Also requesting a working way of adding newline to description in a servicenow incident generated by this addon
Hello everyone, Please check the below data:

ERROR 2024-08-09 14:19:22,707 email-slack-notification-impl-flow.BLOCKING @3372f96f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 5-03aca501-42b3-11ef-ad89-0a2944cc61cb] error.notification.details: {
  "correlationId" : "5-03aca501-42b3-11ef-ad89-0a2944cc61cb",
  "message" : "Error Details",
  "tracePoint" : "FLOW",
  "priority" : "ERROR",
}
ERROR 2024-08-09 14:19:31,389 email-slack-notification-impl-flow.BLOCKING @22feab4f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 38de9c30-49eb-11ef-8a9e-02cfc6727565] error.notification.details: {
  "correlationId" : "38de9c30-49eb-11ef-8a9e-02cfc6727565",
  "message" : "Error Details",
  "priority" : "ERROR",
}

The above 2 blocks of data are coming in as one event, but I want them to be 2 events, each starting from the keyword "Error". Below is my props.conf entry for the same, but it is not working:

[applog_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = date
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ERROR\s+

Please help me fix this. Thanks in advance!
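As an added example (not from the thread), this Python check applies the kind of event-boundary regex one would put in LINE_BREAKER to the posted sample and confirms it yields two events, one per "ERROR <timestamp>" header; the props.conf stanza in the comments is a suggested replacement for the poster's, not something the thread supplies.

```python
import re
from typing import List, Optional

# Constructed sample: the two ERROR blocks from the post, arriving as one chunk.
RAW = (
    "ERROR 2024-08-09 14:19:22,707 email-slack-notification-impl-flow.BLOCKING @3372f96f]\n"
    "error.notification.details: {\n"
    '  "correlationId" : "5-03aca501-42b3-11ef-ad89-0a2944cc61cb",\n'
    '  "priority" : "ERROR",\n'
    "}\n"
    "ERROR 2024-08-09 14:19:31,389 email-slack-notification-impl-flow.BLOCKING @22feab4f]\n"
    "error.notification.details: {\n"
    '  "correlationId" : "38de9c30-49eb-11ef-8a9e-02cfc6727565",\n'
    '  "priority" : "ERROR",\n'
    "}\n"
)

# Suggested props.conf (assumption, not the poster's config):
#   [applog_test]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=ERROR\s+\d{4}-\d{2}-\d{2}\s)
#   TIME_PREFIX = ^ERROR\s+
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
#   MAX_TIMESTAMP_LOOKAHEAD = 23
# Splunk discards capture group 1 of LINE_BREAKER as the separator; the lookahead
# leaves "ERROR ..." at the start of the next event. Python's re.split returns the
# captured separators too, so they are dropped below to mirror Splunk's behaviour.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=ERROR\s+\d{4}-\d{2}-\d{2}\s)")
TIMESTAMP = re.compile(r"^ERROR\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")


def split_events(raw: str) -> List[str]:
    """Split a raw chunk into events at each newline that precedes an ERROR header."""
    parts = LINE_BREAKER.split(raw)
    # parts alternates [event, separator, event, separator, ...]; keep the events
    return [p.strip() for p in parts[::2] if p.strip()]


def event_timestamp(event: str) -> Optional[str]:
    """Return the timestamp TIME_PREFIX/TIME_FORMAT would pick up, or None."""
    m = TIMESTAMP.match(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ev in split_events(RAW):
        print(event_timestamp(ev), "|", ev.splitlines()[0])
```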
Following up... I am facing the same issue... running Splunk Enterprise version 8.2.6.1.
Hi @rajan_kumar_rai , I didn't have experience on this issue after that (8 years ago). If you still have this issue, open a case with Splunk Support. But before that, update your Splunk because I'm not sure that your release is still under maintenance. Ciao. Giuseppe
Facing the same issue in Splunk Enterprise version 8.2.6.1. Any fix? Workaround? Please share!!
Facing exactly the same issue in Splunk Enterprise version 8.2.6.1. Any fix or workaround?
Hi @gcusello , Did you get the solution for this issue?  I am using Splunk v8.2.6.1 and I am facing the same issue. Please help if you have any solution for this!
Hi Splunkers, I am monitoring my websites using Splunk website monitoring. I have configured an alert which sends me an email alert whenever my website goes down or takes time to respond. Now I want that whenever my website comes back UP again or functions normally, I should also receive an alert email to notify me that the website is working fine now. Could you please shower your knowledge here and help me set up this alert. TIA.
Hi Ismo, This solution seems to be amazing. However, I will have to try to solve this as far as possible without installing an extra app. Best regards, Sherwin
Hi, this is a known issue. You cannot disable some apps via the GUI. Fortunately you could try this app to disable SSG and some others: https://splunkbase.splunk.com/app/7319 r. Ismo
Hi @sherwin_r , this should occur if you try to enable some input in Secure Gateway not by itself, did you do it? Ciao. Giuseppe
Hi @sidnakvee , did you install the Splunk_TA_Windows add-on (https://splunkbase.splunk.com/app/742) on your PC? In addition, remember that, as @KendallW hinted, you need to enable the inputs you want, copying the inputs.conf from the default to the local folder. In addition, in these stanzas you have to add the row: index = winpc There's another check that you could perform: run the search index=_internal and view the hosts; do you see the hostnames of your PCs? Same procedure for Sysmon: download and install the Splunk Add-On for Sysmon (https://splunkbase.splunk.com/app/5709) on your PCs, check the enablement state of the inputs and enable the ones you like, adding the index option. Ciao. Giuseppe
Hi @gcusello , Thanks for the quick response. I want to do this because my Splunk installation does not have access to the internet and Secure Gateway therefore logs a lot of errors. Regards, Sherwin
Hi @sherwin_r , the only way to disable an app in a clustered environment is to modify the app.conf file in the app's local folder (if not present, copy it from default) on the deployer (the app is located in the shcluster folder) and push the modified app to the cluster. But why do you want to do this? Ciao. Giuseppe
I'll try this next , okay
I am trying to disable the Splunk Secure Gateway app in a clustered environment. However, I don't see an option to disable the app in Apps -> Manage Apps. It only displays the current status of the app, which is "Active". I also tried the same in a single node installation, where there is an option to disable the app just next to its current status in the same menu, i.e. Apps -> Manage Apps. So, how can I disable the Splunk Secure Gateway in the clustered environment?
Another remark. You shouldn't ever install any additional module directly into Splunk's Python! If there is something you need, then create an app (see dev.splunk.com) and add those libraries under it.
Case does matter - as far as Splunk is concerned they are two different hosts - you could try converting to lower case:

(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*)
| eval asset_name=lower(coalesce(dv_name, host))
| stats dc(index) as idx_count, values(index), values(dv_os), values(dv_install_status) by asset_name
Try running the search in the search app and look at the job - here I have done a similar search, but I don't have access to your data and my indexes don't hold any data as far back as a year, so I have used the last hour and the same time the previous day:

index=_audit
  [| makeresults
   | eval latest=relative_time(now(),"@h")
   | eval row=mvrange(0,2)
   | mvexpand row
   | eval latest=relative_time(latest,"@h-".row."d")
   | eval earliest=relative_time(latest,"-1h")
   | table earliest latest]
| bin span=1h _time
| stats count by _time

Go to Inspect Job, then Job Details Dashboard, and look at the Map Phase Search String. You should see the time periods being searched. They will be in epoch time, so you can copy them into another search to show their formatted versions. Do yours correlate to the values you were expecting?
Hi @KendallW Does the coalesce or rename command treat the hostnames differently if they differ in case? One is lower case in one index and the other index has the same hostname in upper case. Is the merge case sensitive? For example, HOST01, which is one of the values in the host field of index=windows, is actually host01 in index=cmdb (under the dv_name field). That explains why the consolidation via coalesce or rename isn't working.