Ubuntu on Windows is still Windows.  I had the same problem.  You have to use a real Linux box.
The props.conf file should be on the machine that is parsing your logs. If your log path is UF->HF->Cloud, then likely the HF machine is the one doing the parsing, and it should have the props.conf file, not the UF.

Also, keep in mind that the first capture group of LINE_BREAKER is discarded. It is intended to capture the filler characters that occur between distinct events. If you would like to keep "platform":"ArcodaSAT"} as part of the first event, then it should not be in a capture group. Try this:

LINE_BREAKER = \"platform\"\:\"ArcodaSAT\"\}()

For SHOULD_LINEMERGE, this would be better set as false unless you would like events to be recombined to make bigger events. If your LINE_BREAKER above works well to separate distinct events, then SHOULD_LINEMERGE should be false:

SHOULD_LINEMERGE = false
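To see what the capture-group rule above actually does to the data, here is an added example (not part of the original post, and not Splunk's own code) that emulates LINE_BREAKER semantics in Python: at each regex match, the start of capture group 1 ends the previous event, the text inside the group is discarded, and the end of the group begins the next event. The two LINE_BREAKER values are the one suggested in the reply and the variant it warns against; the raw sample is constructed. Python's re is not Splunk's PCRE engine, so treat this as a way to check the boundary logic before touching a heavy forwarder, not as a substitute for testing there.

```python
import re
from typing import List

# LINE_BREAKER values as they would be written in props.conf.  Python's re
# treats the backslash escapes on " : } as literal characters, so the strings
# can be used unchanged.
LINE_BREAKER_CAPTURED = r'(\"platform\"\:\"ArcodaSAT\"\})'  # terminator inside group 1: it is discarded
LINE_BREAKER_FIXED = r'\"platform\"\:\"ArcodaSAT\"\}()'     # empty group after the terminator: nothing discarded
LINE_BREAKER_DEFAULT = r'([\r\n]+)'                          # Splunk's default value

# Constructed sample: two JSON events concatenated with no separator between them.
RAW = '{"id":1,"platform":"ArcodaSAT"}{"id":2,"platform":"ArcodaSAT"}'


def split_events(raw: str, line_breaker: str) -> List[str]:
    """Emulate Splunk's LINE_BREAKER handling.

    For each match of the regex, the start of capture group 1 marks the end of
    the previous event and the end of capture group 1 marks the start of the
    next one; whatever group 1 matched is dropped.  Empty leftovers (for
    example the slice after the last terminator) are not emitted as events.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capture group")
    events = []
    pos = 0
    for m in pattern.finditer(raw):
        if m.start(1) < 0:          # group 1 did not participate in this match
            continue
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]


if __name__ == "__main__":
    # The "captured" pattern strips the platform field from every event; the
    # "fixed" pattern keeps each JSON object intact.
    for name, lb in (("captured", LINE_BREAKER_CAPTURED), ("fixed", LINE_BREAKER_FIXED)):
        print(f"{name}:")
        for ev in split_events(RAW, lb):
            print("   ", ev)
```

Run it and compare the two outputs: with the terminator inside the group, each event ends at `"id":1,` and the closing JSON is gone; with the empty group after `}`, both objects survive whole, which is why the reply puts `()` at the end.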
A temporary workaround that worked for us was setting current_only to 1 and restarting the forwarder. splunk-wineventlog.exe still crashes and restarts, but it does at least read some events and send them before it does.
Has anyone seen this issue while installing the Splunk forwarder on FreeBSD 13.3? Or any idea why we are getting this? I am trying to install the Splunk forwarder 9.0.2.

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account. Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: admin
ERROR: pid 18277 terminated with signal 11 (core dumped)
Hello,

Background: I am generating alerts around our Office 365 environment using the Content Pack for Microsoft 365. I have limited search query experience but am willing to put in the time to learn more as I go. About the Content Pack for Microsoft 365 - Splunk Documentation

Trying to accomplish: Runs every 10 minutes > Trigger a single alert if "id"/"Ticket" is unique for every result > Throttle for 24 hours

This is just an example of my search query:

(index=Office365) sourcetype="o365:service:healthIssue" service="Exchange Online" (classification=incident OR classification=advisory) (status=serviceDegradation OR status=investigating)
| eventstats max(_time) as maxtime by id
| where _time = maxtime
| mvexpand posts{}.description.content
| mvexpand posts{}.createdDateTime
| rename posts{}.description.content AS content posts{}.createdDateTime AS postUpdateTime
| stats latest(content) AS Content latest(status) AS Status earliest(_time) AS _time latest(postUpdateTime) AS postUpdateTime by service classification id isResolved
| fields _time service classification id Content postUpdateTime Status isResolved
| sort + isResolved -postUpdateTime
| rename isResolved AS "Resolved?" service AS Workload id AS Ticket classification AS Classification postUpdateTime AS "Last Update"

Would I need a custom trigger? And what result would be required for suppressing?

What is happening: There could technically be 3 events based on the search query, but the alert will only send 1 email to me (with only 1 event) instead of 3 individual alert emails with 3 separate events. I am trying to prevent the same alert being generated for the same "Ticket/ID", so that if a new event happens it will trigger the alert. Should I be using a custom trigger? And if so, what result would I suppress to prevent multiple alerts for the same "ticket/id"? I would be grateful for any help!

Thank you!
Hi @Kjell.Lönnqvist, I know you asked your question a while ago, but Steve has offered some insight if this is still a question you have. Feel free to jump in and continue the conversation. 
Hi @Abdulrahman.Kazamel, Thank you for asking your question on the Community. I don't fully understand your question. Can you please try explaining again? In case you didn't know, you can always check out AppD Docs for helpful information. 
I need to skip 1st 10 lines of key field "_raw"
I would try to reboot the deployment server – it could be a cache issue.
It would be better to give us some more context; it helps with trying to help and answer your question. I guess you are trying to remove / filter out some data? This is just guessing at what you may be wanting to do. This is an example using makeresults; it filters out ticket_id=5678 (so apply the same principles to your code):

| makeresults
| eval _raw="ticket_id, priority,status
123,P1,Closed
5678,,
8765,P2,Closed"
| multikv forceheader=1
| search ticket_id!=5678
| table ticket_id, priority, status
I am trying to change the host name from short name to FQDN in the deployment server GUI for Windows servers. I have inputs.conf and server.conf already set as $decideOnStartup and fullyqualifiedname respectively in the local app folder. The hostname doesn't change in the GUI. The search logs show the FQDN for Windows servers after setting up inputs.conf and server.conf as above, but the hostname in the GUI remains the same as the short name. How do I change it?
Hi @edoardo_vicendo, the weird thing is that the local folder with app.conf inside has been created in the deployment-apps folder when restarting/reloading the deployment server.
Expected Output:

Ticket ID   Priority   Status
1234        P1         Closed
5678
8765        P2         Closed
Hi everybody, I need to install a PHP agent for a dockerized application. The application is a CRM called SuiteCRM. I was not able to find documentation about it in the PHP section, and the Docker section only mentions Java, .NET and NodeJS: https://docs.appdynamics.com/appd/24.x/latest/en/application-monitoring/install-app-server-agents/agent-management/supported-automation-tools-to-deploy-agents/docker So I want to ask if somebody knows whether it is possible to install the PHP agent in this dockerized SuiteCRM application, and if it is possible, what kind of considerations I should be aware of. At the moment there is no orchestrator to autoscale the container. Thanks in advance.
Hi, have you met all the following conditions?

The Splunk platform instance must be configured to use the Local System user to run all PowerShell scripts.
PowerShell version 3.0 or higher must be installed on the machine.
Microsoft .NET version 4.5 or higher must be installed on the machine.

There might be additional requirements to run PowerShell scripts depending on the version of Windows and PowerShell. See the Microsoft documentation on PowerShell for details.
First manually create the lookup and the definitions. If using the CLI, use the example below and test it in Splunk, so you know this works. (It sounds like you have done this, not sure.) Ensure this knowledge object is inside your app/lookups folder and the lookup is shared for all (you may have done this all in the GUI, not sure).

/yourapp/local/transforms.conf
[mylookup]
filename = my_lookup.csv

From your Splunk search bar run the below to see the data:

| inputlookup mylookup

If this works then it must be a permissions issue somewhere. Post your PowerShell script process; ensure the splunk user, or whatever user you have used on the Splunk/Windows platform, can read the lookup file and that it has the same name you used when you created it, like in the transforms.
Hi @Dallastek1, mrsparkle is responsible for the web interface provided by Splunk.
@splunkreal, ideally if you create the app you should put the configs in the default folder. You should see yourself as the author. About your question: yes, when you deploy an app, the entire app folder on the client is replaced by the new one. Therefore, if you first manually created an app on a client (for test), and later you want to move the management of that app to the deployment server because you have several clients, then it is the deployment server that will drive. From then on, any change needs to be made on the DS. Best Regards, Edoardo
Maybe it's not taking the settings due to app/config precedence order. Run this to see your app's settings:

| rest splunk_server=local services/configs/conf-ui-prefs
| rename eai:appName AS app
| table app, disabled, display.events.maxLines, eai:acl.owner, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing

As these settings are in the search app MaxLines_Values (YOUR_APP): the file needs to be ui-prefs.conf and needs to be in the default folder in your app MaxLines_Values; it will then be auto-placed into local in Cloud. Make sure you update the version number so Splunk takes the new version, as you already have it in there.

/default/ui-prefs.conf
[search]
display.events.maxLines = 20

Your metadata needs permissions:

metadata/default.meta
[]
access = read : [ * ], write : [ admin, sc_admin ]
export = system

I can't test this as I don't have Cloud, but it is worth a go. If that fails, it is worth installing https://splunkbase.splunk.com/app/6368 as this can show the app precedence order:

| btool ui-prefs list --local
I don't think this is the issue, I am using Linux.