All Posts


Hey, thank you for being so helpful. Glad to say I solved it. It turns out I forgot to set it as a stats....
Quoting from the details tab - Vault Enterprise users can complete the Splunk app request form to request access to the app.
I note that it does not alert on the field that does not exist. When I make another file that doesn't have the field, it does warn.
Hi @manjunathmeti, thanks for the reply. I tried OUTPUT and it's the same behavior.
Your question is so vague we have no way of knowing what your problem is. I'm assuming you have an all-in-one installation (just one instance of Splunk Enterprise) installed on a single computer. Apart from that we know nothing. What data do you have in your Splunk environment? What are you doing when you say you're trying to search? What results do you get? Help us help you.
There is a typo in @richgalloway's suggestion; please try the below: index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | timechart span=1d sum(b) as usage | eval usage=round(usage/1024/1024/1024) | eval usage = tostring(usage, "commas")
Hi @cybersecnutant, yes, you should be covered. As @PickleRick described, there will be no change on remote storage; only your hot buckets will be replicated between the indexers' local storage until they roll to warm.
Ah, that makes sense. Thanks @manjunathmeti, I will hassle my ServiceNow contact and see if I can understand what he has done.
The link was just for reference; usually you need to deploy an app or integration in ServiceNow first so that the add-on on Splunk integrates with ServiceNow.
Hello, I'm so pleased to find this burgeoning community of professionals here. Please, I can't do any search whatsoever in my Splunk installation. It is installed locally on a Windows 11 machine, and after a lot of trial and error I had to install again on a second machine, and yet the same is the case. I can search from a pre-constructed query if I select it from there, but I can't type a thing myself into the search head. Please, I need your help.
Problem search:

index=imdc_nagios_hadoop sourcetype=icinga host=* "Load_per_CPU_core" "PROBLEM" | fields host | transaction host startswith="To:" | search "To: <mail-addr>" | rex field=_raw "Host:(?<src_host_1>.*) - Service:(?<Service_1>.*) State:(?<State_1>.*)" | rex field=_raw "Subject: (?<Subject>.*)" | rex field=Subject "PROBLEM - (?<src_host_2>.*) - (?<Service_2>.*) is (?<State_2>.*)" | rex field=_raw "(?<Additional_Info>.*)\nTo:" | eval Service= if(isnull(Service_1),Service_2,Service_1) ,src_host= if(isnull(src_host_1),src_host_2,src_host_1) ,State= if(isnull(State_1),State_2,State_1) | fields host ,Service,src_host,State,Subject,Additional_Info | lookup hostdata_lookup.csv host as src_host | table src_host,Service,State,_time, cluster, isvm | rename _time as Start_time | search isvm=N AND cluster=*EDGE* | eval Start_time=strftime(Start_time, "%m/%d/%Y - %H:%M:%S") | sort Start_time

Recovery search:

index=imdc_nagios_hadoop sourcetype=icinga host=* "Load_per_CPU_core" "RECOVERY" | fields host | transaction host startswith="To:" | search "To: <mail-addr>" | rex field=_raw "Host:(?<src_host_1>.*) - Service:(?<Service_1>.*) State:(?<State_1>.*)" | rex field=_raw "Subject: (?<Subject>.*)" | rex field=Subject "RECOVERY - (?<src_host_2>.*) - (?<Service_2>.*) is (?<State_2>.*)" | rex field=_raw "(?<Additional_Info>.*)\nTo:" | eval Service= if(isnull(Service_1),Service_2,Service_1) ,src_host= if(isnull(src_host_1),src_host_2,src_host_1) ,State= if(isnull(State_1),State_2,State_1) | fields host ,Service,src_host,State,Subject,Additional_Info | lookup hostdata_lookup.csv host as src_host | table src_host,Service,State,_time, cluster, isvm | rename _time as End_time | search isvm=N AND cluster=*EDGE* | eval End_time=strftime(End_time, "%m/%d/%Y - %H:%M:%S") | sort End_time

No, recovery has events. As I said, one search will give us "Icinga Problem" and I have another search that will give us "Icinga Recovery".
Using join on the Icinga Problem Start_time and the Icinga Recovery End_time, if the recovery takes more than 15 minutes, we need to trigger an alert.
Hi @manjunathmeti, thanks for the suggestion, but why would I do that? The link you sent relates to the app "Splunk Add-on for ServiceNow", whereas I am using the app "ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise". Thanks
Hi @KeithH, did you configure ServiceNow to integrate with your Splunk? If not, you can refer to this: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithSplunkEnterprise.
Hi @Bracha, try with OUTPUT. If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist in the events. If the OUTPUT clause is specified, the output lookup fields overwrite existing fields in the events.
Thank you for your help. When creating a sourcetype from Splunk Web, you can declare various character encodings under the CHARSET item, but I understand that even for the Shift-JIS encoding alone, several patterns such as SHIFT-JIS and SJIS are provided. Is there anyone who can explain the difference between these?
Hi, I have installed the "ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise" app and configured it using Basic Auth. When I try to send an event I get the error:

command="snsecingest", Unable to forward notable event

After putting some logging in the Python, I can see the error behind that is:

{"error":{"message":"Requested URI does not represent any resource","detail":null},"status":"failure"}

Even a simple curl straight to the endpoint fails with the same error. Does anyone know if this endpoint (supplied with the app) might have changed, or does it need to be created for each domain? The endpoint I have is: https://XXXXXXdev.service-now.com/api/sn_sec_splunk_v2/event_ingestion

Any suggestions would be appreciated. Thanks
I plan on going from RF1/SF1 to RF2/SF2 at the time. So should I be covered then?
The developer of the app has decided to make the app restricted, so only approved users can download it. If you are a HashiCorp Vault Enterprise user, there are instructions under the Details tab of the Splunkbase page with a link to the form for requesting access to the app.
I'm not aware of an app that can make an editable column in a table which would save to a lookup table. It sounds like a nice idea. The best thing I can suggest is to use a lookup in your search, and then near the table you can put a link to the lookup table as viewed with the lookup editor app. This way, users can see the comments in the table, then click on the link to open the lookup editor and make new comments (assuming the permissions allow it).
When I view this app (https://splunkbase.splunk.com/app/5093) on Splunkbase it shows that the download is restricted. Why is that? I would like to install it on our cloud stack.