The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.
Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.
Forums: SplunkSearchAndAlert
Topics 1–20 of 297
| Topic | Author | Replies | Latest Post |
|---|---|---|---|
|
"NOT IN" SQL kind of functionality in Splunk ?
(Not tagged)
I was looking for a "NOT IN" SQL kind of functionality in Splunk to get events from one index that are not in another index based on some field, but i couldn't find such a functionality in Splunk.
So, how do i get events from one index based on a filed value which is not in another index ?
Equivalent ...
|
4
|
13 months ago... | |
|
No Data Alert
(Not tagged)
Is possible in splunk to configure no data alert? I want to receive an email alert when, for any reason, a data source don't sends events to my splunk server for a specified time.
Thanks!
|
–
|
14 months ago... | |
|
Using "eventtype" inside "if" function of "eval" command
(Not tagged)
I have an event defined like this in eventtype.conf:
[SOME_EVENT]
search= index=SOME_INDEX (SOME_OTHER_FIELD=A OR SOME_OTHER_FIELD=B OR SOME_OTHER_FIELD=C)
If I search like this, it works:
index=SOME_INDEX | stats sum(eval(if(((SOME_OTHER_FIELD==A OR SOME_OTHER_FIELD==B OR SOME_OTHER_FIELD==C),SOME_FIELD,0))) ...
|
1
|
16 months ago... | |
|
Hostname Table Lookup, Not Working, What's the issue?
(Not tagged)
Looking to have the ip's replaced with the hostnames. Receiving the error, "The lookup table 'hosts' does not exist. It is referenced by configuration 'syslog'."
Current config:
/apps/search/lookups/hosts.csv:
ip,name
x.x.x.x,host1
y.y.y.y,host2
/apps/search/local/props.conf:
[syslog]
lookup_table ...
|
–
|
17 months ago... | |
|
Monitoring Windows Disk usage.
(Not tagged)
I am struggling with setting up a search to alert me when a windows host or linux host runs below a certain percentage of Diskspace.
I have tried to schedule alerts based upon Windows Event codes.
host="*" source="wineventlog:system"(\"EventID=4133\"OR \"EventID=1082\")
However it is not as ...
|
4
|
18 months ago... | |
|
Can only search Today's data
(Not tagged)
My search summary page indicates that my index has over 8 million entries but any search i run ends at midnight and will not search any data before the day that i initiate the search. So if i ran a search yesterday i could only search yesterday's indexed data. If i search today, i can only see data ...
|
–
|
18 months ago... | |
|
Help with subsearch
(Not tagged)
Hi,
I have one index with fields "vl" and "count" and I have one source in CSV with field "vl".
Example:
index="list_counts"
vl=vlvv3 count=5
vl=vlvv5 count=1
vl=vlvt1 count=32
vls.csv
vlvv3
vlvt1
vlvo4
I want have one result like:
vlvv3 count=5
vlvt1 count=32
vlvo4 count=0
My ...
|
1
|
19 months ago... | |
|
Alert based on subset of search
(Not tagged)
Hello,
I am running a search that returns all the failed logins across all servers that occurred in the last 15 minutes. It runs every 15 minutes and I want it to alert out if the failed logins is greater than 3 for a SINGLE server. So I don't want my threshold to be 3, but 3 for a specific server. ...
|
1
|
19 months ago... | |
|
Search Help: Syslog and Matching Security Event Log
(Not tagged)
Hello,
I am hoping to be able to right a search that does the following:
searches syslog data from a router. If criteria are met, look for login data on a specific server in a time window around the time of the syslog traffic.
We have some remote routers that are watched for SSL traffic. ...
|
–
|
19 months ago... | |
|
Get Average Count per hour over time
(Not tagged)
For some reason this search query should be pretty straight forward. However, I am not coming up with the results I expect.
We have a field - let's call it tran_type. This field returns multiple descriptions of the type of transactions. I am extracting this data from XML logs with the xmlkv command.
sourcetype=sourcetype ...
|
–
|
19 months ago... | |
|
Subsearch problem / How subsearches work ?
(Not tagged)
Folks :
I am just trying to use a subsearch, and, after reading all the material available on subsearches, reviewing my earlier (3.4.X) examples on the subject, I just don't know how to debug / know what it going on ... (actually, maybe is a problem with the way I understand subsearches)
What ...
|
24
|
20 months ago... | |
|
Saved Search on a Windows Eventlog Collection
(Not tagged)
Hi,
I am hoping to use Splunk to expose the contents of a Windows eventlog to our technical support team. My source is a application specific eventlog from several servers, I have two server farms and would need two different pages / searches to segregate the eventlogs from each farm. Ideally I ...
|
9
|
20 months ago... | |
|
stop alerts during maintenance time
(Not tagged)
I have alerts setup using Splunk. Now we do not want the alerts during a scheduled maintenance every week on sunday from 4 to 9 AM.
NOT((date_wday=sunday) AND (date_hour>=4 OR date_hour<=9))
Can some one validate if this the correct way of defining this exception time range?
thanks.
|
–
|
20 months ago... | |
|
Searching WIndows Eventlog Data
(Not tagged)
Hello,
I have a two-part question.
First, is it possible to glean privelege level from the Windows Security Event log? For example, I do not want just a list of logins, but a list of logins with administrator priveleges.
Second, is it possible to group servers into classifications for ...
|
–
|
20 months ago... | |
|
Empty csv file from CLI
(Not tagged)
Hi all,
I'm using Splunk 4.1.2 on a Windows 2008 Standard Server.
From CLI I do not manage to make this command work correctly:
splunk.exe search "host=localhost source=WinEventLog:Security sourcetype=WinEventLog:Security hourago=24" -format csv -auth admin:adminpwd > C:\temp\splunklocalhost.csv
It ...
|
4
|
21 months ago... | |
|
search for failed logins
(Not tagged)
I know how to search for failed logins for a specific user like "administrator", but how do I do a search when I don't know the username? I want to alert if there are more than 20 failed logins in an hour for a user. we have 6,000 users, so we get lots of failed logins, but I want to count by user. ...
|
1
|
21 months ago... | |
|
Sophisticated search - comparison between strings
(Not tagged)
Hello,
We've been asked to prepare an interesting search feature. Our users would like to search their logs by a loglevel. For instance:
To simplify, let's say there's a log, where one of the fileds - the loglevel - may be one of the following: DEBUG, WARNING, FATAL - which would correspond to ...
|
–
|
21 months ago... | |
|
Get time between each event in a transaction
(Not tagged)
I'm trying to figure out how to calculate the time between each event in a transaction. For instance, if I had the following:
* | transaction clientip maxpause=30m
For any transaction that had 2 or more events, the time from the earliest event would be subtracted from the 2nd earliest event. Then, ...
|
–
|
21 months ago... | |
|
Send alert only if criteria is met
(Not tagged)
I have created a search and alert that looks for only critical and warning level events. Then it alerts me. The problem I have is understanding how to setup the alert to only notify me if it finds something. I am getting e-mail alerts and the results are "no results".
|
1
|
22 months ago... | |
|
Feeding Triggered Scripts Parameters from Search Results
(Not tagged)
Hello,
I was hoping to determine how, if at all possible, one could trigger a shell script from a splunk search, and pass (defined) field values from the search results to the script.
Thank you,
Oleg
|
–
|
22 months ago... |