Smart AnSwerS #92

Hello community, and welcome to the 92nd installment of the Smart AnSwerS blog series, where we feature Splunk tips and tricks created by users in the Splunk Answers community.

And speaking of tricks (or treats), happy Halloween from everyone at Splunk headquarters in San Francisco! Hopefully, you already have your costume picked out; but for those still looking, how about being Splunk’s mascot Buttercup?

Also, a big thank you to everyone who made it out to Orlando earlier this month for Splunk’s annual extravaganza, .conf18. If you went, hopefully you got a chance to meet Patrick Pablo, the master of all things related to Splunk Community. Patrick was working the Community Lounge at .conf, and if you snagged a selfie with him, our buddies over at Bucketlist would’ve given you some points!

If you aren’t familiar with Bucketlist, it’s a place where you turn all that hard earned Splunk wisdom into fun prizes.

But if you weren’t able to make it out to Florida this year, don’t worry! You can experience the highlights of .conf18 from the comfort of your computer. At the .conf Online page, you can check out videos and slides from this year’s event, including technical sessions, the Visionary and Roadmap keynote, exciting product releases, and much, much more.

But now .conf is over and the Splunk must go on, or something like that. After all the excitement, we at Splunk Answers are getting back to what we do best: helping you get the most out of your Splunk products and connecting you with our vast community of Splunk enthusiasts.

Here are a couple of our favorite recent posts from Splunk Answers.

Is it possible to edit a sourcetype after its creation?

According to Splunk Docs, “the source type is a key way to categorize your data.” Saying data comes in many shapes and sizes is an understatement. Splunk CEO Doug Merritt often refers to raw, unstructured data as chaos. Yikes! Fortunately, we have source types which help make sense of that chaos. Source types tell Splunk how to categorize your data so that it can be structured and labeled properly for your searching needs.

However, what happens if you want to change that source type after indexing?

atemourt had that exact problem, but luckily, mayurr98 and florianduhme came to the rescue. As it turns out, there are multiple ways to edit a source type in Splunk. Florianduhme suggested that the user go into the settings and edit the source type from there. For detailed instructions about editing source types through settings, head over to the Splunk Docs page for managing source types.

In addition to that answer, SplunkTrust member mayurr98 added the following fix: editing the props.conf file directly from the command line. If you don’t know how to modify the props.conf file, again, Splunk Docs has you covered.

However, heed mayurr98‘s reminder: these changes to the source type only apply to data indexed after the change. If you want that brand spanking new source type applied to data that was ingested earlier, that data will have to be deleted and reindexed.
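As an added illustration (this is not mayurr98’s or florianduhme’s answer), here is what the props.conf edit looks like for a hypothetical log path; the path and the source type names myapp:log and myapp_old are assumptions. The first stanza assigns a source type at index time, so it only affects events parsed after the instance that does the parsing (an indexer or heavy forwarder) restarts with the new file. The second stanza uses the documented rename setting, which relabels an existing source type at search time and therefore does cover already-indexed events, but it changes only the name, not how the data was line-broken or timestamped, which is why a real re-parse still means a reindex.

```ini
# props.conf on the parsing tier (indexer or heavy forwarder).

# Index-time assignment: applies only to events parsed after a restart,
# so events that are already indexed keep their old source type.
[source::/var/log/myapp/*.log]
sourcetype = myapp:log

# Search-time relabel: events indexed as "myapp_old" are returned by
# sourcetype=myapp:log, and the original name stays in _sourcetype.
# Parsing is NOT redone, so this does not fix bad line breaking or
# timestamp extraction on old data; that still requires a reindex.
[myapp_old]
rename = myapp:log
```

A quick check after the restart is to run a search over a few minutes of fresh data and confirm the new name appears in sourcetype while _sourcetype still shows the original name for relabelled events.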

If you want to read the entire post, you can check that out on Splunk Answers.

How to create a search which detects password changes and finds the last time the password was changed?

One of the beautiful things about Splunk Enterprise is its customizable alerting abilities. This feature gives you the ability to define what qualifies as suspicious behavior for your unique network and data setup, keeping you one step ahead of security threats.

The first step to setting up such an alert is creating a search which returns the suspicious conditions that you define.

For example, the user eputnam wanted to create an alert that would be triggered if a user changed their password too often. Of course, such behavior may be as innocent as your coworker forgetting their password over and over again.

Or, it could be evidence that something foul is afoot in your network.

So eputnam knew the alert they wanted to set up (which is half the battle), and they had a decent foundation for a search that returned the password information they wanted. But while eputnam’s search successfully returned the total number of password changes, it was too broad. They didn’t need a search for all password changes; they needed one that would surface users with multiple password changes within a 24-hour period.

Splunk Answers moderator and SplunkTrust member DalJeanis helped them achieve that goal. DalJeanis used the earliest and latest time modifiers to search for password changes that occurred within a 15-minute time period, and added up the number of password changes each user made over 24 hours. He then used the eventstats command to compute that count and store it in a field called “PwdChanges.” After that, all that remained was to keep only results where PwdChanges was greater than 3, and eputnam was on their way to a safer network.
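Here is one way to build such a search, written as an added example for this post; it is not eputnam’s or DalJeanis’s search. It assumes Windows Security logs indexed as sourcetype WinEventLog:Security, where EventCode 4723 is a user-initiated password change and EventCode 4724 an administrative reset, and it assumes the target account is in a field named user (the Common Information Model name; the raw field in your add-on may differ). Instead of a fixed 24-hour window it uses streamstats with time_window, so that any four changes within a rolling 24 hours trigger even when they straddle a day boundary:

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4723 OR EventCode=4724) earliest=-7d latest=now
| eval change_type=if(EventCode=4723, "self_change", "admin_reset")
| streamstats time_window=24h count AS PwdChanges BY user
| where PwdChanges > 3
| stats min(_time) AS first_change, max(_time) AS last_change, max(PwdChanges) AS PwdChanges, values(change_type) AS change_types BY user
| convert ctime(first_change) ctime(last_change)
| sort - PwdChanges
```

streamstats with time_window needs the events ordered by _time, which is the default order of search results, so no explicit sort is required before it. The change_types column is there for triage: a run of admin_reset events is often a helpdesk ticket, while repeated self_change events from one account are harder to explain away. A threshold of 3 is a starting point, not a rule; schedule the saved search as an alert and tune it against a week of your own data before trusting it.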

You can read the entire post on Splunk Answers. Also, check out the Splunk Docs section on creating alerts if you want to learn more.

In a chart count where days are the column header, how do I get the days to list in chronological order?

Ah, the chart command. That useful tool that lets you transform your data into a nice, readable table format. Charting results over time can give you all sorts of insights into your data; at least, that was what user rossblassingame was hoping for.

However, there was a problem with his search.

The user wanted Splunk to make a chart that had days of the week as the column headers and hours in a day as row headers. Seems simple enough, right?

Unfortunately, it was a little more difficult than he had originally thought. Instead of listing the days of the week chronologically, Splunk listed them alphabetically: “Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday”.

“What the Splunk is going on here?” the user wondered.

The problem is that Splunk has no built-in notion that Monday comes before Tuesday. date_wday is a string field, and when chart splits columns by a string field it orders the column values lexicographically. Unless you tell Splunk the order you want for words like days of the week or months of the year, they come out alphabetically.

New moderator and SplunkTrust member renjith.nair provided a search that told Splunk how to order the days of the week. They tweaked rossblassingame’s original search by piping the result into a fields command that lists the columns in the desired order: “| chart count over date_hour by date_wday | fields date_hour, sunday, monday, tuesday, wednesday, thursday, friday, saturday.”
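A more general form of the same fix, added here as an example and not renjith.nair’s search, is to hand chart a split-by value that already sorts in the order you want and then rename it. The index and sourcetype (web access logs) are assumptions. strftime with %w gives the weekday number (0 = Sunday) and %A the name, so the combined string sorts chronologically; %H gives zero-padded hours so the rows do too, and rename strips the numeric prefixes afterwards:

```spl
index=web sourcetype=access_combined earliest=-7d@d latest=@d
| eval hour=strftime(_time, "%H")
| eval wday=strftime(_time, "%w %A")
| chart count OVER hour BY wday
| rename "0 Sunday" AS Sunday, "1 Monday" AS Monday, "2 Tuesday" AS Tuesday, "3 Wednesday" AS Wednesday, "4 Thursday" AS Thursday, "5 Friday" AS Friday, "6 Saturday" AS Saturday
| fillnull value=0
```

Deriving the keys from _time rather than from date_wday and date_hour has two practical benefits: the date_* fields are only populated when Splunk extracted a timestamp from the event itself, and they reflect the time zone written in the raw event, whereas strftime(_time, ...) works on every event and renders in the searching user’s time zone, which is usually what a dashboard reader expects.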

You can check out that entire post on Splunk Answers.

And if you want to join in on the fun, there are a bunch of ways that you can be a part of the Splunk Community. Post a question or a solution at the Splunk Answers forum, meet some new friends in our Splunk community chat, or hit up a Splunk user group meeting in your area.

Posted by Matt St. John

