Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kitkit321
kitkit321
Explorer
Member since:
09-03-2020
11-14-2023
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 09-03-2020 |
Activity Feed
- Posted Re: How to get the sourcetype in an index and its types like int, string or char etc by api on Splunk Search. 07-09-2023 11:28 PM
- Posted How to get the sourcetype in an index and its types like int, string or char etc by api? on Splunk Search. 07-06-2023 07:27 PM
- Tagged How to get the sourcetype in an index and its types like int, string or char etc by api? on Splunk Search. 07-06-2023 07:27 PM
- Posted How to redirect uf log to specific index in indexer on Getting Data In. 01-14-2021 04:24 AM
- Posted Re: How to group different ip in the input.conf and props.conf on Getting Data In. 10-20-2020 11:48 PM
- Posted How to group different ip in the input.conf and props.conf on Getting Data In. 10-20-2020 09:51 PM
- Posted Re: Question for lookup a large blacklist IP on Splunk Search. 09-06-2020 06:44 PM
- Karma Re: Question for lookup a large blacklist IP for bowesmana. 09-06-2020 06:43 PM
- Posted Re: Question for lookup a large blacklist IP on Splunk Search. 09-04-2020 02:50 AM
- Posted Re: Question for lookup a large blacklist IP on Splunk Search. 09-04-2020 12:18 AM
- Posted Re: Question for lookup a large blacklist IP on Splunk Search. 09-03-2020 11:17 PM
- Posted Question for lookup a large blacklist IP on Splunk Search. 09-03-2020 10:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-09-2023
11:28 PM
How can i use the api to do it?
... View more
07-06-2023
07:27 PM
Hi all, I am new to API. I want to use api to get all the sourcetype and its type in the index. what should I do ? Many Thanks.
... View more
- Tags:
- api
Labels
- Labels:
-
other
01-14-2021
04:24 AM
Hi everyone, I would like to ask how to redirect uf log to a specific index in indexer. I cannot modify the uf outputs.conf so is there any other method that can allow me to put the log in other index rather than the main index(UF default setting). the source type is WinEventLog Or is there any method that can control the outputs.conf in indexer level? assuming there is only one indexer and one uf
... View more
Labels
- Labels:
-
indexer
-
universal forwarder
10-20-2020
11:48 PM
is that possible listen in the same port?
... View more
10-20-2020
09:51 PM
Hi All, here is the question. I have some logs form 4 ips and received them at udp 514, for example is 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4 1.1.1.1 and 2.2.2.2 are same sourcetype 3.3.3.3 and 4.4.4.4 are same sourcetype. For now, my approach is input.conf [udp://1.1.1.1:514] index = test sourcetype = pan:firewall [udp://2.2.2.2:514] index = test sourcetype = pan:firewall [udp://3.3.3.3:514] index = test sourcetype = cp_log [udp://4.4.4.4:514] index = test sourcetype = cp_log prof.conf [host::1.1.1.1] TRANSFORMS-throw_dns = throwdns [host::2.2.2.2] TRANSFORMS-throw_dns = throwdns [host::3.3.3.3] TRANSFORMS-throw_ntp = throwntp [host::4.4.4.4] TRANSFORMS-throw_ntp = throwntp As you can see it in the input.conf and props.conf 1.1.1.1 and 2.2.2.2 share the same configuration. 3.3.3.3 and 4.4.4.4 share the same configuration. Is there any method to group them up ?
... View more
Labels
- Labels:
-
inputs.conf
-
props.conf
09-04-2020
02:50 AM
Thank you for your help. If I don't use lookup, is there any suggestion to perform the blacklist?
... View more
09-04-2020
12:18 AM
index=test dst_ip=* OR src_ip=* | lookup blacklist.csv src_ip as ip OUTPUT ip as foundIp | where !isnull(foundIp) After i perform the search, the error message is Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
... View more
09-03-2020
11:17 PM
However, the csv is one contain 1 column, it is just like ip 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4. Since there is no 2 columns in the csv, i think i cannot use the lookup command. In other word, how can i use dst_ip or src_ip to search in the blacklist.csv?
... View more
09-03-2020
10:07 PM
Dear All, I encounter a question on setting up a blacklist ip use case. I create a blacklist.csv which stored over 500,000 record and the format is like BlacklistIP x.x.x.x abc.com y.y.y.y bcd.com I use the following search index=test dst_ip=* OR src_ip=* [ | inputlookup blacklist.csv | fields BlacklistIP | rename BlacklistIP as query] however, I discovered that splunk is limited the subsearch to 10000 result. If the 1.1.1.1 is in col 1000 and the src_ip/dst_ip is 1.1.1.1, it appears in the search result. If the 3.3.3.3 is in col 30000, even the src_ip/dst_ip is 3.3.3.3, it is not appear in the search result. If the 4.4.4.4 is in col 50000, even the src_ip/dst_ip is 4.4.4.4, it is not appear in the search result. After i change the subsearch limit in the limit.conf, maxout = 1,000,000 maxtime = 240 ttl = 600 The result contain 3.3.3.3 but 4.4.4.4 is still not appear. Also, the search is taking a long time, may be around 5 to 6 mins. here is the hardware spec. Splunk Enterprise Server 8.0.4 Linux, 7.64 GB Physical Memory, 8 CPU Cores Mode: Standalone Is there any suggestion for me? Thank you for help!
... View more
Labels
- Labels:
-
lookup
-
search job inspector
