Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rupkumar4sec
rupkumar4sec
Path Finder
Member since:
01-24-2018
04-20-2022
Community Statistics
| Posts | 32 |
| Solutions | 7 |
| Karma Given | 10 |
| Karma Received | 7 |
| Member Since | 01-24-2018 |
Activity Feed
- Posted Re: Append 2 searches together in o365 to show if a file share has been deleted on Splunk Search. 09-13-2021 07:03 AM
- Karma Search using results of a search for LynneEss. 07-21-2021 10:59 AM
- Karma How to Extract Any Values With a Decimal in my Rex String for Traer001. 07-21-2021 10:59 AM
- Got Karma for Re: Search using results of a search. 06-22-2021 09:23 AM
- Posted Re: Role Capabilities for splunkd-log on Alerting. 06-11-2021 03:02 PM
- Posted Re: How to Extract Any Values With a Decimal in my Rex String on Splunk Search. 06-11-2021 02:48 PM
- Got Karma for Re: Subsearch filtering not working between sourcetypes. 06-11-2021 10:47 AM
- Posted Re: How to Generate a report - 1 field in index against multiple csv lookup fields on Reporting. 06-10-2021 08:18 PM
- Posted Re: Schedule CSV of Splunk Dashboard on Dashboards & Visualizations. 06-10-2021 07:47 PM
- Posted Re: Subsearch filtering not working between sourcetypes on Splunk Search. 06-10-2021 07:31 PM
- Posted Why are we not receiving artifacts from jenkins? on Getting Data In. 06-10-2021 07:15 PM
- Tagged Why are we not receiving artifacts from jenkins? on Getting Data In. 06-10-2021 07:15 PM
- Posted Re: Change epoc time to human readable format on Security. 06-10-2021 06:59 PM
- Posted Re: Can not searching by date in inputlookup es_notable_events on Splunk Search. 06-10-2021 02:04 PM
- Got Karma for Re: Using different input lookup commands based on token given in a dropdown. 06-10-2021 02:03 PM
- Posted Re: Using different input lookup commands based on token given in a dropdown on Splunk Search. 06-10-2021 01:34 PM
- Karma Re: Admin account to view all the Dashboard created by individual users for isoutamo. 06-10-2021 01:12 PM
- Got Karma for Re: Admin account to view all the Dashboard created by individual users. 06-10-2021 12:57 PM
- Posted Re: Forwarding Logs on Getting Data In. 06-10-2021 12:56 PM
- Posted Re: Admin account to view all the Dashboard created by individual users on Security. 06-10-2021 12:50 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
09-13-2021
07:03 AM
You can use a sub search to ignore the deleted files from results. Something like index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest NOT [ search index=o365 Operation=FileDeleted | table file_path,file_name ] | fillnull value="-" | dedup UniqueSharingId TargetUserOrGroupName | where NOT Operation=="RemovedFromSecureLink" | stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId
... View more
06-11-2021
03:02 PM
I am not sure what you mean by splunkd-log object but if you are trying to access splunkd internal logs, you just need to add those internal indexes or "_*" to srchIndexesAllowed .
... View more
06-11-2021
02:48 PM
Try this | rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"
... View more
06-10-2021
08:18 PM
Try this, Maybe little expensive but should work on a small data set | inputlookup yourlookup | eval host=mvappend(ip_address,host_name,fqdn) | mvexpand host | fields host | search NOT [ index=<your index> |stats count by host|search count>0|fields host]
... View more
06-10-2021
07:47 PM
I don't think it is possible to get a dashboard in a CSV(Comma-separated values) file in any software tool.
... View more
06-10-2021
07:31 PM
1 Karma
Your search looks fine to me. It should work if both fields are being extracted. Some of the things I would check Check if values for both the fields are consistent (maybe change both fields to lower case) Check if there are any additional spaces at the end Confirm manually if there are any common values or not.
... View more
06-10-2021
07:15 PM
Hello all, I am using the Splunk plugin for Jenkins for pulling data from Jenkins and all the configurations are as per the documentation. https://plugins.jenkins.io/splunk-devops/
//send job metadata and junit reports with page size set to 50 (each event contains max 50 test cases)
splunkins.sendTestReport(50)
//send coverage, each event contains max 50 class metrics
splunkins.sendCoverageReport(50)
//send all logs from workspace to splunk, with each file size limits to 10MB
splunkins.archive("**/*.log", null, false, "10MB")
We are receiving logs in jenkins_console and jenkins_statistics but not receiving any data in jenkins_artifact. Do we need any additional configurations for collecting jenkins_artifact logs? Looking forward to any thoughts and suggestions. Thanks in advance.
... View more
- Tags:
- jenkins plugin
Labels
- Labels:
-
other
06-10-2021
06:59 PM
Based on the epoch time value you provided, I am assuming it is with nano seconds. If it is _time, you can add TIME_FORMAT = %s%9N in your props.conf for telling Splunk that timestamp is in epoch form with nanoseconds. If it is not _time, You can create a calculated field using something like this strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q") If you are doing it in search: | eval timefield=strftime(tiemfield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")
... View more
06-10-2021
02:04 PM
I don't think you can use earliest and latest in inputlookup. Try this | where ( _time >= <earliest time> AND _time <= <latest time>)
... View more
06-10-2021
01:34 PM
1 Karma
You can do that. In environment dropdown, field1Value and field2Value should be your lookup names. Then in company dropdown use that token in place of lookup name in inputlookup command In environment dropdown field1 lookup1.csv field2 lookup2.csv In company dropdown | inputlookup $tokenfromenvironment$ | fields description, value | dedup description, value
... View more
06-10-2021
12:56 PM
you should be able get that information from using btool command ./splunk btool inputs list --debug run this command from $SPLUNK_HOME$/bin
... View more
06-10-2021
12:50 PM
Did you check in the all configurations as @isoutamo mentioned? I think something else got messed up with your roles. Trying adding "admin_all_objects" if it not preset already.
... View more
06-10-2021
12:44 PM
If your application stores logs in a physical location on your EC2 instance you can simply monitor that file/directory. [monitor:<filepath>]
sourcetype = <sourcetype>
index = <index> host = add any other setting you need. Check below document for your reference https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Inputsconf#inputs.conf.spec
... View more
06-10-2021
12:25 PM
${hostName} variable used in below line should provide required value for Host. <Property name="Host" value="${hostName}"></Property> Reference from Log4j documentation: "The default map is pre-populated with a value for "hostName" that is the current system's host name or IP address" https://logging.apache.org/log4j/2.x/manual/configuration.html
... View more
06-10-2021
12:15 PM
To get the result you want, you have to use "join" command, where you can use VulnerabilityCVEIDs and common field and get the other fields you need from the main search.
... View more
06-10-2021
12:08 PM
You didn't get stats count of systems with the isolatedCVE because you have that in a subsearch for appendcols. appendcols will just add the output as a columns to existing main results). So if your appendcols worked correctly, it will just add "AssetIPAddress, AssetNames ,User,VulnerabilityCVEIDs" colunms to your search results. But that appendcols won't do anything unless you have any events where VulnerabilityCVEIDs has literal value 'isolatedCVE". Note1 : isolatedCVE field you created using eval doesn't exist in the subsearch you used for appendcols command. Note 2: field1=field2 can be used only with where command https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fields
... View more
06-10-2021
11:47 AM
If you have ES on the same search head where the reports are located, You can just use Edit>Move from UI. If you they are on different search head or you have large number of reports that you want to migrate, You can Copy their definition from savedsearches.conf(From where it is defined now) and paste it in local/savedsearches.conf in ES app.
... View more
06-10-2021
11:40 AM
I think if he got Admin access, he should be able to see from both the locations. Please correct me if I am wrong.
... View more
06-10-2021
10:54 AM
1 Karma
You should be able to see them by going to settings>User Interface>Views
... View more
06-10-2021
09:16 AM
1 Karma
We have a similar setup and it works completely fine. Indexes are defined in Indexer cluster but not defined in heavy forwarder, and receiving data to those indexes using HEC(configured on HF). Can you share the error you are getting?
... View more
06-10-2021
09:00 AM
1 Karma
Not a best one but I guess it will do the job | inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin" OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members
| lookup AD_Groups_LDAP_list group_name as group_members OUTPUT group_members as group_members1
| mvexpand group_members1
| eval group_members = coalesce(group_members1, group_members)
... View more
06-10-2021
07:33 AM
index=abc ("exception":"CommonApplicationException" OR "exception":"ExecutionException") | rex field=_raw "Exception\:\s(?=ABC)(?<ABC_CODE>[^\:]+)\:(?<Message>[^\"]+)" | rex field=_raw "errors\"\:\[\{\"code\"\:\"(?P<ABC_Code>ABC\-\d+)\"\,\"message\"\:\"(?P<Message>[^\"]+)" | eval Message=substr(Message, 1, 140) | stats count by ABC_CODE, Message Added your other key word and regular expression. I hope that new regular expression is working for you. I don't have sample data to verify that.
... View more
06-09-2021
01:15 PM
You use an eval command with substr function to get a part of that message. Example: To get first 10 letters | eval Message=substr(Message, 1, 10) I hope I understood what you are looking for.
... View more
06-09-2021
12:56 PM
1 Karma
Looks like we have solution for this in another Splunk answer. Check below link once. https://community.splunk.com/t5/Splunk-Search/I-want-to-modify-Lookup-file-directly-through-the-dashboard/m-p/23073 You may need to play with python little bit.
... View more
06-09-2021
12:36 PM
Yeah it is just a rex command so it will show raw events. If you want a table like you asked in one of your comments use below search index=abc "exception":"java.util.concurrent.ExecutionException"
| rex field=_raw "Exception\:\s(?=ABC)(?<ABC_CODE>[^\:]+)\:(?<Message>[^\"]+)"
| stats count by ABC_CODE, Message
... View more
