Search on an eval variable - find filenames with yesterday's date
I used eval to create a field with yesterday's date: | eval today=strftime(now(),"%Y%m%d") I want to search on events where the filename field contains that today variable / yesterday's date. The...
How do I change the Splunk logo in Splunk Web?
I want to change the Splunk> logo present on every page. I want it to be DEV-Splunk>. Can you please tell me where this logo resides?
Archiving the Indexed data in Clustering to a single location
I'm trying to set up a single external storage for my peer nodes and archive the data to that location once it crosses a certain time period. How can I do that without storing multiple copies to the same...
Do external script lookups allow command-line switches?
I have defined the following external field lookup in my transforms.conf: [virustotal_hash_lookup] external_type = python external_cmd = virusTotal.py -fr hash fields_list = hash, total, positives If I...
Timechart values not working
I've been trying to chart some data and every way I try, it just doesn't work. I'm able to create a table of my data fine. I use the search: sourcetype="ec2_web" "[EVENTS]" | rex field=_raw...
What is the best way to migrate old data from a single Splunk server to a new...
Is there any way to point my old Splunk server at the new cluster and have it forward all of my previously indexed events to the cluster so that they are evenly distributed across the nodes and can...
Google Maps GeoIP Not Working Right?
I'm using the Google Maps App for Splunk. When attempting to use the geoip command, it only appears to actually show a small fraction of a percentage (around .0008%) of IPs as having geographical...
How to use lookup to exclude a list of user_names and service_file_names
I am trying to run a search that shows executables that are run by any user on my network. Yet I want to exclude from the search typically run service .exe's and associated service user accounts. I...
Cisco Firewall Addon - no input, no setup option in Manager
I have the Splunk for Cisco Firewalls Addon installed, and I'm trying to get data into it. The Readme has this line in it for configuring the data inputs. (I'm using version 2.0) "Click Manager >...
Where to get 32-bit glibc.i686 and pam.i686 packages for Check Point OPSEC...
Hi, I tried installing the Splunk add-on for Check Point OPSEC LEA and was stuck at trying to obtain the 2 required 32-bit packages, glibc.i686 and pam.i686. I'm installing Splunk on RHEL Server 6.4, and...
Lookup with CIDR
Greetings, I feel like this shouldn't be rocket science, but I just can't make it work. Our internal network is pretty complicated with IPs assigned to departments in pretty granular form. I would like...
Wildcard in props.conf while using transforms.conf
Hi, I'm using transforms.conf to extract my fields, but I have a lot of different stanzas, all starting the same (abc_red, abc_green etc.). Is there a way to use wildcards in the REPORT attribute in...
Calculate top talkers by application
I would like to calculate the top talkers by application (name/ID) but I have run into a snag. The firewall returns "connection closed" messages which include the sent/received bytes but it does not...
Splunk's $SPLUNK_HOME/etc/passwd File syntax and encryption/hashing algorithm
I've searched around a good bit.. haven't found any official documentation on the topic. On Splunk forwarders and indexers, Splunk stores users and their info in $SPLUNK_HOME/etc/passwd. Cat-ing the file...
OPSEC LEA Linux App - does not connect
I am using Splunk 5.03 installed on Ubuntu. I installed the OPSEC LEA App for Checkpoint log analysis. I was able to establish a connection with our Checkpoint firewall, but now the connection is...
Calculate duration of connection
I have these two log messages: Jul 2 10:21:50 10.197.1.254 id=firewall sn=0017C5C027C1 time="2013-07-02 17:21:50 UTC" fw=67.115.118.49 pri=6 c=262144 m=98 msg="Connection Opened" n=565679...
Splunk LEA - opsec_pull_cert issue
I've followed the documentation and I've arrived at this stage many times but can't figure it out. I'm not much of a *nix expert so I'm hoping it's something others will find simple. My configuration is...
Splunk indexer is trying to establish connections on forwarder systems on...
I have had a number of systems set up with a splunk forwarder. The forwarders are sending data, and our main splunk instance is happily indexing it. But today the person who runs the firewall that sits...
Remove ::ffff: from logs
I am looking to remove the ::ffff: from Windows event logs: Network Information: Client Address: ::ffff:XX.XX.XX.XX Client Port: 51806 Any assistance would be appreciated.
Using ResultValueSetter with Switcher: stop printing the resultvaluesetter's...
A snippet of my code is below. My problem is that the ResultValueSetter's 'field' value (in this case the value of 'leaf') is printed by downstream modules (in this case by the table chosen by Switcher)...