Channel: Latest Questions on Splunk Answers

count by percentage


Hi, we're trying to find Windows XP users with the following rules:

  1. if mod=syn, get the client IP (cli)
  2. if mod=syn+ack, get the server IP (srv)
  3. For each IP, regard it as Windows XP if over 80% of its events show os="Windows XP"

Logs look like the following:

[2014/05/19 10:40:01] mod=syn|cli=192.168.133.251/36360|srv=192.168.188.98/80|subj=cli|os=Windows NT kernel 5.x|dist=5|params=generic fuzzy|raw_sig=4:59+5:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2014/05/19 10:35:28] mod=syn+ack|cli=192.168.94.71/49771|srv=192.168.11.122/80|subj=srv|os=Windows 7 or 8|dist=3|params=none|raw_sig=4:125+3:0:1460:8192,8:mss,nop,ws,sok,ts:df,id+:0

I use the following search, which seems a bit clumsy (I'm a newbie to Splunk), and I'm looking for a way to verify it:

search sourcetype=p0f ( mod=syn ) | rename cli AS ipaddr | fields mod, os, ipaddr 
 | append [ search sourcetype=p0f (mod="syn+ack" ) | rename srv AS ipaddr | fields mod, os, ipaddr ] 
  |  rex mode=sed field=ipaddr "s/\/.*//g" 
  | stats count, count(eval(match(os,"Windows XP"))) as XP, count(eval(NOT match(os, "Windows XP"))) as nonXP by ipaddr 
  | eval matched = XP/count * 100 | search matched >= 80 | fields ipaddr

I wonder if this can be achieved more efficiently. Would anyone please help? Thanks a lot.

Rgds
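An added example, not part of the post above and not Splunk's own code: a small offline reference implementation of the same three rules in Python, useful for cross-checking what the search returns against a handful of exported p0f lines. The sample events are constructed (not real p0f output) and are chosen to hit the threshold edge, one host sitting at exactly 80% XP and another well below it. Field names (mod, cli, srv, os) follow the log format quoted in the post; the XP test is an unanchored regex search, matching the semantics of match(os, "Windows XP") in the search.

```python
import re
from collections import defaultdict

# Constructed sample p0f events (not from the original post). 192.168.133.251
# is a SYN client with os=Windows XP in 4 of 5 events (exactly 80%, so it must
# be included); 192.168.11.122 is a SYN+ACK server with 1 of 3 (excluded);
# the last event uses a mode the rules do not cover and is ignored.
SAMPLE_EVENTS = """\
[2014/05/19 10:40:01] mod=syn|cli=192.168.133.251/36360|srv=192.168.188.98/80|subj=cli|os=Windows XP|dist=5
[2014/05/19 10:40:05] mod=syn|cli=192.168.133.251/36361|srv=192.168.188.98/80|subj=cli|os=Windows XP|dist=5
[2014/05/19 10:40:09] mod=syn|cli=192.168.133.251/36362|srv=192.168.188.98/80|subj=cli|os=Windows XP|dist=5
[2014/05/19 10:40:13] mod=syn|cli=192.168.133.251/36363|srv=192.168.188.98/80|subj=cli|os=Windows XP|dist=5
[2014/05/19 10:40:17] mod=syn|cli=192.168.133.251/36364|srv=192.168.188.98/80|subj=cli|os=Windows NT kernel 5.x|dist=5
[2014/05/19 10:35:28] mod=syn+ack|cli=192.168.94.71/49771|srv=192.168.11.122/80|subj=srv|os=Windows 7 or 8|dist=3
[2014/05/19 10:35:30] mod=syn+ack|cli=192.168.94.72/49772|srv=192.168.11.122/80|subj=srv|os=Windows XP|dist=3
[2014/05/19 10:35:33] mod=syn+ack|cli=192.168.94.73/49773|srv=192.168.11.122/80|subj=srv|os=Windows 7 or 8|dist=3
[2014/05/19 10:35:40] mod=host change|cli=192.168.94.74/49774|srv=192.168.11.122/80|subj=cli|os=???|dist=0
"""

# Mirrors Splunk's match(os, "Windows XP"): an unanchored regex search.
XP_PATTERN = re.compile(r"Windows XP")


def parse_event(line):
    """Split one p0f line into a dict of key=value fields (timestamp dropped)."""
    body = line.split("] ", 1)[1] if line.startswith("[") else line
    fields = {}
    for part in body.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def subject_ip(fields):
    """Rules 1 and 2: SYN -> client IP, SYN+ACK -> server IP, anything else ignored.
    The /port suffix is stripped, like the rex sed expression in the search."""
    mode = fields.get("mod")
    if mode == "syn":
        addr = fields.get("cli", "")
    elif mode == "syn+ack":
        addr = fields.get("srv", "")
    else:
        return None
    return addr.split("/", 1)[0] or None


def tally(lines):
    """Per-IP [xp_count, total_count], the same numbers the stats command produces."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        if not line.strip():
            continue
        fields = parse_event(line)
        ip = subject_ip(fields)
        if ip is None:
            continue
        counts[ip][1] += 1
        if XP_PATTERN.search(fields.get("os", "")):
            counts[ip][0] += 1
    return dict(counts)


def xp_hosts(lines, threshold=80.0):
    """Rule 3: IPs whose XP share meets the threshold, mapped to that percentage."""
    result = {}
    for ip, (xp, total) in tally(lines).items():
        pct = xp * 100 / total  # integer numerator, so 4 of 5 is exactly 80.0
        if pct >= threshold:
            result[ip] = pct
    return result


if __name__ == "__main__":
    for ip, pct in sorted(xp_hosts(SAMPLE_EVENTS.splitlines()).items()):
        print(f"{ip}\t{pct:.1f}% Windows XP")
```

Feed it a few hundred lines exported from the p0f sourcetype and compare the IP list with what the search's `fields ipaddr` returns; a disagreement usually points at the port-stripping rex or at events whose mod value is neither syn nor syn+ack.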


Choropleth maps of splunk results by zip codes and custom regions?


I would like to visualize splunk query results on choropleth maps.

Can the Google Maps Splunk App make choropleth maps?

I realize that the Google Maps Splunk App can geocode ip addresses to zip codes using MaxMind's geo-ip mapping.

Can the Google Maps Splunk App make maps using custom sales regions?

If these features do not exist, are there any alternative Splunk mapping apps or any plans in the future by Splunk developers to develop an app that visualizes Splunk queries as a choropleth map, and using custom sales regions?

Thanks!

Upgraded to Dell R910 from 710 no change in performance


We moved from a single machine hosting both the search head as well as the indexer, to our current configuration of separate physical machines for both roles.

The new setup is: Search head R710 Raid 10 array (32GB of RAM single processor) Indexer R910 Raid 10 array (128GB of RAM, multiple physical processors).

As stated in the title, we upgraded the hardware and there is no noticeable change in performance. I logged into the machine and watched as I kicked off rather extensive searches, and only minimal levels of the system resources were consumed (sub 10% of the CPU, very little memory increase, and disk usage was within the scope of normal levels).

Has anyone else experienced this issue?

Counting Events?


Splunk Community,

I’d like to be able to count the number of events I have per SourceFile when my sourcetype is LogFile:

sourcetype="LogFile" SourceFile="File1"

I also have a number of other SourceFiles ("File2", "File3", etc.)

I've tried a number of things with no success as of yet. Does anyone know how I would be able to count the number of events per SourceFile within the sourcetype "LogFile"?

Thank you,

Mike

Sizing new installation, calculate storage from events


Hi, we are preparing to deploy Splunk and I have a question about sizing. All the documentation I've found so far talks about the size of the storage per day in GB, and the tools that I have found calculate that storage against existing Splunk installs or demo installs. All I have currently is the calculation of events per day our (smallish) network will generate. Is there a way (or an article, link or previous discussion) to translate events per day into storage per day?

The events are mostly from windows servers and firewall logs.

Thanks.

Remove Realtime Searches From Home/Search Views 6.0/6.1


I would like to remove the realtime searches that get kicked off automatically when a user is on the following pages:

/en-US/app/launcher/home (Data Panel)
/en-US/app/search/search (What to Search Panel)

This is the search that gets kicked off if you visit those pages:

| metadata type=sourcetypes | search totalCount > 0

Does anyone know what edits need to be made, and where, to stop them from happening?

The 'Splunk WebLog Add-On' TA application is not providing Source or many Sourcetypes


I just installed the Splunk WebLog Add-On app per the documented instructions. After splunk restarted, I went to use it. If I click on "Source" then the "Open Field Extraction" drop-down menu has no Source listings at all. If I click on "Sourcetype" then that drop-down menu has some sourcetypes, but certainly not all, and definitely does not have the one I am interested in, which is access_common.

Is there something I need to do in the config to help it find all my sourcetypes? I am going to de-install it if no one has any suggestions to get it working. I've read all the documentation on it and I see nothing helpful for this issue there.

Splunk for Palo Alto App - Peer Splunk Indexers


We've recently started to change our Splunk topology from a single search head / indexer to a search head and remote peer indexers.

The PAN Splunk app will stay installed on the search head. However, now with the traffic going to the indexers, all traffic is indexed as pan_log. I recall a transforms.conf file that was set up in the application that would use some regex values to split up the traffic / threat / system traffic into different sourcetypes (?).

How is the PAN app supposed to work in this type of topology? Do I need to install the app on each of the indexers and have the transforms.conf copied over from the search head (original install point)?


_geo does not plot on google maps


Good evening all, I am new to Splunk and I need to do a POC integrating with Google Maps. I appreciate any help. I have created a lookup table us_cities and configured transforms/props.conf. In fact I even have the command below resulting in the response "4 results with location information ( 4 distinct locations ) over all time", but I don't see anything plotted on the map. Also, the geo results tab shows the right lat,long retrieved from the lookup table for all 4 locations.

| inputlookup us_cities.csv | search city="Chattanooga" | eval _geo=lat+","+long

action="*" not working in Splunk 6


Hello,

I am using Splunk for Squid in Splunk 6. I did notice that this app is not supported on Splunk 6; I hope that you will still be able to support this app in the latest version. The field extractions are working properly, but the dashboard elements are not populating properly. Specifically, this search returns no results:

search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action

causing the dashboard elements not to populate. For some reason, when you add action="*" the query does not return any results. Any support would be appreciated.

How to configure heavy forwarder created with TCP/UDP 514 input to forward syslog message?


I would like to configure the heavy forwarder to forward syslog messages to the indexer. The forwarder is created with a TCP/UDP 514 input for listening for syslog data; however, nothing can be searched from the indexer.

I have installed the Deployment monitor app and the forwarders have data coming in.

Is there any configuration that needs to be done on the indexer?

The following is the info from the Deployment Monitor app:

Hostname: linux01
Current Status: active
Last Time Data Received: 06/20/2014 03:15:51
Forwarder Type: heavy forwarder
Splunk Version: 6.1.1
Platform: Linux on x86_64
Source IP: 192.168.8.5
Destination Port: 9997
Connections This Period: 23
Average KB Per Second: 38.1618
Average Events Per Second: 3.1206

Transferring Alerts from one instance to another


Hi,

Can we transfer alerts and/or dashboards that have been created in one instance to any other Splunk instance? Does anybody have an idea?

Is Cisco eStreamer on Linux search head with Windows indexer supported?


Hello, do you support deploying the Cisco eStreamer app on a Linux search head with the indexer running on a Windows server? If not, is there an estimate of when the app will be supported running on a Windows search head and indexer?

Thanks!

How to extract text from an error message in a log that follows a pattern?


I am battling a field extraction. I am trying to get the text extracted from an error message in a log that follows a pattern. Here are a couple of examples of lines in the log:

LOG ERROR:6/6/2014 3:37 PM:Error during accepting socket connection - A blocking operation was interrupted by a call to WSACancelBlockingCall
LOG ERROR:6/5/2014 1:21 PM:NHibernate.dll wasn't found. NHibernate Service Browser and Handler won't be working

I am trying to extract the text after "LOG ERROR:6/6/2014 3:37 PM:". I have tried the following extraction:

(?i)\w+\s+\w+:\d+/\d+/\d+\s+\d+:\d+\s+\w+: (?P<fieldname>.+)

What am I missing? The field extraction fails. I do not know if I have an error in the REGEX or in the general layout of the field extraction.
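An added example, not part of the post above: the posted pattern and a corrected one, run in Python over constructed lines in the same format (not real log data), so the difference is visible without a Splunk instance. Python's re and Splunk's rex both accept (?P<name>...) named groups, so a pattern that passes here can be pasted into a rex or a props.conf EXTRACT stanza. The posted pattern requires a literal space after "PM:", which the sample lines do not contain; the corrected pattern drops that space, anchors the prefix so it cannot float to a later "PM:" inside a message, and captures the level as a second field. The level group name is my own choice, not something from the post.

```python
import re

# Constructed sample lines in the format quoted in the post (not a real log).
SAMPLE_LINES = [
    "LOG ERROR:6/6/2014 3:37 PM:Error during accepting socket connection - A blocking operation was interrupted by a call to WSACancelBlockingCall",
    "LOG ERROR:6/5/2014 1:21 PM:NHibernate.dll wasn't found. NHibernate Service Browser and Handler won't be working",
    "LOG INFO:6/5/2014 1:20 PM:Service started",
]

# The post's pattern, with its backslashes restored. Note the literal space
# before the capture group: the log has "PM:Error", not "PM: Error", so this
# never matches the sample lines.
POSTED_PATTERN = re.compile(
    r"(?i)\w+\s+\w+:\d+/\d+/\d+\s+\d+:\d+\s+\w+: (?P<fieldname>.+)"
)

# Same structure without the stray space, anchored at start and end of the
# line, and with the log level captured as well (group name is an assumption).
FIXED_PATTERN = re.compile(
    r"(?i)^\w+\s+(?P<level>\w+):\d+/\d+/\d+\s+\d+:\d+\s+\w+:(?P<fieldname>.+)$"
)


def extract(pattern, line):
    """Unanchored search, like Splunk's rex; None when the pattern does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def extract_messages(lines, pattern=FIXED_PATTERN):
    """(level, fieldname) for every line the pattern matches; level is None
    for patterns that do not define that group."""
    out = []
    for line in lines:
        fields = extract(pattern, line)
        if fields:
            out.append((fields.get("level"), fields["fieldname"]))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("posted:", extract(POSTED_PATTERN, line))
        print("fixed: ", extract(FIXED_PATTERN, line))
```

Running it prints None for every line under the posted pattern and the full message text under the corrected one; the same check is worth repeating on a handful of real lines before saving the extraction, since a trailing carriage return or a different level string would also defeat the anchored version.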

Problem with inner join


Hi All,

I have 2 searches in which CM_TOKEN_TX is a common field. I am trying to join (inner join) both searches on it, but somehow I am not getting the expected results: the total number of records in the primary search is 90,000 and 63,000 in the subsearch. Can anyone look into it and help me out? The expected count is 18,000 but I am getting 15,000, a difference of 3,000. Please let me know in case you need more details.

|inputlookup PRIMARYSEARCH.csv | join CM_TOKEN_TX [ | inputlookup SUBSEARCH.CSV]
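An added example, not part of the post above and not Splunk's own code: a Python model of what `| join CM_TOKEN_TX [...]` does with its defaults (inner join, and `max=1`, so each primary row picks up only the first matching subsearch row), plus a diagnostic that compares the key sets exactly and after trimming and case-folding. Two things commonly account for a shortfall like 18,000 expected versus 15,000 seen: tokens that differ only by whitespace or case on one side, and the join subsearch result cap, which is 50,000 by default (`subsearch_maxout` in the `[join]` stanza of limits.conf), so a 63,000-row subsearch is truncated before the join runs. The two CSVs below are constructed stand-ins for PRIMARYSEARCH.csv and SUBSEARCH.CSV, whose real contents are not available.

```python
import csv
import io
from collections import Counter

# Constructed lookup contents (not the post's real files). The subsearch side
# deliberately contains a key duplicated twice, one that differs from the
# primary only by a trailing space, one that differs only by case, and one
# with no counterpart at all.
PRIMARY_CSV = """CM_TOKEN_TX,amount
tok-001,10
tok-002,20
tok-003,30
tok-004,40
tok-005,50
"""

SUB_CSV = """CM_TOKEN_TX,status
tok-001,ok
tok-001,retry
tok-002 ,ok
TOK-003,ok
tok-009,ok
"""

KEY = "CM_TOKEN_TX"


def load(text):
    """Rows of a CSV lookup as dicts, keeping field values exactly as written."""
    return list(csv.DictReader(io.StringIO(text)))


def splunk_join(primary, sub, key, max_matches=1):
    """Model of `| join <key> [...]` defaults: inner join, and only the first
    max_matches subsearch rows per key value are used (Splunk's max=1)."""
    by_key = {}
    for row in sub:
        by_key.setdefault(row[key], []).append(row)
    joined = []
    for row in primary:
        for match in by_key.get(row[key], [])[:max_matches]:
            merged = dict(row)
            merged.update(match)
            joined.append(merged)
    return joined


def diagnose(primary, sub, key):
    """Explain a join count: exact key overlap, overlap after normalising
    whitespace and case, duplicate keys on the subsearch side, and the row
    count the join actually yields."""
    p_keys = Counter(r[key] for r in primary)
    s_keys = Counter(r[key] for r in sub)

    def norm(k):
        return k.strip().lower()

    p_norm = {norm(k) for k in p_keys}
    s_norm = {norm(k) for k in s_keys}
    return {
        "exact_overlap": len(set(p_keys) & set(s_keys)),
        "normalized_overlap": len(p_norm & s_norm),
        "sub_duplicate_keys": sorted(k for k, n in s_keys.items() if n > 1),
        "joined_rows": len(splunk_join(primary, sub, key)),
    }


if __name__ == "__main__":
    report = diagnose(load(PRIMARY_CSV), load(SUB_CSV), KEY)
    for name, value in report.items():
        print(f"{name}: {value}")
```

When normalized_overlap exceeds exact_overlap, the fix is to normalise the token on both sides (`eval CM_TOKEN_TX=lower(trim(CM_TOKEN_TX))`) before joining; when the subsearch is larger than the cap, the count drops for a reason no normalisation will cure, and a `stats` over `CM_TOKEN_TX` after appending both lookups is the usual way round it.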

Dashboards slideshow


Does anyone know of a good way to rotate through different dashboards? I tried the Slideshow app, but it seems to only work with IE and I still couldn't get it to change to another dashboard after the timeout period. Anyone else have a setup going?

Thanks,

Why does Splunk enterprise license show: Status= FROM_THE_FUTURE?


I am running Splunk 6.0.4 on linux. On the "Licensing" page, my enterprise license shows a status of "FROM_THE_FUTURE" instead of "valid" like in the documentation. Why is this and what does it mean? Also, the volume of my license is 5,120 MB but Effective daily volume is 0 MB. Why?

Any help is greatly appreciated.

License Pool daily volume configuration not working


Hi all, I am running Splunk 6.0.4 on Red Hat Linux. I installed an enterprise license and the auto-generated pool was created. However, when trying to set the daily volume allocation, it appears the pool will not go over 0 MB. I have a 5 GB license and have tried configuring the pool in MB and GB, but the pool continues to show as 0 MB. Does anyone know what's wrong?

Other info: The Splunk Enterprise stack shows, "Effective daily volume" of "0 MB". The enterprise license "Status" shows, "FROM_THE_FUTURE". "auto_generated_pool_enterprise" shows volume used today as, "57 MB / 0 MB".

Thanks for any help.

SNMP modular input not indexing data for multiple oid's in v3


SNMP v3 (AuthNoPriv) is not indexing data when the configuration contains multiple comma-separated OIDs:

[snmp://<ip>]
destination = <ip>
do_bulk_get = 1
host = <ip>
index = netapp
ipv6 = 0
mib_names = NETWORK-APPLIANCE-MIB
object_names = 1.3.6.1.4.1.789.1.5.11.1.9,1.3.6.1.4.1.789.1.5.4.1.1,1.3.6.1.4.1.789.1.5.4.1.10,1.3.6.1.4.1.789.1.5.4.1.14,1.3.6.1.4.1.789.1.5.4.1.15,1.3.6.1.4.1.789.1.5.4.1.16,1.3.6.1.4.1.789.1.5.4.1.17,1.3.6.1.4.1.789.1.5.4.1.18,1.3.6.1.4.1.789.1.5.4.1.19
snmp_mode = attributes
snmp_version = 3
snmpinterval = 60
sourcetype = IP
split_bulk_output = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
v3_securityName = User_name
v3_authKey = PassWord

But if I configure it with only one OID, then the data does get into Splunk:

object_names = 1.3.6.1.4.1.789.1.5.11.1.9

This problem is with SNMP v3; please help.

Thanks in advance, Harshal

Does the account that the Splunk service uses require interactive logon rights to execute scripts?


We have SOS and the Windows Infrastructure apps installed. Just curious whether the scripts are executed by the Splunk search server remotely on the target systems, or by the UF on the target systems. Either way, does the account the Splunk service is started with require interactive logon rights to execute scripts?
