All Posts

It would be better to give us some more context - it helps with trying to help and answer your question. I guess you are trying to remove / filter out some data? This is just guessing on what you may be wanting to do. This is an example using makeresults; this filters out ticket_id=5678 (so apply the same principles to your code):

| makeresults
| eval _raw="ticket_id,priority,status
123,P1,Closed
5678,,
8765,P2,Closed"
| multikv forceheader=1
| search ticket_id!=5678
| table ticket_id, priority, status
I am trying to change the host name from short name to FQDN in the deployment server GUI for Windows servers. I have the inputs.conf and server.conf already set as $decideOnStartup and fullyqualifiedname respectively in the local app folder. The hostname doesn't change in the GUI. The search logs show FQDN for Windows servers after setting up the inputs and server conf as above. But the hostname in the GUI remains the same as the shortname. How do I change it?
Hi @edoardo_vicendo, the weird thing is the local folder with app.conf inside has been created in the deployment-apps folder when restarting/reloading the deploy-server.
Expected Output:

Ticket ID   Priority   Status
1234        P1         Closed
5678
8765        P2         Closed
Hi everybody, I need to install a PHP agent for a dockerized application. The application is a CRM called SuiteCRM. I was not able to find documentation about it in the PHP section, and the docker section only mentions Java, .NET and NodeJS: https://docs.appdynamics.com/appd/24.x/latest/en/application-monitoring/install-app-server-agents/agent-management/supported-automation-tools-to-deploy-agents/docker So I want to ask if somebody knows whether it is possible to install the PHP agent in this dockerized SuiteCRM application, and if it is possible, what kind of considerations I should be aware of. At the moment there is no orchestrator to autoscale the container. Thanks in advance.
Hi, have you met all the following conditions?

The Splunk platform instance must be configured to use the Local System user to run all PowerShell scripts.
PowerShell version 3.0 or higher must be installed on the machine.
Microsoft .NET version 4.5 or higher must be installed on the machine.

There might be additional requirements to run PowerShell scripts depending on the version of Windows and PowerShell. See the Microsoft documentation on PowerShell for details.
First manually create the lookup and the definitions; if using CLI, use the below example and test it in Splunk, so you know this works. (It sounds like you have done this, not sure.) Ensure this knowledge object is inside your app/lookup folder and the lookup is shared for all (you may have done this all in the GUI, not sure).

/yourapp/local/transforms.conf
[mylookup]
filename = my_lookup.csv

From your Splunk search bar run the below to see the data:

| inputlookup mylookup

If this works then it must be a permissions issue somewhere. Post your PowerShell script process, ensure the splunk user (or whatever user you have used on the Splunk/Windows platform) can read the lookup file and that it's the same name you used when you created it, like in the transforms.
Hi @Dallastek1, mrsparkle is responsible for the web interface provided by Splunk.
@splunkreal ideally if you create the app you should put the configs in the default folder. You should see yourself as the author. About your question, yes, when you deploy an app the entire app folder on the client is replaced by the new one. Therefore if you first manually created an app on a client (for test), and later you want to move the management of that app to the deployment server because you have several clients, then it is the deployment server that will drive. From then on any change needs to be made on the DS. Best Regards, Edoardo
Maybe it's not taking the settings due to app/config order precedence; run this to see your apps' settings:

| rest splunk_server=local services/configs/conf-ui-prefs
| rename eai:appName AS app
| table app, disabled, display.events.maxLines, eai:acl.owner, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing

As these settings are in the search app MaxLines_Values (YOUR_APP): this file, ui-prefs.conf, needs to be in the default folder in your app MaxLines_Values; it will then auto place it into local in cloud. Make sure you update the version number so Splunk takes the new version, as you already have it in there.

/default/ui-prefs.conf
[search]
display.events.maxLines = 20

Your metadata needs permissions:

metadata/default.meta
[]
access = read : [ * ], write : [ admin, sc_admin ]
export = system

I can't test this as I don't have cloud, but worth a go; if that fails it is worth installing https://splunkbase.splunk.com/app/6368 as this can show app precedence order:

| btool ui-prefs list --local
I don't think this is the issue, I am using Linux.
Hi Splunkers, I have an issue with a line breaking use case. I know it is very simple to fix, but I still have the problem, so there is something I'm not getting in the right way.

First, a little bit of info about the env.
Log source: custom application
Input type: File monitor
Input file monitoring: via UF, so an app has been deployed with a DS
Final flow: Log Source with UF -> HF -> Splunk Cloud
Data are ingested? Yes.

Issue: once logs are collected, we get a single big log. So, we need to separate logs into different events. So I thought: OK fine, I did a lot of custom addons, I know how to do it. By the way, I did not perform the initial configuration of the UF, so I checked the related deployed app and logs. That's the summary:

Single event ends with "platform":"ArcodaSAT"}
The UF deployed app is very simple: it has an app.conf, an inputs.conf and a props.conf. The inputs.conf file works fine, as logs are ingested from the right source.
Below, the settings I found in props.conf:

[<sourcetype_name>]
CHARSET=AUTO
LINE_BREAKER = (\"platform\"\:\"ArcodaSAT\"\})
SHOULD_LINEMERGE = true

Observation: the regex is fine; I tested it on regex101 with a log sample and it catches fine. I tried, in the LINE_BREAKER, both using round brackets - because the documentation says that parameter uses the capture group to check where a new log starts - and without. Same result. SHOULD_LINEMERGE has been set both as true and false: same result.

Let me say again: I know this is some nonsense I'm missing, but I can't find it.
Even untarring and re-tarring with different permissions will not let me package, because the permissions are 644 and there is no execute permission.
I followed the permissions from the list https://dev.splunk.com/enterprise/reference/appinspect/appinspectcheck/?_gl=1*fchjpf*_ga*MTA4MzA2OTgyNS4xNzA2MDE0Nzg4*_ga_GS7YF8S63Y*MTcxNDYzNDAxNy43Mi4xLjE3MTQ2MzYxMDAuNTcuMC4w*_ga_5EPM2P39FV*MTcxNDYzMzg3Ni4xMzAuMS4xNzE0NjM2MTM3LjAuMC43MzQxMzI1OTE.&_ga=2.202439633.1531808691.1714369489-1083069825.1706014788&_gac=1.15736132.1712044493.Cj0KCQjw2a6wBhCVARIsABPeH1t5zRXtGhlOnCnFrrO2uJB84ZoqzRxjfVT0wZruAQGQ9rWcd5insFMaAkIgEALw_wcB#Source-code-and-binaries-standards  
No, I use Linux (Ubuntu WSL) on Windows. I can set permissions correctly, but the problem is that with 644 permissions I can't run slim package app-folder.
I'm guessing you're packaging the app on a Windows machine. That will never work because Windows can't/won't set the file permissions correctly. When I used to package on Windows, I would transfer the .tgz file to a Linux system, explode it, change the permissions, then re-tar it and transfer it back to the Windows machine for uploading.
Hi @mshakeb, having an Indexer Cluster, the best solution is adding three new Indexers to the old CM using RF=3 and SF=3; in this way, after some time, in the new three Indexers you will have a complete set of data. When data has been replicated to the new indexers, remove the three old Indexers one by one, then change RF and SF back to the original. At last, replace the CM following the documentation. Plan these activities with much attention! Ciao. Giuseppe
In clustered Splunk, folder names in the thaweddb folder should match the db_<newest_time>_<oldest_time>_<bucketid>_<guid> naming convention. Also you can restore data from another indexer; just change the GUID to the local one (found in etc/instance.cfg). Please note that the rb_ prefix should also be renamed to db_.
Whenever I package the Splunk app, I get an execute permission error because I have 744 permissions on conf files but Splunk expects them to be 644. With 644 permissions I cannot package the app; is there any workaround for this? Below is the screenshot of the error.
I have a PowerShell script that needs to be run as admin to be able to load in all of the data. It returns a .csv file that exports to the lookups folder so that we can pull out the data and use said data. I have the script in the correct directory on the Splunk server and can see it and I can run it, but I'm not getting data out of it, which is making me think that the script is not being run as an admin. I've tried a few things but can't get it to work correctly. I've come to a couple of different options for what to do here.

1. Make a managed service account that runs the script as an admin.
2. Try to configure splunkd to allow running as admin (if possible?)
3. Other recommendations?

I'm relatively new to Splunk. Just trying to learn all I can and I appreciate any pointers/guidance.