Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About brigancc
brigancc
Explorer
Member since:
11-27-2015
01-12-2023
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 3 |
| Member Since | 11-27-2015 |
Activity Feed
- Karma Re: upgrade to 7.2 fails with "ERROR while running mongod-fix-voting-priority migration." for sylim_splunk. 06-05-2020 12:50 AM
- Karma Re: Why do scheduled searches randomly stop running in a Splunk 6.3.0 Search Head Cluster? for emiller42. 06-05-2020 12:47 AM
- Karma Re: Why do scheduled searches randomly stop running in a Splunk 6.3.0 Search Head Cluster? for bohanlon_splunk. 06-05-2020 12:47 AM
- Got Karma for Re: IMAP Mailbox: Is cloning the TA the only way to monitor several mailboxes?. 06-05-2020 12:47 AM
- Got Karma for Re: How to convert epoch timestamp to readable date format?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex?. 06-05-2020 12:47 AM
- Posted Re: Why do scheduled searches randomly stop running in a Splunk 6.3.0 Search Head Cluster? on Alerting. 06-17-2016 01:31 AM
- Posted Re: Why do scheduled searches randomly stop running in a Splunk 6.3.0 Search Head Cluster? on Alerting. 06-15-2016 02:17 AM
- Posted Re: How to convert epoch timestamp to readable date format? on Splunk Search. 12-08-2015 06:13 AM
- Posted Re: Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-04-2015 12:00 AM
- Posted Re: Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-03-2015 11:52 PM
- Posted Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-02-2015 10:39 PM
- Tagged Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-02-2015 10:39 PM
- Tagged Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-02-2015 10:39 PM
- Tagged Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-02-2015 10:39 PM
- Tagged Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-02-2015 10:39 PM
- Tagged Splunk for Blue Coat ProxySG: About 5% of our logs did not get any field extraction. Has anyone noticed bad transforms.conf regex? on All Apps and Add-ons. 12-02-2015 10:39 PM
- Posted Re: IMAP Mailbox: Is cloning the TA the only way to monitor several mailboxes? on All Apps and Add-ons. 12-01-2015 01:40 AM
- Posted Re: IMAP Mailbox: Is cloning the TA the only way to monitor several mailboxes? on All Apps and Add-ons. 12-01-2015 01:19 AM
- Posted Re: IMAP Mailbox: Is cloning the TA the only way to monitor several mailboxes? on All Apps and Add-ons. 12-01-2015 12:58 AM
Topics I've Started
06-15-2016
02:17 AM
I don't see SPL-109514 referenced in any of the known issues or release notes. In fact, I can't find any reference to this issue at all. Could we please confirm which release addressed this issue?
... View more
12-08-2015
06:13 AM
1 Karma
My Epoch timestamp was something like this
StartTime=1449559286189
EndTime=1449577678580
So dividing it by 1000 did the trick
eval StartTime=StartTime/1000, EndTime=EndTime/1000 | fieldformat StartTime=strftime(StartTime, "%F %T.%3N") | fieldformat EndTime=strftime(EndTime, "%F %T.%3N")
... View more
12-04-2015
12:00 AM
1 Karma
Used the awesome regex tool at http://regex101.com/#PCRE to visualize the matching and found that the http_user_agent named capture group was surrounded by literal quotes. That caused the whole regex to not match when the event didn't have a user agent.
The fix was to make the quotes optional by adding the "?" quantifier to make it match 0 or 1 time.
After applying the change we went from 95% overall field extraction to 100%
Fixed transform for bcreporter_v1
(?<date>[^\s]+)\s+(?<time>[^\s]+)\s+(?<time_taken>[^\s]+)\s+(?<c_ip>[^\s]+)\s+(?<cs_username>[^\s]+)\s+(?<cs_auth_group>[^\s]+)\s+(?<x_exception_id>[^\s]+)\s+(?<filter_result>[^\s]+)\s+\"(?<category>[^\"]+)\"\s+(?<http_referrer>[^\s]+)\s+(?<sc_status>[^\s]+)\s+(?<action>[^\s]+)\s+(?<cs_method>[^\s]+)\s+(?<http_content_type>[^\s]+)\s+(?<cs_uri_scheme>[^\s]+)\s+(?<cs_host>[^\s]+)\s+(?<cs_uri_port>[^\s]+)\s+(?<cs_uri_path>[^\s]+)\s+(?<cs_uri_query>[^\s]+)\s+(?<cs_uri_extension>[^\s]+)\s+\"?(?<http_user_agent>[^\"]+)\"?\s+(?<s_ip>[^\s]+)\s+(?<sc_bytes>[^\s]+)\s+(?<cs_bytes>[^\s]+)\s+\"?(?<x_virus_id>[^\"]+)\"?\s+\"(?<x_bluecoat_application_name>[^\"]+)\"\s+\"(?<x_bluecoat_application_operation>[^\"]+)\"
Here it is all by itself
\"?(?<http_user_agent>[^\"]+)\"?
... View more
12-03-2015
11:52 PM
Very good point. Thank you for the suggestion. I'll update the post and put the solution as an answer. Thanks!
... View more
12-02-2015
10:39 PM
With the ProxySG using the default "bcreportermain_v1" output, we found that in about 5% of our logs did not get any field extraction. We noted that when the "http_user_agent" was blank (represented by a hyphen), it was not quoted. This is normally a quoted field. So, we surmised that it might be a problem with the regex. Turns out we were correct.
In the line below, the hyphen just before "2.2.2.2" is supposed to be the http_user_agent... as you can see it's unquoted.
2015-12-02 14:38:17 84 1.1.1.1 - - - OBSERVED "Business/Economy" - 200 TCP_NC_MISS GET text/html;charset=UTF-8 http prod-app.enmetric.com 80 /Command-war/retrieve ?limit=5 - - 2.2.2.2 198 129 - "none" "none"
In the line below, you can clearly see the quoted User-Agent field preceding 4.4.4.4 ...
2015-12-02 14:38:17 1662 1.1.1.2 - - - OBSERVED "Web Ads/Analytics" - 200 TCP_NC_MISS GET image/gif http p.liadm.com 80 /imp ?s=5 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)" 4.4.4.4 478 982 - "none" "none"
Original transform for bcreporter_v1
(?<date>[^\s]+)\s+(?<time>[^\s]+)\s+(?<time_taken>[^\s]+)\s+(?<c_ip>[^\s]+)\s+(?<cs_username>[^\s]+)\s+(?<cs_auth_group>[^\s]+)\s+(?<x_exception_id>[^\s]+)\s+(?<filter_result>[^\s]+)\s+\"(?<category>[^\"]+)\"\s+(?<http_referrer>[^\s]+)\s+(?<sc_status>[^\s]+)\s+(?<action>[^\s]+)\s+(?<cs_method>[^\s]+)\s+(?<http_content_type>[^\s]+)\s+(?<cs_uri_scheme>[^\s]+)\s+(?<cs_host>[^\s]+)\s+(?<cs_uri_port>[^\s]+)\s+(?<cs_uri_path>[^\s]+)\s+(?<cs_uri_query>[^\s]+)\s+(?<cs_uri_extension>[^\s]+)\s+\"(?<http_user_agent>[^\"]+)\"\s+(?<s_ip>[^\s]+)\s+(?<sc_bytes>[^\s]+)\s+(?<cs_bytes>[^\s]+)\s+\"?(?<x_virus_id>[^\"]+)\"?\s+\"(?<x_bluecoat_application_name>[^\"]+)\"\s+\"(?<x_bluecoat_application_operation>[^\"]+)\"
Here it is all by itself
\"(?<http_user_agent>[^\"]+)\"
Config for "bcreportermain_v1"
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation
Not sure whether the field should be fixed so that it is always quoted or if the regex is bad... curious if anyone else has noticed this.
... View more
12-01-2015
01:40 AM
1 Karma
Yes, perhaps, but doing what ragingwire described is not complete. You can't just copy the TA to /opt/splunk/etc/apps and update imap.conf. The paths are different:
/opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py
/opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py
But Splunk doesn't seem to care because in inputs.conf, the name of the script is the same:
[script://./bin/get_imap_email.py]
Even though it expands to a different path, when you look at the "Data Inputs" page in Splunk, you'll only see ONE get_imap_email.py enabled and working.
... View more
12-01-2015
01:19 AM
There's more to this unfortunately. You have to rename the python scripts because if you have the TA installed on the same box as the App, you'll have a conflict when Splunk expands the path.
12-01-2015 07:51:46.785 +0000 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py], ignoring alternate expansion [script:///opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py] in inputs.conf
So what you end up with is the input.conf from the TA overriding the inputs.conf from the app. You effectively stop monitoring one IMAP account and start monitoring the other.
In the TA, I believe you will have to rename the get_imap_email.py to something like get_imap_email2.py and update both inputs.conf in default and local directories.
I had to stop restarting Splunk every 5-10 minutes so we could get some work done. I'll try this again another dy and post my findings.
... View more
12-01-2015
12:58 AM
This almost worked. There seems to be a problem with inputs.conf and the name of the script. After copying the TA to /opt/splunk/etc/apps and making the changes you described, Splunk logged the following:
12-01-2015 07:51:46.785 +0000 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py], ignoring alternate expansion [script:///opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py] in inputs.conf
When you look at the "Data Inputs" in Splunk, the input for the IMAPmailbox app was replaced by the "new" input for IMAPmailbox-TA.
So it's more involved than just copying the TA to /opt/splunk/etc/apps. I think you would also have to rename the python script to get_imap_email2.py and update the inputs.conf files in default and local before it will work.
I had to stop playing around as I was restarting Splunk every 5-10 minutes... will try again later and post my findings.
... View more
11-27-2015
03:17 AM
I have two mailboxes I want to monitor. It's fine for the email events to go into the same index. Is it possible to add a second IMAP configuration to imap.conf?
For example:
[IMAP Configuration]
server = imap.server.com
user = mailbox1.server.com
debug = 0
...
indexBody = True
[IMAP Configuration 2]
server = imap.server.com
user = mailbox2.server.com
debug = 0
...
indexBody = True
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-12-2023
06:14 AM
|
