
What do you have in the raw event, and how have you defined timestamp extraction in props.conf?

I recommend first running a search using only inputlookup to ensure that your IP addresses are returning properly:

    | inputlookup known_addresses.csv

You should get a single column of addresses with the "ip" field name:

    ip
    192.168.1.1
    123.123.123.123
    222.111.133.111

Then you can put it into a negated search filter in your main search. (I haven't checked your regex, so I assume it works to create a field "ip" with an IP address value.)

    index=myindex
    | rex field=_raw "(?<ip>\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)"
    | search NOT [| inputlookup known_addresses.csv]
    | sort ip
    | table ip

If the regex does not work, you can try this one:

    index=myindex
    | rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | search NOT [| inputlookup known_addresses.csv]
    | sort ip
    | table ip

You may also want to put dedup at the end, to remove duplicate IP addresses:

    ... | dedup ip
Currently working on a data retention log collection policy to meet M-21-31, and not sure if the below config would meet the requirement.

Current requirement:
  Hot: 6 months
  Warm: 24 months
  Cold: 18 months
  Archive or Frozen: 18 months
with data ceiling and data deletion.

Add these configs to the index stanza to meet the above requirements. If not, please let me know what the setting and/or config would look like.

indexes.conf (add the below config to the index stanza):

    maxHotSpanSecs = 15778476            - would provide around 6 months of hot bucket data
    maxHotIdleSecs = 15778476
    NOT sure about the warm bucket setting to get 24 months of warm bucket data
    coldPath.maxDataSizeMB = 47335428    - would provide around 18 months of cold bucket data
    frozenTimePeriodInSecs = 47335428    - would provide around 18 months of archive / frozen data
    coldToFrozenDir = "$SPLUNK_HOME/myfrozenarchive    - send archive/frozen data to this location so it is not deleted
Hello, I have timestamps that are not matching. How do I table the actual "Event log time stamp"?

    Splunk time stamp          Event log time stamp
    8/14/24 4:29:21.000 AM     2024-08-13 17:49:23,006 [https-mmme-nio-1111-exec-2] ERROR
Currently you must create an idea for this at ideas.splunk.com, if there isn't one already.
At least some changes could be found in the _configtracker index.
I don't necessarily need the eval, I just need it to output to the extra field in the table. Output from running the custom command looks like the following:

    | nslookupsearch testcmd

Output example: 10.10.10.10
I have a CSV with IP addresses. I would like to conduct a search for addresses that are NOT listed in that CSV. I was attempting the following but it does not render the results I was expecting. I want to search for IP addresses that are not in that list, i.e. unknown addresses.

Splunk Enterprise Security

    index=myindex
    | rex "(?<ip>\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)"
    | sort ip
    | table ip NOT [inputlookup known_addresses.csv]
You didn't say why you need eval. Can you show the real output of your custom command?

I suspect you want to know about priority alerts, but how will Splunk magically know about this? It's always better to give good context to the Splunk community, so what is P1C? And JMET sounds like some internal Splunk environment company code (which you should anonymise).

Unless you have, say for instance, P1C in the saved search title name, example: my_search_P1C, Splunk will not be able to find it or filter on it. Or you will need to use the eval command and, for each saved search that you know is a P1C, assign an eval field called priority, but this will require a lot of work.

Tip: As ever, it's always best practise to have good business naming conventions; it makes things easier in the long run.

Example using makeresults to assign P1C:

    | makeresults count=2
    | streamstats count as search_num
    | eval title=case(search_num=1, "my_savedsearch1", search_num=2, "my_savedsearch2")
    | eval priority=if(title=="my_savedsearch1", "P1C", null())
    | fields - search_num
Please read this: https://docs.splunk.com/Documentation/Splunk/9.3.0/Installation/ChoosetheuserSplunkshouldrunas It describes how Splunk works on Windows and which kind of user you should select to fulfill your requirements.
Have you read and followed the steps in this document? https://docs.splunk.com/Documentation/Splunk/9.3.0/Indexer/Migratenon-clusteredindexerstoaclusteredenvironment Based on your comments and questions and where you currently are, I doubt it! We cannot help you without knowing what exactly you have done! I hope that you have written down a journal and can share it. Also, you must check what you have in the nodes' splunkd.log.
If DB Connect is not supported with your current Splunk version, then plan to upgrade Splunk to the supported levels to do what you want. If it's not supported, sometimes you can still install it and it may work, but you take that risk, and that's not advisable for production environments.
Hey Giuseppe, I followed all of your steps for HA configuration. Built a new search head, master node, and new indexer. I enabled clustering and added the search head and newly built indexer to the cluster. Once I added the once-standalone Splunk server to the cluster, the Splunk service wouldn't start. And now it fails when I try starting it. Any idea why this would be?
Getting data in requires a number of steps and investigation work. Some high-level notes/tips:
1. The first thing you need to do is to determine what data you want from Cloudflare; they offer a number of services, right?
2. Investigate what options they provide for getting the data you want: logs, API, syslog etc.
3. Then look and explore Splunkbase (type in Cloudflare) and see if there is an add-on (this is what typically helps you collect the data). You will need to do some homework and find out if it meets your methods of getting the data from step 2.
Once you have this, you need to deploy the TA as per the instructions and connect to the data source.
Hello, thank you for the response. I had taken captures; there are only 2 lines followed by an ACK and a FIN, ACK:

    TLSv1.2  Client Hello
    TLSv1.2  Server Hello, Certificate, Server Key Exchange, Server Hello Done
    TCP      [ACK]
    TCP      [FIN, ACK]

I understood the issue is with the client certificate. Can you kindly help me answer the below:
Where do I find the certificates that are used by TA-cisco-cloud-security-umbrella-addon in Splunk?
What is the path/location of the certificate store used by the TA-cisco-cloud-security-umbrella-addon?
Can I keep my once-standalone server, now one of my indexers, as the deployment server? Or do I need to designate another server as the deployment server?
Currently working on these steps. I have copied the indexes.conf from the standalone to the master node. Will I need to copy that config file to the new indexer as well?
This indicates that the SSL certificate is either missing from the certificate store or has expired in the add-on. Additionally, if the server is configured to use a self-signed or third-party certificate, it may not be included in the certificate store used by the add-on.
Hi @Jonathan.Wang, I found this existing post that talks about the same issue. Check it out and let me know if it helps. https://community.appdynamics.com/t5/Java-Java-Agent-Installation-JVM/Install-Events-service-Error/m-p/52419