Hi @Michael.Mom, Have any of the replies helped answer your question? If so, please click the "Accept as Solution" button, so we know your question has been resolved. If you still need more help, please reply and keep the conversation going.
Hi @vijreddy30, the props.conf is needed to understand the line breaking. Only then can it be troubleshot. Thanks.
In the above screenshot, the blue color line event goes into one event, and the blue color lines above go into a single event. Please provide line break event queries.
Hi! Yes, my end goal is to set up Splunk to receive all the GitHub logs. I got audit logs to go, but it's missing quite a bit of data.
Hi @Zhanali, "OEL 8"... you meant RHEL 8? I assume you have got Splunk Support. May I know if you have contacted the Splunk Support team?
Hello, did you find out where the problem was? It looks like I also have performance issues with this TA. After deactivation, I can run the search in seconds... When it's active, the search doesn't finish... Thanks for your answer!
Hello, does anyone know if we can use eval-ingest with the lookup command in Splunk Cloud? The problem is that in Splunk Cloud we can only add configuration via a custom app on the SH. Eval-ingest in general is working, but when I'm trying to use the lookup command I'm receiving an error that the lookup was not found. I guess the problem is that the lookup is on the SH level, not on the IDX level, but maybe I'm doing something wrong. fields.conf - ok; props.conf - ok; transforms.conf - ok for simple eval-ingest without the lookup command.

Example from transforms.conf:

[test_lookup_manual2]
INGEST_EVAL = test_lookup=json_extract(lookup("test.csv",json_object("hostname_test",hostname_test), json_array(value)),"value")

The lookup was added in the lookups directory, permissions are ok, and it is visible in Splunk from every context.
@PickleRick No, I am using standalone windows machine. On the same machine I am using props.
We are currently using "MIME Decoder Add-on for Cisco ESA" to decode email subjects. It seems that this add-on is not supported in the cloud. Is there another way to decode UTF-8?
I've read the documentation for how to accept input for things like "Interval" (typically in seconds), which I think is your point #1. That explains how to get the settings configured, but not how to actually achieve the scheduled interval when running your API calls. As for alerts and scheduled reports, it seems like what you are saying is that one approach is to write some code that will generate custom SPL functions that will call your API, then use the normal search scheduler to make that custom function run on a regular basis. That sounds oddly difficult. Is that a common approach that technical app developers use for scheduling their API calls?
Hello, Splunk Cloud does not support "MIME Decoder Add-on for Cisco ESA". Did your colleague publish a decoder? I haven't found anything on Splunkbase.
OK. And you have your props.conf on that HF?
@PickleRick Here I am monitoring the network files from the network folder. I am not using a UF or an HF.
Firstly, https://docs.splunk.com/Documentation/SecureGateway/3.5.15/Admin/ConfigureSecureGatewayConf: "In Splunk Secure Gateway version 3.4.25 and higher, Splunk Secure Gateway no longer reads from the securegateway.conf file. Configure Secure Gateway using the UI in Administration > Deployment configuration > Advanced settings." Secondly, you should not need SSG on HFs.
No, no, no. Don't add it anywhere. Where are you ingesting the data from? A file on this Splunk server or by means of a remote UF?
@PickleRick I am using the standalone machine (acting as both search head and indexer). So is it good to add this attribute in props?
Yes, INDEXED_EXTRACTIONS can alter the processing path of your event. Without it the event is parsed on the first "heavy" component the event goes through, typically either the intermediate HF or the destination indexer. When you enable indexed extractions on a UF, the data is parsed directly on the originating UF and is not touched after that (apart from possible ingest actions).
I am getting the below error on HFs: Invalid key in stanza [setup] in "/opt/splunk/etc/apps/splunk_secure_gateway/default/securegateway.conf", line 20: cluster_mode_enabled (value: false). Can anybody tell us why?
It's a bit older, but there seems to be some confusion here. Your second example is completely different from the first one as you use double quotes, i.e. | eval var_type = typeof("num") - here "num" is a literal string which has nothing to do with your variable! Take care when using double quotes (for strings), single quotes (for field names, e.g. containing spaces (for whatever reason...)) or no quotes at all (also for field names). Besides that, to me it seems that this `tostring` function is buggy. If I convert any number using `tostring(number)`, that should(!) become a string, regardless of any "format" argument. And the "typeof()" function should then return "String" for this string.
@inventsekar thanks for the response. I am referring to Splunk Enterprise 9.2.0.1. When I try installing this using my Domain account it keeps rolling back. This is the issue I am facing.