However I am plotting 5m intervals and not hours like in the example above: Hi guys, I am trying to chart multiple days on the same line chart, kind of like in this (). Does anyone have any thoughts? Need help. I understand that this could be a two-fold problem, one is that my syntax is not optimized for the job at hand and the other being something that broke permissions on upgrade. ** 10:56:41,391 -0400 ERROR sendemail:1422 - Client is not authorized to perform requested action ** It complains about authorization to run the subsearch I guess? I've checked and reapplied capabilities to my account and I'm a full admin. The error in python.log probably as something to do with it. **| inputlookup vulnreporthostlookup.csv | stats values(Vulnerability) AS Vulnerability by Hostname | map maxsearches=25 search="|inputlookup vulnreporthostlookup.csv | search Hostname=\"$Hostname$\"| table Hostname, Vulnerability, Priority, Responsibility | sendemail subject=\"Scan result data for $result.Responsibility$ : $Hostname$\" message="" sendresults=true inline=true sendcsv=true"** So in this example, the subsearch would find up to 25 hosts and send 25 separate emails to an email address. What I'm trying to accomplish and what has been working up until the upgrade was that a map search would iterate over the hostnames, group all vulnerabilities for that host into a table, and send that as a separate email per host. The search pulls from a lookup table that contains vulnerability scan data containing four fields: Hostname, Vulnerability, Priority, and Responsibility. Recently upgraded from 7.2.3 to 8.0 and a previously configured scheduled alert is not longer sending emails correctly. Thanks in advance for your assistance with this undocumented error (at least in my search of the Internet), and for dealing with my pet peeve. | table _time, appName, transMethod, localrefid, token, eventcount, methodTime, _raw Which in turn leads to NOWHERE, none of the links work.ĪND (localrefid!="12345" AND localrefid!="null" OR localrefid!="") Searching this page for **literal** leads to If I Google this error **"Unable to parse the search: Right hand side of IN must be a collection of literals. **"Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. However, most software has a vast black hole around such messages. Obviously, a developer wrote the error code and its associated message. The difficult part that I have been struggling with is trying to add that step into the search above.Īny guidance or information that can be provided to help me learn would be appreciated.One of my biggest pet peeves about software is the lack of information around error messages. I have setup the input lookup table and the definition and I am able to run the lookup and extract the fields i need. I need to add an inputlookup command to display other fields associated to each host that is displayed in the search above. | table host, OS, CPU, "RAM (GB)", "LogicalDiskSpace (GB)" | eventstats sum(TotalDiskSpace) as "LogicalDiskSpace (GB)" by host ![]() | stats values(os) as OS, values(NumberOfProcessors) as CPU, values(RAM) as "RAM (GB)", values(DiskSpace) as TotalDiskSpace by host Index="index1" OR index="index2" sourcetype=WinHostMon (source=operatingsystem os="*" TotalPhysicalMemoryKB="*") OR (source=processor NumberOfProcessors="*") OR (source=disk DriveType=fixed TotalSpaceKB) I have the following search that lists the hosts with system information: As I am new to Splunk, sometimes I need to try things that are beyond my comprehension at this time.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |