All Posts
Hello, I need to monitor two different types of events for some servers, the authentication events (4624,4634,4625) for the admin users and some Event IDs related to change events (5145,4663,4659) for a specific path. Basically I created a server class for the inputs.conf deployment, adding this:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = windows_tmp
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))
renderXml=false

I already tested the regex on regex101 (https://regex101.com/r/LIaMnU/1) and it seems to work fine, but in Splunk I'm receiving all the events, as if the whitelist is not applied. Am I missing something?
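To confirm what the two branches of that whitelist actually select, here is an added Python re-expression of the regex (example code, not the poster's configuration) run over constructed events in the WinEventLog text layout. Python's re has no \X, so [\s\S]* stands in for it; the branches are otherwise unchanged.

```python
import re

# Added example, not the poster's inputs.conf: the whitelist regex from the
# post, re-expressed for Python's re module.  Python has no \X, so [\s\S]*
# stands in for "anything, across line breaks"; the rest is copied as posted.
WHITELIST = re.compile(
    r"(EventCode=(4624|4634|4625)[\s\S]*Account Name:(\s+.*\.adm.*))"
    r"|(EventCode=(4659|4663|5145)[\s\S]*Object Name:(\s+.*Test_share.*))"
)


def should_forward(event_text: str) -> bool:
    """True when the event satisfies either whitelist branch."""
    return WHITELIST.search(event_text) is not None


def forwarded_codes(events) -> list:
    """EventCodes of the events that pass the filter, in input order."""
    kept = []
    for text in events:
        if should_forward(text):
            kept.append(re.search(r"EventCode=(\d+)", text).group(1))
    return kept


# Constructed sample events in the layout of Splunk's WinEventLog text rendering.
LOGON_ADMIN = """LogName=Security
EventCode=4624
Message=An account was successfully logged on.
New Logon:
\tAccount Name:\t\tjsmith.adm
\tAccount Domain:\t\tCORP"""

# Same logon by a non-admin account: branch 1 requires ".adm" in Account Name.
LOGON_USER = LOGON_ADMIN.replace("jsmith.adm", "jsmith")

SHARE_CHANGE = """LogName=Security
EventCode=5145
Message=A network share object was checked to see whether client can be granted desired access.
\tShare Name:\t\t\\\\*\\Test_share
\tObject Name:\t\tC:\\Shares\\Test_share\\budget.xlsx"""

# A 4624 that mentions Test_share must be rejected: each branch pairs its own
# EventCode set with its own field, so the conditions do not cross over.
CROSSED = SHARE_CHANGE.replace("EventCode=5145", "EventCode=4624")

SAMPLE_EVENTS = [LOGON_ADMIN, LOGON_USER, SHARE_CHANGE, CROSSED]

if __name__ == "__main__":
    print(forwarded_codes(SAMPLE_EVENTS))  # ['4624', '5145']
```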
Hi @splunky_diamond, you can use the parameter maxQueueSize in outputs.conf. About the location, I'm not sure, but it should be in $SPLUNK_HOME/var/run/splunk. Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated. Ciao. Giuseppe
Here's a query that will find most KOs owned by inactive users. You may want to enhance it to also look for lookups. Of course, change the '90' to whatever value you deem to be 'inactive'.

| rest splunk_server=local /servicesNS/-/-/admin/directory
| fields title eai:acl.app eai:acl.owner eai:type eai:acl.sharing
| rename eai:acl.* as *
| where (owner!="nobody" AND owner!="admin")
| search [| rest splunk_server=local /servicesNS/-/-/admin/users
    | fields title last_successful_login
    | eval lastLogin = if(isnull(last_successful_login) OR last_successful_login=0, "never", strftime(last_successful_login, "%c"))
    | eval idleDays = round((now()-last_successful_login)/86400, 0)
    | where (idleDays > 90 OR lastLogin = "never")
    | fields title
    | rename title as owner
    | format]
Hi @ITWhisperer, the query is working, but I need the total counts of enabled and disabled in the output. Now it's showing 1 for enabled and 1 for disabled, but the events total 79.

index="mulesoft" applicationName="scheduler" message="Upcoming :*" [search index="mulesoft" applicationName="scheduler" | stats latest(correlationId) as correlationId | table correlationId | format]
| stats values(content.currStatus) as currStatus by correlationId
| where currStatus!="Interface has no entry found in object Store"
| stats count by currStatus

There are 79 events; of these, 74 are enabled and 5 are disabled. The values enabled and disabled come from the currStatus field.
Tell Splunk which field to extract from by using the in option:

EXTRACT-service = [^:]+:[^:]+:(?<service>.+)$ in source
Hi @karthi2809, if currStatus has the values enabled or disabled, please try something like this:

"content.currStatus"="*" content.currStatus!="Interface has no entry found in object Store"
| rename content.currStatus AS currStatus
| stats count(eval(currStatus="enabled")) AS enabled_count count(eval(currStatus="disabled")) AS disabled_count last(currStatus) AS last_currStatus BY correlationId

In addition, one hint: always add the index containing these events; you'll have a faster search and you'll be sure to get the events. Ciao. Giuseppe
Use the below as an example, using both props and transforms; change to the sourcetype that you are using and, if it works, change your group names if desired.

Props.conf
[my_sourcetype]
REPORT-my_service = extract_service

Transforms.conf
[extract_service]
SOURCE_KEY = source
REGEX = [^:]+:(?<my_service>.+)$
FORMAT = my_service::$1
Thank you very much for your reply, @gcusello! I have some questions about your post: where can I configure for how long the UF stores the logs when the connection is interrupted? Also, how can I know the location where the UF stores these logs; is it some file within the add-on? And finally, what's the capacity of that file/those files where the logs will be stored in this scenario before the connection to the Splunk machine is re-established?
Try something like this:

"content.currStatus"="*" [search <your index> | stats latest(correlationId) as correlationId | table correlationId | format]
| where currStatus!="Interface has no entry found in object Store"
| stats count by currStatus
It looks like the app was not re-packaged properly on the Linux box.  Perhaps an extra directory level was added.
Hi All, the JAVA App Agent is not showing in Tier and Node; also, in the app agent logs I can see the following messages.

[AD Thread Pool-Global1] 02 May 2024 21:21:31,149 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:21:55,817 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:21:55,832 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:22:55,833 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:22:55,848 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:23:55,849 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:23:55,866 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:25:53,942 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:25:58,948 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:30:53,887 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:35:53,895 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:40:53,906 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:45:53,910 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:49:56,265 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:49:56,279 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:50:53,910 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:50:56,280 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:50:56,295 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:51:56,296 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:51:56,309 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:52:56,310 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)

Regards, Mandar Kadam
09-14-2017 10:43:30.132 -0400 WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 10994 - data_source="json.txt", data_host="n00bserver.n00blab.local", data_sourcetype="someSourcetype"

How did you go about solving this?
Hi @Poojitha, please try this:

| rex field=source ":(?<your_field>\w+)$"

or in props.conf:

EXTRACT-service = [^:]+:[^:]+:(?<service>.+)$ in source

which you can test at https://regex101.com/r/NBjX8h/1. Ciao. Giuseppe
Hi All, I am trying to get the count of enabled and disabled from a field. Then I want to show the field values based on the latest correlation ID. The currStatus field will run every 10 min.

"content.currStatus"="*"
| stats values(content.currStatus) as currStatus by latest(correlationId)
| where currStatus!="Interface has no entry found in object Store"
| stats count by currStatus
Here is the message logged on the peer side when starting, after adding register_replication_address:

05-02-2024 11:26:38.046 +0200 WARN CMSlave [1355571 indexerPipe] - Failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json manager=CM:8089 rv=0 gotConnectionError=0 gotUnexpectedStatusCode=1 actual_response_code=500 expected_response_code=2xx status_line="Internal Server Error" socket_error="No error" remote_error=Cannot add peer=NEW-IP mgmtport=8089 (reason: Peer with guid=F00C07FD-F8A6-4C15-91D3-8A6CDCF28C96 is already registered and UP). [ event=addPeer status=retrying AddPeerRequest: { active_bundle_id=054CB061CFCD038A4B98FCDB01CE3F2F add_type=Initial-Add base_generation_id=0 batch_serialno=1 batch_size=26 forwarderdata_rcv_port=9997 forwarderdata_use_ssl=0 guid=F00C07FD-F8A6-4C15-91D3-8A6CDCF28C96 last_complete_generation_id=0 latest_bundle_id=054CB061CFCD038A4B98FCDB01CE3F2F mgmt_port=8089 register_forwarder_address= register_replication_address=NEW-IP register_search_address=NEW-IP replication_port=8087 replication_use_ssl=0 replications= server_name=PEER-NAME site=site1 splunk_version=9.0.7 splunkd_build_number=b985591d12fd status=Up } Batch 1/26 ].
Hi All, I am trying to extract a value from an indexed field, i.e. from the source field. I have added the regex in props.conf.

Example:
source = 234234324234:us-west-2:firehose_list_tags_for_resource

I want everything after the second : (colon) as service, i.e. firehose_list_tags_for_resource. I have added in props.conf as below:

EXTRACT-service = source([^:]+:[^:]+:(?<service>.+)$)

This has created the field service, but it is fetching the wrong value: it is fetching the last part of the raw data. Please can anyone help me to understand how I can extract a field value from indexed data? Should I add it in transforms.conf as well? Please can anyone guide me; it would help me a lot. Regards, PNV
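For the source-field extraction discussed in this thread, here is an added Python version of the regex (example code, not anyone's posted props.conf) that shows why the same pattern returns the tail of the raw event when it is not told to read from source. Splunk's (?<service>...) is written (?P<service>...) in Python's re; the raw JSON event is a constructed sample.

```python
import re

# Added example, not the poster's props.conf.  Splunk's PCRE named group is
# (?<service>...); Python's re spells the same group (?P<service>...).
# The equivalent props.conf line quoted in this thread is:
#   EXTRACT-service = [^:]+:[^:]+:(?<service>.+)$ in source
SERVICE_RE = re.compile(r"^[^:]+:[^:]+:(?P<service>.+)$")


def extract_service(value: str):
    """Everything after the second colon, or None when there are fewer than two."""
    match = SERVICE_RE.search(value)
    return match.group("service") if match else None


# Constructed sample values: the source string from the post, and an invented
# raw event body that carries colons of its own (a timestamp and JSON keys).
SOURCE = "234234324234:us-west-2:firehose_list_tags_for_resource"
RAW = ('{"eventTime":"2024-05-02T10:00:00Z","eventName":"ListTagsForResource",'
       '"awsRegion":"us-west-2"}')


def compare_fields(source: str, raw: str) -> dict:
    """Run the same regex against source and against the raw event body.

    Against _raw the pattern latches onto the first two colons it finds in the
    event, so the captured 'service' is the tail of the raw data, which is the
    symptom described in the post; anchoring the extraction to source fixes it.
    """
    return {"from_source": extract_service(source),
            "from_raw": extract_service(raw)}


if __name__ == "__main__":
    print(compare_fields(SOURCE, RAW))
```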
I'm not sure I fully understand what's going on here. When you run the

|ldapsearch search="(objectClass=group)" attrs="*" | collect index=<ldapsearch>

command on your forwarder, do you get results or an error message? If you get results, then you should be able to simply search against the index on your search head. If you don't get results, then there's something else going on: is the app configured correctly? Is the query correct?
I have an input created in the DB Connect app to fetch the necessary rows from a DB2 table. The job is scheduled to run on a daily basis and to fetch only the previous day's data. I have left "Max rows to retrieve" and "Fetch size" at the default settings. Whenever my job runs, by default it is logging the same records twice. I am not sure what is causing this issue. I have attached a screenshot of the entries belonging to a primary key field where two events are indexed for each record. Could anyone help me in troubleshooting the issue?
Hi @splunky_diamond, to my knowledge, the only limit of Splunk is that logs must reach Splunk and be searchable! If you cannot be sure about this, there isn't any internal Splunk solution. If the network connection between the UF and Splunk is interrupted, the UF locally stores logs for some time and, when the connection is again available, it sends all logs to Splunk, but an attacker could also delete Splunk temp files, so you cannot do anything. You can be informed that there could be an attack when the data flow is interrupted and when, after the network connection is again available, Windows logs are missing. In other words, Splunk saves your data for a while, to avoid data loss during network issues, but these logs could be deleted by an attacker. The only way is to be notified that there could be an attack. Ciao. Giuseppe
Hey Folks, we are trying to deploy the machine agent on EKS 1.27. The version of the machine agent is v22.3.0. The pod gets stuck with the below error:

Error in custom provider, javax.xml.ws.WebServiceException: Failed to get a response from /info using a GET request. The error encountered is: java.net.SocketException: Connection refused
[machineagent.jar:Machine Agent v22.3.0-3296 GA compatible with 4.4.1.0 Build Date 2022-03-18 19:50:59]
Could not start up the machine agent due to: Failed to get a response from /info using a GET request. The error encountered is: java.net.SocketException: Connection refused
Please see startup.log in the current working directory for details