All Posts
I think it's not about "permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key are too open". I tried permissions 400 and 600, and the user and group are both splunk. What should I do? Please help me.
Hi Team, could someone please help me? I have a requirement to display some events based on some search criteria, and I want to create a drilldown when clicking on any of the legend entries. There should be a drilldown based on the clicked event.
Hello, have a nice day! I have followed the Distributed Search document, created a dashboard.xml file and pushed it through the deployer, and I could find it in the search head's app as below. Clicking Edit properties caused the below ERROR. Also, I didn't find the dashboard under the Dashboards tab to view it.
Sweet. Thanks, @danspav. The Splunk community rocks!
Version 1.9.0 of Event Timeline Viz is up on Splunkbase now: https://splunkbase.splunk.com/app/4370

Added support for different locales, based on what you've set in Splunk. Supported locales: English, Italian, Dutch, German, French. Note that tooltips and example dashboards will still appear in English.
Fixed bug where the time shown on the visualization was reflecting the time zone of the client OS, not the user preference set in Splunk.
Fixed bug with the 'Disable Zoom' option where zoom could still be enabled when it was set to false.
Thank you so much for your help! Much appreciated
Search artifacts are the collection of data produced by a search. They include the results of the search plus the search log, telemetry, and more. Artifacts should be replicated so they can be retrieved by other search heads in the cluster; for example, if you are disconnected and reconnect to a different SH, you still have access to the artifacts. The knowledge bundle is the set of information indexers need to service a search query. It includes .conf files, lookup files, external commands, and more. The bundle supplies data needed for search-time operations that the indexer otherwise would not have (user KOs, for example).
Hi @PATAN, Is this a Splunk-specific question or a general web and ServiceNow development question? For Splunk, start with https://dev.splunk.com/enterprise/docs/devtools/javascript/sdk-javascript/. The old Building Splunk Solutions books are still useful but quite dated at this point. Depending on your specific use case, you may already have the functionality you need available in simpler forms. For example, Splunk Add-on for ServiceNow includes commands and workflow actions to create ServiceNow events and incidents. What do you have so far?
The default behavior is for the indexer to create enough copies of the data to meet the RF before sending an ACK.  That can be changed in server.conf, however.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Useforwarders#How_indexer_acknowledgment_works for details.
Hi @riposans, The text doesn't appear to be syslog (see RFC 3164 and RFC 5424). Is this a raw TCP or UDP stream? You may want to try:

[ABC]
SHOULD_LINEMERGE = false
LINE_BREAKER = ()\{"@timestamp"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9Q%Z
TIME_PREFIX = {"@timestamp":"
MAX_TIMESTAMP_LOOKAHEAD = 30
# for events IN THE YEAR 2000 (thanks, Conan!)
MAX_DAYS_AGO = 10000
If you still see "permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key are too open," make sure the file is owned by your Splunk user and change the permissions to user (owner) read or read+write:

$ chmod 0600 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key

If you're using a file system that supports extended ACLs, also make sure none are applied. You can check with getfacl:

$ getfacl -p /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
# file: /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
# owner: splunk
# group: splunk
user::rw-
group::---
other::---
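As an added example (not part of the original post), the checks described above (owner, mode 0400/0600, no extended ACL entries) combined into one POSIX shell function that can be pointed at splunk.key or any other key file. The function name check_key_perms is an assumption, as is the dependency on GNU coreutils stat; getfacl is consulted only when it is installed.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_key_perms FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER, with mode 0400 or 0600,
# and no extended ACL entries; otherwise prints the reason and returns 1.
# Assumes GNU coreutils `stat` (-c format); `getfacl` is optional.
check_key_perms() {
    file="$1"
    owner="$2"

    if [ ! -f "$file" ]; then
        echo "missing or not a regular file: $file"
        return 1
    fi

    # Octal permission bits and owner name of the file
    mode=$(stat -c '%a' "$file")
    file_owner=$(stat -c '%U' "$file")

    if [ "$file_owner" != "$owner" ]; then
        echo "wrong owner on $file: $file_owner (expected $owner)"
        return 1
    fi

    case "$mode" in
        400|600) ;;   # owner-only read or read+write is acceptable
        *)
            echo "permissions on $file are too open: $mode (expected 400 or 600)"
            return 1
            ;;
    esac

    # Extended ACL entries (named user/group entries or a mask line) grant
    # access that the octal mode does not show, so check them separately.
    if command -v getfacl >/dev/null 2>&1; then
        if getfacl -p "$file" 2>/dev/null | grep -Eq '^(user|group):[^:]+:|^mask:'; then
            echo "extended ACL entries present on $file; remove them with setfacl -b"
            return 1
        fi
    fi

    return 0
}

# Usage (hypothetical paths/users; splunk is the owner from the post above):
#   check_key_perms /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key splunk
```

The function only reports; it never changes the file, so it is safe to run from a health check or a deployment pre-flight and act on a non-zero exit status.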
Hi @Stopplis, Similar but with input type=checkbox. If you need examples, please post a new question with more detail, and I (or someone else if they get to it first) will be happy to help. Edit: Looks like you did and have an answer pending. Enjoy!
Hi @Shetry, This should be posted as a new question, but briefly, Splunk Universal Forwarder and Splunk Enterprise share the same (or a similar) codebase. Binary detection, event breaking, and more are handled in parsingQueue. If force_local_processing is enabled in props.conf, line breaking, timestamp extraction, and transforms can also be handled by a universal forwarder. See the following for a high-resolution PDF of the last (v7.2) pipeline diagram. It's still applicable today, but you'll need to cross-reference Splunk documentation for the latest features.
https://web.archive.org/web/20220125091543/https://wiki.splunk.com/Community:HowIndexingWorks
https://web.archive.org/web/20220125091543/https://wiki.splunk.com/File:Splunk_EventProcessing_v20_1_UF_Indexer.pdf
| rex mode=sed "s/(\"Data\":\s+)\"/\1[/g s/(\"Data\":\s+\[{.*})\"/\1]/g s/\\\\\"/\"/g" | extract pairdelim="\"{,}" kvdelim=":"

Thank you for your help, the above worked, but I want it to be implemented at index time, not at search time.
1. Actual Data looks like below. Data in string format " { } "
2. From the UI, using the below worked to some extent. Data string to list [ { } ]

| rex mode=sed "s/(\"Data\":\s+)\"/\1[/g s/(\"Data\":\s+\[{.*})\"/\1]/g s/\\\\\"/\"/g"

The issue now is that it is not automatically identifying the key-value pairs inside the Data dictionary, irrespective of the setting kv_mode = json.
Can you tell me how to contact community support?
1. https://regex101.com/r/jPZ4yy/1
2. https://regex101.com/r/PmwS2C/1
3. https://regex101.com/r/SBMRme/1
- First regex: I have provided a sample of 3 events (EntityValue, Name, Ids, anything in JSON format comes).
- Third regex: sed works on _raw, but it should work only between the Data dictionary value. For example, see that (\"Comments\": \"New alert\", ) is also changed; nothing else should be formatted.
Enable the CAP_DAC_READ_SEARCH capability.  See https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Installleastprivileged
Can anyone tell me the best practice for the splunkfwd user to access directories/logs owned by other users and root? Not interested in changing dir/log ownership. We could do ACLs, but that's a lot of work. Out of the box, what is the access level of splunkfwd post-install?