Hi @VijaySrrie ... you have given only very few details. Please provide us the modular input script and the config files. Was the modular input working fine previously, and did it just recently start the duplicates?
Guys, I have obtained routing through the syslog method and I faced a problem: the logs are coming when I run tcpdump on the third-party system, but I can't see them in the other SIEM. How can I solve this issue .... help
Hi @hazem , yes, there's a precedence in configurations at index time, but for custom apps it's related to the alphabetical precedence. Anyway, it should run because you have a duplicated configuration that isn't required. Ciao. Giuseppe
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageacceleratedsearchsummaries#Restrictions_on_report_acceleration Since the search itself qualifies for acceleration, most probably your user role either lacks capabilities to enable accelerations or write permissions for the report.
Did you mean that the configuration in (all_UF_outputs) will override the one in (all_splk_outputs) because the capital letter (U) has higher precedence than the lowercase (s)?
hi @Tzur let me understand: you want to take the last value of the "monitor" field, or is there a rule? If the last value, you could try:

<your_search>
| stats
    last(monitor) AS monitor
    values(ip) AS ip
    values(other_fields) AS other_fields
    BY hostname

If there's a rule (e.g. if ip=1.2.3.4), you can try:

<your_search>
| stats
    values(eval(if(ip="1.2.3.4","v","x"))) AS monitor
    values(ip) AS ip
    values(other_fields) AS other_fields
    BY hostname

Ciao. Giuseppe
Hi @hazem , let me understand: do you have two apps containing the same indexer addresses, or different ones? If yes, why? Anyway, it isn't correct because the configuration in the first overrides the ones in the second. Could you share your outputs.conf? Ciao. Giuseppe
Hi @KhalidAlharthi , yes (I saw your other question!). Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
Hi @rmo23 , at first see if there is a way (I don't know ITSI very deeply) to enable email sending as an action. If not, extract the search from this dashboard and create a custom alert. Ciao. Giuseppe
Hi @KhalidAlharthi , let me understand: your fork is forwarding syslogs to the third party but not to Splunk, is that correct? Do you have a defaultGroup in outputs.conf? If yes, try to remove it. Ciao. Giuseppe
Hello all, if I have 2 apps deployed on a Splunk forwarder agent, each with an outputs.conf file, the first one (all_UF_outputs) to send logs to the indexers' IPs and the other (all_splk_outputs) to send logs to the indexers by hostname, how can I confirm which one has the highest precedence?
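As an added illustration of the precedence question above (not code from the thread or from Splunk), the script below simulates how a forwarder merges outputs.conf stanzas from two apps. It assumes the documented rule for the app layer in the global/index-time context: apps are ordered lexicographically by ASCII, so uppercase sorts before lowercase and the app that sorts first wins a conflicting key. The two config fragments and the hostnames/IPs are constructed samples.

```python
# Added example, not the thread's own code: simulate Splunk's app-layer
# precedence for outputs.conf. Assumption (Splunk docs): within the app
# layer, apps are ordered by ASCII (uppercase before lowercase) and the
# first app in that order wins any conflicting key.
import configparser

# Constructed sample outputs.conf fragments, modelled on the apps named
# in the question. Hostnames and IPs are placeholders.
ALL_UF_OUTPUTS = """
[tcpout]
defaultGroup = idx_by_ip
[tcpout:idx_by_ip]
server = 10.0.0.11:9997, 10.0.0.12:9997
"""
ALL_SPLK_OUTPUTS = """
[tcpout]
defaultGroup = idx_by_host
[tcpout:idx_by_host]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""

def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as-is
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def app_order(app_names):
    """App names in precedence order, highest first: plain ASCII sort."""
    return sorted(app_names)

def merge(apps):
    """Merge {app_name: conf_text}. Returns (merged_conf, winners), where
    winners maps 'stanza/key' to the app whose value was kept."""
    merged, winners = {}, {}
    # Apply lowest-precedence app first so higher ones overwrite it.
    for app in reversed(app_order(apps)):
        for stanza, keys in parse_conf(apps[app]).items():
            for key, value in keys.items():
                merged.setdefault(stanza, {})[key] = value
                winners[f"{stanza}/{key}"] = app
    return merged, winners

if __name__ == "__main__":
    conf, won = merge({"all_UF_outputs": ALL_UF_OUTPUTS,
                       "all_splk_outputs": ALL_SPLK_OUTPUTS})
    print("precedence:", app_order(["all_splk_outputs", "all_UF_outputs"]))
    print("effective defaultGroup:", conf["tcpout"]["defaultGroup"],
          "from", won["tcpout/defaultGroup"])
```

On a real forwarder the same effective merge, with the winning file shown per line, comes from `splunk btool outputs list --debug`; running that is the practical way to confirm which app's defaultGroup is in effect.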
The site replication factor applies to *all* buckets (except thawed) so the cluster will create a third copy of all data, not just data that arrives after the change is made.
Hi. Indeed, thanks to ITSI, I can have data on the metrics, the status of my servers (active or inactive), I can predict the status of my infrastructure, etc. I just want to receive email alerts only when my servers are inactive. I only see this status when I'm in 'Entity Overview'; is it possible to configure an email alert on it?
@tscroggins Thank you for your reply and help. I managed to forward the logs to a Linux server just to test the functionality and it's working fine; I received the packets correctly in raw format. Is there a possibility to route the data to another system with Splunk's parsing? I think this should be done from the Splunk indexers ..
Hi @KhalidAlharthi, If QRadar is receiving but not processing the data, you should probably contact IBM support. If IBM indicates the data is not in the correct format, the community can help with transforming the output on the Splunk side. (See my response to your previous question.)