All Posts


Working with support for our cloud instance, they removed the passwords.conf file due to the old API key still being in there and not being removed when you update it with a newly generated API key. I then regenerated a new API key, verified correct permissions in S1, and that resolved the issue. Also note that SentinelOne changed the length of time for a regular user account to have an API key to only 30 days. This was used by a previous admin, so I created a new service account just for Splunk logs, and there you can specify a longer key life (30d, 60d, 90d, etc.).
I haven't messed with that at all, I simply have the box checked for Link to Results. 
Hi, thanks for this. I have the following on 3 indexers. In the DB folder, the hot buckets have the same name on some indexes, so I don't think I can copy these. Perhaps I should not copy them over and go for the other ones. I also see the data in the datamodel_summary section, but I have no data models on this data. Perhaps I don't need to copy these as well? Cheers, Rob
It is not really the search, it is how you set up the link in the alert.
Hi sir, now I got it, and your command is working perfectly fine with all scenarios. Thanks much.
Hi sir, thanks for your spontaneous reply. I tried this command and it worked. But I missed informing you that I have IP addresses as well under the host field. Please guide me on this scenario. Thanks.
Made a couple minor adjustments but this is what I needed to solve my issue. Thank you.
There may be many ways to do that.  Here's one. ... | rex field=Host "(?<part1>[^\.]+)" ``` If the field just extracted is a number then the Host field probably is an IP address ``` | eval Host = if(isnum(part1), Host, part1) ...
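Added example (not part of the answer above) that runs the same short-name extraction over a constructed set of Host values, so the behaviour on hostnames, FQDNs and addresses can be compared side by side. The sample values are made up; the field name Host comes from the answer. Instead of isnum() it uses a dotted-quad regex for IPv4 and a colon check for IPv6, which avoids one edge case of the isnum() test: a hostname whose first label is purely numeric (for example 1234.corp.example.net) makes isnum(part1) true and would be left as the full FQDN.

```spl
| makeresults count=1
| eval Host=split("web01.example.com,10.20.30.40,db02,1234.corp.example.net,fe80::1", ",")
| mvexpand Host
| rex field=Host "^(?<part1>[^\.]+)"
| eval Host=if(match(Host, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$") OR match(Host, ":"), Host, part1)
| table Host part1
```

Expected result: web01, 10.20.30.40, db02, 1234 and fe80::1 in the Host column. With the isnum() variant the fourth row would instead stay as 1234.corp.example.net. Drop the makeresults/mvexpand lines and feed the rex/eval pair to your real search.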
I came across this post for a Splunk Enterprise upgrade: https://community.splunk.com/t5/Installation/What-do-I-validate-after-I-upgrade-Splunk-Enterprise-to-confirm/m-p/479261 I need details about what to validate after an ES upgrade. I already have this from the Splunk docs, but I am looking for something as detailed as the above post for ES: https://docs.splunk.com/Documentation/ES/7.3.1/Install/Upgradetonewerversion#Step_5._Validate_the_upgrade
The search is very basic. The system is isolated so I can't copy/paste, but it's just searching for one event code, action, and signature and tabling the results. There is nothing unique or unusual compared to other alert searches. I don't understand how anything in the search string would cause a 404 error.
I wonder if an outer join might have worked, but join is rarely the best answer because it performs poorly. One other approach is to use a subsearch to find the interesting transaction IDs and then search for those IDs.

index="data"
    [ search index="data"
      | stats values(eventtype) as eventtype by transaction_id
      | search eventtype="TYPE1" AND eventtype="TYPE2"
      | fields transaction_id
      | format ]
| table *
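Added example, not from the answer above: the same "transactions that have both event types" question solved without a subsearch. A subsearch is capped by the limits.conf [subsearch] settings (10,000 results and 60 seconds by default), so once the set of matching transaction_id values grows past that, the outer search silently sees only part of them. The variant below annotates every event with the set of event types seen for its transaction_id using eventstats and then filters, so there is no result cap to hit. The six constructed events (transaction_id/eventtype pairs) are sample data; the field names transaction_id and eventtype come from the answer.

```spl
| makeresults count=1
| eval pair=split("t1 TYPE1,t1 TYPE2,t2 TYPE1,t3 TYPE2,t3 TYPE1,t3 TYPE3", ",")
| mvexpand pair
| rex field=pair "^(?<transaction_id>\S+) (?<eventtype>\S+)$"
| eventstats values(eventtype) AS all_types BY transaction_id
| where mvcount(mvfilter(match(all_types, "^TYPE[12]$")))=2
| table transaction_id eventtype all_types
```

Expected result: the two t1 events and the three t3 events are kept (both transactions saw TYPE1 and TYPE2); t2 is dropped because it only saw TYPE1. The trade-off is that eventstats holds the per-transaction_id value sets in memory on the search head, so over very large time ranges it is worth narrowing the base search or using a summary index first.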
Start by creating a search which retrieves the information you are trying to find. How far have you got with that?
I am also experiencing this issue and have yet to find a solution. I am hopeful that the community will provide an answer to this problem.
It isn't in the XML code you posted.
The following macro formats the time to a standard UTC timezone:

[utc]
definition = eval time_offset=strftime(_time,"%:::z") | convert num(time_offset) | eval time_offset=if(time_offset<=0, "+" . -time_offset, tostring(-time_offset)), time_utc=relative_time(_time,time_offset . "h") | convert timeformat="%F %T UTC" ctime(time_utc) | convert `timeformat` ctime(_time) AS time_local

The following macro sets the time to the timezone of your choice:

[tz(1)]
definition = eval utc_offset=strftime(_time,"%:::z") | convert num(utc_offset) | eval tz_offset = $tz$ - utc_offset, tz_offset = if(tz_offset>=0,"+".tz_offset,tz_offset), utc_offset = if(utc_offset<=0,"+".-utc_offset,tostring(-utc_offset)) | eval time_tz=relative_time(_time, tz_offset . "h"), utc_time=relative_time(_time,utc_offset . "h") | convert timeformat="%F %T UTC" ctime(utc_time) | convert timeformat="%F %T UTC$tz$" ctime(time_tz) | convert `timeformat` ctime(_time) AS my_time | fields - tz_offset utc_offset* | rename time_tz AS "time:$tz$"
args = tz

[timeformat]
definition = timeformat="%F %T UTC%:::z %Z"
I am already using that; it's in the XML code.
Hello, I'm a beginner in Splunk. Currently, I'm working with Splunk Enterprise. I want to retrieve the microservices dependencies and export this information. How can I do that?
Perhaps if you elaborate on what your search is for your alert we might be able to help spot the issue?
Try this:

<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
I am getting a permission denied error in the Splunk forwarder logs: ERROR DC:DeploymentClient - Failed to save manifest file to disk at='/opt/splunkforwarder/var/run/serverclass.xml': Permission denied. serverclass.xml has read/write permission for the Splunk user on the server where the UF is installed. Can anyone help?