All Posts

1. It's more of a PowerShell question than a Splunk one. 2. For simple file monitoring it's easier to use UF (or other solutions capable of writing to a HEC endpoint if you find UF "too big" or "too closed source"). 3. You haven't even told us at which point this error is raised.
Hi there, I'd like to have a dedicated threat intel feed which goes to a custom created lookup (non-default), is that even possible?   
Hi @bhaskar5428, here you can find all the information: https://hurricanelabs.com/splunk-tutorials/the-indexed-extractions-vs-search-time-extractions-splunk-case-study/ Anyway, you can add INDEXED_EXTRACTIONS to props.conf on the UFs and/or the SHs, like this:

[your_sourcetype]
INDEXED_EXTRACTIONS = JSON

or in search:

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" | spath

Ciao. Giuseppe
Hello Jubin.Patel, Thanks for posting the question on the community. The Controller determines the status of DB agents with the same name based on the latest start time. Hence we can fetch the last agent start time from the controller DB and then judge which one is active / passive. Please access the controller and use the query below (you need to use the real account name in this SQL):

select acn.name as nodeName,
       ag.type as agentType,
       ag.agent_version as agentVersion,
       from_unixtime(ag.last_agent_start_timestamp/1000) as lastAgentStartTime
from application app
inner join application_component ac on ac.application_id = app.id
inner join application_component_node acn on acn.application_component_id = ac.id
inner join application_component_node_agent_mapping acnm on acnm.application_component_node_id = acn.id
inner join agent ag on ag.id = acnm.agent_id
inner join account a on a.id = app.account_id
where a.name = '<account name>' and ag.type = 'DB_AGENT';

(E.g.)

mysql> select acn.name as nodeName, ag.type as agentType, ag.agent_version as agentVersion, from_unixtime(ag.last_agent_start_timestamp/1000) as lastAgentStartTime from application app inner join application_component ac on ac.application_id = app.id inner join application_component_node acn on acn.application_component_id = ac.id inner join application_component_node_agent_mapping acnm on acnm.application_component_node_id=acn.id inner join agent ag on ag.id=acnm.agent_id inner join account a on a.id = app.account_id where a.name='xxxxxxxx' and ag.type = 'DB_AGENT';
+---------------------------------------------+-----------+-------------------------------------------------------------------------------+--------------------------+
| nodeName                                    | agentType | agentVersion                                                                  | lastAgentStartTime       |
+---------------------------------------------+-----------+-------------------------------------------------------------------------------+--------------------------+
| cDBAgent_Mao|host:cDBAgent-Secondary-Mao    | DB_AGENT  | Database Agent v24.5.0.4126 GA compatible with 4.5.2.0 Build Date 2024-05-15  | 2024-07-16 05:48:48.8930 |
| cDBAgent_Mao|host:cDBAgent-Primary-Mao      | DB_AGENT  | Database Agent v24.5.0.4126 GA compatible with 4.5.2.0 Build Date 2024-05-15  | 2024-07-16 05:48:48.8890 |
+---------------------------------------------+-----------+-------------------------------------------------------------------------------+--------------------------+
2 rows in set (0.00 sec)

Hope this helps. Best regards, Xiangning
Hi, I try to send logs from my Windows server to Splunk via PowerShell but I get this type of error:

Cannot convert value to type System.String.

This is my code:

# Function to send log files with HEC
function Send-LogToSplunk {
    param (
        [string]$filePath
    )
    $logContent = Get-Content -Path $filePath -Raw
    $fileName = [System.IO.Path]::GetFileName($filePath)
    $fileDirectory = [System.IO.Path]::GetDirectoryName($filePath)
    $splunkServer = "$splunkHost/services/collector/event"
    $header = @{"Authorization" = "Splunk $splunkToken"}
    $payload = @{
        event = $logContent
        host = $env:COMPUTERNAME
        sourcetype = "log"
        source = $filePath
    } | ConvertTo-Json
    #Write-Host "Log Content $logContent";
    #Write-Host "Payload to be sent: $payload";
    Write-Host "FileDirectory $fileDirectory";
    try {
        $response = Invoke-RestMethod -Method Post -Uri $splunkServer -Headers $header -Body $payload
        Write-Host "Log sent successfully: $fileName"
    } catch {
        Write-Host "Failed to send log: $filePath Code Error: '$global:errorConnectionCode'"
        Write-Host "Error details: $_"
        Exit $global:errorConnectionCode
    }
}

Thanks in advance
Hi, we recently installed the Veeam App for Splunk and put the logs from our Veeam Backup & Replication and Veeam One server into it. Unfortunately we are getting no data in the Veeam Data Platform Monitoring or Veeam Security Events section. We can see the raw logs and also the fields. Does anyone have an idea why we are getting no data in the Veeam app? Best regards
Btw, I tried the rex below; any idea why it's not showing any records?
Can you please suggest how to use INDEXED_EXTRACTIONS = JSON or spath? I mean any example, and what the benefits are.
So basically I would like to find all error codes with their order id. I want to use the main search below:

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE

So what I posted earlier is part of the above search. I want to extract all errorCodes and their order id. Later I am planning to put a bar chart for the same based on range. Hope you got the requirement.
Hi @bhaskar5428, this is the regex to extract the highlighted fields:

| rex "\"orderId\":\"(?<orderId>[^\"]+)\"},\"error\":\{\"errorCode\":\"(?<errorCode>[^\"]+)\""

that you can test at https://regex101.com/r/XkBntG/1, but I suggest trying INDEXED_EXTRACTIONS = JSON or spath. Ciao. Giuseppe
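The two approaches contrasted in this answer, a rex pattern versus parsing the embedded JSON, side by side in Python as an added example that is not part of the original thread. FAILED_EVENT is the JMS log line posted in the thread, trimmed to two transaction items; SUCCESS_EVENT and the repeated event are constructed here to show an order without an "error" block and the "dedup on order id" count the asker mentions.

```python
from __future__ import annotations

import json
import re
from collections import Counter
from typing import Optional

# Sample input, constructed for this example. FAILED_EVENT is the JMS log line posted in
# the thread, trimmed to two transaction items; SUCCESS_EVENT is made up here to show an
# order that has no "error" block.
FAILED_EVENT = (
    'message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, '
    'idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, '
    'message={"transactionItems":['
    '{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED",'
    '"accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},'
    '{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED",'
    '"accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],'
    '"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},'
    '"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]'
)
SUCCESS_EVENT = (
    'message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, '
    'idempotencyId=00000000-0000-0000-0000-000000000001, processId=PE2400000000001, delivApp=null, '
    'message={"transactionItems":[],'
    '"orderStatusResponse":{"orderStatus":"ORDER_SUCCESS","orderId":"00000000-0000-0000-0000-000000000001"}}]'
)
# The failed order is logged twice, as it would be on a retry; the count below must not double it.
SAMPLE_EVENTS = [FAILED_EVENT, SUCCESS_EVENT, FAILED_EVENT]

# The rex from the answer above, in Python syntax ((?P<name>...) instead of (?<name>...)).
# It matches only when the "error" object immediately follows "orderStatusResponse", so a
# change in key order or whitespace breaks it; that fragility is why spath is preferred.
REX_EQUIVALENT = re.compile(
    r'"orderId":"(?P<orderId>[^"]+)"\},"error":\{"errorCode":"(?P<errorCode>[^"]+)"'
)


def extract_with_regex(event: str) -> Optional[tuple[str, str]]:
    """Text match, like | rex: returns (orderId, errorCode) or None when the pattern misses."""
    m = REX_EQUIVALENT.search(event)
    return (m.group("orderId"), m.group("errorCode")) if m else None


def extract_with_json(event: str) -> Optional[tuple[str, Optional[str]]]:
    """Structured parse, like spath on the JSON part: returns (orderId, errorCode).

    raw_decode stops at the end of the JSON object, so the trailing ']' of the bracketed
    header and the nested braces inside transactionItems are handled correctly.
    errorCode is None when the order has no "error" block.
    """
    start = event.find("message={")
    if start == -1:
        return None
    obj, _ = json.JSONDecoder().raw_decode(event, start + len("message="))
    order_id = obj.get("orderStatusResponse", {}).get("orderId")
    if order_id is None:
        return None
    return order_id, obj.get("error", {}).get("errorCode")


def count_errors_by_order(events: list[str]) -> dict[str, int]:
    """Count each errorCode once per orderId, i.e. | dedup orderId | stats count by errorCode."""
    seen: set[tuple[str, str]] = set()
    counts: Counter[str] = Counter()
    for event in events:
        parsed = extract_with_json(event)
        if parsed is None or parsed[1] is None:
            continue  # unparseable line or an order without an error
        order_id, error_code = parsed
        if (order_id, error_code) not in seen:
            seen.add((order_id, error_code))
            counts[error_code] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("rex  :", extract_with_regex(ev))
        print("spath:", extract_with_json(ev))
    print(count_errors_by_order(SAMPLE_EVENTS))
```

The regex version silently returns nothing for the successful order because there is no "error" object after "orderId", which is the same behaviour the rex shows in Splunk; the JSON version still yields the orderId and reports errorCode as absent, so a dashboard can distinguish "no error" from "pattern did not match".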
Can the webhook payload for a Splunk alert be configured manually? I have a ServiceNow API endpoint and need to modify the payload for an alert.
I have an M1 MacBook, and the pyagent provided by AppDynamics has a dependency called ```appdynamics_bindeps```. Similarly, if I try to run the agent in a Linux env using UTM I get the same error with the same dependency.
message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"adea3dff-8e02-433e-a2ad-94bac828989b","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bf96b534-2150-4228-843f-9fb920a1f44f","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb6e42ac-ee83-48b6-8213-7faf0311c6d0","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bdd8a76f-ddb4-4616-a793-68ddd72aad0e","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]
Not working   
Please find the text message:

message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"adea3dff-8e02-433e-a2ad-94bac828989b","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bf96b534-2150-4228-843f-9fb920a1f44f","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb6e42ac-ee83-48b6-8213-7faf0311c6d0","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bdd8a76f-ddb4-4616-a793-68ddd72aad0e","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]

The highlighted parts above I am trying to extract into two fields. Please help. Also, below is the query I am using:

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" SEP013

But I cannot use the above, because eventually I need all errorCodes, and those are available in the search query below:

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE

So please suggest how I can find the error code and order id by using this search.
| rex \"orderId\":\"(<?orderId>[\w\-]+)\" | rex \"errorCode\":\"(<?errorCode>\w+)\"
Hi @bhaskar5428, this seems to be a JSON format, so if you use INDEXED_EXTRACTIONS = JSON in props.conf, or if you use the spath command (https://docs.splunk.com/Documentation/Splunk/9.2.2/SearchReference/Spath) in the search, you should be able to extract your fields. It's also possible to use the rex command to extract the field, but to do this I need an example of your data in text format (not a screenshot), using the Insert/Edit code sample button (the one with "</>"). Ciao. Giuseppe
Adding the command which I have tried but which is not working; I need help correcting the rex pattern:

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" |fields message |rex field=_raw "errorCode=(?<Error>[^,]*)" |rex field=_raw "orderId":(?<Order>\w+)" |table Error, Order
Hi team, from the above screenshot can you suggest how I can extract SEP013 against "errorCode":? I need the count of events for SEP013. Note: I am planning to put dedup on order id, so I will get the correct count.
| rex field=_raw max_match=0 "(?s)\<ReportItem>(?<pluginout>.*?)\<\/ReportItem\>"

Having offered that, @yuanliu is correct: it is usually better to treat structured data with the correct tools, e.g. spath. However, without a complete representation of your event data, and a fuller understanding of what it is you are actually trying to achieve, the rex above meets your minimal needs.