Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About RubenOlsen
RubenOlsen
Path Finder
Member since:
03-22-2011
06-05-2020
Community Statistics
| Posts | 23 |
| Solutions | 3 |
| Karma Given | 9 |
| Karma Received | 12 |
| Member Since | 03-22-2011 |
Activity Feed
- Karma Re: remove app from dropdown list for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: How to sum numbers with commas for joshd. 06-05-2020 12:46 AM
- Karma Re: Can you create a dashboard with an adjustable time frame for searches? for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: 'NOT' not working properly since 4.3 for milestulett. 06-05-2020 12:46 AM
- Karma Re: How do i create static reports for dwaddle. 06-05-2020 12:46 AM
- Karma Re: file and folder monitoring NOT indexing for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Live count in radial gauge for vidda42. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk CLI Incompatibility with "Table" Search Command?. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk CLI Incompatibility with "Table" Search Command?. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk CLI Incompatibility with "Table" Search Command?. 06-05-2020 12:46 AM
- Got Karma for Re: splunk email alerts failing on send. 06-05-2020 12:46 AM
- Got Karma for Re: table for two dimentional distribution. 06-05-2020 12:46 AM
- Got Karma for Re: snmpget with splunk. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk Forwarder HA load balancing. 06-05-2020 12:46 AM
- Got Karma for Re: SSO with web application firewall and SAML. 06-05-2020 12:46 AM
- Got Karma for Re: customize Indexing. 06-05-2020 12:46 AM
- Got Karma for A small fix for the badges app. 06-05-2020 12:46 AM
- Karma Re: How to make my custom dashboard the default screen when users log into Splunk for Brian_Osburn. 06-05-2020 12:45 AM
- Karma Re: How to make my custom dashboard the default screen when users log into Splunk for maverick. 06-05-2020 12:45 AM
- Got Karma for Re: How to convert second to HH:MM:SS format in the exported search result?. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
02-22-2016
06:10 AM
What value did you put into the Attribute query URL field? According to the Splunk documentation, this is the identity provider endpoint where SOAP requests are to be sent. I cannot find any such URI-paths at the iis AD FS web application.
... View more
02-27-2012
02:12 AM
At a customer site I'm serving, 9 out of 10 problems with "missing data" is a mismatch between what is stated in the inputs.conf on the UF side and what is configured on the indexer side (i.e. the index you have in inputs.conf stanzas must also be present (and correctly configured) on the indexer side).
A quick way to determine if data is entering your indexes, is to check Manager -> Indexes. Locate your index and check the Earliest / Latest Event columns.
Depending on how your access controls with regards to accessing your indexes are configures, you might need to specify index= in the search field.
... View more
01-30-2012
01:12 AM
Given your example data is in the form of key=value, you probably do not need to create field extractions for these values as Splunk will do this automatically.
However, if you can amend the logging of the utm-keys to enclose the values with " (i.e. utma="242832726.1910715443.1325603689.1325603689.1325603689.1") - then you really do not need to create any explicit field extractions as this will ensure that the complete value is used.
... View more
01-13-2012
04:54 AM
I see no reason why not - but then your infrastructure becomes quite elaborate?
... View more
01-13-2012
02:20 AM
1 Karma
What you are asking is no different that any other scripted inputs.
The only advice is to reformat the data from your snmpget command to something very suitable for Splunk (i.e. key=value).
... View more
01-13-2012
02:16 AM
1 Karma
The forwarders behavior "out of the box" is to forward data to whatever indexers that are available.
In you scenario your secondary indexer could be turned off by default (i.e. not running) - and with some script check if your primary indexer is not running. If the primary indexer is not running - then start the secondary indexer.
Seen from the forwarder point of view - this is a "no-brainer" as it will buffer any inputs if your primary indexer dies until it can deliver to your secondary indexer (and vice versa).
The problem with this approach might be if you need to search the data from your primary indexer if this becomes unavailable.
I have not tried this my self - but this should work.
Another approach is to deploy a network load-balancer in front of both indexers, and let this device send data to either your primary or your secondary indexer.
... View more
01-13-2012
02:05 AM
1 Karma
Not at this moment.
According to my iterations with Splunk support with regards to running Splunk (GUI) behind a firewall/proxy that handles authentication and general authorization, SAML might be implemented in the future.
My best bet is for you to either either do a scripted authentication hack - or, if you are using LDAP as the source for your user database, enable this in Splunk. The latter is probably the least painful solution.
... View more
01-13-2012
02:01 AM
Could you please elaborate what you mean by "the host is not allowed to install any program"? i.e. is the host where you want to run wget?
Also - please provide us with an example of which hosts you want to run what and fetch from where (splunk, wget, datasource used with wget).
... View more
01-09-2012
06:43 AM
1 Karma
If you just want to count the source / destination pairs without putting the count sums into various buckets, go with imrago's answer.
If you need to group the source / destination pairs by a 1 hour timeslot - you might want to try:
... | eval SrcDestPair = src + " " + dest | timechart span=1h count by SrcDestPair
... View more
01-09-2012
06:37 AM
What are you really asking for?
1) How to count the source/destination pairs
OR
2) How to extract nr-something?
Please provide us with some sample data.
... View more
12-28-2011
05:06 AM
You should be able to add indexers to license pools from the command line - see http://docs.splunk.com/Documentation/Splunk/latest/Admin/LicenserCLIcommands
... View more
12-28-2011
04:56 AM
I have the exact same issue at at customers site, and will have to solve this using a variant of the following search (which might be run on the license server):
index=_internal source=*license_usage.log | fields pool b | stats sum(b) by pool
Another solution is to forward the license server's Splunk specific log files to your indexer(s) and perform the search there.
As a general rule, if you do not (for any operational/security reasons) have direct access (OS level, Splunk GUI) to your forwarders, license servers or indexer's Splunk (log and config) files - getting these into a place where you DO have access is really a must. Your operations people might know how to efficiently run Splunk on the operating system level - but there is no guarantee they know anything about how to manage Splunk. Splunk can be quite complex to manage - and unless the operations people are using Splunk, they will probably not care too much about how the software is supposed to work.
\Ruben
... View more
12-28-2011
04:06 AM
1 Karma
Have you by any chance set up authentication in the Splunk Manager > System settings > Email alert settings dialogue? I.e. entered anything in the Username and Password fields?
Based on the error message you posted, it seems that the error message is coming from Zimbra, and that Zimbra is not configures to support authentication by SMTP.
Unless your organization is extremely security conscious with regards to how the internal networks components are set up - any kind of SMTP authentication is probably turned off.
\Ruben
... View more
12-20-2011
04:43 AM
One, possible, untested solution, using the CLI:
Execute a variant of this search(splunk search 'index="_audit" sourcetype="audittrail" action="alert_fired" | eval trigger_time=strftime(trigger_time,"%Y-%m-%d %H:%M:%S") | dedup ss_name | table trigger_time, ss_name ' -auth user:pass) which return two columns: trigger_time and ss_name.
Iterate over the output of #1 as a input to running saved searches with the value of ss_name with trigger_time as an argument to latest= (splunk search '|savedsearch "Name Of Saved Search from #1 above" latest_time="2011-12-20 10:00:31" | table source ' -auth user:pass *) which will return the value of the soruce-field.
... View more
12-20-2011
03:27 AM
At a client site we have solved this as you assume: A full standalone version of Splunk.
We have not bothered to spend any time with removing code from the standalone version just to minimize the number of files / disk space for running remote Splunk CLI sessions. However - I guess you could try to rip away most of the files and still get the CLI to work properly.
\Ruben
... View more
12-15-2011
03:51 AM
3 Karma
I could not replicate the issue with only a few numbers (i.e. 19 results) - when I run the command, I get the same results as in the Splunk Web GUI.
You could try adding the -maxout paramter with 0 as it's argument.
Taken from splunk help rtsearch:
maxout number the maximum number of events to return or send to
stdout (when exporting events). The max allowable
value is 10k. Defaults to 0, which means it will
output an unlimited number of events.
You might also want to investigate the -timeout parameter:
timeout number the length of time in seconds that a search job
is allowed to live after running. Defaults to 0,
which means the job is cancelled immediately after
it is run.
Finally, you might also want to read up on what the manual is saying about real-time searched from the CLI - see http://docs.splunk.com/Documentation/Splunk/4.2.5/User/Realtimesearch#Real-time_searches_and_reports_in_the_CLI
Hope this will get you closer to what you are trying to achieve with using rtsearch from the command line.
\Ruben
... View more
12-01-2011
03:57 PM
1 Karma
I have created a custom search command which correctly returns : : - without getting stuck with the issues that strftime() and friend (i.e. ctime) can be plagued with.
Take a look at https://github.com/RubenOlsen/splunkcommands/tree/master/sec2time
... View more
10-26-2011
08:39 AM
1 Karma
We have great fun with this application, but some of our users do not care for using lower case characters when the log on to Splunk - so they get listed with two different user names (upper case and lower case).
The fix is quite easy: In the user_search_strength and the manager_search_strength predefined searches, you might want to add eval user=lower(user) somewhere in the pipe line to convert user names to lower case.
... View more
- Tags:
- Gaming Splunk Badges
10-24-2011
10:52 PM
There are several ways to deal with the Sql_Text=Select * from Table1 where uname="dummy"
One way which will work if the Sql_Text=something is at the end of a log event is to use filed extractions (i.e. EXTRACT) in the props.conf file:
EXTRACT-Sql_Text = Sql_Text=(? .+)$
You could even do this directly in the search app without using the props.conf stuff. The following should give you a list with the count of the 10 most used Sql_Text expression grouped by the ClientIP field:
* | rex field=_raw " Sql_Text=(?<SqlText>.+)$" | stats count ClientIP, SqlText | sort 10 -count
... View more
10-24-2011
02:08 AM
The time stamp should be in ISO8601 form - i.e. variants of YYYY-MM-DD HH:MM:SS.mmm TZ DST.
Example: 2011-10-24 14:04:02 +0200 DST
If you do not want (or need) the time zone of Daylight Savings Time designators - these may be omitted.
... View more
10-19-2011
09:59 AM
Unfortunately Splunk does not support the iv _ groups HTTP header, only iv _ user - so you still will need to let Splunk use LDAP or some scripted authentication solution.
If only Splunk did support the iv _ group HTTP header, putting Splunk behind WebSeal would really be a non-brainer.
... View more
10-19-2011
09:46 AM
1 Karma
As long as the Splunk software provide the ability for REMOTE_USER from a trusted source (i.e. proxy) within a company, it does not make any sense that Splunk Inc dictate that role information provided from the same trusted source not be used. It should be up to the company where Splunk is deployed to dictate how authentication is performed.
In our organization we use a well known reverse proxy product from IBM. If a user is correctly authenticated - the proxy will provide two HTTP headers for the back end services server (whatever these may be): One is HTTP header provides which contains the authenticated users, user name; the other is which contains a comma separated list of roles.
Splunk should, if the customer configures it that way, use the HTTP header where the roles are present.
Using scripted authentications creates CPU over head and complicate things, and using the same back end security storage that the web proxy is using might even not be possible for policy reasons.
... View more
