Option 1 - If the app can send direct to HEC then that is the path of least resistance, so try that first as JSON and ensure it has a timestamp in the data, and then create a sourcetype based on props and transforms. You will need to send to the HEC/event or HEC/raw - most likely the event HEC endpoint - so you will need to test this out first: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/HECRESTendpoints
Option 2 - A possible Splunk component is to use the Splunk Add-on Builder; this requires you to install it onto a Splunk instance such as a lab / test environment or a Splunk Heavy Forwarder, not onto production Splunk servers. You then develop a custom app to poll the API and collect data for indexing purposes. See the below for reference: https://docs.splunk.com/Documentation/AddonBuilder/4.2.0/UserGuide/ConfigureDataCollection
Option 3 - Write Python code to pull the data and send it to HEC (this obviously requires code development).
Option 4 - There are some API collection apps on Splunkbase, but I think those are by third parties and may require a licence: https://splunkbase.splunk.com/app/1546
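Added example for Option 1 / Option 3 (not code from the thread or from Splunk): it wraps application records in the HEC JSON event envelope so the record's own timestamp becomes _time, refuses records with no timestamp, and posts a batch to the /services/collector/event endpoint over verified TLS. The host name, the HEC token placeholder, the sourcetype/index names and the `timestamp` field name are assumptions; the sample records are constructed.

```python
"""Added example (not from the Splunk Community thread): build HEC
/services/collector/event payloads that carry an explicit timestamp and
post them in one batch.  Host, token, and field names are assumptions."""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

HEC_EVENT_PATH = "/services/collector/event"  # documented HEC JSON endpoint


def _to_epoch(value):
    """Accept an epoch number or an ISO 8601 string; return float seconds."""
    if isinstance(value, (int, float)):
        return float(value)
    text = str(value).strip()
    if text.endswith("Z"):          # fromisoformat() before 3.11 rejects 'Z'
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:           # treat naive stamps as UTC, not local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def build_hec_event(record, sourcetype, index=None, time_field="timestamp"):
    """Wrap one application record in a HEC event envelope.

    The record's timestamp is promoted to the envelope 'time' key so the
    indexer uses it as _time instead of arrival time; records with no
    timestamp are rejected rather than silently indexed at 'now'.
    """
    if time_field not in record:
        raise ValueError(f"record has no '{time_field}' field: {record!r}")
    envelope = {
        "time": _to_epoch(record[time_field]),
        "sourcetype": sourcetype,
        "event": record,
    }
    if index:
        envelope["index"] = index
    return envelope


def encode_batch(events):
    """HEC accepts several JSON objects concatenated in one body (no array)."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def send_batch(base_url, token, events, cafile=None):
    """POST a batch to HEC over TLS, verifying the server certificate.

    Returns the parsed response dict (expects {"text":"Success","code":0}).
    """
    # Never disable verification: the request carries a bearer-style token.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        base_url.rstrip("/") + HEC_EVENT_PATH,
        data=encode_batch(events),
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",  # HEC token, not a user login
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample records standing in for the app's API output.
    records = [
        {"timestamp": "2024-05-01T10:15:00Z", "user": "alice", "action": "login", "result": "ok"},
        {"timestamp": 1714558560, "user": "bob", "action": "login", "result": "fail"},
    ]
    batch = [build_hec_event(r, sourcetype="myapp:json", index="app_logs") for r in records]
    print(encode_batch(batch).decode())
    # Assumed host and token; uncomment to send for real:
    # send_batch("https://splunk-hec.example.com:8088", "<hec-token>", batch)
```

Once the events land, the `time` key is what lets the sourcetype's props/transforms skip timestamp extraction entirely; a record that reaches HEC without it would otherwise be stamped with the receive time, which is why the builder raises instead.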
According to your reply and https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself Splunk does not manage python.log rotation, but then how is it being rotated? I made python.log around 100MB with the Splunk service stopped and python.log was NOT rotated. Once I started Splunk, the log was immediately rotated to python.log.1; additionally I made the newly created python.log (only a few bytes in size) well over 25MB and it was rotated once again.
Hi ITWhisperer, first I want to say thanks! Now I have this with your suggestion. Now I need to compare the start time with the previous right_time to set the bool field for every line; how can I do this, please? Thank you!
Sounds like you need certs on the UF. You can copy them from the indexer or put them into an app and deploy them via the Deployment Server inside an app, and change the paths in the config below. Example config:

outputs.conf
    clientCert = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
    sslPassword = <IF YOU SET A PASSPHRASE>

server.conf
    [sslConfig]
    sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
When I run the search as per your suggestion I get: Could not load lookup=LOOKUP-splunk_security_essentials. However, I have noticed another issue today. Up until the last couple of days the main search would give me no results, or results that don't make sense, because the data would be pulled from a Report.csv which was a few days old. I would still see the data properly indexed though, if I did: index="BBB". When I ran index="BBB" today, I noticed that the Report.csv files from the last two days have not been indexed. This has never happened before, and I'm not sure why it would suddenly stop indexing. I couldn't find any errors in the logs related to the index.
You say you have a network user account - I would first start by using a local system account if you can. To me it sounds like a user permissions / access type of issue - sometimes the GPO, if used, can prevent access or reduce privileges. Have a look at these links; they have some information on permissions for local accounts.
https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller
https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata
https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/MonitorWMIdata
Hi @zijian, you have two choices:
1) schedule an alert adding the csv as an attachment, to receive the csv via email;
2) you could schedule a report adding the outputcsv command at the end. In this way, you save your report as csv in a pre-defined folder (not changeable!). Then you should create a script to copy it to the location you like.
Ciao. Giuseppe
I have extracted this data with the stats command. The goal is to compare the left timestamp (start time) of the second line with the right timestamp of the previous line (end time), and the condition will be like this: if (start of next row > end of previous row) 1 : 0. In this way I want to mark these lines with bool=1, and if not, bool=0. Please, does someone have a suggestion about how I can implement this? Thanks in advance.
Hi, there are 72 links to scheduled Splunk reports that I have to access, and I download the reports individually on a monthly basis. I would like to know if there are any faster ways to download them. Regards, Zijian
I have a cycle, so data will come in between 6-7 AM, 11-12 PM, 6-7 PM, and 9-9:35 PM. So I want to display the color for the time after 7 AM, 12 PM, 7 PM, 9:35 PM as Red, and before 7 AM, 12 PM, 7 PM, 9:35 PM as Green.
As I said, in classic dashboards you have rows with panels. Since your composite panels still align as rows, you may be able to spoof what you want by using HTML "filler" panels in the rows between the elements in the same row. You may need to use CSS to try to set the width of the panels, but this is very tricky to do.
I am trying to install the controller on v.24.4.0 (latest). While installing I get the below error: "Connection to [AppDynamics Controller Application Server] failed due to Controller I arations[[SC] EnumQueryServices Status: OpenService FAILED 1060: The specified service does not exist as an installed service"