I have this most weird situation, where I use inputs.conf on the UF:

    [monitor://C:\Users\xxx\OneDrive - xxx\xxx\Sources\On-Board\Splunk\test\eManager]
    disabled = 0
    index = main
    sourcetype = el:PoC:eManager

On the HF (before Indexers) I use:

props.conf

    # For eManager PoC
    [el:PoC:eManager]
    INDEXED_EXTRACTIONS=JSON
    TIMESTAMP_FIELDS=timestampUtc
    TZ = UTC
    SHOULD_LINEMERGE = false
    AUTO_KV_JSON = false
    KV_MODE = none
    TRANSFORMS-sourcetype = change-eManagerSourcetype

transforms.conf

    [change-eManagerSourcetype]
    SOURCE_KEY = MetaData:Sourcetype
    REGEX = (.*?)
    FORMAT = sourcetype::el:eManager
    DEST_KEY = MetaData:Sourcetype

Data gets ingested, and it all looks OK - EXCEPT when using this search:

    index=main source=*_8.* | rename _indextime as iTime | foreach *Time [ | eval <<FIELD>>=strftime(<<FIELD>>,"%Y-%m-%d %H:%M:%S") ] | stats latest(_time) AS _time count BY index sourcetype

I get this result:

    index  sourcetype    _time                    count
    main   el:eManager   2024-07-02 19:26:36.000  363
    main   el:eOperator  2024-06-06 14:02:02.986  198

And when adding sourcetype="el:eManager" or just sourcetype="*" I get this:

    index  sourcetype    _time                    count
    main   el:eOperator  2024-06-06 14:02:02.986  198

It's like sourcetype is kind of hidden, but not hidden after the rename in transforms from "el:PoC:eManager" to "el:eManager". I can search by index and source and show it, but not use sourcetype anymore in a direct search. Can anyone explain please?
Looks like this is the issue: https://community.splunk.com/t5/Splunk-Search/Unable-to-access-Metrics-Indexes/m-p/516204
Continuation... as I said, I received mail once but later stopped receiving mail. Please help me further on this. Thanks
Same issue. Were you able to get a solution for this?
I see your point. It's not necessarily 1 big file. The files do share a base name, but it is then automatically appended with the Unix time in the file name. But to your point, I could reach out to the SysAdmins to ask if they could have the file names be associated by network device family, and then appended with the Unix time. Or create a sub directory in that path named for each network device family. A little more granular, but I'm not sure what they can do on their end.
Hi Sir, thanks for your valuable suggestions. I tried the below SPL:

    index=_internal "sendemail"

I received 1 event with details like "Sending email" (as I said already, I received an alert mail to my mailbox once and after that it stopped sending mail).
Your best bet is going to be deciding which labels you want to set on certain containers. After that, you can set Label Permissions so roles don't have View permissions on labels they shouldn't see or be assigned to.
If Splunk hangs and there are timeout issues, it could be a number of things. What I have seen in the wild is that this normally relates to performance, or to the underlying storage system and the amount of ingest, which may and can cause these types of issues. Timeouts could relate to the network: what's the latency like between the Splunk instances? How much volume of data are you ingesting, and can the Splunk instances handle this? https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations

1. Check that your CPU/MEM and Disk I/O meet the requirements; if that's OK then it's something else that needs investigation. #Reference hardware https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Referencehardware
2. Check that THP has been disabled - plenty of topics on this on Google and this community: https://docs.splunk.com/Documentation/Splunk/9.2.1/ReleaseNotes/SplunkandTHP
3. Check that ulimits have been configured - again, plenty of topics on this on Google and this community.
Why not provide a better summary of your issues, so the Splunk community can then respond? It's much better to give a summary of your Splunk environment, what you are trying to do, what you have done to troubleshoot, and any errors in logs. (Also redact any sensitive information.)
This is most likely not possible due to security risks.
It seems like you're looking to pull browser and mail syslog data in Splunk, but you're facing several problems. To clarify your request: you want to know the correct method to track users who have visited specific websites and made changes, correct?
- Recently AppDynamics has joined with Cisco to provide user identity (sign-in credentials) capabilities for all SaaS AppDynamics-based products and services. Users whose passwords are verified by the AppDynamics Identity Platform (not user accounts that sign in using their company's SSO credentials) will be moved to the Cisco Customer Identity platform (id.cisco.com) for verification.
- Everyone needs to follow the few steps mentioned in the transition documents to ensure a successful login to the controller. Users should follow the instructions in the document below.
- https://community.appdynamics.com/t5/Knowledge-Base/AppDynamics-Identity-is-changing-to-Cisco-Identity/ta-p/53076
Hi @tuts, debug your situation:
- are you sure that the routes between endpoints and the syslog receiver are open?
- did you configure the syslog receiver as described in the above documentation (inputs)?
- did you disable the local firewall on the Splunk receiver?
For syslog, instead of receiving syslog inside Splunk (Splunk Network Inputs), I suggest using an rsyslog receiver that writes syslogs to a file; then with Splunk you can read these files.
Ciao.
Giuseppe
Hello,

I have a dashboard and I'd like to add a submit button, because if I change something the search is launched automatically. I'd like to set everything first in the checkbox, then the input field, then launch the search with a submit button. I've tried to add a button, but in this case I'm not able to choose the other checkbox options, only 'Any field'. Could you please help with the modification?

    <form version="1.1" theme="light">
      <label>Multiselect Text</label>
      <init>
        <set token="toktext">*</set>
      </init>
      <fieldset submitButton="false">
        <input type="checkbox" token="tokcheck">
          <label>Field</label>
          <choice value="Any field">Any field</choice>
          <choice value="category">Group</choice>
          <choice value="severity">Severity</choice>
          <default>category</default>
          <valueSuffix>=REPLACE</valueSuffix>
          <delimiter> OR </delimiter>
          <prefix>(</prefix>
          <suffix>)</suffix>
          <change>
            <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
            <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
            <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
          </change>
        </input>
        <input type="text" token="toktext">
          <label>Value</label>
          <default>*</default>
          <change>
            <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>$tokfilter$</title>
            <search>
              <query>index=* $tokfilter$</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="refresh.display">progressbar</option>
          </event>
        </panel>
      </row>
    </form>

Thank you very much in advance!
Thanks for the answer. The saved search has been working just fine since this accident. For testing reasons I created a new index and reran the search with the relevant timeframe. It was working fine with the test index. However, when I reran the search to send the missing events to the real destination index, nothing happened. The search gives results, but these results don't show up in the destination index. I found this log event:

    06-21-2024 09:55:08.916 +0200 INFO SavedSearchHistory - pruning saved search history for savedsearch_id=<my_user_name>;vpn;SUM - VPN - Logout events reason=user=<my_user_name> does not exist

It looks as if something happened to my user during this period.
The foreach command goes through each field listed in the foreach command, in this instance field names beginning with 1 followed by anything. The time values are all epoch times, which are the number of seconds since the beginning of 1970. At present, these all start with 1. Eventually, in about 9 years' time, these will start with 2. So, within the subsearch of the foreach command (within the square brackets []), the <<FIELD>> value in the subsearch is replaced by the field name from the list. Since, in this case, this is a number, the <<FIELD>> is placed in single quotes, '<<FIELD>>', to tell Splunk that it is to be interpreted as a field name (not a number).
That's why my solution uses addinfo which gives you the "earliest" and "latest" times from the timepicker
Thank you, engineer. For me, Sysmon worked and I received endpoint data, but syslog did not work. I want to know the links that the user visits and remove them from network sources.
Hi @michaelteck, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated.
Thanks, this seems to be producing something like what I am looking for. Can I ask, what is the significance of this? I don't really understand it: '<<FIELD>>'. Thanks