I'm facing a problem with Splunk storage. I tried multiple ways to minimize the heavy data stored in the hot/warm DB, but nothing worked, since the cold data won't accept any migrations from the hot/warm data. Any suggestions?
Honestly (yes, I know it is not helping with the immediate problem at hand, but it might save you some time in the future), this is a very ugly data format. I suspect that someone just receives data with a third-party solution which adds its own headers and forwards it to Splunk. The result is that you have some structure which Splunk is able to parse (the "outer JSON") and within that you have a completely unparsed message field. And this field is "kinda like JSON but not quite", so it doesn't parse properly (and I suspect there can be other types of events in that message field, so no single parsing schema would work here). In the long run it would be best if you could force the admins of your source solution to provide data in a more sane format.
Don't post wrong answers to delete all the data.
1. It's more of a PowerShell question than a Splunk one.
2. For simple file monitoring it's easier to use a UF (or other solutions capable of writing to a HEC endpoint if you find the UF "too big" or "too closed source").
3. You haven't even told us at which point this error is raised.
Hi there, I'd like to have a dedicated threat intel feed which goes to a custom created lookup (non-default). Is that even possible?
Hi @bhaskar5428, here you can find all the information: https://hurricanelabs.com/splunk-tutorials/the-indexed-extractions-vs-search-time-extractions-splunk-case-study/

Anyway, you can add INDEXED_EXTRACTIONS in the props.conf on the UFs and/or the SHs, or use something like this:

```
[your_sourcetype]
INDEXED_EXTRACTIONS = JSON
```

or in search:

```
index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" | spath
```

Ciao. Giuseppe
Hello Jubin.Patel, thanks for posting the question on the community. The Controller determines the status of DB agents with the same name based on the latest start time. Hence we can fetch the last agent start time from the controller DB and then judge which one is active/passive. Please access the controller and use the query below (you need to use the real account name in this SQL):

```sql
select acn.name as nodeName,
       ag.type as agentType,
       ag.agent_version as agentVersion,
       from_unixtime(ag.last_agent_start_timestamp/1000) as lastAgentStartTime
from application app
inner join application_component ac on ac.application_id = app.id
inner join application_component_node acn on acn.application_component_id = ac.id
inner join application_component_node_agent_mapping acnm on acnm.application_component_node_id = acn.id
inner join agent ag on ag.id = acnm.agent_id
inner join account a on a.id = app.account_id
where a.name = '<account name>' and ag.type = 'DB_AGENT';
```

E.g.:

```
mysql> select acn.name as nodeName, ag.type as agentType, ag.agent_version as agentVersion, from_unixtime(ag.last_agent_start_timestamp/1000) as lastAgentStartTime from application app inner join application_component ac on ac.application_id = app.id inner join application_component_node acn on acn.application_component_id = ac.id inner join application_component_node_agent_mapping acnm on acnm.application_component_node_id=acn.id inner join agent ag on ag.id=acnm.agent_id inner join account a on a.id = app.account_id where a.name='xxxxxxxx' and ag.type = 'DB_AGENT';
+---------------------------------------------+-----------+-------------------------------------------------------------------------------+--------------------------+
| nodeName                                    | agentType | agentVersion                                                                  | lastAgentStartTime       |
+---------------------------------------------+-----------+-------------------------------------------------------------------------------+--------------------------+
| cDBAgent_Mao|host:cDBAgent-Secondary-Mao    | DB_AGENT  | Database Agent v24.5.0.4126 GA compatible with 4.5.2.0 Build Date 2024-05-15  | 2024-07-16 05:48:48.8930 |
| cDBAgent_Mao|host:cDBAgent-Primary-Mao      | DB_AGENT  | Database Agent v24.5.0.4126 GA compatible with 4.5.2.0 Build Date 2024-05-15  | 2024-07-16 05:48:48.8890 |
+---------------------------------------------+-----------+-------------------------------------------------------------------------------+--------------------------+
2 rows in set (0.00 sec)
```

Hope this helps. Best regards, Xiangning
Hi, I am trying to send logs from my Windows server to Splunk via PowerShell, but I get this type of error: Cannot convert value to type System.String. This is my code:

```powershell
# Function to send log files with HEC
function Send-LogToSplunk {
    param (
        [string]$filePath
    )
    $logContent = Get-Content -Path $filePath -Raw
    $fileName = [System.IO.Path]::GetFileName($filePath)
    $fileDirectory = [System.IO.Path]::GetDirectoryName($filePath)
    $splunkServer = "$splunkHost/services/collector/event"
    $header = @{"Authorization" = "Splunk $splunkToken"}
    $payload = @{
        event = $logContent
        host = $env:COMPUTERNAME
        sourcetype = "log"
        source = $filePath
    } | ConvertTo-Json
    #Write-Host "Log Content $logContent";
    #Write-Host "Payload to be sent: $payload";
    Write-Host "FileDirectory $fileDirectory";
    try {
        $response = Invoke-RestMethod -Method Post -Uri $splunkServer -Headers $header -Body $payload
        Write-Host "Log sent successfully: $fileName"
    } catch {
        Write-Host "Failed to send log: $filePath Code Error: '$global:errorConnectionCode'"
        Write-Host "Error details: $_"
        Exit $global:errorConnectionCode
    }
}
```

Thanks in advance
Hi, we recently installed the Veeam App for Splunk and put the logs from our Veeam Backup & Replication and Veeam One server into it. Unfortunately we are getting no data in the Veeam Data Platform Monitoring or Veeam Security Events section. We can see the raw logs and also the fields. Does anyone have an idea why we are getting no data in the Veeam app? Best regards
By the way, I tried the rex below; any idea why it's not showing any records?
Can you please suggest how to use INDEXED_EXTRACTIONS = JSON or spath? I mean any example, and what the benefits are.
So basically I would like to find all error codes with their order id. I want to use the main search below: index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE. So what I posted earlier is part of the above search. I want to extract all error codes and their order id. Later I am planning to put a bar chart for the same based on range. Hope you got the requirement.
Hi @bhaskar5428, this is the regex to extract the highlighted fields:

```
| rex "\"orderId\":\"(?<orderId>[^\"]+)\"},\"error\":\{\"errorCode\":\"(?<errorCode>[^\"]+)\""
```

You can test it at https://regex101.com/r/XkBntG/1, but I suggest trying INDEXED_EXTRACTIONS = JSON or spath. Ciao. Giuseppe
Can the webhook payload for a Splunk alert be configured manually? I have a ServiceNow API endpoint and need to modify the payload for an alert.
I have an M1 MacBook, and the pyagent provided by AppDynamics has a dependency called ```appdynamics_bindeps```. Similarly, if I try to run the agent in a Linux environment using UTM, I get the same error with the same dependency.
message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"adea3dff-8e02-433e-a2ad-94bac828989b","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bf96b534-2150-4228-843f-9fb920a1f44f","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb6e42ac-ee83-48b6-8213-7faf0311c6d0","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bdd8a76f-ddb4-4616-a793-68ddd72aad0e","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]
Not working   
Please find the text message:

message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"adea3dff-8e02-433e-a2ad-94bac828989b","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bf96b534-2150-4228-843f-9fb920a1f44f","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb6e42ac-ee83-48b6-8213-7faf0311c6d0","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bdd8a76f-ddb4-4616-a793-68ddd72aad0e","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]

From the above I am trying to extract the highlighted parts into two fields, please help. Also, the query I am using is: index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" SEP013. But I cannot use the above, because eventually I need all error codes, and those are available with the search query below.
index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE ---> so please suggest how I can find the error code and order id using this search.
| rex \"orderId\":\"(<?orderId>[\w\-]+)\" | rex \"errorCode\":\"(<?errorCode>\w+)\"
Hi @bhaskar5428, this seems to be a JSON format, so if you use INDEXED_EXTRACTIONS = JSON in the props.conf or if you use the spath command (https://docs.splunk.com/Documentation/Splunk/9.2.2/SearchReference/Spath) in the search you should be able to extract your fields. It's also possible to use the rex command to extract the field, but to do this I need an example of your data in text format (not a screenshot), using the Insert/Edit code sample button (the one with "</>"). Ciao. Giuseppe
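An added worked example (not from any post in this thread) of the two extraction routes discussed above for the "Send jms message" event: first parse the JSON embedded after message= (what spath would do once the outer wrapper is stripped), and fall back to a rex-style regex when that message body is "kinda like JSON but not quite". The sample event is constructed from the one quoted in the thread, shortened to a single transaction item.

```python
import json
import re
from typing import Optional

# Constructed sample, same shape as the event quoted in the thread: a key=value
# wrapper in "[...]" whose last field, message=, carries a JSON object.
SAMPLE_EVENT = (
    'message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, '
    'idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, '
    'delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb",'
    '"status":"FAILED"}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE",'
    '"orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},'
    '"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account"}}]'
)

# Same idea as the rex in the thread: orderId closes orderStatusResponse, then
# the error block follows with its errorCode.
_REX = re.compile(r'"orderId":"(?P<orderId>[^"]+)"}.*?"errorCode":"(?P<errorCode>[^"]+)"')


def extract_order_error(event: str) -> Optional[dict]:
    """Return {"orderId": ..., "errorCode": ...} for one event, or None."""
    start = event.find("message={")
    if start != -1:
        body = event[start + len("message="):]
        # The wrapper's closing ']' sits after the JSON object; drop it so
        # json.loads sees only the object (the spath route).
        body = body.rstrip().rstrip("]")
        try:
            doc = json.loads(body)
            order_id = doc.get("orderStatusResponse", {}).get("orderId")
            error_code = doc.get("error", {}).get("errorCode")
            if order_id and error_code:
                return {"orderId": order_id, "errorCode": error_code}
        except json.JSONDecodeError:
            pass  # not clean JSON: fall through to the regex route
    m = _REX.search(event)
    if m is None:
        return None
    return {"orderId": m.group("orderId"), "errorCode": m.group("errorCode")}
```

Events whose embedded JSON is malformed (a trailing comma, say) still yield the two fields through the regex route, which is the same trade-off as rex versus spath in Splunk itself.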