Smart AnSwerS #94

Hello, Splunk enthusiasts, and Happy New Year!

If you made a New Year’s resolution, I hope it's going well. Perhaps you promised to clean up your logs, to better define your source types, or to participate more on Splunk Answers (our community Q&A forum).

Whatever your resolution is, don’t worry if on some days you stumble like an overloaded server. New Year’s resolutions should be a road map for growth rather than a cause for disappointment. So if you’re experiencing those late-January resolution-blues, stay the course! You’re one step closer to achieving that goal than you were in 2018.

Okay, pep talk over. Welcome to the 94th installment of the Smart AnSwerS blog series! The purpose of this blog is to shine a spotlight on helpful solutions from the Splunk Answers forum.

Here are three answers that really knocked our fez caps off.

How do you change the background color of a timechart if there is a value of zero?

Our first featured post was written by DEAD_BEEF, whose strange username is a favorite around the Splunk Community office. Is DEAD_BEEF the name of a low-budget horror movie about zombie cows or the name of a cattle-centric death metal band (\m/ (-_-) \m/)? We are dying to know!

Anyway, DEAD_BEEF is in charge of a Splunk environment that monitors hosts in a network. DEAD_BEEF wants to be certain that users in the network know when hosts go down (kind of important, right?). To achieve this, when 0 logs are indexed from any host, DEAD_BEEF wants to alert users and display a warning on a dashboard.

But to be extra certain that a downed host would catch the attention of users, DEAD_BEEF created a dashboard with customizable panels, so when 0 logs were indexed from a host, the corresponding panel would turn red.

To make this dashboard, DEAD_BEEF wrote a query that searched the index and displayed the count of logs by host in a timechart. Then DEAD_BEEF used the trellis layout, which returned an individual chart for the log count of each host.

However, something broke along the way. Thankfully SplunkTrust member and Answers moderator DalJeanis stumbled upon the post. If you want to see what DEAD_BEEF and DalJeanis cooked up, check out the entire post here.
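One practical wrinkle with a "count of logs by host" search is that a host which has indexed nothing in the search window never appears in the results at all, so there is no zero to colour red; you have to supply the list of expected hosts yourself. The SPL below is an added example written for this blog entry, not the query from DEAD_BEEF's thread or DalJeanis's answer. It assumes a CSV lookup named expected_hosts.csv with a host column and an index named main; both names are placeholders.

```spl
| inputlookup expected_hosts.csv
| fields host
| eval count = 0
| append
    [| tstats count WHERE index=main earliest=-24h@h latest=@h BY host]
| stats sum(count) AS count BY host
| eval status = if(count == 0, "DOWN", "OK")
| sort status, host
```

The lookup seeds every expected host with a count of 0; the tstats subsearch (fast, because it reads index metadata rather than raw events) adds the real counts; the final stats merges the two so silent hosts survive with count 0 and get status DOWN. Two things to check before trusting it: the host values in the lookup must match the indexed host field exactly (it is case-sensitive), or a live host will be reported DOWN, and an alert on status=DOWN should run on the same schedule as the dashboard so that a silent host is reported even when nobody is looking at the panel.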

How should I go about using one forwarder for all servers?

This post is for all those Microsoft system administrators out there; we see you!

If you want to forward your Microsoft server data to Splunk, you have a lot of options. However, user thijsvl has some specific needs for their Splunk setup. They don’t want to have a universal forwarder on each of their domain controllers; they want to use a single forwarder for all of their domain controllers.

Unfortunately, thijsvl was a bit stumped on how to achieve that goal.

Luckily, SplunkTrust member and Answers moderator rich7177 saw thijsvl’s question and rose to action! Not only did he give a beautiful rundown of the options available to thijsvl, rich7177 also listed the pros and cons of each setup. If you love forwarder setups as much as we do (✿╹◡╹), you’re going to want to read rich7177’s answer for yourself.

How do I make a Splunk query that generates stats grouped by account name?

Answers user bm1391 wants to make a query that, on a daily basis, groups failed login attempts by account name. That way, they could define normal behavior for accounts on their network so if someone attempts to log in outside of those parameters, the suspicious action could be labeled anomalous and investigated as a possible security threat.

For the most part, bm1391’s SPL does the trick. However, it did result in a problem. Instead of generating the statistics on only the account responsible for the failed login attempts, the query returned information on all accounts on the network. That was overkill!

Thankfully, Answers user kmaron came to their aid.

As it turned out, the problem was in the SPL: after the eventstats command there was no clause to group the returned statistics by account, so every row carried the same network-wide figures. kmaron suggested adding “by account” after the eventstats command, which fixed the issue.

Thanks kmaron for helping make Microsoft networks safer, one answer at a time.

You can check out the full post here.
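To make the eventstats point concrete, here is an added example of the per-account baseline bm1391 was after; it is written for this blog entry and is not bm1391's or kmaron's query. It assumes Windows Security logs in an index named wineventlog with the classic WinEventLog:Security source type, where failed logons are EventCode 4625 and the multivalue Account_Name field carries the target account as its last value; the index name and field layout are assumptions about your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-30d@d latest=@d
| eval account = mvindex(Account_Name, -1)
| bin _time span=1d
| stats count AS failures BY _time account
| eventstats avg(failures) AS avg_failures, stdev(failures) AS sd_failures BY account
| eval threshold = avg_failures + 3 * coalesce(sd_failures, 0)
| where failures > threshold
| sort - failures
| table _time account failures avg_failures sd_failures threshold
```

The stats line produces one row per account per day. The eventstats line is the part that mattered in the thread: with BY account, each row gets that account's own 30-day average and standard deviation; drop the BY clause and every row receives a single average computed across all accounts, which is exactly the "information on all accounts" symptom described above. The where clause then flags days that exceed three standard deviations above that account's norm. A sanity check worth running is to pick one known-noisy service account and confirm its avg_failures differs from a human user's; if they are identical, the grouping has been lost again.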

Okay, in the words of Tigger the tiger: "TTFN, ta ta for now!"

If you’re not ready for this blog to end, be sure to check out previous entries from the Smart AnSwerS series.

Also, if you want to learn more about Splunk and help others along the way, the Splunk community has you covered. Jump into a conversation on the Splunk Answers forum or the Splunk Community chat on Slack. The Splunk community would benefit from your insight!

Thanks for reading, and see you next time!

Matt St. John
