All Posts
@deepthi5 - Please share more details about the error and the relevant lines of code that throw the error so the community can help.

Hello @niketn and good day. I just noticed in this answer (super good btw) that you're using a line chart within what seems to be a statistical table. I've been trying to replicate that same thing; would you be so kind to share the way you accomplished this? I'm using Enterprise 9.1.2 on a single node. Thanks in advance and best regards.
@IlianYotov - Just to clarify, the path you are trying to look at is /Users/yotov/app/.logs/.../*.log. Inside /Users/youtov/app there is a hidden folder named ".log"; inside that there are sub-folders, inside which there are files with the .log extension at the end.

Also, is there any specific reason for using the alwaysOpenFile parameter? * https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
@Siddharthnegi

Structured Data: As suggested in the doc shared by you, structured data is parsed by the UF (INDEXED_EXTRACTIONS parameter in props.conf).

force_local_processing: As suggested by @richgalloway, this will force the linebreaker, aggregator, and regexreplacement processors on the UF.

Reference - props.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

I hope this helps!!!
@vijreddy30 - Please check the following things in order:

Check whether Splunk is running or not:
  ./bin/splunk status  (run from the Splunk installation folder / SplunkHome)

If Splunk is not active, then:
  ./bin/splunk start   (start the Splunk service)
  ./bin/splunk status  (check the Splunk status again)

Once completed, if you still don't see Splunk, look for issues in your splunkd.log file.

Just to point out: in your web.conf there is an extra "a" in front of privKeyPath.

Checking the above should help you find and fix the issue. I hope this helps!!!
Be aware that map is a potentially unsafe command. Also your approach with both map and an intermediate lookup seems strange. That's what passing fields to the subsearch is for.  
Yeah sure, I am checking with them for another discussion. Thanks.

Hi @Shubham.Kadam, I would recommend contacting the same people to see if they can get on another call with you. Let me know what happens. In the meantime, I'll see if I can find any existing information on the community or Docs.
I have been asked to create a dashboard for our threat hunters and would like some ideas. They want to know what they can breach off of webservers. So far I have a table with just the hosts we have. I also have a table with http response counts.
Your last stats command outputs two columns LastRunTime_Count and NA_Count.  Pie chart can only use one column.  Can you illustrate your intentions with column output and describe how a pie chart can depict both?
Hi @SplunkExplorer

Can you check on the HF's /opt/splunk/etc/apps folder if there are some outputs apps there (leftovers perhaps from testing etc.)? If so, move the app into a /tmp folder, restart the HFs, and push via the deployment server only.
You've shared the Splunk Enterprise manual for setting up scripted authentication extensions with Okta with us: Configure authentication extensions to interface with your SAML identity provider - Splunk Documentation. So that should be fine if you proceed with this manual. Regarding the permissions, check the Python script and the endpoints that are used in the script. Based on the endpoints you could probably figure out with your IAM colleagues which capabilities are needed.
Hi @Real_captain, try adding the keeporphans=true option to the transaction command (as you can see at https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Transaction); it should run:

  index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
  | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True
  | bin span=1d _time
  | chart sum(eventcount) AS eventcount OVER _time BY NIDF

Otherwise use only the startswith option and not the endswith option as well.

Ciao.
Giuseppe
You should check for SSL issues in your internal Splunk log (%SPLUNK_HOME%/var/log/splunk/splunkd.log). Search for the keyword SSL, the name of your private key and the name of your certificate. Your screenshot shows a different location for the certificates than the locations that are configured in your web.conf for the private key and certificate.
The force_local_processing setting in props.conf will have the UF do some parsing.  See props.conf.spec for details.
Hi @deepakc, following is the output of the required checks:

Check that your serverclass is taking the current config (might be some config that's overriding; it's normally in /opt/splunk/etc/system/local/serverclass and sometimes in a dedicated app): /opt/splunk/bin/splunk btool serverclass list --debug
- Done: the only 2 serverclass.conf files are the ones under $SPLUNK_HOME$/etc/system/default and $SPLUNK_HOME$/etc/system/local

Check the permissions on the HF's /opt/splunk/etc/apps/ (sudo chown -R splunk:splunk /opt/splunk/etc/apps - this is typical)
- Done, folder ownership is fine

Restart the HF / Deployment Server
- Done

Can you verify the ownership of the apps on the Deployment Server (typically they should be splunk:splunk: sudo chown -R splunk:splunk /opt/splunk/etc/deployment_apps)
- Done, ownership is fine

Can you verify the firewall ports are all OK, 8089 (HF to DS - port 8089)
- Done, HFs can reach DS on 8089 and vice versa

Can you double check the app names in serverclass.conf (I have seen app name typos in the past)
- Done, the app folder name and the app name in serverclass.conf are the same
Well.... I appreciate you helping me confirm it's just 2022
A few things to check - (I know you have done some already)

Check that your serverclass is taking the current config (might be some config that's overriding; it's normally in /opt/splunk/etc/system/local/serverclass and sometimes in a dedicated app): /opt/splunk/bin/splunk btool serverclass list --debug

Check the permissions on the HF's /opt/splunk/etc/apps/ (sudo chown -R splunk:splunk /opt/splunk/etc/apps - this is typical)

Restart the HF / Deployment Server

Can you verify the ownership of the apps on the Deployment Server (typically they should be splunk:splunk: sudo chown -R splunk:splunk /opt/splunk/etc/deployment_apps)

Can you verify the firewall ports are all OK, 8089 (HF to DS - port 8089)

Can you double check the app names in serverclass.conf (I have seen app name typos in the past)

Two years have passed since this topic. Is there any news on this?
Thanks gcusello. This solution really works when we have to extract the data of previous days. Is it possible to have the stats of the current date when the startswith="IDJO20P" event has arrived but the endswith="PIDZJEA" event is still not received?