I'm wondering if there is an equivalent way to do this with the rest search command:
curl -k -u admin:changeme -d "search=savedsearch CIF%3Adomain_botnet" -d "output_mode=csv" https://localhost:8089/servicesNS/admin/search/search/jobs/export -o domain_botnet.csv
That runs the saved search called CIF:domain_botnet.
Is that possible?
Thx.
Craig
I was wondering if it is possible to send a message to the users currently logged into the UI as a warning that we are going to restart Splunk. Is there any way to do that? Maybe send a message that will display across the top in red, like errors and "restart required" messages do. If not, it would be a really nice idea. We have a few hundred users and it would be great to send out a warning to them somehow.
Thanks!
Hi;
Seems like, with LDAP integrated and roles mapped to LDAP groups, Splunk will update its cached list of users and their roles only when a splunkweb session starts--ie, if we add a user to a mapped role, this does not show up in Manage > Access Controls > Users, but after that user logs in, he/she now shows up in that list.
On the other hand, if we make changes to that user's role, and he/she is currently logged into splunk web, that change will not take effect unless they log out and back in--correct?
We know we can hit manage > Access Controls > Authentication method > Reload authentication method to reset, but:
a) is there any setting in authentication.conf or limits.conf to make this happen on a periodic basis?
b) we see that according to http://blogs.splunk.com/2009/08/20/reload-4-auth/, we can do this via a cron job, but is this still best practice in 5.0 +?
thanks, bw
Hi,
I am experiencing trouble downloading from apps.splunk.com. I've tries multiple computers, networks, market apps but nothing seems to work.
Anyone knows if there is an issue with the system right now? Thanks in advance,
Naor
I am using the Datetime module of sideview utils. I need to extract the date. How can I do that?. I am using the earliest and latest parameter to set 'From' and to 'Date' range
Ex: current Date: 05/30/2014 00:00:00 I need the final result as >> current Date: 05/30/2014
Below is the Code I am using
<module name="Search" layoutPanel="panel_row12_col2_grp1" autoRun="True">
<param name="search">| stats count | fields - count | addinfo | rename info_min_time as earliest info_max_time as latest</param>
<param name="earliest">-14d@d</param>
<param name="latest">-1d@d</param>
<module name="ResultsValueSetter">
<param name="fields">earliest, latest</param>
<module name="Search">
<param name="earliest">$earliest$</param>
<param name="latest">$latest$</param>
<module name="DateTime" layoutPanel="panel_row2_col2_grp1">
<param name="label">From</param>
<param name="name">earliest</param>
<module name="DateTime" layoutPanel="panel_row2_col2_grp1">
<param name="label">Thru</param>
<param name="name">latest</param>
</module>
</module>
</module>
</module>
How do I specify a minimum width for columns in a column chart?
The documentation very usefully says columnStyle style<sprite> The properties to apply to column sprites in column charts. See the sprite defaults but there are no examples of the syntax and the intuitively obvious choice of option name="charting.chart.columnStyle.maximumWidth" does nothing.
Nor do these:
option name="charting.chart.columnStyle.spriteMinimumWidth"
option name="charting.chart.sprite.width"
In general the developer documentation would benefit greatly from more syntax explanation and examples. Can anyone advise what option or param is required to set sprite minimumWidth for a column chart?
Thanks
hiii
we are having waf and ids the ip passes from ids and waf so i need to correlate the ip address and name fields in both devices... give me some example query regarding this
we have two device like waf and ids in this we
what i need is common ip address in both devices source address waf signature of waf source address of ids signature of ids
Hi,
I saw that there is dc so we can get the distinct count but what if I want to get the sum for unique field values? I have tried something like this but it is missing some values. Any suggestions?
base search | dedup field | stats sum(field) as sum
Having a hard time getting Splunk Universal Forwarder to be installed on the pfSense Firewall for collecting firewall events. Is there any documentation. I'm using PFSENSE 2.1
6.1.1 known issues: Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used. (SPL-67491)
Were using Eval to do comma formatting on some fields: eval Merch=tostring(Merch,"commas")
and noticed that in the generated pdf fields formatted with commas are not in line like they are with the dashboard. The other numbers are right aligned, they are left aligned
(dashboard) |Merch | | 1,260.00|
(exported pdf) |Merch | |1,260.00 |
Hi, i'm using splunk 6.1.1
I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"
..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE
I've got many overlapping events in Summary index next day.
,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"
Whats wrong in my search or scheduler?
Hello,
I´m looking for another option or possibility to select the first value of a populating search of a dropdown than using "<selectfirstchoice>true</selectfirstchoice>". Important is that the first value is selected automatically every time the populating search stopped running! And is it possible to always hide the dropdown in the dashboard in simple xml?
Thanks
Greetings
I will try my best to formulate my question as I couldn't find anything similar asked already.
I am trying to display timechart as AreaChart over the last 4hrs with a span of 1h
source="*searchstring*" index=main | timechart span=1h dc(user_id) as "Users"
At a time this posted, my time was 4:50pm. I am applying custom time of: -4h@h to @h
Very simple task and pretty straight forward.
The challenge is that my chart has blank space on the left edge of it and missing information from the 4:00pm.
Any help will be appreciated. (I cannot upload screenshot, but I hope my explanation makes sense)
Hello Team,
I have tried sar and it gives proper output.Systat is also installed properly. However i get no output for sourcetype=cpu. I tried variety of methods but none of them work.
Can you please give me a simple solution to troubleshoot the issue?
Thanks
All,
i have few fields in my data which contain html/xml tags, is it possible to convert them to human readable format when running search on them? example below.
thanks,
DESCRIPTION=" <p><b>APPROVE </b></p><br><br><br><br><p><p xmlns:v=\"urn:schemas-microsoft-com:vml\" xmlns:o=\"urn:schemas-microsoft-com:office:office\" xmlns:w=\"urn:schemas-microsoft-com:office:word\" xmlns:m=\"http://schemas.microsoft.com/office/2004/12/omml\" xmlns=\"http://www.w3.org/TR/REC-html40\"> <p lang=\"EN-US\" link=\"blue\" vlink=\"purple\"> <div class=\"WordSection1\"> <p><span style=\"font-family:"Calibri","sans-serif"\">Please click send to APPROVE this request.</span> <br> <span style=\"font-family:"Calibri","sans-serif"\"> </span> <br> <span style=\"font-family:"Calibri","sans-serif"\"> </span> <br> <span style=\"font-family:"Calibri","sans-serif"\"> ------------------------------------------- Do not delete anything below this line -------------------------------------------</span><o:p></o:p></p> <p><span style=\"font-family:"Calibri","sans-serif"\"> </span> <br> <span style=\"font-family:"Calibri","sans-serif"\"> @OPERATION@='SOLVE' </span><br> <span style=\"font-family:"Calibri","sans-serif"\"> @RFC_NUMBER@='REQ:140328_0074_008' </span><br> <span style=\"font-family:"Calibri","sans-serif"\"> @ACTION_ID@='3214043' </span><br> <span style=\"font-family:"Calibri","sans-serif"\"> @CHOICE@='1'</span> <o:p></o:p></p> </div> </p> </p></p>
I was wondering if anyone has experience integrating McAfee Network DLP with Splunk in a secure fashion? The challenge is that McAfee DLP's syslog notification when incident is triggered is in plaintext through UDP 514. As incident data are highly sensitive, we need to get them encrypted on the network.
One possible solution I'm testing out is to set DLP to send the syslog to localhost, and then run a Splunk universal forwarder on the same host to forward the log to the Splunk indexer. I was able to succesfully install Splunk Forwarder on the DLP host (running McAfee flavored Linux), opened a listener on 514 and added a forwarder to the index on port 9997. The indexer has been configured to listen on port 9997. However, I'm not getting any incidents forwarded to the indexer. Is there anything I'm missing or is there a way I can check whether the Splunk Forwarder is receiving any syslog from DLP?
Hello,
I have recently been learning the Splunk Web Framework and putting an app together using Django. However, I cannot find any documentation that details how to achieve the following -
I would like to be able to click a section (bar) on my timechart and instead of getting redirected to a results view on a new page, I would like to populate a panel underneath with the results (events viewer).
I was hoping there is a slick way to achieve this rather than creating variables from a drilldown action, as I would need to capture the exact time & other fields to ensure I was displaying the correct event underneath. A redirect to panel/module function would be ideal in this instance.
Thanks, DS
My log looks something similar to this. I will have at least 100 different durations per hour. (Duration is the time which is taken to complete one transaction). My requirement is to create a table/chart with the average duration per hour.
Expected
06/09/2014 | 12:00:00 AM - 12:59:59 AM | 15 ms | i.e (10+20)/2
06/09/2014 | 01:00:00 AM - 01:59:59 AM | 20 ms | i.e (20+20+20)/3
.
.
I should get only 24 results always. The time mentioned in log is not the time indexed by Splunk. It comes from the application logs. I tried lot of things but nothing is working. can someone help me in solving the problem.
Log format
MYTIME,DURATION
06/09/2014 12:01:16 AM 10ms
06/09/2014 12:05:51 AM 20ms
..
06/09/2014 01:01:16 AM 20ms
06/09/2014 01:05:51 AM 20ms
06/09/2014 01:05:51 AM 20ms
..
06/09/2014 02:01:11 AM 70ms
06/09/2014 02:03:11 AM 20ms
...
06/09/2014 03:01:14 PM 74ms
06/09/2014 03:01:16 PM 87ms
...
I recently installed the Splunk For Nagios application so I could monitor the service availability. However, I have been unable to succesfully install and integrate the software in order to populate the livestatus dashboards in Splunk For Nagios. The livestatus dashboards are all empty as if no data is received from livestatus
I have a virtual machine ABC where Nagios is installed and a VM XYZ where splunk is installed.
I managed to install livestatus on my Nagios server and can extract data from it using the query language provided
I believe that my issue resides in the communication between my nagios installation and the my splunk server
I have a couple questions concerning this:
Where is the agent installed? on the Nagios server or the Splunk server?
I have looked inside the livestatus' log file and when I try and display the dashboard, there are no new logs so I know the request does not reach the server.
Has anyone managed to install and integrate this application? I found the documentation quite ambiguous and incomplete.
Any help would be appreciated.
Thanks
For every scheduled search I have that runs in intervals greater than every 24 hours, my dashboards will not use the results of the last run, but instead will run the search inline. I am setting the useHistory parameter to auto, such that it will use the results of the last run, or run it inline if it can't find them. The problem is, it can never find them.
I know the TTL you specify in your saved_searches.conf file is the go-to place for configuring this setting. Mine is currently set to 2p, which as I understand, means the results of each one will be set to two times the length of the interval between each search (e.g. - the results for a scheduled search set to run every MONTH will live on the server for 2 months). Also, I am unclear as to whether this interval also applies to scheduled searches that implement CRON scheduling (instead of the basic start time & end time settings available when you set-up or modify a saved search's settings in the manager UI).
However, I can literally NEVER get these to load by default in my view without the view first having to re-run the search in its entirety.
Before posting, please keep in mind:
(1) Yes, I have the name of the scheduled spelled correctly in my view (otherwise, I'm pretty sure you'd get an error)
(2) I am not trying to run a saved search from the search bar and use 'Actions' > 'Save'. This search runs automatically and I'm trying to incorporate its results into my View and create a graphical representation of them.
Any help / feedback is much appreciated! I've been trying to overcome this issue for a while now.