Hi @richgalloway, thank you for your reply. You said that the cluster immediately will create additional copies of all hot, warm, and cold buckets. Do you mean that the additional copy will be copied to the DR site? But if I have data in the main site, like 8TB in hot/warm and 12TB in cold, will the cluster replicate all 8TB and 12TB of logs to the DR indexers?
Once the RF is increased, the cluster immediately will create additional copies of all hot, warm, and cold buckets.
The coldPath setting must be defined and the location must exist. It's not possible (and not advised to try) to have a different configuration for the "DR" indexers. To avoid using the cold path, create a script that deletes buckets and define it as the warmToColdScript for the index(es). You also could assign the coldPath to a volume and make that volume large enough for a single bucket, so cold buckets are frozen almost immediately.
Hi Team, we are using a modular input to ingest the logs into Splunk. We have a checkpoint file, but we see duplicate logs being ingested into Splunk. How do we eliminate duplicates? The application from which the logs are ingested is Tyk analytics.
Hello all, we have a multi-site cluster master and we do not want a cold mount on the DR indexers. Is that applicable? If an indexer hits hot/warm retention and does not find the cold path, will it delete the data?
We have been running our indexer cluster as a multisite cluster with 3 indexers in our main site for the past year, with the below configuration:

site_replication_factor = origin:2,total:2
site_search_factor = origin:1,total:1

Now we have decided to establish a disaster recovery site with an additional 3 indexers. The expected configuration for the new DR site will be as follows:

site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2

I would like to address the question of how replication will work once the DR indexers are configured. Will the replication process start syncing all logs in the hot, warm and cold buckets, or will it start with real-time hot logs only?
Thanks @gcusello. Is it possible to define it like what you did, [TMAO_sourcetype]? And if yes, that is the sourcetype of the data source, right?
Hi @KhalidAlharthi, in props.conf you have to use only the sourcetype of the logs to send to syslog. If there is more than one, put more stanzas in props.

# props.conf
[TMAO_sourcetype]
TRANSFORMS-send_foo_to_remote_siem = send_foo_to_remote_siem

# transforms.conf
[send_foo_to_remote_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = remote_siem

# outputs.conf
[tcpout:remote_siem]
server = remotesiem:1234
sendCookedData = false

As I said, check the exact sourcetype name: I recently solved an issue similar to yours, where the error was the exact sourcetype name. Ciao. Giuseppe
Hi @rmo23, as @yuanliu also said, you should share more details about your infrastructure. Anyway, in ITSI there's an asset inventory that should be complete (otherwise you have a much bigger issue!). So, you could use the lookup containing these assets (I don't remember its name) and run a search like the following:

| tstats count where index=* BY host
| append [ | inputlookup your_asset_lookup | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao. Giuseppe
By this you are sending all the events to the remote SIEM. I need to send just TMAO (Trend Micro), so what is the best approach to do this using syslog?
Hi @shimada-k, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @irisk, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated.
Hi @KhalidAlharthi, does your solution run? I found an error: the transformation is missing in the props.conf. I'm not sure that you can put the TRANSFORMS in the default stanza, and I don't like to use a regex on the index field. I'd use a different approach:

# props.conf
[your_sourcetype]
TRANSFORMS-send_foo_to_remote_siem = send_foo_to_remote_siem

# transforms.conf
[send_foo_to_remote_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = remote_siem

# outputs.conf
[tcpout:remote_siem]
server = remotesiem:1234
sendCookedData = false

Then pay attention to the sourcetype: you must be sure that you are using, in the props.conf, the original sourcetype and not one transformed by the add-on. Ciao. Giuseppe
I used the Splunk web interface, went to Reports > Edit Acceleration for the specific report, clicked Save, and it says "This search cannot be accelerated". Please find the screenshot in the other reply.
Splunk says "This search cannot be accelerated" when I go to enable acceleration for the report and hit Save.
@VatsalJagani
1. Duplicate logs are ingested into Splunk. We tried to change the checkpoint file value, but even after that, at 2 am, duplicates are ingested.
2. We are using a Python script to ingest Tyk MongoDB logs into Splunk.
I am not particularly concerned about the vulnerability right now. But this old OpenSSL version is causing problems when I try to develop new apps. I know it might not be a Splunk problem. urllib3 v2 is a dependency of a package that I need to use. As I understand it, this version of OpenSSL is not supported by the library or by newer versions of Python. The error message is:

urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2zi-fips 1 Aug 2023'. See: https://github.com/urllib3/urllib3/issues/2168
I have used this approach to forward logs from a specific index to a third-party system, in my case QRadar. So I need to do the same, forwarding a specific index using syslog, not TCP, because it takes time (I did a tcpdump to figure that out). This is the approach I follow:

# props.conf
[default]
TRANSFORMS-send_foo_to_remote_siem

# transforms.conf
[send_foo_to_remote_siem]
REGEX = foo
SOURCE_KEY = _MetaData:Index
DEST_KEY = _TCP_ROUTING
FORMAT = remote_siem

# outputs.conf
[tcpout:remote_siem]
server = remotesiem:1234
sendCookedData = false

Thanks
Thanks for your reply, @tscroggins. Can I forward using syslog, not TCP, because the handshaking takes time? Thanks again.
The problem was with the JSON, because of single quotes instead of double quotes. Thanks for the help.