@deepakc Actually we are using Splunk Cloud, so no indexer. However, we are sending the UF to an HF and then to Splunk Cloud, so I believe we can test this on the HF and see. Also, I realized that the second empty event does have the date and time captured, so practically it's not an empty event, it just does not have any valuable info. So based on your method I am planning to use this config. Hope this works? But I have one doubt: where in the HF should I place it, since its only function is to drop events? Is it in /opt/splunk/etc/system or in /opt/splunk/etc/apps?

# props.conf
[sql:audit]
TRANSFORMS-null_events = strip_null_events

# transforms.conf
[strip_null_events]
REGEX = ^\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$
DEST_KEY = queue
FORMAT = nullQueue
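Before shipping a nullQueue transform to the HF it is worth checking the REGEX against a handful of real events, because a regex that is slightly too wide silently discards audit data and one that is slightly too narrow drops nothing. The HF is the right place to test: with Splunk Cloud behind an HF, the HF does the parsing, so props.conf/transforms.conf routing applies there and the cloud indexers will not re-parse. Splunk's own guidance is to put such settings in an app under etc/apps/<app>/local rather than etc/system/local. The script below is an added example, not part of the post or of any Splunk product; it copies the REGEX from the stanza above and runs it over constructed sample events. Note that Python's `re` and Splunk's PCRE agree on `^`/`$` for a single-line pattern, and that a trailing space after "AM" defeats the `$` anchor (if the feed has trailing whitespace, `\s*$` would be the usual fix).

```python
import re

# The REGEX from the transforms.conf stanza above, copied unchanged.
NULL_EVENT_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")

# Constructed sample events (not taken from the poster's data).
SAMPLE_EVENTS = [
    "05/14/2024 9:03:17 AM",                                            # timestamp only: should be dropped
    "05/14/2024 9:03:17 AM LOGIN_FAILED user=svc_backup db=prod",       # real audit record: must be kept
    "05/14/2024 09:03:17 AM\nSELECT * FROM audit_log WHERE id = 42",    # multi-line event: must be kept
    "05/14/2024 9:03:17 AM ",                                           # trailing space: $ does not match, so kept
]


def would_drop(event):
    """True when the transform's REGEX matches the raw event, i.e. Splunk would route it to nullQueue."""
    return NULL_EVENT_RE.search(event) is not None


def classify(events):
    """Return [(event, dropped)] so a whole sample set can be reviewed at once."""
    return [(event, would_drop(event)) for event in events]


if __name__ == "__main__":
    for event, dropped in classify(SAMPLE_EVENTS):
        print("DROP" if dropped else "KEEP", repr(event))
```

Run it against a few hundred lines pulled from the actual source before enabling the transform; the only events that should print DROP are the timestamp-only ones.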
OK. Thanks for your help, gcusello.
So you are trying to exclude any event from a host if it has 4608 in the past 5 minutes. Try

index=windows product=Windows (EventCode="4609" OR EventCode="4608" OR EventCode="6008") NOT [search index=windows product=Windows EventCode=4608 earliest=-5m | stats values(host) as host] | table _time name host dvc EventCode severity Message
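The subsearch above returns `host=srv01 OR host=srv02 ...`, so the exclusion is per host. The one subtlety is that `earliest=-5m` is measured from the search's own "now", not from each event: a host that rebooted cleanly twenty minutes ago is not excluded even though its 4609 and 4608 were a minute apart. The following is an added example (not from the answer or from Splunk) that re-implements the search's logic in plain Python over constructed events so both behaviours are visible; host names, times and the `NOW` value are all made up for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the poster's environment), one dict per
# Windows System-log event: 4609 = shutting down, 4608 = starting up,
# 6008 = unexpected shutdown.
SAMPLE_EVENTS = [
    {"_time": "2024-05-14T09:00:05", "host": "srv01", "EventCode": "4609"},
    {"_time": "2024-05-14T09:02:10", "host": "srv01", "EventCode": "4608"},
    {"_time": "2024-05-14T08:40:00", "host": "srv02", "EventCode": "6008"},
    {"_time": "2024-05-14T08:50:00", "host": "srv03", "EventCode": "4609"},
    {"_time": "2024-05-14T08:51:00", "host": "srv03", "EventCode": "4608"},
]

# The search's "now": earliest=-5m in the subsearch is relative to this, not to each event.
NOW = datetime(2024, 5, 14, 9, 4, 0)


def hosts_with_recent_startup(events, now, window=timedelta(minutes=5)):
    """Subsearch equivalent: EventCode=4608 earliest=-5m | stats values(host) as host."""
    cutoff = now - window
    return {
        e["host"]
        for e in events
        if e["EventCode"] == "4608" and datetime.fromisoformat(e["_time"]) >= cutoff
    }


def filter_alerts(events, now):
    """Outer search: (4609 OR 4608 OR 6008) NOT (host=a OR host=b ...)."""
    excluded = hosts_with_recent_startup(events, now)
    return [
        e
        for e in events
        if e["EventCode"] in {"4609", "4608", "6008"} and e["host"] not in excluded
    ]


if __name__ == "__main__":
    for e in filter_alerts(SAMPLE_EVENTS, NOW):
        print(e["_time"], e["host"], e["EventCode"])
```

srv01 is suppressed because its 4608 falls inside the last five minutes; srv03's clean reboot at 08:50/08:51 is outside that window, so both of its events still come through. If the requirement is "shutdown followed by startup on the same host within 5 minutes, regardless of when", a per-host pairing (for example `transaction host` or `streamstats` by host) is needed instead of a subsearch window.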
Line breaking describes MAX_EVENTS thus:

MAX_EVENTS = <integer>
* The maximum number of input lines to add to any event.
* Splunk software breaks after it reads the specified number of lines.
* Default: 256

I looked at my broken events; the maximum number of lines seems to be 257. Knowing some of my outputs are > 1000 lines, I added MAX_EVENTS = 2000 to the sourcetype. Now I am seeing new events with a large number of lines and no more broken events. (It took some time for this change to take effect, though.)

Just to be clear: this is unrelated to REST API receivers/simple endpoint; it is merely a matter of lines in individual events. The limit is set in props.conf per source type; that is why I could not find any applicable setting in limits.conf.
Thanks very much, I really appreciate your help. | chatgpt org=Sirt key=Splunk-Mdc was finally working.
I have three drop-down lists: one with component (A, B, C, D), another with severity (Info, Warning), and a colour drop-down list. If I select A, Info, the colour drop-down list should be shown; if I select B, Info, the colour drop-down list should not be shown. How can I achieve this?
Hello, thank you for your help. I am seeing the Red status in the Health Report. We are using on-prem. Right now it is showing Yellow, but it frequently flips to Red. In the Description it says to look at Root Cause for details, but I can't figure out how to look at "Root Cause". Thanks again, Tom
Ok, try this: | chatgpt org=Sirt key=Splunk-Mdc or use "default" for the name of the org and key, and then the following will work: | chatgpt
Hi, the file was placed in a monitored folder on the HF (so through inputs.conf), but even when we tested uploading it via the GUI, like we tested in the dev environment, it still wasn't parsed. For the sourcetype, it was a custom one:

[Sourcetype_1]
BREAK_ONLY_BEFORE_DATE =
CHARSET = UTF-8
DATETIME_CONFIG =
EVAL-CREATION_DATE =
EVAL-DEPT =
EVAL-FIRST_NAME =
EVAL-FONCTION =
EVAL-FULL_NAME = if(match(Name, "(Disabled)"), substr(Name, 1, len(Name)-11), Name)
EVAL-LAST_LOGON = replace(Last_Seen, "(\d+)\.(\d+)\.(\d+)", "\3.\2.\1")
EVAL-LAST_NAME =
EVAL-LOCKED = if(match(Name, "(Disabled)"), "Yes", "No")
EVAL-LOCK_REASON =
EVAL-LOGIN = Name
EVAL-MAIL = Email
EVAL-METROID =
EVAL-PROFILE = Roles."|".Scope."|".Groups
EVAL-PWD_VALID_TO =
EVAL-STORE_CODE_5digits =
EVAL-USER_IDENTIFICATION = "1 Firstname 1 Name"
EVAL-VALID_FROM =
EVAL-VALID_TO =
EXTRACT-DATE_EXTRACTION = (?i)^.+_(?P<DATE_EXTRACTION>\d{8})\.csv in source
EXTRACT-Name,Email,Scope,Last_Seen =
EXTRACT-username,type,firstname,lastname,email =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = 1
EXTRACT-Name,Roles,Email,Groups,Language,Agent_Type,Scope,Last_Seen = ^(?<Name>[^;]*);(?<Roles>[^;]*);(?<Email>[^;]*);(?<Groups>[^;]*);(?<Language>[^;]*);(?<Agent_Type>[^;]*);(?<Scope>[^;]*);(?<Last_Seen>[^;]*)
#MAX_TIMESTAMP_LOOKAHEAD = 1000
#HEADER_FIELD_LINE_NUMBER = 1

I know the sourcetype isn't clean or anything, but why would it work on standalone and not in a distributed environment?
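One thing to keep in mind with a stanza like this is that the `EVAL-` and `EXTRACT-` lines are search-time settings, read from the search head's props.conf, while `LINE_BREAKER`, `SHOULD_LINEMERGE` and `CHARSET` are index-time settings applied on the HF. A standalone instance is both, so the whole stanza works there; in a distributed deployment the HF breaks the lines but the search head never sees the extractions unless the same stanza is deployed to it. The added example below (not from the post or from Splunk) re-implements the extraction and the non-empty `EVAL-` fields in Python over constructed semicolon-separated lines, which is a quick way to confirm the regexes do what is intended before chasing deployment issues. One caveat it makes visible: in `match(Name, "(Disabled)")` the parentheses are a regex group, so the test is really "contains the word Disabled"; matching the literal suffix would need `\(Disabled\)`.

```python
import re

# The field-extraction regex from the stanza above, written with Python's (?P<name>...) syntax.
FIELD_RE = re.compile(
    r"^(?P<Name>[^;]*);(?P<Roles>[^;]*);(?P<Email>[^;]*);(?P<Groups>[^;]*);"
    r"(?P<Language>[^;]*);(?P<Agent_Type>[^;]*);(?P<Scope>[^;]*);(?P<Last_Seen>[^;]*)"
)
# EXTRACT-DATE_EXTRACTION, which Splunk applies to the source field rather than _raw.
SOURCE_RE = re.compile(r"(?i)^.+_(?P<DATE_EXTRACTION>\d{8})\.csv")

# Constructed sample input (not the poster's export): a source path and two records.
SAMPLE_SOURCE = "/data/exports/users_20240514.csv"
SAMPLE_LINES = [
    "Jane Doe (Disabled);admin;jane@example.com;g1,g2;en;human;global;14.05.2024",
    "John Roe;reader;john@example.com;g3;fr;service;store;02.01.2024",
]


def extract(line):
    """Apply the EXTRACT- regex, then the non-empty EVAL- fields from the stanza. None if no match."""
    m = FIELD_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    name = f["Name"]
    # match(Name, "(Disabled)"): the parentheses form a group, so this is a bare-word test.
    disabled = re.search(r"(Disabled)", name) is not None
    # substr(Name, 1, len(Name)-11) strips the 11-character " (Disabled)" suffix.
    f["FULL_NAME"] = name[: len(name) - 11] if disabled else name
    f["LOCKED"] = "Yes" if disabled else "No"
    # replace(Last_Seen, "(\d+)\.(\d+)\.(\d+)", "\3.\2.\1"): dd.mm.yyyy -> yyyy.mm.dd
    f["LAST_LOGON"] = re.sub(r"(\d+)\.(\d+)\.(\d+)", r"\3.\2.\1", f["Last_Seen"])
    f["LOGIN"] = f["Name"]
    f["MAIL"] = f["Email"]
    f["PROFILE"] = f["Roles"] + "|" + f["Scope"] + "|" + f["Groups"]
    f["USER_IDENTIFICATION"] = "1 Firstname 1 Name"
    return f


def date_extraction(source):
    """EXTRACT-DATE_EXTRACTION ... in source: the 8-digit date before .csv, or None."""
    m = SOURCE_RE.match(source)
    return m.group("DATE_EXTRACTION") if m else None


if __name__ == "__main__":
    print("DATE_EXTRACTION:", date_extraction(SAMPLE_SOURCE))
    for line in SAMPLE_LINES:
        rec = extract(line)
        print(rec["FULL_NAME"], rec["LOCKED"], rec["LAST_LOGON"], rec["PROFILE"])
```

If the export carries a header row and `HEADER_FIELD_LINE_NUMBER` stays commented out, the header is ingested as an ordinary event and this regex will happily "extract" Name=Name, Roles=Roles and so on; filtering that row out (or enabling the header setting) avoids a phantom account in the results.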
Hello, the Event Timeline Viz is well suited for some work I am doing for a customer to understand jobs/alerts. I have discovered that it appears to display based on the computer/browser timezone and NOT the Splunk timezone setting in user preferences, which doesn't agree with everything else in Splunk and will be difficult/confusing to explain. I changed my Splunk user preference timezone and was surprised to find that the Event Timeline Viz does not change the displayed times. Other visualizations and Splunk time do change for the same search results. If I change my computer timezone, the Event Timeline Viz does change how time is displayed, and the "Now" line reflects the new computer timezone. I emailed the author but wanted to post here to see if anyone else had seen this issue and/or addressed it. The screenshot below was taken with the Splunk UI set to Pacific/Honolulu time. The Now line aligns with the computer timezone, not Splunk. Thanks in advance for the help. Ian
Hi @yuanliu, thanks for sharing the query on this matter. I have reviewed your query; my concern is that you have excluded the Windows starting-up event within 5 minutes, but how will it consider the specific "host"? As per my understanding it should be host-specific: if a single host got shut down and started up again within 5 minutes, it should not trigger any alert.
No, I inserted my org-id
Sirt is the organization name of my OpenAI account; in the Organization value I entered the organization ID of my OpenAI account. Splunk-Mdc is the name of the key I created for that, and in the API key value I inserted the key.
It looks like time is displayed in this viz based on browser/computer timezone and not Splunk UI prefs.
Hello, I need to create a simple alert that would satisfy the below DoD STIG: SPLK-CL-000320 - Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. We do not have a budget to buy the paid Splunk security app, but we have Splunk Enterprise 9 installed. Moreover, we are inside an intranet, so attacks, if any, would be minimal. Therefore, I would like to get any ideas of what would be considered an attack. For example, I have the below ideas myself: 1. A user logs in but is denied access for whatever reason. 2. A user attempts to open a file he/she does not have rights to. I am more experienced in Splunk than in Linux security, so any help would be appreciated.
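The wording of the STIG is "on multiple devices and hosts", so the usual minimal approach is a correlation that counts distinct target hosts per source rather than alerting on a single failed login: the same source IP failing authentication against several hosts in a short window is the pattern behind password spraying and lateral-movement attempts, and in SPL it is a `stats dc(host) as hosts by src` over a time bin with `where hosts >= N`. The block below is an added example, not from the post or from Splunk or DISA; it implements that detection in Python over constructed key=value log lines (the format, hosts, IPs and users are all invented for the demonstration) so the threshold logic can be reasoned about before it is turned into a saved search with an email action to the SA/ISSO.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), in a simple key=value format.
SAMPLE_LOGS = [
    "2024-05-14T09:00:01 host=web01 src=10.0.0.5 user=root action=failure",
    "2024-05-14T09:00:07 host=db01 src=10.0.0.5 user=root action=failure",
    "2024-05-14T09:00:15 host=app01 src=10.0.0.5 user=admin action=failure",
    "2024-05-14T09:00:20 host=web01 src=10.0.0.9 user=alice action=failure",
    "2024-05-14T09:00:25 host=web01 src=10.0.0.9 user=alice action=success",
    "2024-05-14T09:30:00 host=fs01 src=10.0.0.5 user=root action=failure",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$"
)


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def attack_sources(lines, window=timedelta(minutes=10), min_hosts=3):
    """Return {src: sorted hosts} for each source whose failed logins touch >= min_hosts
    distinct hosts inside some span of length `window` (a sliding window per source)."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["action"] == "failure":
            failures[ev["src"]].append((ev["ts"], ev["host"]))

    flagged = {}
    for src, evs in failures.items():
        evs.sort()  # chronological, so each start index opens a window going forward
        for i, (t0, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for src, hosts in attack_sources(SAMPLE_LOGS).items():
        print(f"ALERT src={src} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```

10.0.0.5 is flagged because it fails against three different hosts within fifteen seconds; 10.0.0.9 is a single user mistyping a password on one host and is not. The same idea extends to the poster's second candidate (access-denied events on files) by swapping the `action=failure` test for the relevant event code; the threshold and window are the knobs to tune so an intranet with few real attacks does not page on ordinary typos.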
Hang on, one of the questions is suddenly visible again. I don't know what this forum is doing at all: https://community.splunk.com/t5/Getting-Data-In/How-to-connect-OpenTelemetry-Java-agent-to-Splunk-Collector-in/m-p/689993#M114821
In Splunk Answers. I can't link to the question because both questions have been removed. I don't know what else to do
Sure! I am using Splunk Enterprise. This is my first time trying to install an add-on (Cisco WSA). I go to Apps > Find More Apps and hit Install, which takes me to a login page. I try my user and password, but it says the user or password is incorrect. I have tried to change my password and retried, but same result.
So I figured out how to move past this. I had to find the MSI product code for the previous 3 versions and then search the registry for them one by one. If they exist, they will be in the registry under Windows Installer\"theproductcode". This entry has neither Splunk nor Universal Forwarder in the string, so it was not found prior to this. Once I deleted the previous entries, I was able to install the new version.
Hi @Cyner__, from the UF, are you able to ping the indexer? From the UF to the indexer, is telnet working fine? telnet <indexer-host> 9997 .. is it working or not?