Is there a way to remove the header that comes with non-syslog source types, which includes hostname and timestamp with priority at the beginning of the event sent? I have configured outputs.conf, props.conf, transforms.conf. Is there a way to remove the priority and hostname associated with the timestamp on the third-party system? Thanks
I believe the SEDCMD in props.conf will only replace the substring that is matched with the specified regex. It sounds like you need to have the entire event containing the matched regex to not be indexed at all. If that is the case then you could set up a props/transform to route those events to nullQueue.
This line works for this specific example:

| rex field=_raw "\.(?<extracted_fieldname_here>\w+);"

Assuming that your targeted extraction field always lies between the period and semicolon, I think it should do it. The "\w+" could potentially need to be changed depending on what the characters are between the two special characters. But for this example it looks to be camelCase, so \w+ should work.
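The rex pattern above, run in Python as an added example (not code from the answer or the question). It uses the log line quoted in the question on this page as its input, and also shows the caveat the answer raises: \w+ does not match a hyphen, so a method name containing one needs a wider character class. The STRICT_PATTERN and LOOSE_PATTERN names are my own, not anything from the page.

```python
import re

# Constructed input: the line quoted in the question on this page.
SAMPLE = ("Method End: com.bi.gb.rest.endpoint.PolicyAdminEndPoint.provisionById; "
          "Execution Time: 7")

# The answer's pattern: a period, word characters, a semicolon. The regex engine
# tries each "." from the left and backtracks when ";" does not follow, so the
# first successful match is the last dotted segment before the ";".
ANSWER_PATTERN = re.compile(r"\.(?P<method>\w+);")

# Wider class for the method name: anything but ".", ";" and whitespace, so a
# hyphenated or otherwise non-\w method name still extracts.
LOOSE_PATTERN = re.compile(r"\.(?P<method>[^.;\s]+);")

# Stricter variant anchored on the "Method End:" prefix; also captures the
# fully qualified class. Greedy [\w.]+ backtracks until "\.\w+;" fits.
STRICT_PATTERN = re.compile(r"^Method End:\s+(?P<cls>[\w.]+)\.(?P<method>\w+);")


def extract_method(line, pattern=ANSWER_PATTERN):
    """Return the method name between the last period and the semicolon, or None."""
    m = pattern.search(line)
    return m.group("method") if m else None


def extract_method_and_class(line):
    """Return (class, method) using the anchored pattern, or None if the line
    does not start with 'Method End:'."""
    m = STRICT_PATTERN.search(line)
    return (m.group("cls"), m.group("method")) if m else None


if __name__ == "__main__":
    print(extract_method(SAMPLE))
    print(extract_method_and_class(SAMPLE))
    print(extract_method("Method End: a.b.provision-ById; Execution Time: 7"))
    print(extract_method("Method End: a.b.provision-ById; Execution Time: 7", LOOSE_PATTERN))
```

The anchored form is the safer one to put in a field extraction: it cannot pick up a "." followed by a ";" somewhere else in the message, and it fails cleanly (no capture) on lines that are not "Method End" records.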
I use Splunk to ingest events from the Windows Security, Application and System event logs. We have a scanner that is very noisy and I would like Splunk not to ingest the events that the scanner creates.
I have tried without success to use SEDCMD in my indexer's props.conf:
SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g
SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g
I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file:
blacklist = 12\.34\.567\.89
Would appreciate any assistance/suggestions given.
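Why the SEDCMD attempts above leave the scanner events in the index, and what a nullQueue transform does instead, as an added example in Python (not code from either post). SEDCMD is substring replacement: the matched text is removed but the event itself is still indexed. A transform that sets DEST_KEY = queue and FORMAT = nullQueue drops any event whose _raw matches its REGEX. The events below are constructed and use the placeholder address and host name from the question; the key=value layout is mine.

```python
import re

# Constructed sample events (not from the page); the address and host name are
# the placeholders the question uses. The third event contains the scanner
# address as a substring of a longer address, to show what the \b anchors do.
EVENTS = [
    "EventCode=4624 Logon_Type=3 Source_Network_Address=12.34.567.89 Workstation_Name=scanner-name01",
    "EventCode=4624 Logon_Type=3 Source_Network_Address=10.0.0.5 Workstation_Name=desktop-42",
    "EventCode=4625 Logon_Type=3 Source_Network_Address=112.34.567.890 Workstation_Name=desktop-43",
]

# The two SEDCMD rules from the question, as (regex, replacement) pairs.
SEDCMDS = [
    (r"\b12\.34\.567\.89\b", ""),
    (r"Workstation_Name\s*=\s*scanner-name01\s*", ""),
]

# REGEX for a nullQueue transform: match on either scanner indicator.
DROP_REGEX = re.compile(r"\b12\.34\.567\.89\b|Workstation_Name\s*=\s*scanner-name01\b")


def apply_sedcmd(event, sedcmds=SEDCMDS):
    """SEDCMD semantics: each s/regex/replacement/g rewrites only the matched
    substring. The (edited) event is still indexed."""
    for pattern, repl in sedcmds:
        event = re.sub(pattern, repl, event)
    return event


def route(event, drop_regex=DROP_REGEX):
    """nullQueue transform semantics: an event whose _raw matches REGEX is sent
    to nullQueue and never reaches the index; everything else continues."""
    return "nullQueue" if drop_regex.search(event) else "indexQueue"


def index_with_sedcmd(events):
    """What ends up indexed under the SEDCMD approach: every event, rewritten."""
    return [apply_sedcmd(e) for e in events]


def index_with_nullqueue(events):
    """What ends up indexed under the nullQueue approach: only non-matching events."""
    return [e for e in events if route(e) == "indexQueue"]


if __name__ == "__main__":
    for e in index_with_sedcmd(EVENTS):
        print("SEDCMD   ->", e)
    for e in index_with_nullqueue(EVENTS):
        print("nullQueue->", e)
```

In Splunk terms the nullQueue side of this is a transforms.conf stanza such as [drop_scanner] with REGEX = \b12\.34\.567\.89\b, DEST_KEY = queue and FORMAT = nullQueue, referenced from the sourcetype stanza in props.conf with TRANSFORMS-drop_scanner = drop_scanner. Two things worth checking against the question: both SEDCMD and TRANSFORMS run at parsing time, so they belong on the indexer or heavy forwarder that parses the data, not on a universal forwarder; and for Windows event log inputs the blacklist setting is matched against event fields (a bare entry is treated as an event code), so matching an address in the message text needs the key=regex form, for example blacklist1 = Message="12\.34\.567\.89".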
How do I trace whether a server in a network path is behind a firewall? The data is presented in the table below. For example: IP 192.168.1.7 of server-A is connected to the "LoadBalancer-to-Server" network, LoadBalancer-A is connected to the "LoadBalancer-to-Server" network and the "Firewall-to-Loadbalancer" network. So, server-A is behind a firewall. Please suggest. Thanks
ip           name            network                   behindfirewall
192.168.1.1  LoadBalancer-A  Loadbalancer-to-Server    yes
172.168.1.1  LoadBalancer-A  Firewall-to-Loadbalancer  yes
192.168.1.7  server-A        Loadbalancer-to-Server    yes
192.168.1.8  server-B        Loadbalancer-to-Server    yes
192.168.1.9  server-C        network-1                 no
192.168.1.9  server-D        network-2                 no
Generally when I come across this it is usually timezones, whitelisted indexes and/or default indexes configured for the user's roles. Since you said it is not time zones, I would check the user's role's allowed indexes and (if the index is not specified in the search) what the default searched indexes for their role are. If no luck there, you can take a deeper look at the user's role search restrictions and see if there is anything there that may be the cause of the discrepancy.
Hi Team, I need to extract the string which is between two different special characters using regex. Could you please assist on this? Thank you. Here is the string below where I need to extract the string provisionById, which is between the semicolon and period character.

Method End: com.bi.gb.rest.endpoint.PolicyAdminEndPoint.provisionById; Execution Time: 7
I've made a dashboard to show some statistics on it. The information that appears on my dashboard differs from that of my users. A Studio Dashboard is used to design the dashboard. I checked the time zone and the other user and I are both in the same time zone. What could be the issue? Please guide me.
I am also experiencing the same issue since May. No push notifications all of a sudden, but when I open the app the alerts are there. Haven't had any changes or anything since it was originally set up.
"join is one of the most inefficient SPL commands, and has a lot of limitations, by using sub searches, that you can hit even without knowing you hit them" Then deprecate its use.
Hi @tuts, this is a design job for a Certified Splunk Architect, not for the Community! Anyway, there are other parameters to consider: volume of data to index daily, number of Correlation Searches, number of users, HA both on Indexers and Search Heads, DR or not (multisite clustering). Ciao. Giuseppe
I resolved this by rebuilding the operating system of the affected host. It previously had a Splunk 6.x forwarder and I uninstalled the old version before I installed the new one. I also did a rm -rf on the old forwarder path. I had thought removal of the /opt/path_where_forwarder_was_installed would be enough. Are there other files/directories that I should also include in my uninstall script?
Environment requirements according to best practices for large companies in Splunk, installing Splunk ES in it, activating more than 10,000 roal, and connecting 4,000 devices. What are the best requirements for RAM, CPU, and storage?
Hi community, I need to write a query which can adjust its search string based on event time. For example, if the event time is before 2024/01/01, events should include string "A" OR "B":

index="aws" sourcetype="dev" ("A" OR "B")

Else, events should include string "C" OR "D":

index="aws" sourcetype="dev" ("C" OR "D")

I have written this to get the search string, but have no idea how to make use of it.

index="aws" sourcetype="dev"
| eval search_string=if(_time < strptime("2024-01-01", "%Y-%m-%d"), "(\"A\" OR \"B\")", "(\"C\" OR \"D\")")
| search search_string

I've got a lot of help here, and really appreciate it!
I realize this is an old thread, but I was looking for the same thing and came across this post. As of 2024, the Splunk Python SDK doesn't support an "embed()" method on the saved search object, but you can call the post() method with the "embed" or "unembed" parameter. For example:

import splunklib.client

# service is an already connected splunklib.client.Service

s = service.saved_searches[
    "my_report",
    splunklib.client.namespace(app="my_app", owner="me", sharing="app"),
]
s.post("embed")
s.refresh()
is_embedded = bool(int(s.content.embed.enabled))
report_token = s.content.embed.token

s.post("unembed")
s.refresh()
is_embedded = bool(int(s.content.embed.enabled))
Hi All, Has anyone used the TA https://github.com/SplunkBAUG/CCA/blob/main/TA_genesys_cloud-1.0.14.spl and the Splunk Genesys app https://splunkbase.splunk.com/app/6552? I am having issues with the TA where the data stops after 24 hours. Has anyone faced a similar issue with the Genesys Cloud TA?
Hi All, I have created a React component which contains 3 things: School Name, Description and a link to the school website. These details are stored in a lookup file called School-details.csv. How do I run the Splunk input command or any search query to fetch results and map them onto the React component built using the Splunk UI toolkit?