All Posts


Hi, I just installed an indexer cluster and I already know that I should place apps in the $SPLUNK_HOME/etc/master-apps/ directory on my manager node to distribute them across all indexers, but I have 2 questions. 1. If an app that I deployed on the indexers uses Python scripts to fetch data, will this data be duplicated? 2. Do I need to prepare an app before deploying it to my indexers (remove unnecessary dashboards, eventtypes, etc.)? Or can I leave it without changes?
Hi All, how do I resolve the issue when the queues are full on the indexer? Kindly let me know.
Hi All, do we have an SPL query to identify line breaking and event breaking issues through the search heads?
As @ITWhisperer says, "not working as expected", "doesn't work", etc., should be forbidden in this forum. More specifically, if your raw events contain things like "letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]", Splunk's default extraction should have given you abc, efg, HijKlmno without you asking. (It also gives you a field letterIdAndDeliveryIndicatorMap.) If you do table *, what do you see? Here is an emulation:
| makeresults | eval _raw="letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]" | extract
Hi @uagraw01
1) Please check if all is good with the license. Do you see any warnings/errors related to the license?
2) On the forwarder, please check this: $SPLUNK_HOME/bin/splunk btool outputs list --debug
3) On the indexer, please check this: $SPLUNK_HOME/bin/splunk btool inputs list --debug (if $SPLUNK_HOME is not set up properly, then add the exact path, like /opt/splunk)
4) From the UF, try to ping the indexer.
5) From the UF, please try to telnet to the indexer at the receiving port.
Permissions seem to be fine, and the deleted users do not show up in the passwd file. However, the users still show up in the GUI and when I run list user.
Hi, could someone please suggest an alternative product for Splunk Business Flow, as this particular product was deprecated post 2020? If there is no single product that provides the same functionality, is there a different way to monitor business flows? Thanks, Pradeep.
Just ran into this "bug" again in V9.1.1. It is now called the Monitoring Console, but otherwise the fix is the same.
You should be able to use the split function after extracting, which will convert it to a multivalue field, and then run a stats against that MV field. Something like this:
<base_search> | rex field=_raw "letterIdAndDeliveryIndicatorMap=\[(?<letterIdAry>[^\]]+)" | eval letterIdAry=split(letterIdAry, ","), letterIdAry=case( mvcount(letterIdAry)==1, trim(letterIdAry, " "), mvcount(letterIdAry)>1, mvmap(letterIdAry, trim(letterIdAry, " ")) ) | stats count as event_count by letterIdAry
Yes, I found that my regex had a space between ]]; once fixed, I was able to extract them as "abc=P, efg=P, HijKlmno=E", thanks. Next I am trying to get stats on the count of abc=P.
What do you mean by "not working as expected" (because it looks like you should have extracted something at least)?
Hi @Anthony.Dahanne, I'm glad you were able to figure it out. Thanks for coming back and sharing the solution too!
Another thing that comes to mind: local file permissions? (The splunk process may be unable to alter the passwd file.)
Hi @dtburrows3, thanks so much, your suggestions helped me a lot; for now I will go with the eventstats solution. For the foreach command I need to go deeper since it is more complex. @PickleRick I will try xyseries, the same as I did before, to get the expected single values for the productcat# fields. I need to push this report to Production ASAP.
Removing users is a standard Splunk admin task, so this is odd! If you look at your config, what does it state? Run the btool command and check your authentication config:
/opt/splunk/bin/splunk cmd btool authentication list --debug
I am trying to use rex to get the contents of the field letterIdAndDeliveryIndicatorMap. For example, logged string letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]. I want to extract the contents between the [], which is abc=P, efg=P, HijKlmno=E, and then find stats on them. I was trying something like
rex field=_raw "letterIdAndDeliveryIndicatorMap=\[(?<letterIdAry>[^\] ]+)"
but it's not working as expected. Thanks in advance!
An additional idea on this is to base it on a baseline of network probing. You can use this information to assign a risk-based alert. Just a thought...
Splunk can't find something that's not there. You'll need to use makeresults or a lookup to populate what you expect, and then replace that with actual indexed data.
This could be a number of things causing issues; that said, TCP output problems are normally related to the network or setup. A few things to check:
What does the inputs.conf look like on your indexer?
Check the port on the indexer; it should show your configured port 9997: netstat -tupln
Is there a firewall blocking this port?
Can your UF communicate with the indexer?
Thanks for the quick response! Actually, I was looking for output like the below. Files missed between 6-7:30 AM and 9-10:05 PM:
File  Date              Note
TI7L  03-06-2024 06:52  file missing
TI8L  03-06-2024 11:51
TI8L  03-06-2024 11:50
TI9L  03-06-2024 19:06
TI9L  03-06-2024 19:10
TI5L  03-06-2024 22:16  file missing