Hi, in our organization we use WEF to monitor Windows. We configure an inputs.conf for monitoring from the Event Viewer. The PowerShell events (mainly event codes 800 and 4103) are received too long and we want to cut the duplicated data. We tried various tests with props.conf and transforms.conf and nothing works. Here are some of the stanzas we tried in props.conf:

[source::"XmlWinEventLog:Windows PowerShell"]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

[source::XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

Also, I wanted to make sure the inputs.conf stanza for PowerShell is correct when I use:

renderXml = true

over:

wec_event_format = rendered_event
Correct. The _raw field contains the data in the event that is indexed in Splunk. This data can differ from the raw data of the sending device depending on the index-time processing has been applied to it.
_raw data exported from a search query. This is not the actual raw data stream from the sending device, correct? This is the data after any default rules have been applied at index time.
It's not that those indexes *should* not be replicated, it's that it's not a big deal if data is lost from them so you can save storage by not replicating them.  If you have a low risk tolerance then feel free to set repFactor = auto for those indexes (it won't hurt anything).
I apologize. It does in fact work in a standard search window. However, the panel in the dashboard studio does not. Thanks for your time. 
OK Please share some representative sample events (anonymised as necessary) demonstrating how this solution fails.
Thanks, but no dice. 
Let's get back to basics: When your events are broken, using search technique to cope is the last thing to consider. Can you post sample raw file, the exact event contents Splunk receives, and your properties.conf stanza corresponding to this sourcetype?  Without data, volunteers have nothing to go on.
DS is not aware of the structure and functionality of deployment apps. What is your use case? What do you want to achieve?
Try something like this:

| appendpipe [| stats count as "Total impact %" | where 'Total impact %'=0]
Hi @Naa_Win , it's always a best practice that all the Splunk Servers (so also DS) send their logs to the Indexers. So you could create an input on the DS that monitors the files in the /opt/splunk/etc/deployment-apps folder, so they are indexed. Then you could display them in a custom dashboard, but it's all to develop, I don't know anything already existent. Ciao. Giuseppe
Hi @anil1219, there's a request in Splunk Ideas to add a feature to do this, please upvote it! Anyway, using the solution you shared you should have 0 instead of "no results found". For the green colour, in the classical interface dashboards (I'm not still using Dashboard Studio) you should click on the pencil button in the panel of your dashboard. Then you can choose the colour and set the range for your colours. Ciao. Giuseppe
Hi @marka3721, in this case, check the regexes used in transformations: take some log samples and put them in regex101.com; then use this regex and see what it captures as group1:

^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)

If it captures the correct extension of the sourcetype it's correct; otherwise, modify it to adapt it to your different log format. Only one final question: what's the sourcetype of your logs? It should be fortigate_log or fgt_log, otherwise transformations aren't taken into consideration. Ciao. Giuseppe
Hi @Naa_Win, try this, even if I did it more than five years ago, but it should still run!

| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd

Ciao. Giuseppe
| eval "Plugin ID"=mvjoin('Plugin ID',", ")." "
Dozens of posts on these topics. I've tried makemv, fieldformat, tostring, tonumber, all to no avail. So I'm just going to paste my query in hopes someone can help me out. I have placed them after the stats call but am having no luck.

query | stats list(Plugin) by Host, OS, App, Manager | rename list(Plugin) as "Plugin ID"

The result is either one or several numbers in a single field, Plugin ID. I would prefer to delimit those results by comma (and align left for the single value results if possible). Instead of (the lines are supposed to represent the cell/field):

______________
204188 193574_______
______193574__

I would like them on a single line, wrapping where necessary:

204188, 193574
193574_______

Any assistance would be appreciated.
In the _cluster app on the cluster manager there is an indexes.conf file that specifically sets repFactor to 0 for the _introspection, _telemetry, _metrics, and _metrics_rollup indexes. Is there a reason these indexes should not be replicated? Thanks.
Hi @woodcock, do you know if this effort to re-architect Splunk you were referring to back in 2019 has been finished/released at all?  I'm interested in what the vision was to be back then.  Thank you!
Hi Rajesh, sorry for the delay in my reply. I tried to make the curl that you asked me, but I'm afraid I can't do it, or install it. Should I re-install the operator? Thank you very much for the help. Regards, Gustavo Marconi