Is there any way to search for events which have any special characters? Thanks in advance for any help.
This is an ancient thread, but bears updating. As of 9.1.x, this is what I see: Default is 10K lines. You need to change it in alert_actions.conf. Any change there will propagate to "Advanced Edit" for a saved search; there is no need to change the value there. If the mail doesn't come through, look through splunkd logs for "Message size exceeds fixed limit", as many mailers reject attachments larger than a given size (10M is typical).
Hi @Fabian_W , This app is indeed externally hosted on GitHub; if you want to use it, just clone the repo or download a copy of it. Hope this helps ... Cheers, MuS
Thanks. Since transforms.conf doesn't have the limitations of EXTRACT, I finally got it working.
So I got a resolution elsewhere, and I want to close this post out with a resolution so it is helpful to anyone else: "You should be able to fix that problem and join the cluster by updating your server.conf as follows."

[general]
site = site1

[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster. Be sure to use the clear text pass4symmkey again and restart the splunk service."
Hi @hazem , when the primary site is down, you can access the secondary site Indexer for searches. But remember that when using an IDX cluster, you must use a Search Head to search on the two clustered Indexers; it isn't possible to use the same server for searches as a stand-alone server. From version 7, a Splunk IDX Cluster is accessible only using a Search Head. Ciao. Giuseppe
Question: the educational clips explain that an alert is generated from Splunk and sent to SOAR. This process is cumbersome. I want to have SOAR take action for gifts without creating an alert; I mean the process is automatic.
Really what I want is to replace that default text with something like this (below) instead of the message in the picture above. Example:

Alert Description:
Alert Steps: Look at it. Do Something.
Alert Escalation:
Alert Updating:
Hello @gcusello , I think the below answer will be suitable for a multi-site cluster, and in a single site-cluster during a DR Drill both nodes will be down and searching may be affected. Am I right?

"During DR, you have the primary site and probably also the Cluster Manager both down, but you can search on the Indexer in the secondary site, which will have all the data from the replication; for this reason you cannot have a shorter retention time in the secondary site. The secondary site continues to work (also without CM) until the primary site and CM come up again; at this point there will be the data balancing, replicating the data indexed during the DR."
Hi there, I wanted to download the Embedded Dashboards For Splunk (EDFS) App. For me I can only visit the GitHub repo. Is the App missing? Or is the code/config in GitHub the 'app'? https://splunkbase.splunk.com/app/4377 In GitHub itself I don't find anything to download, only config and code files. Best regards, Fabian
Hi @hazem , During DR, you have the primary site and probably also the Cluster Manager both down, but you can search on the Indexer in the secondary site, which will have all the data from the replication; for this reason you cannot have a shorter retention time in the secondary site. The secondary site continues to work (also without CM) until the primary site and CM come up again; at this point there will be the data balancing, replicating the data indexed during the DR. Ciao. Giuseppe
Hi @Roy_9, check the executable grants and check whether the file owner (splunk, I suppose) is also the owner of the splunkd process running on the server. If the owner is root and the process runs as splunk, there could be an issue. Ciao. Giuseppe
Super! Thanks!
Here is a runanywhere example showing it working:

| makeresults
| eval guid=1
| eval property="start"
| eval value="2024-04-30T12:01:04.215Z"
| xyseries guid property value
| eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")

Please share some actual examples (anonymised of course) where this technique does not work.
@gcusello We are using a git repo for any code changes, and I have validated that the permissions are set to executable on the deployers. Do you want me to push these once again?
Thank you very much for helping me! This works fine now! Have a nice day!
Thanks, Giuseppe! See you next time! Have a nice day.
Hi @gcusello , Regarding this point you have raised: "You cannot configure stand alone Indexers, you can configure two IDX located in two different locations and managed by a Cluster Master." So if I used this approach, and during a DR Drill all nodes located in one site and also the cluster master node are down, searching will be affected. Am I right?
Hi @saidAb , good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.