All Posts
That sounds like a good recipe for indexer confusion, as they both assume that the buckets on the share are only managed by themselves. On the off-chance that your SAN supports an S3 API, you may be able to set up SmartStore, which would put the data redundancy and availability responsibilities on the SAN instead of the indexers. https://docs.splunk.com/Documentation/Splunk/9.2.2/Indexer/AboutSmartStore
It would be nice if you wrote what solved your problem. My suspicion is that either you had your setting on the wrong component or you referenced the wrong source (with WEF-forwarded events the add-on rewrites the source from the ForwardedEvents event log to the original event log the event was forwarded from).
Thanks for the response and the suggestion. I want to match on either "Host_Name" or "IP" from the lookup table. The Splunk "host" field in our configuration (misconfiguration) returns the DNS name for some hosts and the IP address for others. (Long story.) The lookup table has maybe 150 rows, so the subsearch isn't that resource-intensive. Using lookup instead of inputlookup seems like it would be clunky, but at this point I just want to make something work, so I'm all ears. To respond to your suggestions/comments:

1. "Join" seems the intuitive, clean option for my use case. The lookup table is small.
2. I don't want to "enrich" my events/logs; I want to filter them to only return logs where the Splunk host field matches the Host_Name OR IP fields from the lookup. (But at this point, I will take matching just one of the fields from the lookup table.) Can we construct a query that accomplishes this filter without using join and inputlookup?
3. Can anyone tell me why my query won't work?
1. Don't use the join command unless there is absolutely no other way. Usually there is. Yes, there are some valid use cases for join, but typically the same result can be achieved in a much "splunkier" way.
2. If you have a lookup, use the lookup command instead of doing strange tricks with join:

<your initial search> | lookup System_Hosts.csv Host_Name IP

And you're good to go: you'll get your events enriched with the lookup contents. One thing, though: are you sure you want to match on both IP and hostname? Unless you have some strange environment with duplicate network addresses, the IP alone should identify the host.
I've been debugging my inner join query for hours, and that's why I'm here with my first question for this community. We have a CSV lookup table with fields "Host_Name", "IP", and others, based on our known hosts that should be reporting. Note: in our Splunk logs, for some hosts the Splunk "host" field matches the lookup table "Host_Name" field, and some hosts match the "IP" field. For this reason, when we add a new host, we add 2 rows to the lookup, and place the host name and the IP in both fields of the lookup. (Long story.) Our lookup ("System_Hosts.csv") looks like this:

Host_Name     IP
Foo           Bar
ServerA       123.45.6.7
xyz           abc
123.45.6.7    ServerA
def           ghi
ServerB       ...and so on

Queries that don't work. (This is a very oversimplified stub of the query, but I'm debugging and brought it down to the smallest code that doesn't function):

index=myindex | join type=inner host [| inputlookup System_Hosts.csv | fields Host_Name, IP] | table host

(Removing one of the fields from the lookup, just in case I don't understand inner join and the Splunk host has to match both the "Host_Name" and "IP" lookup fields to return results):

index=myindex | join type=inner host [| inputlookup System_Hosts.csv | fields Host_Name]

(Removing the optional "type=inner" parameter also doesn't work as expected. Inner is the default type.)

Queries that DO work:

(To verify logs and hosts exist, and visually match the hosts to the lookup table:)

index=myindex | table host

(To verify the lookup is accessible, and the fields and syntax are accurate:)

index=myindex | inputlookup System_Hosts.csv | fields Host_Name, IP | table Host_Name, IP

(To make me crazy? Outer join works. But this just returns all hosts from every log.)

index=myindex | join type=outer host [| inputlookup System_Hosts.csv | fields Host_Name, IP] | table host

So these have been verified:
- spelling of the lookup
- spelling of the lookup fields
- permission to access the lookup
- syntax of the entire query without the "type=inner" optional argument

From my understanding, when this works, the query will return a table with hosts that match entries in the "Host_Name" OR "IP" fields from the lookup. If I don't understand inner join, please tell me, but this is secondary to making inner join work at all, because as you can see above, I try to match only the "Host_Name" field with no success. I'm pulling my hair out! Please help!
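The filter the question above asks for, written without join. This is an added example, not code from any post in this thread; it assumes the lookup file System_Hosts.csv with the fields Host_Name and IP exactly as described, a lookup of roughly 150 rows (well under the default subsearch result limit), and index=myindex as the base search. It also assumes the reason the posted inner join returns nothing: join host [...] needs the subsearch rows to carry a field named host, and inputlookup ... | fields Host_Name, IP produces no such field, so no row ever matches (and an outer join simply keeps every event). Both searches below therefore map the lookup columns onto host explicitly. The first search turns the lookup into a host filter in a subsearch; the second keeps the lookup-command approach the reply recommends but uses it purely as a filter rather than for enrichment.

```spl
index=myindex
    [| inputlookup System_Hosts.csv
     | eval host=mvappend(Host_Name, IP)
     | mvexpand host
     | where isnotnull(host) AND host!=""
     | dedup host
     | fields host]
| table _time host

index=myindex
| lookup System_Hosts.csv Host_Name AS host OUTPUT Host_Name AS matched_name
| lookup System_Hosts.csv IP AS host OUTPUT IP AS matched_ip
| where isnotnull(matched_name) OR isnotnull(matched_ip)
| table _time host matched_name matched_ip
```

In the first search the subsearch emits one row per distinct value from either column and Splunk rewrites it into (host="Foo") OR (host="Bar") OR ..., so an event is kept when host equals any Host_Name or any IP; because it becomes an ordinary search term, the match is case-insensitive. In the second search each lookup call matches host against one column and writes the matching value back into a new field; events that match neither column have both fields null and are dropped by where. lookup matching is case-sensitive by default, so if host values differ in case from the CSV, define the lookup in transforms.conf with case_sensitive_match = false instead of referencing the CSV file directly.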
https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers Generally, unless you're using httpout, you're good with whatever combination of versions from not-so-ancient releases you choose (actually I ran forwarders as far back as 6.6 with 9.0 indexers, but that's not officially supported). The only annoyance is with 9.x UFs and pre-9.0 indexers, because 9.x UFs generate internal events for an indexer non-existent on pre-9.0 indexers, so you end up with either warnings in splunk logs or events in your last-resort index.
Check the usage by sourcetype, index... Then check what kind of logs these are. We don't know your environment, we don't know your data.
I'm currently running Universal Forwarders with versions 9.0.0 and 9.0.1. These UFs were flagged for vulnerabilities associated with SVD-2023-0809. The fix would be to upgrade to 9.0.6. I'm running Splunk Enterprise 9.0.5. I need to know if UF 9.0.6 will be compatible with Splunk ES 9.0.5.
Yes. The license is generally version-agnostic.
@richgalloway , thank you so much it worked 
We have it set to f5:bigip:syslog
Hi, I have developed a dashboard relative to firewall metrics. I need to make my dashboard CIM compliant. Do I need my searches linked to the firewall data model with the firewall tstats data model (tstats where datamodel=....), or do I just need to create tags and eventtypes following the firewall data model? I don't understand anything, so can someone describe clearly all the steps for having my apps CIM compliant? Thanks
We still don't know *how* you are trying to extract fields. The erex command and the extraction wizard struggle with complex events, so consider using one of the commands suggested by @yuanliu. If you only need a few fields, you may have some luck using the rex command to extract them.
I have a Splunk 8.2.9 and I wanted to upgrade to version 9. Can i use the same license after upgrade?
No, limits.conf has nothing to do with the fact that the "graphical" extractor can guess your settings in only relatively basic cases (and can do it well in even rarer ones). If your events are properly formatted XML entities, you should rather use KV_MODE=xml in your sourcetype settings.
Try connecting directly to one of your search heads (through ssh tunnel if needed) and see if IR is showing now and investigate your haproxy.conf
Hello, if you have these errors while loading Incident Review and you are behind an haproxy server, there is probably a misconfiguration. Possible web errors:

Error loading some filters
Updating...
Waiting for data...
Hello @., did the reply from Sunil help? If so, please click the 'Accept as Solution' button. If not, reply on this thread to keep the conversation going.
Subject moved to https://community.splunk.com/t5/All-Apps-and-Add-ons/Solution-Splunk-Enterprise-Security-ES-incident-review-not/m-p/694084/thread-id/80869#M80870