007)
Cisco Security Suite v3.0.3 (Build 100784)
Splunk App for Microsoft Exchange v2.1.1
These apps are compatible with Splunk 6.0. App permission settings look appropriate.
Any ideas?
... View more
03-18-2014
09:59 AM
1 Karma
After some experimentation I arrived at a solution:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]+))\t+
Yielded the desired results:
combined_field = "1A-1B"
src_zone = "1A"
dst_zone = "1B"
Thanks for your help.
... View more
03-18-2014
09:00 AM
I should have specified that there are additional tab separated fields after combined_field. When I attempted your first suggestion it captured more than I wanted.
However, I am getting closer using a variation on your first suggestion:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]))[^\t]+
yields
combined_field = "1A-1"
src_zone = "1A"
dst_zone = "1"
combined_field and dst_zone are getting clipped by one character.
Any more suggestions?
... View more
03-18-2014
08:17 AM
I have extracted a field that contains two values separated by a dash character "-". Now I want to retain that field/value as well as splitting its value into two additional fields.
For example:
combined_field = "1A-1B" (or src_zone-dst_zone)
src_zone = "1A" (one or more numbers followed by a single letter)
dst_zone = "1B" (one or more numbers followed by a single letter)
This rex worked (?< combined_field>[^\t]+) for capturing combined_field = "1A-1B".
(fields are tab separated)
This rex worked (?< combined_field>(?< src_zone>\d+\w+)[^\t]+) for capturing both combined_field = "1A-1B" and src_zone = "1A".
However, this rex (?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>\d+\w+)[^\t]+) fails to capture src_zone or dst_zone.
How can I revise this rex to capture the combined_field in its entirety, src_zone and dst_zone?
Thanks,
Patrick
... View more
- Tags:
- extraction
