All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Right. That was !=, not =. You're mostly interested in index=_internal component=AutoLoadBalancedConnectionStrategy host=<your_forwarder>
I have two weeks off, so I'll continue troubleshooting after that. In my opinion there are not any interesting stuff in _internal log. You can see it on the screenshot. I used cluster command to red... See more...
I have two weeks off, so I'll continue troubleshooting after that. In my opinion there are not any interesting stuff in _internal log. You can see it on the screenshot. I used cluster command to reduce log number. There is component != metric in SPL.    
Yes but keep in mind that this will not affect events that are currently in the one big index. New incoming events will be routed to other indexes if they match the corresponding transform regex. Ev... See more...
Yes but keep in mind that this will not affect events that are currently in the one big index. New incoming events will be routed to other indexes if they match the corresponding transform regex. Every transform in props.conf will be tried against the logs that match the stanza. This means that if a regex in a transform matches the event, then the index value of the event will be overwritten. If multiple regexes in the transforms match an event, then that event will be overwritten multiple times and will retain the value of the last transform whose regex matched. Therefore you should make the regexes strict so that logs that should go to newIndex do not accidentally go into newIndex1.
Hello I have one big index with lots of files which I want to reroute logs from there to different indexes The reroute will be by regex who is looking for the domain name in the logs For each doma... See more...
Hello I have one big index with lots of files which I want to reroute logs from there to different indexes The reroute will be by regex who is looking for the domain name in the logs For each domain i will create separate stanza in transforms.conf  for example : [setIdx-index1] REGEX = ^(?!.*{ "workflow_id": .*, "workflow_type": .*, "workflow_name": .*, "jira_ticket": .*, "actor": .*, "deployment_status": .*, "start_time": .*, "end_time": .*, ("app_name"|"additional_data"): .* }).*$ FORMAT = new_index DEST_KEY = _MetaData:Index LOOKAHEAD = 40000 my question is about props.conf how should i configure it if i have more than 1 index ? [index1] TRANSFORMS-setIdx = setIdx-index1 TRANSFORMS-setIdx2 = newIndex TRANSFORMS-setIdx3 = newIndex1 TRANSFORMS-setIdx4 = newIndex2 should it work ?
That means that your installation has not completed successfully. If you try to run the installer again does it start a clean installation or does it offer to repair/uninstall? Do you have a service ... See more...
That means that your installation has not completed successfully. If you try to run the installer again does it start a clean installation or does it offer to repair/uninstall? Do you have a service which should be starting the Splunk process in your system? Do your eventlogs say anything reasonable about the installation process? There might also be a log file from the installation in the %temp% directory (it should be called MSIsomething.log). You can also try to install Splunk again this time explicitly requesting to create a installation log. https://learn.microsoft.com/en-gb/windows/win32/msi/command-line-options?redirectedfrom=MSDN https://docs.splunk.com/Documentation/Splunk/9.2.2/Installation/InstallonWindowsviathecommandline
Hello Splunk Community, For compliance reasons, I need to figure out an efficient way to archive notable events that is generated from the correlation searches in enterprise security. My first thoug... See more...
Hello Splunk Community, For compliance reasons, I need to figure out an efficient way to archive notable events that is generated from the correlation searches in enterprise security. My first thought is to create an index for these notable events and configure dynamic data self storage. Is this a good solution and feasable in splunk enterprise ? I would appreciate any support here and thank you in advance !
Hello All, I have tried installing .net agent 24x version on my windows machine and used the .net agent configuration wizard to create tier for the default web site under the IIS pool and restarted... See more...
Hello All, I have tried installing .net agent 24x version on my windows machine and used the .net agent configuration wizard to create tier for the default web site under the IIS pool and restarted the IIS/Co-ordinator service I could see that in the SaaS controller only the machine agent is reporting but I don’t find the app agent in up status and the tier is not visible Note : Tried re-installing and restarting the services multiple times but it did not make any difference and enabled debug as well but in logs I don’t find any error only the messages of metric registration which is successful Any suggestions would be helpful Thanks in advance
No I do not. I have a folder under my user tab named .splunk and it was downloaded around the same time I initially installed the trial Splunk Enterprise. In this .splunk folder there is nothing as w... See more...
No I do not. I have a folder under my user tab named .splunk and it was downloaded around the same time I initially installed the trial Splunk Enterprise. In this .splunk folder there is nothing as well.
1. And you have the add-on installed on the HF? 2. Have you configured your F5 to properly export the data (AFAIR there's a section in the docs describing required configuration which needs to be pe... See more...
1. And you have the add-on installed on the HF? 2. Have you configured your F5 to properly export the data (AFAIR there's a section in the docs describing required configuration which needs to be performed on the F5's side)
You can write your own scripted or modular input calling the REST API and returning the downloaded results. Or write a script calling the API by curl or similar way and write results to a file. Then ... See more...
You can write your own scripted or modular input calling the REST API and returning the downloaded results. Or write a script calling the API by curl or similar way and write results to a file. Then you'd ingest the file contents.
There is indeed no link to docs on any kind provided with the app on Splunkbase. Judging by the description though (haven't downloaded the app myself) it's meant to run a scheduled search which will... See more...
There is indeed no link to docs on any kind provided with the app on Splunkbase. Judging by the description though (haven't downloaded the app myself) it's meant to run a scheduled search which will get the CIM-compliant data from one or more datamodels and then upload it to Trend Micro's environment for further processing.
If you installed the windows version of Splunk with the default settings it should have installed itself into C:\Program Files\Splunk directory. Do you have this directory?
I apologize. Yes the system I'm talking about is windows. I installed the trial version of Splunk Enterprise software onto my laptop. When the installation wizard popped up I left everything as defau... See more...
I apologize. Yes the system I'm talking about is windows. I installed the trial version of Splunk Enterprise software onto my laptop. When the installation wizard popped up I left everything as default settings and let the installation complete. What I was trying to do is open the bin, etc, and lib folders to follow along with a udemy class I was taking to see the /default and /local folders.
That app is an externally-developed app so the support is on the author. Unfortunately the app hasn't been updated since 2021 and it doesn't list Cloud compatibility on Splunkbase so I think it'd be ... See more...
That app is an externally-developed app so the support is on the author. Unfortunately the app hasn't been updated since 2021 and it doesn't list Cloud compatibility on Splunkbase so I think it'd be safe to assume the inputs should be configured on an on-prem HF.
There is no single good answer for this question. Firstly, you don't "query through firewalls". Splunk analyzes data it already has. So if you have the logs containing information about network sess... See more...
There is no single good answer for this question. Firstly, you don't "query through firewalls". Splunk analyzes data it already has. So if you have the logs containing information about network sessions from your firewalls, you can search that data. Secondly, searches are very powerful but are in some aspects limited. Most importantly, SPL is not your normal imperative programming language so "dynamically" tracking such sessions across not-predefined set of hops would be impossible to implement. You could however do a search matching sessions from one fw to another (or even to third and fourth). It might though - especially with bigger data sets - not be a very good solution performancewise. It could be possible thought to make a dynamic dashboard (it would require some client-side JS programming though to do it "nicely") to trace such sessions dynamically. It all depends on particular use case if the detailed goal is achievable and if it makes sense from the performance point of view.
We have no way of knowing what you're talking about. 1. What system are you talking about? Windows I presume. 2. Did you install the Splunk software on the machine? 3. Which one? Splunk Enterprise... See more...
We have no way of knowing what you're talking about. 1. What system are you talking about? Windows I presume. 2. Did you install the Splunk software on the machine? 3. Which one? Splunk Enterprise or Universal Forwarder? 4. Did you alter the installation process in any way? 5. Did the installation complete successfully? 6. What exactly are your trying to do now?
Hello, I am on Windows and am newer to Splunk and I have been doing so learning, so I was getting ready to follow along some modules. But when I went to try and open the \bin, I come to find out tha... See more...
Hello, I am on Windows and am newer to Splunk and I have been doing so learning, so I was getting ready to follow along some modules. But when I went to try and open the \bin, I come to find out that I don't even have the Splunk folder in my Windows folder! The only folder I can find with the name Splunk is a .splunk folder under my laptop user. Did I do something wrong in the installation process, and is there a way to resolve this?
I was wondering if there was a query to track flows through multiple firewalls For example I want to track the flow source IP ---> FIrewall A ---> Firewall B ----> Firewall N---> Destination ip ... See more...
I was wondering if there was a query to track flows through multiple firewalls For example I want to track the flow source IP ---> FIrewall A ---> Firewall B ----> Firewall N---> Destination ip I understand that accuracy is not going to be there when dealing with NATs/PAts and of course delays along the path.   However, if there are no delays and no nats I am wondering if this would be possible and what that would look like
Hi, We installed splunk_TA_onelogin app on Splunk cloud, however the set up page keeps on failing with message "The "OneLogin - Setup Page" app has not been fully configured yet.".   We verified the... See more...
Hi, We installed splunk_TA_onelogin app on Splunk cloud, however the set up page keeps on failing with message "The "OneLogin - Setup Page" app has not been fully configured yet.".   We verified the onelogin credentials working correctly. Question: Does the app works in Splunk cloud? Should we install it on heavy forwarder as there are input.conf and props.conf files inside the TA package. Thanks, FL
I figured it out. I was just missing the host and guest port numbers in the oracle VM, NAT Network "port forwarding" setting