What exactly did you change and what were the expected results? The comments in transforms.conf and props.conf must not be un-commented because they are not valid settings.
Hi @ITWhisperer, the rex you provided is also not working as expected.
We are collecting data over a site-to-site VPN, so to manage it properly and to comply with security policies, instead of allowing all IPs to communicate with the IDX we only allowed the HF working as IF to connect to the IDX, and all UFs are connected to the IF. BTW, thanks for your response. Can you provide some documentation for this?
Hi @Nawab, compression must be applied on both connections: between the UFs and the IF, and between the IF and the IDXs. Only one question: why do you need an IF? Ciao. Giuseppe
Thank you for your support. I have updated the information; sorry, I did not capture it before.
We have multiple forwarders sending data to an intermediate forwarder (IF), and that IF is sending data to the IDXs. The IF is not storing any data in this case. If we enable compression on the IF, will it automatically apply to data coming from the UFs, or should we do this config on all UFs as well?
Here are the contents of the local.meta file:

[app/install/install_source_checksum]
version = 9.2.1
modtime = 1719187793.873274000

[]
access = read : [ * ], write : [ * ]
export = system
version = 9.2.1
modtime = 1719188413.914413000
Hi @ITWhisperer, below is the error message I got: The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
Please provide more specific examples of the events you are dealing with.
Dashboards are essentially representations of search results. Do you have some searches that provide the information you want from your logs?
Firstly, this looks like JSON, so you should probably look to use JSON extractions. If you are getting errors with this, then perhaps you could share what you tried and what errors you got, and perhaps it can be resolved that way. However, if you want to continue down the rex track (not recommended), you could try something like this: | rex "\"CrmId\": \"(?<CrmId>[^\"]+).*\"status\": \"(?<status>[^\"]+).*\"source\": \"(?<source>[^\"]+).*\"leadId\": \"(?<leadId>[^\"]+).*\"isFirstLead\": \"(?<isFirstLead>[^\"]+).*\"offersinPrinciple\": \"(?<offersinPrinciple>[^\"]+).*\"sourceSiteId\": \"(?<sourceSiteId>[^\"]+).*\"howDidYouHear\": \"(?<howDidYouHear>[^\"]+)"
Hi team, I need to extract the highlighted fields in the below message using regex. I have tried the Splunk built-in field extraction, but it throws an error when I use multiple fields. { "eventTime": "2024-06-24T06:15:42Z", "leaduuid": "1234455", "CrmId": "11111111", "studentCrmUuid": "634543564", "externalId": "", "SiteId": "xxxx", "subCategory": "", "category": "Course Enquiry", "eventId": "", "eventRegistrationId": "", "status": "Open", "source": "Online Enquiry", "leadId": "22222222",  "assignmentStatusCode": "", "assignmentStatus": "", "isFirstLead": "yes", "c4cEventId": "", "channelPartnerApplication": "no", "applicationReceivedDate": "", "referredBy": "", "referrerCounsellor": "", "createdBy": "Technical User",  "lastChangedBy": "Technical User" , "leadSubAgentID": "", "cancelReason": ""}, "offersInPrinciple": {"offersinPrinciple": "no", "oipReferenceNumber": "", "oipVerificationStatus": ""}, "qualification": {"qualification": "Unqualified", "primaryFinancialSource": ""}, "online": {"referringUrl": "", "idpNearestOffice": "", "sourceSiteId": "xxxxx", "preferredCounsellingMode": "", "institutionInfo": "", "courseName": "", "howDidYouHear": "Social Media"}
Hi Team, we are setting up minimalistic dashboards for application logs. Application logs include local server logs, application logs, TIBCO logs and Kibana logs. Is there a standard dashboard setup available for an application log monitoring dashboard? Please guide me to create one dashboard for application log monitoring. Thanks,
Hello everyone, I am a newbie in this field and am looking forward to your help. I am using Eventgen to create data samples for Splunk Enterprise. I have a datamodel "Test", a dataset "datasetA" in that datamodel, "datasetB" inherited from "datasetA", and "datasetC" inherited from "datasetB". All the data samples satisfy the base search and constraints of all datasets, meaning all data samples are present in the 3 datasets above. The problem is that there are values for datasetA.fieldname but not for datasetB.fieldname, even though datasetB is inherited from datasetA. Does anyone have the same problem? More information: sorry, I did not capture it. Example:
|tstats values(datasetA.action) from datamodel=Test -> result: 3 actions
|stats values(datasetA.datasetB.action) from datamodel=Test -> result: no results found
The data samples in datasetA and datasetB are the same. Thank you for reading.
Hi, sure, let me try this regex and see. Yes, there are no blank spaces after each line containing null values.
Yes, the result would be the same whenever it runs, but I would prefer it to execute only after the user clicks on the Submit button.
This is expected behaviour - if the panel search has no dependencies, it will execute - why would this be a problem, since there are no dependencies, shouldn't the result be the same whenever it runs?
Hi all, I recently installed this add-on on my cluster (HFs, IDXs, SHs). I copied props.conf and transforms.conf into the local directory and uncommented the mappings to sourcetype elastic:auditbeat:log. But this action had no effect, and I still see just one sourcetype: elastic:auditbeat:log. Any ideas are appreciated. Thanks.
hello @ITWhisperer This worked. Thanks for your help