Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About willemjongeneel
willemjongeneel
Communicator
Member since:
05-07-2019
10-07-2020
Community Statistics
| Posts | 44 |
| Solutions | 6 |
| Karma Given | 3 |
| Karma Received | 5 |
| Member Since | 05-07-2019 |
Activity Feed
- Got Karma for Re: Warnings on Splunk TCP Port Closures (Splunk Cloud). 04-22-2021 06:53 AM
- Posted Re: Is it possible to configure zoom or Teams add-on on IDM ? on Getting Data In. 08-12-2020 05:09 AM
- Got Karma for Re: Cron expression for splunk DB connect. 08-06-2020 08:28 AM
- Posted Re: Change host props and transforms not working on Getting Data In. 08-06-2020 08:09 AM
- Karma Re: Cron expression for splunk DB connect for isoutamo. 08-06-2020 08:09 AM
- Posted Re: Cron expression for splunk DB connect on Alerting. 08-06-2020 08:06 AM
- Posted Re: Cron expression for splunk DB connect on Alerting. 08-06-2020 07:38 AM
- Got Karma for Re: How to increase the event size which is limited to 10000 in Splunk cloud ?. 06-05-2020 12:51 AM
- Got Karma for increase zoom level geostats/clustermap. 06-05-2020 12:51 AM
- Karma Re: How to count by command on repeating field values in event for woodcock. 06-05-2020 12:50 AM
- Got Karma for Re: Syslog Json question. 06-05-2020 12:50 AM
- Posted Re: How to hide categories in trellis dashboard visualization using SimpleXML? on Dashboards & Visualizations. 06-02-2020 01:16 AM
- Posted How to hide categories in trellis dashboard visualization using SimpleXML? on Dashboards & Visualizations. 05-29-2020 06:08 AM
- Tagged How to hide categories in trellis dashboard visualization using SimpleXML? on Dashboards & Visualizations. 05-29-2020 06:08 AM
- Tagged How to hide categories in trellis dashboard visualization using SimpleXML? on Dashboards & Visualizations. 05-29-2020 06:08 AM
- Tagged How to hide categories in trellis dashboard visualization using SimpleXML? on Dashboards & Visualizations. 05-29-2020 06:08 AM
- Posted Re: How to increase the event size which is limited to 10000 in Splunk cloud ? on Getting Data In. 02-21-2020 03:18 AM
- Posted Re: Index Size limitations in Splunk Cloud on Splunk Cloud Platform. 02-21-2020 02:54 AM
- Posted Re: Copy data from an index to Self Storage on Splunk Cloud Platform. 02-13-2020 03:55 AM
- Posted Re: About rentention specification of index on Deployment Architecture. 02-10-2020 01:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-12-2020
05:09 AM
Hello, As far as I know the add-on should be Splunk Cloud supported in order to work on IDM. Both the Zoom addon https://splunkbase.splunk.com/app/4961/ and the Teams addon https://splunkbase.splunk.com/app/4994/ seem to be Cloud supported. I think you should be able to request an install of these addons on your IDM at Splunk support. Then you can configure the inputs on IDM I suppose. Kind regards, Willem Jongeneel
... View more
08-06-2020
08:09 AM
Hello, I think you should change format to: FORMAT = host::guardduty Kind regards, Willem
... View more
08-06-2020
08:06 AM
Ah yes thats right, but shouldn't it be 20 - 22 then? As it gets every second minute past hour 22. Or am I mistaken? Kind regards, Willem
... View more
08-06-2020
07:38 AM
1 Karma
Hello, I think the following cron will do: */2 8-10 * * * Kind regards, Willem
... View more
06-02-2020
01:16 AM
Hello,
Yes that did the trick. Thank you!
Kind regards,
Willem
... View more
05-29-2020
06:08 AM
Good afternoon,
I have a question on customizing trellis dashboard visualization.
I want to remove the titles/categories on the second trellis visualization (the ones that are highlighted in yellow).
Does anyone know if there is an option in SimpleXML to make this possible?
Thanks, kind regards, Willem Jongeneel
... View more
Labels
- Labels:
-
simple XML
-
trellis layout
02-21-2020
03:18 AM
1 Karma
Hello,
If you use Splunk Cloud Managed, you can make this change in Splunk Cloud through the web interface.
Settings > Sourcetypes > Select the Sourcetype you are using > click the Advanced tab > here the TRUNCATE 10000 option appears. If you change this to a higher value, this will probably solve your issue.
However as @nickhillscpl suggested, if you use a heavy forwarder then you'll probably have to make the change on the heavy forwarder.
Kind regards,
Willem
... View more
02-21-2020
02:54 AM
Hello,
I asked this question before aswell and got the following answer:
Max index size is no longer a constrains in data retention. Only the retention period is causing the data to be rolled to frozen. By default Splunk Cloud comes with 90 times your daily license GB in storage. So if you would have all your indexes on 90 day retention, then you would have the exact right amount of storage. Would you exceed your maximum default storage, then Splunk will still keep ingesting and retaining your data and you will be contacted by your Splunk account team to either reduce storage usage or to purchase additional storage.
Kind regards,
Willem Jongeneel
... View more
02-13-2020
03:55 AM
Hello,
I figured this out and if someone would need the answers:
This does not double license costs
The S3 bucket is accessable without Splunk
Kind regards,
Willem
... View more
02-10-2020
01:44 AM
As far as I know buckets need to be in warm state for the retention period to begin. The buckets will only roll from hot to warm once the bucket size has reached 750mb. Maybe the ingestionrate is very low? Causing the buckets to stay in hot phase for to long? You can check your buckets with the following query:
| dbinspect index=*
If the problem above is the cause, maybe you can have the maxDataSize adjusted in indexes.conf by Splunk support.
Kind regards,
Willem Jongeneel
... View more
01-13-2020
08:27 AM
Hello,
Maybe you can try to dedup using a stringconcat on user and time fields?
Something like:
index="uam" User="abcd"
| eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")
| rename access_time as TIME
| eval key=tostring(TIME)+tostring(User)
| dedup key
| table User, TIME
Kind regards,
Willem Jongeneel
... View more
01-13-2020
04:21 AM
Hello,
thank you.
I've tried to do so.
<option name="drilldown">none</option>
<option name="mapping.map.center">(51.86,5.12)</option>
<option name="mapping.map.scrollZoom">1</option>
<option name="mapping.map.zoom">7</option>
<option name="mapping.showTiles">1</option>
<option name="mapping.tileLayer.maxZoom">12</option>
<option name="mapping.type">marker</option>
<option name="refresh.display">progressbar</option>
Now I can zoom in further, but the map just disappears. This leaves just the dots and a white background. Any idea what is thre problem here?
Thanks, kind regards,
Willem
... View more
01-13-2020
01:46 AM
1 Karma
Goodmorning,
I have a question on the geostats command in combination with the clustermap visualization.
Search looks like this
| search terms & stats functions
| geostats latfield=depotLatitude longfield=depotLongitude count
This leads to three points on the map of the Netherlands. I cannot zoom in to the level of detail that I want. What can I do to increase the zoomlevel?
Do I need to import some file in order to do so? Or should I change something in the search?
Thanks in advance, kind regards,
Willem Jongeneel
... View more
01-06-2020
07:35 AM
1 Karma
Hello,
Took a while, but this worked for me.
Thank you for your help!
Kind regards,
Willem Jongeneel
... View more
08-23-2019
12:31 AM
Can you tell me where I can find this information? If I am connecting from UF to the indexers from servers that do not connect through a proxy, I never have to add this to the outputs.conf. Also, should it be in etc/apps/SplunkUniversalForwarder/default/outputs.conf ?
Thanks, kind regards,
Willem
... View more
08-21-2019
05:02 AM
Hello,
What do you mean by fix them on the way? Is this possible to do this by using the sourcetype wizard in splunk web? Or do I really need to access props.conf directly? Or is it necessary to have a HF in between to do this?
Event format:
Mon Aug 12 12:29:29 UTC 2019Info: { //json part}\x00
Also, with SEDCMD I can remove the first part with "s/<.{1,40}Info:\s//g"
For the last part I tried: "s/\x00//g" This somehow doesn't work. Do you have any idea why this is not working?
Kind regards,
Willem
... View more
08-21-2019
04:25 AM
Hello,
Shouldnt these configurations come from the universal forwarder credential package in managed splunk cloud?
Kind regards,
Willem
... View more
08-21-2019
02:46 AM
Hello,
I'm trying to send data from a directory on a server to Splunk Cloud using the universal forwarder. This traffic goes through a squid proxy. I've tried to configure the proxy in server.conf:
[proxyConfig]
http_proxy = http//:8080
https_proxy = https//:8080
Port 8080 is open for tcp traffic.
I am able to connect from the server to the proxy using telnet, I am not able to connect to the indexers using telnet, however this should be possible while connecting from the universal forwarder using the forwarder credentials package, right?
The forwarder seems to be unable to connect to the indexers. splunkd file has the following warnings:
TcpOutputProc - 'sslCertPath' deprecated; use 'clientCert' instead..
Cooked connection to ip=:9997 timed out.
In the splunkd text file I don't see anything about the proxy I configured either, should this show in the splunkd file?
Does anyone have an idea on how to troubleshoot this issue?
Thanks, kind regards,
Willem Jongeneel
... View more
08-14-2019
02:59 AM
Hello David,
We are using universal forwarder, not heavy forwarder. Would this be possible using a universal forwarder?
Kind regards,
Willem
... View more
08-14-2019
02:48 AM
Hello,
Thank you.
I got this working using a substring and spath. The full search is:
index= | eval _raw=substr(_raw, 39, (len(_raw)-42)) | spath input=_raw
This cuts off the part before and after the json. Is there a way to get this substring working from props.conf by using Splunk web (as I cannot change it in another way, because I'm using Splunk Cloud).
Kind regards,
Willem
... View more
08-14-2019
12:35 AM
Hello David,
I dont fully understand how to use this spath command. Should I extract the json and use that as the input field? Is this only possible at search time?
Can you maybe explain a little more on how to approach this?
Thanks, kind regards,
Willem
... View more
08-13-2019
11:43 PM
Hello,
I've got a question on getting Splunk to extract key value pairs from syslog json events.
The events look like this:
<14>Mon Aug 12 12:29:29 UTC 2019Info: { //json part}\x00
At first I tried with the standard _json sourcetype. This didnt work. So I tried to make a custom sourcetype that would remove the part before and after the json.
I've tried to add
SEDCMD-end=s/\x00//g
SEDCMD-start=s/^[^{]+//g
KV_mode=json
When I test the sourcetype using the add data wizard in Splunk web, I see the part before the json en after the json dissapear. After I changed the sourcetype to my custom sourcetype in the source of the data, this doesnt work and I still get events with the part before and after the json.
The full sourcetype conf:
ADD_EXTRA_TIME_FIELDS=True
ANNOTATE_PUNCT=true
AUTO_KV_JSON=true
BREAK_ONLY_BEFORE_DATE=true
CHARSET=UTF-8
DEPTH_LIMIT=1000
KV_mode=json
LEARN_MODEL=true
LEARN_SOURCETYPE=true
LINE_BREAKER=([\r\n]+)
LINE_BREAKER_LOOKBEHIND=100
MATCH_LIMIT=100000
MAX_DAYS_AGO=2000
MAX_DAYS_HENCE=2
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
MAX_EVENTS=256
MAX_TIMESTAMP_LOOKAHEAD=128
NO_BINARY_CHECK=true
SEDCMD-end=s/\x00//g
SEDCMD-start=s/^[^{]+//g
SEGMENTATION=indexing
SEGMENTATION-all=full
SEGMENTATION-inner=inner
SEGMENTATION-outer=outer
SEGMENTATION-raw=none
SEGMENTATION-standard=standard
SHOULD_LINEMERGE=true
TRUNCATE=10000
category=Custom
description=Sourcetype voor SAM, dit haalt de extra syslog informatie weg en toont alleen de JSON
detect_trailing_nulls=false
disabled=false
maxDist=100
pulldown_type=true
Extra information:
This gets send to Splunk Cloud from a forwarder that receives this events over a TCP port. On the forwarder the port gets connected to the right index, and sourcetype.
Can anyone advise me on how to get the key value pairs from these syslog/json events?
Thank you in advance, kind regards,
Willem
... View more
08-12-2019
07:29 AM
Hello,
Maybe you can try to add something like this?
| eval output=case(HSMErrorCountsOnGivenStripe=0, "No Errors Here", HSMErrorCountsOnGivenStripe>0, HSMErrorCountsOnGivenStripe)
| table output
Kind Regards,
Willem
... View more
08-12-2019
02:47 AM
Hello,
Maybe you can try this?
iplocation src_ip | stats sparkline count, dc(src_ip) by Country | sort - count | head 10
Kind regards,
Willem
... View more
07-29-2019
02:47 AM
Hello,
As far as I know deleting an Index will trigger a restart. Maybe you can try that.
Kind regards,
Willem
... View more
