Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gbeatty
gbeatty
Path Finder
Member since:
02-12-2019
03-10-2021
Community Statistics
| Posts | 14 |
| Solutions | 2 |
| Karma Given | 44 |
| Karma Received | 0 |
| Member Since | 02-12-2019 |
Activity Feed
- Karma Re: How can we find size of events in a particular duration? for mattlucas719. 03-10-2021 03:58 PM
- Karma Re: How can we find size of events in a particular duration? for sonny_monti. 03-10-2021 03:57 PM
- Karma Re: How can we find size of events in a particular duration? for mattlucas_gps. 03-10-2021 03:57 PM
- Karma Re: How can we find size of events in a particular duration? for rmerrit. 03-10-2021 03:57 PM
- Karma Re: How can we find size of events in a particular duration? for rajgowd1. 03-10-2021 03:57 PM
- Posted Re: How to switch universal forwarder traffic between heavy forwarder and Splunk Cloud directly? on Getting Data In. 02-27-2021 01:01 AM
- Posted Re: Why isn't my TIME_FORMAT working for this syslog data? on Getting Data In. 02-27-2021 12:09 AM
- Posted Re: Microsoft Azure addon for Splunk on Getting Data In. 02-26-2021 11:50 PM
- Karma Re: Trial license limits for samerfaour. 02-22-2021 01:11 PM
- Posted Re: Cannot get into webUI, tried everything I can think of on Splunk Enterprise. 02-21-2021 08:55 PM
- Karma Re: Routing and filtering is not working as expected for saravanan90. 02-21-2021 08:42 PM
- Karma Re: props.conf TZ not working for richgalloway. 02-21-2021 08:42 PM
- Karma Re: Line-breaker not working on FortiGate logs forwarded via syslog for asridhara. 02-21-2021 08:42 PM
- Karma Re: Intergrate data between two indexes for manjunathmeti. 02-21-2021 08:41 PM
- Posted Re: Line-breaker not working on FortiGate logs forwarded via syslog on Getting Data In. 02-21-2021 08:40 PM
- Posted Re: Routing and filtering is not working as expected on Deployment Architecture. 02-21-2021 08:30 PM
- Posted Re: props.conf TZ not working on Getting Data In. 02-21-2021 08:07 PM
- Karma Re: Sourcetype reassignment with props and transforms not working for woodcock. 10-22-2020 03:46 PM
- Karma splunk app for aws: aws_vpc_flow_logs not storing data. for jarrell. 06-05-2020 12:51 AM
- Karma Re: Extracted field not showing up after creation, though it displays in "+ Extract New Fields" for justinw. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
02-27-2021
01:01 AM
Is there a specific reason you want the data to route through heavy forwarders? If it isn't because of fears of some sort of network straining, and you aren't doing parsing, it may make sense to just forward directly to Splunk Cloud. That will make the load on your heavy forwarders a bit more predictable and may allow you to have fewer. I know at one point you could only have one set of certs per instance of splunkd.
... View more
02-27-2021
12:09 AM
I would try explicitly declaring your time zones, as it seems like the time lines up too perfectly to be anything else. Is your timezone UTC -5 perhaps? (or perhaps UTC+5?) From my experience time zones between the time settings of the log source, sourcetype, forwarder, IDX/SH, and user settings the time zones can get quite messy. There's been more than once I assumed everything was properly configured for UTC only to find an error somewhere.
... View more
02-26-2021
11:50 PM
I often find these modular input views struggle to load when the system is under-powered or under heavy load. Obviously that's not the only cause, but it may be worth looking into if you aren't sure there aren't issues there.
... View more
02-21-2021
08:55 PM
Are you able to telnet to port 8000 on the Splunk server? Are you able to connect to any other ports? I am assuming yes. Additionally, if it is a fresh install of Splunk Enterprise then HTTPS is likely disabled. If your browser is automatically rerouting all requests to HTTPS, you may not be able to connect. Turn off anything like HTTPS Everywhere or any applicable browser settings and try to reach the HTTP page explicitly. Lastly, from my experience with Splunk on Ubuntu is that it comes with UFW enabled and not iptables. Have you double checked there isn't another host based firewall? Apologies if these seems simple, but you've already done a lot of troubleshooting steps that I would perform.
... View more
02-21-2021
08:40 PM
@frapei It looks like the issue is that some events start with a 3 digit code and some don't. If that isn't due to the parser, and the regex from @asridhara does not work, you need to address those cases.
... View more
02-21-2021
08:30 PM
[vmw-syslog]
Tranforms-routing=vmwarelogs,discarlogs [vmwarelogs]
REGEX=(logged out|Rejected password for user|Cannot login|logged in as|Accepted user for user|was updated on host|Password was changed for account|Destroy VM called)
DEST_KEY=_TCP_ROUTING
FORMAT=target1
[discarlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue I have not been able to test on my own, but I believe your problem lies with trying to apply both transforms with one line of props. It is possible for your events to match on both, so the the events are sent to the null queue, overriding the assignment to TCP ROUTING. I would try reversing the order as @saravanan90 suggested, but also reducing the complexity of your [vmwarelogs] regex to one kind of event, until you have the routing down, then expand it to cover the other events. The example given in Splunk documentation supports this order. Props
[source::/var/log/messages]
TRANSFORMS-set= setnull,setparsing
Transforms
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Lastly, check to make sure that the data is set to go through the parsing queue whereever you are attempting to apply props.
... View more
02-21-2021
08:07 PM
I agree with @richgalloway that you should not assign time in default. Please review the precedence of configuration files: https://medium.com/splunkuserdeveloperadministrator/splunk-configuration-files-precedence-explained-1b5c20b7b41c You likely have something overriding the timezone in your app local or system local directory. I would check the props where the sourcetype is defined. Additionally, if this data is forwarded, the indexer may not parse and change the time unless you specifically tell it to go to the parsing queue. Forwarded data will not always go through each queue that data would go through in a single-instance deployment. https://wiki.splunk.com/Community:HowIndexingWorks Often times when I have a item not being applied from props, I find it is because I have the props stanza "applied" after the data has gone through the parsing queue, so it is not really applied.
... View more
05-05-2020
09:17 AM
Can you explain this further?
... View more
05-02-2020
11:58 AM
I had this issue as well with the newest version. Thanks. It fixed my issue.
... View more
09-03-2019
01:40 PM
Is there any chance you could post the full configurations for this?
... View more
03-26-2019
11:30 AM
Can you check that you don't have any apps or add-ons that are possibly changing that sourcetype? I had an issue yesterday that was very similar. The field I wanted was not extracted and after I manually extracted it would not show up in interesting fields. Turns out there was a conflict between *nix add-ons.
... View more
02-13-2019
09:18 PM
Hey @woodcock
Thanks for the help. You were right about the name in props.conf.
I'm glad to say I figure it out, but I ended up doing it a different way without CLONE_SOURCETYPE
props.conf
[WinEventLog:Security]
TRANSFORMS-routing = routeSubset
transform.conf
[routeSubset]
REGEX = EventCode=4648
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
Thanks for helping me think of different ways to approach it.
... View more
02-13-2019
03:09 PM
Unfortunately this did not solve it. Thank you though.
... View more
02-12-2019
11:53 AM
Hi all,
I am trying to set up WindowsEventLog to send all events with EventCode=4648 to one index, wineventlog_4648 , and the remainder to a second index, wineventlog .
My progress so far has leaned heavily on this answer: https://answers.splunk.com/answers/565511/can-i-use-clone-sourcetype-to-send-events-to-multi.html.
However, I have been unable to get it to work. Am I fundamentally misunderstanding how some of these fields operate? To start, I am fine with duplicate entries but have not been able to populate wineventlog_4648 with any events.
Any guidance would be greatly appreciated.
inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
props.conf
[WinEventLog://Security]
TRANSFORMS-WinEventLog_4648
transforms.conf
[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
SOURCE_KEY = field:EventCode
REGEX = /4648/
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-10-2021
08:03 PM
|
Karma given to
