This has not worked for me, any ideas? Here is my sslConfig line in server.conf: [sslConfig] sslPassword = $7$IVRDJa9zz5Rmt3ZehltRkIK2vnYpOPiMSSAZMNAUqdQ7hQAGf2GNXg No other lines in the file. I am open to suggestions, and get this as well: WARNING: Server Certificate Hostname Validation is disabled., see server.conf, etc Thanks, EWHolzx
OK, so what information have you managed to ingest into Splunk from them? Essentially, you can only query information which has been ingested (with a few exceptions).
I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI and the CLI to delete users, but they are still visible after deletion. But something seems to have happened, because, even though the users are still showing up using the list command in the CLI, when I try to delete the user using the remove command, it says the user does not exist. Is there a config file I need to edit to get the users to stop appearing? This is also a clustered Splunk Enterprise environment; does this mean there are further steps I have to take to delete a user? Thanks
Hi, can someone help me with a Splunk search to identify browsers installed on a machine? I'm looking for a specific field where I can capture this data. Thanks
Show source is not loading for only one event, getting "Failed to find target event in final sorted event list. Cannot properly prune results" after loading
Hello, and thanks for the tip. I will look into getting TLS set and/or a new cert - the cert will need to be self-signed. Splunk was re-started after each upgrade. I am not familiar with the acronym "SHC". Thanks for the info. ewholz
The monitor stanza should specify an index name so Splunk knows where to put the data. Without that, everything goes in the 'main' index. Your (and everyone else's) search query should specify the index name to search. This makes the query more efficient and avoids reliance on your default index. The index name in the query must match the index name in the monitor stanza for Splunk to find the data. The message about the tags.conf file is a symptom of a different problem and should be easy to correct. Go to line 1 of the file specified in the message and URL-encode the value.
Hi @nisheethbaxi, if you're sure you have the backslashes in your logs, you could try this regex: | rex "account_id\\\":\\\"(?<account_id>[^\\]+)" that you can test at https://regex101.com/r/maaQBE/1 or the following (there's an issue using a regex in Splunk when there's a backslash): | rex "account_id\\\\\":\\\\\"(?<account_id>[^\\]+)" Ciao. Giuseppe
I have a splunk query that has following text in message field - "message":"sypher:[tokenized] build successful -\xxxxy {\"data\":{\"account_id\":\"ABC123XYZ\",\"activity\":{\"time\":\"2024-05-31T12:37:25Z\}}"
I need to extract value ABC123XYZ which is between account_id\":\" and \",\"activity. I tried the following query but it's not returning any data.
index=prod_logs app_name="abc"
| rex field=_raw "account_id\\\"\:\\\"(?<accid>[^\"]+)\\\"\,\\\"activity"
| where isnotnull (accid)
| table accid
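The escaping problem in the question and in Giuseppe's reply comes down to what the raw event text actually contains: the inner quotes are stored as the two characters backslash and quote. The following added example (not SPL from the thread, and not Splunk code) rebuilds a constructed event modelled on the one posted and shows two ways to pull out account_id from it: a regex that spells out each literal backslash, and unescaping the embedded payload so it can be parsed as JSON, which is more robust when field order changes.

```python
import json
import re

# Constructed sample event modelled on the thread: the JSON payload is embedded
# in the "message" field with every inner quote escaped as \" in the raw text.
# (The brackets are balanced here; the posted snippet was truncated.)
RAW_EVENT = (
    r'"message":"sypher:[tokenized] build successful -\xxxxy '
    r'{\"data\":{\"account_id\":\"ABC123XYZ\",\"activity\":'
    r'{\"time\":\"2024-05-31T12:37:25Z\"}}}"'
)

# Regex approach: in the raw text the delimiter around the value is the
# sequence  \":\"  (backslash, quote, colon, backslash, quote). A raw string
# keeps exactly one regex backslash pair per literal backslash in the event,
# so the escaping levels stay visible. The class excludes both the backslash
# and the quote so the match stops before the escaped closing quote.
ACCOUNT_ID_RE = re.compile(r'account_id\\":\\"(?P<account_id>[^\\"]+)')


def extract_account_id_regex(raw: str):
    """Return the account_id captured from the escaped payload, or None."""
    m = ACCOUNT_ID_RE.search(raw)
    return m.group("account_id") if m else None


# Parsing approach: cut out the embedded object, turn \" back into ", decode it
# as JSON and walk to data.account_id. Assumes only quotes are escaped inside
# the payload, which matches the event shape shown in the thread.
def extract_account_id_json(raw: str):
    """Return data.account_id from the embedded JSON payload, or None."""
    start = raw.find("{")
    end = raw.rfind("}")
    if start == -1 or end == -1 or end < start:
        return None
    payload = raw[start:end + 1].replace('\\"', '"')
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return None
    data = doc.get("data")
    return data.get("account_id") if isinstance(data, dict) else None


if __name__ == "__main__":
    print(extract_account_id_regex(RAW_EVENT))
    print(extract_account_id_json(RAW_EVENT))
```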
The above suggestions are great, but what worked on my end was simply scrolling to the end of the user agreement (I think the Splunk creators want us to read through it). I did not have to change anything in any of the files listed in the first suggestion.
If the word list under your tag cloud is displaying the words you expect to see, then you might just need to use the Format button to define your field label and value. Next to your visual type click Format. Then enter your field name 'word', value type 'count', and then the font sizes you want. I used 100 and 8.
Hi @LearningGuy, I understand that you're not an admin, but roles are the only way to restrict access in Splunk. So, ask your administrators to create different roles to enable your dashboards and knowledge objects only to selected (by roles) users. Ciao. Giuseppe