Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ftk
ftk
Motivator
Member since:
04-07-2010
06-05-2020
Community Statistics
| Posts | 478 |
| Solutions | 105 |
| Karma Given | 1235 |
| Karma Received | 710 |
| Member Since | 04-07-2010 |
Activity Feed
- Got Karma for Re: Changing AM/PM to 24 hours in search timeline. 03-19-2024 11:35 AM
- Got Karma for Re: Changing AM/PM to 24 hours in search timeline. 12-11-2023 07:18 AM
- Got Karma for Re: Changing AM/PM to 24 hours in search timeline. 11-30-2022 05:38 AM
- Got Karma for Re: How do I concatenate two fields into a string?. 08-05-2022 01:17 AM
- Got Karma for Re: Remove Old Summary Index. 02-07-2022 06:35 AM
- Got Karma for Re: Subsearch fields "query" "search" - How do I know which to use?. 02-05-2022 02:24 AM
- Got Karma for Re: How do I concatenate two fields into a string?. 06-23-2021 01:00 PM
- Got Karma for Re: How do I concatenate two fields into a string?. 03-09-2021 07:09 AM
- Got Karma for Re: How do I concatenate two fields into a string?. 12-24-2020 03:00 PM
- Got Karma for Re: Is it possible to use outputlookup to append results to a lookup table?. 11-22-2020 11:35 PM
- Got Karma for Re: Entire file contents as a single event. 11-18-2020 12:13 AM
- Got Karma for Re: How to make a search case-sensitive?. 10-28-2020 03:25 AM
- Karma Re: Slow search when evaluating a numeric value. for dwaddle. 06-05-2020 12:46 AM
- Karma Re: How to pass values of a dashboard panel to a drill-down, but NOT the click.values for sideview. 06-05-2020 12:46 AM
- Karma How to add Custom email alert content. for DEkocklukas. 06-05-2020 12:46 AM
- Karma How do I tell what enviroment is production? for talbot7. 06-05-2020 12:46 AM
- Karma Re: How do I tell what enviroment is production? for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Splunk Filter on Windows for kristian_kolb. 06-05-2020 12:46 AM
- Karma Forwarders and Reverse Proxy for mzorzi. 06-05-2020 12:46 AM
- Karma Where to put macros.conf so available everywhere (all users/apps/searches)? for woodcock. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 4 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 2 | |||
| 14 | |||
| 1 | |||
| 6 | |||
| 7 | |||
| 12 |
04-22-2014
08:35 AM
1 Karma
You should be able to find all of this information in the _audit index. All actions performed in Splunk are logged there, including admin activity.
index=_audit
For more info and examples, check the docs here: http://docs.splunk.com/Documentation/Splunk/latest/Security/AuditSplunkactivity
... View more
07-24-2013
08:45 AM
That's a great idea. Not sure why I didn't think of that since we are using the SACLs for FIM already...thanks!
... View more
07-24-2013
08:42 AM
Do you mind posting a single sample event (before using transaction)? Maybe I am assuming something in my test data that is not present.
... View more
07-24-2013
06:07 AM
In my answer I assumed that "value" is an extracted field. Is this correct? If it is an extracted field then the search I gave you aggregates the counts fine (I tested it on sample data).
... View more
07-23-2013
11:14 AM
The files never grow. They are being used as a simple flag by the vendor, i.e. ABCD.zip will receive ABCD.done at 0 kb length to flag the file as processed.
... View more
07-23-2013
10:43 AM
1 Karma
Since the transaction command groups events based on the common identifier and then basically creates a new event containing all of the transaction's events, you can do your counts based on _time (as each transaction will have a unique _time) value.
In your example you could do as follows:
index=ing sourcetype=callcenter | transaction maxpause=30m cif | stats count(value) by _time, cif, value
Which would give you a results set similar to this:
23/07/2013 17:09 userid1 value1 3
23/07/2013 17:09 userid1 value2 2
23/07/2013 17:09 userid1 value3 1
23/07/2013 14:09 userid2 value2 4
23/07/2013 14:09 userid2 value3 2
Each unique value of _time indicates the counts for a single transaction.
... View more
04-16-2013
07:43 AM
4 Karma
I have a business need to monitor 0 kb files. I can get this to work using fschange, however with fschange being deprecated in 5.x this is not a viable option. I would prefer using monitor rather than a script, and only want to index new files, with the system time being used as timestamp (DATETIME_CONFIG=CURRENT).
Any ideas?
... View more
10-24-2012
06:01 AM
Examples are always nice to have.
... View more
03-30-2012
12:06 PM
Correct. I would recommend to force HTTPS for splunkweb as well. To get a friendly URL I recommend setting up DynDNS or similar service.
... View more
03-29-2012
06:58 AM
2 Karma
As long as you can give Splunk the disk IO and memory it needs it runs just fine in a VM. Perfect for Dev system.
... View more
02-13-2012
12:49 PM
Hey Nick, thanks for the pointers. Button did indeed work, however I had to put both allowAutoSubmit and allowSoftSubmit to false. Setting allowSoftSubmit to false didn't garble the dashboard up in my case, all charts are invisible, works for me. Thanks!
... View more
02-13-2012
08:26 AM
1 Karma
I have several dashboards that I use the Sideview Utils Pulldown module on. The pulldowns grab a list of industries and customers out of our customer data, and then pass these values on to downstream searches. This works all without a problem, however when the Pulldowns are populated, they kick off the downstream searches automatically, causing all downstream searches to display data for All customers on page load.
What I want them to do is load the pulldown values on page load, but not autoRun the searches downstream -- I want a submit button or similar so I can first select my desired pulldown combination before kicking off the downstream searches. I have tried SubmitButton and different autoRun=true/false combinations to no avail.
Dashboard code:
<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
<label>My label</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="appHeader" />
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.error</param>
<param name="maxSize">1</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="Search" layoutPanel="panel_row1_col1" group="" autoRun="true">
<param name="search">| inputlookup host_customer_lookup | where host!="" | dedup industry | fields industry</param>
<param name="earliest">-60d@d</param>
<param name="latest">now</param>
<module name="Pulldown">
<param name="searchFieldsToDisplay">
<list>
<param name="value">industry</param>
<param name="label">Industry</param>
</list>
</param>
<param name="name">selectedIndustry</param>
<param name="label">Industry</param>
<module name="Search" layoutPanel="panel_row1_col1" group="" autoRun="true">
<param name="search">| inputlookup host_customer_lookup | where host!="" | search industry="$selectedIndustry$" | dedup customer | fields customer</param>
<param name="earliest">-60d@d</param>
<param name="latest">now</param>
<module name="Pulldown">
<param name="searchFieldsToDisplay">
<list>
<param name="value">customer</param>
<param name="label">Customer</param>
</list>
</param>
<param name="name">selectedCustomer</param>
<param name="label">Customer</param>
<module name="TimeRangePicker">
<param name="default">-60d@d</param>
<module name="Search" layoutPanel="panel_row2_col1" group="" autoRun="false">
<param name="search">some search industry="$selectedIndustry$" customer="$selectedCustomer$" | timechart avg(somevalue) by customer</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="legend.placement">right</param>
<param name="chart.nullValueMode">zero</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">Hours Mined</param>
<module name="JSChart">
<param name="width">100%</param>
</module>
</module>
</module>
</module>
<!-- end timepicker-->
<module name="Search" layoutPanel="panel_row3_col1" group="" autoRun="false">
<param name="search">some otgher search industry="$selectedIndustry$" customer="$selectedCustomer$" </param>
<module name="SimpleResultsTable">
<param name="count">30</param>
<param name="displayRowNumbers">False</param>
<param name="drilldown">none</param>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
... View more
02-10-2012
08:10 AM
5 Karma
Depending on what data you display, a second option would be to install the Sideview Utils app, and forego the SimpleResultsTable all together -- use Sideview's HTML module instead. You won't have to mess with the CSS at that point plus you can really control the layout. For a drill down that would show a very large text string (a huge regex) I actually used the HTML module along with <textarea> tags.
So you could do something like this (table is optional, I just like things to line up):
<module name="HTML">
<param name="html"><![CDATA[
<table border=0>
<tr><td align=right>Customer:</td><td>$selectedCustomer$</td></tr>
<tr><td align=right>Some ID:</td><td>$click.fields.someid$</td></tr>
<tr><td align=right valign=top>String:</td><td><textarea rows="4" cols="200">$results[0].string$</textarea></td></tr>
<tr><td align=right valign=top>otherstring:</td><td><textarea rows="2" cols="200">$results[0].otherstring$</textarea></td></tr>
</table>
]]></param>
</module>
Make sure you read up on how to use the HTML module in Sideview Utils first, and have a look at the example views included in that app.
... View more
01-19-2012
01:52 PM
What error did you get in the Manager? Did a new props.conf appear after you renamed the original?
... View more
01-19-2012
12:36 PM
In Manager > Fields > Filed extractions make sure you select the correct app context from the drop down at the top (or just select all). You should be able to find it then.
... View more
01-19-2012
11:43 AM
2 Karma
If you used the IFX the extraction is likley inline and should be easy to edit via the UI. Got to Manager > Fields > Field extractions and click on the name of the field extraction you created in the IFX. In the Extract/Transform field hunt down the field name (it will look similar to this: (?P ). Just replace the fieldname with your desired name, and then click Save.
Alternatively, you can edit the appropriate EXTRACT line in the appropriate props.conf configuration file in $SPLUNK_HOME$/etc/apps/yourapp/local/props.conf.
... View more
01-19-2012
11:10 AM
Can you post your current extractions from props.conf and transforms.conf?
... View more
11-07-2011
08:28 AM
1 Karma
You don't have to include your wildcards in the front and back. Give it a try as follows:
[setnull]
REGEX = 10\.3\.0\.(11|12)
DEST_KEY = queue
FORMAT = nullQueue
Also make sure that you are actually applying this routing rule to your applicable sourcetype in props.conf....e.g.
[mysourcetype]
TRANSFORMS-setnull = setnull
... View more
09-08-2011
09:22 AM
4 Karma
I recommend going with the UF and using the regular splunk forwarder connections using TCP 9997, mainly because you are not guaranteed delivery with UDP - it's basically fire-and-forget. For a decent comparison between TCP and UDP check the following: http://www.diffen.com/difference/TCP_vs_UDP
In addition to just using a more reliable protocol, the UF gives you a host of other useful features, such as queuing (indexer down -- no worries, data is queued and sent once indexer is available), bandwidth throttling, splunk app (config bundles) distribution, etc.
... View more
08-23-2011
09:41 AM
Maybe you can post an answer to this question with what you did in order to make it work, so that other users can benefit from it? Thanks!
... View more
08-22-2011
01:10 PM
Which also explains why so many people are having problems with the IIS header extractions...
... View more
