That does not work: once you remove the blacklist, it ingests the old events.
I've done a rolling restart of the cluster and checked. Looks like it "should" work but doesn't. Since then, I tried this approach: put a "blacklist_all_WinEvent" app on the UF during initial start. Just an inputs.conf that has "blacklist1 = ." for all winevent sources. Let the UF do its initial thing, and an hour later I remove that app from the UF and restart the UF. Whilst not optimal, that would do the trick for onboarding existing servers, and automating that is easy enough.

Kind Regards
Andre
Hi @Andre_

1) After the props.conf update/creation, did you restart splunkd on the indexer?
2) If yes for the above, then please use the btool command to check whether the props.conf got applied or not (you can search for Splunk btool options here in the community).

If any reply helps you in any way, a karma point / upvote would be helpful for the author, thanks.
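The btool check suggested above can be automated: this added example (not the poster's code) parses `splunk btool props list --debug` output and reports which file supplies MAX_DAYS_AGO for each Windows stanza, flagging values that still come from a shipped default/ directory. The btool output and the Splunk_TA_windows path are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `splunk btool props list --debug` output (not output
# from the poster's indexer). btool --debug prefixes every line with the file
# that supplied the stanza header or the effective value of each setting.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf  [WinEventLog]
/opt/splunk/etc/system/default/props.conf                ANNOTATE_PUNCT = True
/opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf  MAX_DAYS_AGO = 7
/opt/splunk/etc/system/default/props.conf                [XmlWinEventLog]
/opt/splunk/etc/system/default/props.conf                ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf                MAX_DAYS_AGO = 2000
"""

# Each line is "<source file> <stanza header or key = value>".
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.+?)\s*$")


def parse_btool_debug(output: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map stanza -> {key: (effective value, source file)}."""
    stanzas: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, rest = m.group("path"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            stanzas[current][key] = (value, path)
    return stanzas


def setting_source(output: str, stanza: str, key: str):
    """Return (value, source file, applied) or None if the key is absent.

    `applied` is True only when the winning value comes from a local/ or
    app directory rather than a shipped default/ directory, i.e. the
    override in the local props.conf actually took effect.
    """
    stanzas = parse_btool_debug(output)
    if stanza not in stanzas or key not in stanzas[stanza]:
        return None
    value, path = stanzas[stanza][key]
    return value, path, "/default/" not in path


if __name__ == "__main__":
    for stanza in ("WinEventLog", "XmlWinEventLog"):
        print(stanza, setting_source(SAMPLE_BTOOL_OUTPUT, stanza, "MAX_DAYS_AGO"))
```

On a real indexer, feed the script the output of `splunk btool props list --debug` instead of the constructed sample.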
I fixed it by resetting the proxy setting. I am able to access the web UI. Thank you very much!!
Splunk's TZ has been set to UTC in the browser, and the workstation has the correct PT TZ? What SSO/IdP are you using?
Yes, the time zone is wrong. I checked with a user; they're located in the PT time zone but their default time zone is UTC.
Thanks for that. Exactly what I was looking for.
If they haven't set any time zone then it's their workstation's time zone. Is this tz wrong, or what is the issue? I'm afraid that you are trying to solve an issue which doesn't exist!
As @gcusello said, don't use join; that's the wrong way to do this. However, you are also using the wrong field: your rex statement is extracting the field called clients but your join is using client (singular). Please use the lookup way to do this, not join.
I used a proxy to work around the port issue. I get the same thing as the curl command now. The web UI shows nothing, and when I inspect it, "browser-not-supported"? I tried multiple browsers (Chrome, Edge, Firefox).
I created roles using the SAML config, then assign the role to users when they are created. I looked into all users and they don't have a default time zone set on their account. Yes, they can set it through preferences, and I also can manually change it in Settings for all of the users, but it's tedious to do one by one. I want to configure it so that all the old and future users would have the PT time zone automatically.
What do you mean by "change tz for all users"? If they are sitting in the PT time zone and they are using "use system TZ settings", then it is already in the PT time zone, provided their workstations/laptops are correctly configured. If you want to change that also for people who are not sitting in the PT zone, then I ask why? Internally, Splunk stores all times as UTC. Then it shows times in the user's time zone, or whatever they have set in their account preferences.
This confirms that there is some filtering on the network side, or even on this Splunk server. You could check if there is e.g. iptables running with the "iptables -vL" command (if I recall right). But as @PickleRick said, more probably there is a network-level FW between your workstation and the Splunk server. In this case your options are: ask for help from your network admins and/or try SSH tunneling from your local node to the Splunk server. But check first that this is allowed in your organization!
Now there is a Splunk Enterprise 10.2.0 beta available on voc.splunk.com. If you want to participate in this beta program you need to go to that site and apply for the beta. The beta license seems to be valid until November, so probably there are still a lot of things which are not ready yet? I just installed this on an M3 Max and at least it starts.
Hello, so I've created a props.conf on the indexer under the Windows_TA local folder and put this in:

[WinEventLog]
MAX_DAYS_AGO = 7

[XmlWinEventLog]
MAX_DAYS_AGO = 7

I onboarded another Windows Server and it still ingested Windows event logs going back a few years. Any ideas why that's not working?

Kind Regards
Andre
Hi,

I would like to ask how to change all user time zones to Pacific time. I did some research and saw people recommend configuring this file: SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf. But from what I know, or at least how my Splunk was set up, it's SaaS: they provided me a link to my domain and I started using it. I'm not quite sure where exactly the mentioned file is.

Thanks,
Brian
I am able to curl it from the Splunk machine, but I am not able to do that from my endpoint. It seems port 8000 on my endpoint is not allowed in my organization.
Thanks for the help. I will play with the data model when I have time. I noticed parts weren't giving any records in the preview unless I manually added the index. I tried adding the index to various steps and enabling acceleration, but it still didn't work.
@heathramos yeah, this is going to be a fun one. You've got data model issues, which is way more involved than just fixing a macro. Data models are these complex hierarchical things with parent/child datasets that need to be built and accelerated properly - it's a whole thing. Looking at that search, it's trying to pull from datamodel=pan_firewall with specific node relationships. If that's not set up right (or at all), nothing's going to work. And troubleshooting data models means digging into dataset structures, field mappings, acceleration status - it's honestly not a quick fix. If you need this dashboard working soon and it's important to the business, you might want to just work with Splunk OnDemand Services. They can sort out your data models properly instead of you spending days figuring out why the acceleration isn't working or why the field extractions are wrong. If you want to try, spend some time in Settings > Data Models, checking what's actually there vs what the dashboard expects. You'll probably end up either rebuilding data models from scratch or rewriting all these tstats searches to use regular SPL. It's more like: audit your entire Palo Alto data ingestion and modeling setup. If this helps, please upvote.
I see searches like the following:

| tstats summariesonly=t values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action
| rename log.* AS *
| stats sum(count) AS count values(app) AS app values(category) AS category BY dest_name
| table dest_name app category count
| sort -count