All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Oh, I see. You could use a subsearch or a join:

index=wealth OR index=transform-file OR index=ace_message earliest=-30m | rex field=_raw "inputFileName: (?<inputFileName>.*?)," | rex field=inputFileName "file\_(?<ID>\d+_\d+)\_" | table ID | join type=inner left=L right=R where L.ID=R.ID [search index=wealth OR index=transform-file OR index=ace_message earliest=-30d latest=-30m | rex field=inputFileName "file\_(?<ID>\d+_\d+)\_" | table ID]
Hi team, I have two indexers in a clustered environment and one of my colleagues created an index on both indexers (/opt/splunk/etc/apps/search/indexes.conf), not on the cluster master. This is a very old index and has more than 50GB of data. If I add the same config on the master (/opt/splunk/etc/master-apps/_cluster/local/indexes.conf), will it hamper anything? Would I lose any data?
Hi Team, Can we compress the logs using the Splunk HEC HttpEventCollectorLogbackAppender? Please guide me on how to compress the logs using the Splunk HEC configuration in Logback.
Clearing all bookmarks and data mappings (reset all configurations) and doing a force reset allowed the security content page to load. Performing a data mapping immediately kills access to the security content page.
It seems I made a mistake and kept the action= in the calculated field, which is why it didn't work. Besides that, while testing further it is important to wait for the test searches to time out of the cache, or to change the searches.
Hi @SamHelp , you don't have any evidence of the LB configuration on the HFs: the clients point to the VIP and the Load Balancer distributes the load between the HFs. Remember to configure the LB in transparent mode to avoid having the hostname of the LB as host. I suppose that you're speaking of syslog or HEC, not Universal Forwarders, which don't need the LB. Ciao. Giuseppe
Hi @SaintNick , Splunk uses the timezone of the operating system, but the interface displays data using the user's timezone; cron, however, remains on the OS timezone. The only way is to consider this in the cron definition; I don't know a method to apply timezones to cron. Ciao. Giuseppe
Our Splunk runs in local time, and Splunk Alerts with a Cron schedule and a cron expression such as "00 4,8,12,18 * * *" will run four times a day at the given LOCAL times. How can I tell it to run at UTC times?
Hi @karthi2809 , are you speaking of a Windows or a Linux server? If Windows, you can use WMI: https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWMIdata If Linux, you can use syslog: https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports Even so, the Universal Forwarder is much more efficient, doesn't give any issue and puts a negligible load on the machine. Ciao. Giuseppe
Hi @rdhdr , sorry but I don't understand what you mean with "Time restrictions". You have to define a time period for your check in which you can have Start and End events. Obviously you could have events started before, where the Start Event isn't in the time frame, but that's an issue inherent to the Splunk approach: you must define the time period to execute your searches. Eventually you could use a larger time period. Ciao. Giuseppe
Really, nobody has come across this issue?
Hi @shabana_banu , did you follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/InstallonLinux ? Anyway, the command (running Splunk as root) is ./splunk enable boot-start To run Splunk as a non-root user see https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/RunSplunkasadifferentornon-rootuser Ciao. Giuseppe
I have not made myself clear: I search for pleasant or unpleasant events and would like to color the timeline bar accordingly. Examples:

timeline_bar_color=green index=windows sourcetype=Script:GoodSearch
timeline_bar_color=green index=windows sourcetype=Script:Searchy SUCCESS
timeline_bar_color=red index=windows sourcetype=Script:BadSearch
timeline_bar_color=red index=windows sourcetype=Script:Searchy FAILURE

Thank you for pointing me to eventtypes, I did not know about them and just applied them: a red eventtype adds a red column to the details, but the timeline still uses green.
Hey, did you get any solution on this? Even I am trying the same from OCP Prometheus Alert Manager to Splunk using HEC.
I'm not following you... It's a cluster of indexers (4) and a single Management node, and I'm failing to see how setting the volume size affects the missing queries in the management dashboard. But to answer the questions: of course I did. I have multiple volumes per best practices.
Hi @bowesmana I ran your example. When the lookup is used in the search, the "behindfirewall" field contains both 1 and 0. So, I can use an if condition: if behindfirewall contains 1, then the hostname is behind the firewall, correct? Thanks for your help. firewall.csv after the lookup
Hi @bowesmana

so you want all values of student-X-Y to be included for each combination of student-X-Y?
>> yes, like it is in the expected result

In that case, you don't need the match statement, so what is the issue?
>> I figured out after I posted this that I don't need the match statement, but I am curious if it can also be done using a match statement. So, in this case it won't work using a match statement, correct?

Thanks for your help.
Hello, I have Splunk installed on 3 servers (search head, indexer, HF) on Windows Server. I upgraded from 8.2.x to 9.2.1. On the search head and indexer everything is working, including the KV store (it was upgraded to wiredTiger before the upgrade). BUT on the HF the KV store is failing. In the mongoDB log file I can see:

CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Could not read private key attached to the selected certificate, ensure it exists and check the private key permissions

splunk show kvstore-status --verbose shows:

This member:
backupRestoreStatus : Ready
disabled : 0
featureCompatibilityVersion : An error occurred during the last operation ('getParameter', domain: '15', code: '13053'): No suitable servers found: `serverSelectionTimeoutMS` expired: [Failed to connect to target host: 127.0.0.1:8191]
guid : xxxxxxxxxxxxxxxxxxxx
port : 8191
standalone : 1
status : failed
storageEngine : wiredTiger

I tried to delete the server.pem file and also splunk clean kvstore --local but still the same error. Commenting out the "sslPassword" under the stanza "[sslConfig]" in server.conf didn't help. The pfx file was added to the Windows certificate store, but I'm not sure it was the right way. I will be happy for any help.
Hello, has anyone worked with traces (generated with OpenTelemetry) of an application on Splunk Enterprise? I am ingesting this information with OpenTelemetry, and I would like to exploit the information by tracking the traces... is there any useful add-on to visualize this data? Thanks and cheers, Jar
Thanks much for the reply, it works now!