@Roy_9 - Yes, you need to set the Lookup file and Lookup definition permissions to "Global" instead of Private or App. You can do that from the UI on their respective pages under Settings in Splunk. I hope this helps!!! Kindly upvote if it does!!!
Hello Splunkers! I have built my own correlation search, from which I am generating a notable. In that notable I want to pass some fields using the $   I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason.    Can someone please tell me how I can make it work? Let me know if you want me to share some other configuration that I did that might be relevant to this issue. Thanks for taking the time to read and reply to my post.
Hi @VatsalJagani

1. The checkpoint file is not getting updated.
2. It happens only in DC1.
3. modinput_tyk_analytics_mongodb is the app containing the Python script.
4. Whenever we see an error in the Splunk internal logs, duplicate logs are seen.
You mean I can use 2 folders for two indexers on one disk? I want to ask: if I just use one folder and save Indexer 1's frozen data there, which can be used as backup data for the whole indexer cluster (both Indexer 1 and 2), is that OK? It's very hard for me to find a document that says this clearly. My customer wants to know about that. Do you know any documents where Splunk says anything about this situation?
Hi All, I set up Splunk and am trying to capture security logs from the client machine. My VM is set up as server/client with an Active Directory group setting. But I am getting a disk space error: "The diskspace remaining =9620 has breached the yellow threshold for filesystems=C:]Program Files \splunk\var\lib\splunk\_metrics\colddb". But I have free space on the C drive. Please clarify.
Thanks @PickleRick, the query line you posted is not supported (even if it was before). Splunk errors out saying unknown value 0.
Hi, we're measuring with a code snippet like the one below: the time before we called the logger subtracted from the time the logger completed.

Long start1 = System.currentTimeMillis();
log.info("Test logging");
Long start2 = System.currentTimeMillis();
log.info("logTime={}", start2 - start1);

We have not used tcpdump yet as this is running in a container. We're not able to use batch either, since we needed type=raw, which doesn't support batch configs from my understanding. Is there a way to work with the raw type and send as a batch? Thanks.
So there's a bug with installing Splunk Enterprise 9.2.x and the universal forwarder on the same server, something that should work. I have opened a case with Splunk and requested them to document the issue in the known issues. They have not done that yet. 
Ah, then I guess we have different understandings of what "download a dashboard" means. The software you want is Splunk Enterprise Security.  It's a premium product, meaning it is available for download only by customers who have paid for it.  Contact your Splunk account team for more information.
Hi Giuseppe, Thank you for highlighting the mistake. I corrected the variable to newValue2 but unfortunately I found no luck  with the  query.
@andrew_nelson  I was able to set it up with a calculated field! It was a basic thing, but it was very helpful. I'm going to study! thank you very much.
I don't want a pdf.  I want a piece of software running in my Splunk Enterprise.   Thanks
Thank you so much, one of our stanzas looks like the following:

[script://./bin/ulimit.sh]
interval = 27 5 * * *
source = scripted_input
sourcetype = virtualization:sanity:ulimit
index = os
disabled = false

Based on the link you provided, a reload should be fine. How would we run a "reload"?

inputs.conf http reload
inputs.conf script reload
inputs.conf monitor reload
inputs.conf <modular_input> reload
inputs.conf batch reload
Hey, how did you solve it then? I am having the same issue. Is there a way to switch to 32? I am very, very new to this.
Have you tried printing the dashboard to a PDF?
I would like to download the Security Posture Dashboard.   The document “Security Posture dashboard” does not include a download link: https://docs.splunk.com/Documentation/ES/7.3.1/User/SecurityPosturedashboard
What are some good dashboards for displaying data ingested from AWS CloudWatch/CloudTrail?   thanks in advance 
I fixed the "Can't read key file" error by putting the contents of my server private key into the pem file. These two commands now properly show the information:

openssl rsa -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text
openssl x509 -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text -noout

openssl rsa is properly showing the RSA private key (modulus, primes, etc.) now. openssl x509 works fine, as I mentioned before. However, splunkd.log still shows "sslv3 alert certificate unknown". Thanks.
| rest /servicesNS/-/-/data/ui/views splunk_server=local
``` Produces all views that are present on the local search head ```
| table id, updated, eai:acl.removable, eai:acl.app
``` eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means it can be deleted. removable=0 means it could be a system dashboard ```
| rename eai:acl.* as *
| rex field=id ".*\/(?<dashboard>.*)$"
| table app dashboard updated removable
| join type=left dashboard app
    [ search index=_audit ``` earliest=<setasperyourneeds> host=<yoursearchhead> ``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!=""
      | stats earliest(_time) as earliest_time latest(_time) as latest_time by app provenance
      | convert ctime(*_time)
      | rex field=provenance ".*\:(?<dashboard>.*)$"
      | table earliest_time latest_time app dashboard
      ``` produces the dashboards that were used in the time range given by earliest / the global time range ``` ]
| where isnull(earliest_time) AND removable=1
``` condition to return only dashboards that are not viewed ```
| stats values(dashboard) as dashboard by app
Hi @splunky_diamond , it's always a pleasure! Ciao. Giuseppe