It's not in the spec file, I tried and it does not work.  
Hi @Andre_ , I'm not sure about this: I used it on wineventlogs. Ciao. Giuseppe
Hi @sawwinnaung , if you haven't any additional HF in your infrastructure, check the regex you're using (you can test it using the regex command in Splunk). In this way you can check if there was some change in the log structure. Then try to use a backslash to escape the = in your regex. Ciao. Giuseppe
@gcusello The props.conf and transforms.conf files are located on the indexer under the following path: /app/splunk/etc/apps/TA-linux_auditd/local/ These configurations previously worked successfully. However, after upgrading the Splunk version and migrating the Linux environment, the configurations no longer seem to function as expected. Thanks for your suggestions.
You can upload your own app with custom JS and css in it, as long as you are on Victoria experience in the Cloud and the JS will pass the AppInspect when you upload the app. We do this all the time and have a set of JS functions that we use for our applications that are bundled with every app we created.
@PrewinThomas Thanks for your help. Even though I updated REGEX = type=PROCTITLE in transforms.conf located on the indexer, the filtering still isn't working.
I think the opposite is the case:

current_only = <boolean>
* Whether or not to acquire only events that arrive while the instance is running.
* A value of "true" means the input only acquires events that arrive while the instance runs and the input is on. The input does not read data which was stored in the Windows Event Log while the instance was not running. This means that there will be gaps in the data if you restart the instance or it experiences downtime.
Hi Giuseppe, "ignoreOlderThan" only applies to log files, not Windows event logs (like security events, application events, etc.). Kind Regards, Andre
Hi @sawwinnaung , at first use a backslash when you have = in your regexes. Anyway, where did you locate these conf files? They must be located in the first full Splunk instance that data are passing through, in other words, in the first Heavy Forwarder (if present) or in the Indexers (if there are no HFs), not on the Universal Forwarder. Ciao. Giuseppe
Hi @Andre_ , as you can read at https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf , to read only the events newer than 7 days, you have to use, in your inputs.conf, the option ignoreOlderThan:

ignoreOlderThan = <non-negative integer>[s|m|h|d]
* The monitor input compares the modification time on files it encounters with the current time. If the time elapsed since the modification time is greater than the value in this setting, Splunk software puts the file on the ignore list.
* Files on the ignore list are not checked again until the Splunk platform restarts, or the file monitoring subsystem is reconfigured. This is true even if the file becomes newer again at a later time.
* Reconfigurations occur when changes are made to monitor or batch inputs through Splunk Web or the command line.
* Use 'ignoreOlderThan' to increase file monitoring performance when monitoring a directory hierarchy that contains many older, unchanging files, and when removing or adding a file to the deny list from the monitoring location is not a reasonable option.
* Do NOT select a time that files you want to read could reach in age, even temporarily. Take potential downtime into consideration!
* Suggested value: 14d, which means 2 weeks
* For example, a time window in significant numbers of days or small numbers of weeks are probably reasonable choices.
* If you need a time window in small numbers of days or hours, there are other approaches to consider for performant monitoring beyond the scope of this setting.
* NOTE: Most modern Windows file access APIs do not update file modification time while the file is open and being actively written to. Windows delays updating modification time until the file is closed. Therefore you might have to choose a larger time window on Windows hosts where files may be open for long time periods.
* Value must be: <number><unit>. For example, "7d" indicates one week.
* Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds).
* No default, meaning there is no threshold and no files are ignored for modification time reasons

Ciao. Giuseppe
Thanks for that (the API's challenge is we need Splunk application login, which has been redacted for users to reduce footprint). show-encrypted is something I haven't tried, but seems promising. Will test and get back.
You're on the right track in wanting to move beyond exact latitude/longitude matches, as literal value matches are ineffective due to GPS inaccuracies and sampling rates. Instead, what you need is a proximity-based approach using geospatial distance — specifically, the Haversine formula — to find the nearest segment point from your lookup file for each point in your car’s GPS trace.
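As an added example (not part of the post above, and not Splunk's own code), this Python block implements the proximity approach the answer describes: a Haversine distance function and a nearest-segment lookup over a small constructed segment table, with a maximum-distance cut-off so that GPS points far from every known segment are reported as unmatched rather than being force-fitted to the closest one. The segment names, coordinates and the 50 m threshold are assumptions made for the demonstration; in Splunk the same formula would be written with eval and the trig functions, and the lookup would come from the lookup file.

```python
import math

# Mean Earth radius in km; the Haversine result scales linearly with this value.
EARTH_RADIUS_KM = 6371.0088


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points (Haversine formula)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed stand-in for the segment lookup file: one reference point per segment.
SEGMENT_LOOKUP = [
    {"segment": "S1", "lat": 52.5200, "lon": 13.4050},
    {"segment": "S2", "lat": 52.5250, "lon": 13.4100},
    {"segment": "S3", "lat": 52.5300, "lon": 13.4150},
]


def nearest_segment(lat, lon, lookup=SEGMENT_LOOKUP, max_km=0.05):
    """Return (segment_name, distance_km) for the closest lookup row.

    If the closest row is farther than max_km (assumed 50 m here), the segment
    is None: the trace point is off every known segment, which matters more
    than which segment happens to be least far away.
    """
    best_row, best_d = None, math.inf
    for row in lookup:
        d = haversine_km(lat, lon, row["lat"], row["lon"])
        if d < best_d:
            best_row, best_d = row, d
    if best_row is None or best_d > max_km:
        return None, best_d
    return best_row["segment"], best_d


def match_trace(trace, lookup=SEGMENT_LOOKUP, max_km=0.05):
    """Match every (lat, lon) point of a GPS trace to its nearest segment."""
    return [nearest_segment(lat, lon, lookup, max_km) for lat, lon in trace]


if __name__ == "__main__":
    # Constructed trace: ~11 m north of S1, a few metres from S2, and one point
    # kilometres away from all segments (should come back unmatched).
    trace = [(52.5201, 13.4050), (52.5250, 13.4101), (52.6000, 13.5000)]
    for point, (seg, d) in zip(trace, match_trace(trace)):
        print(point, "->", seg, f"{d * 1000:.1f} m")
```

The threshold is the part worth tuning: GPS jitter of a few metres is normal, so a cut-off around the sampling error keeps genuine matches while still exposing trace points that belong to no segment in the lookup.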
With current_only = 1: on first start, the UF reads only new events that arrive after the input is enabled. It skips all historical events present in the log at the time the input is first started. If the UF is stopped and restarted, it will pick up where it left off (using checkpoints), so normally it will ingest events that occurred while it was down. https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-windows-data/monitor-windows-event-log-data-with-splunk-enterprise Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
I've seen the "current_only" option but discarded that as it will not ingest any historical data. If I set "current_only=1" during initial deployment it will not ingest old data - so far so good. If the UF goes down for a period of time, after a restart it will not process the events that occurred whilst the UF was down - bad. What happens if I deploy the UF with "current_only=1" and after a week I remove the setting? Will it start ingesting all historical? Or could I use that as a temporary setting during the onboarding phase and remove it for the production phase? Kind Regards, Andre
@sawwinnaung Try below,

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = type=PROCTITLE
DEST_KEY = queue
FORMAT = nullQueue

Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
@Andre_ You are correct. Unlike file-based inputs, Windows Event Log inputs in Splunk Universal Forwarder (UF) do not provide a built-in option in inputs.conf to exclude events based on their age at collection time. This means you cannot natively configure the UF to only ingest Windows events newer than 7 days during onboarding. But if you want to ingest only new Windows Event Log events (and skip all historical data), set current_only = 1 in your inputs.conf. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
Hello, I am about to onboard 1000+ Windows UF. Those have windows event logs going back many years. Is there a way to exclude any windows eventlog older than 7 days from being ingested during the initial onboarding? For log files there's an option for inputs.conf on the UF, but nothing similar for eventlog? Kind Regards Andre
I am trying to set up props & transforms on the indexers to send PROCTITLE events to the null queue. I tried the regex below but that doesn't seem to work.

props.conf and transforms.conf location: /app/splunk/etc/apps/TA-linux_auditd/local/

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue

sample events:
type=PROCTITLE msg=audit(1750049138.587:1710xxxx): proctitle=737368643A206165705F667470757372205B70726xxxxx
type=PROCTITLE msg=audit(1750049130.891:1710xxxx): proctitle="(systemd)"
type=PROCTITLE msg=audit(1750049102.068:377xxxx): proctitle="/usr/lib/systemd/systemd-logind"

Could someone help me to fix this issue?
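To check a nullQueue filter before it touches the indexers, it helps to replay the transform against raw sample events offline. The following Python block is an added example, not code from the question or from the TA-linux_auditd app: it models the props/transforms pair from this thread (the `[linux_audit]` stanza, `REGEX`, `DEST_KEY = queue`, `FORMAT = nullQueue`) as plain dictionaries and routes each constructed audit line to `indexQueue` or `nullQueue`. The audit ids and the hex proctitle value are constructed placeholders modelled on the question's sample, the event with leading whitespace is constructed to show why a `^` anchor is fragile, and the sourcetype name `linux:audit` is a hypothetical stand-in for "whatever the TA really assigns". Python's `re` and Splunk's PCRE agree on patterns this simple, but the model is a simulation, not the Splunk pipeline.

```python
import re

# Constructed sample events, modelled on the question (ids and hex value truncated).
SAMPLE_EVENTS = [
    'type=PROCTITLE msg=audit(1750049138.587:17100001): proctitle=737368643A20xxxx',
    'type=PROCTITLE msg=audit(1750049130.891:17100002): proctitle="(systemd)"',
    'type=SYSCALL msg=audit(1750049130.891:17100002): arch=c000003e syscall=59 success=yes',
    'type=EXECVE msg=audit(1750049130.891:17100002): argc=1 a0="ls"',
    # Constructed: same record with leading whitespace, as a line breaker might leave it.
    '  type=PROCTITLE msg=audit(1750049102.068:3770001): proctitle="/usr/lib/systemd/systemd-logind"',
]

# transforms.conf stanzas from the thread, as dictionaries.
TRANSFORMS = {
    "discard_proctitle": {
        "REGEX": r"type=PROCTITLE",   # unanchored, as in the accepted suggestion
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
}

# props.conf: which transforms apply to which sourcetype (TRANSFORMS-set).
PROPS = {"linux_audit": ["discard_proctitle"]}


def match_count(regex, events):
    """How many raw events a transforms REGEX would hit (search, not full match)."""
    pattern = re.compile(regex)
    return sum(1 for e in events if pattern.search(e))


def route_event(raw, sourcetype, props=PROPS, transforms=TRANSFORMS):
    """Return the queue an event lands in after the props/transforms for its sourcetype.

    Splunk evaluates a stanza's transforms in order; a later queue transform
    overrides an earlier one, which the loop reproduces. A sourcetype with no
    matching props stanza gets no transforms at all, so every event is indexed.
    """
    queue = "indexQueue"
    for name in props.get(sourcetype, []):
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def queue_summary(events, sourcetype, props=PROPS, transforms=TRANSFORMS):
    """Count events per destination queue for one sourcetype."""
    summary = {"indexQueue": 0, "nullQueue": 0}
    for e in events:
        summary[route_event(e, sourcetype, props, transforms)] += 1
    return summary


if __name__ == "__main__":
    # Anchored vs unanchored: the anchored version silently misses the indented line.
    print("^type=PROCTITLE.* matches:", match_count(r"^type=PROCTITLE.*", SAMPLE_EVENTS))
    print("type=PROCTITLE matches:  ", match_count(r"type=PROCTITLE", SAMPLE_EVENTS))
    # Stanza name must equal the real sourcetype, or nothing is dropped.
    print("as linux_audit:", queue_summary(SAMPLE_EVENTS, "linux_audit"))
    print("as linux:audit:", queue_summary(SAMPLE_EVENTS, "linux:audit"))  # hypothetical name
```

Two things the run makes visible: the transform only fires when the props stanza name equals the sourcetype the events actually carry (check it with a search over the affected index), and the filter must sit on the first full Splunk instance the data passes through, because a Universal Forwarder does not run these transforms and an intermediate heavy forwarder would have already parsed the events before they reach the indexer.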
@dinesh001kumar
1. Due to security restrictions, normally you can't upload or reference custom JS files directly in the cloud. You can raise a support request to include Simple XML JS extensions for review and to upload it for you.
2. You can use the <html> panel in Simple XML dashboards for custom HTML, but it is limited. Normally you cannot use inline JavaScript, and some HTML elements may be restricted.
Alternative - Unfortunately, use the built-in features of Dashboard Studio or Simple XML extensions. For specific needs, reach out to Splunk Cloud Support to request a review and upload of vetted JS/CSS files.
Audio Support - Dashboard Studio does not natively support embedding or playing audio files. As a workaround, you could set up external alerting (e.g., send a webhook/email to a system that plays audio).
Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
Hello Splunkers, the time selector is not visible for a specific user, whereas it is visible for the admin role. Could anyone please suggest which capability needs to be added to the user's role to make the time selector visible on the dashboard? The time selector is visible for the admin user.