Is there any free alternative to this, as it went out of support? Many thanks.
May I ask if you're using this to track Exchange distribution group changes? Based on my testing, and thanks a lot for sharing your query, it generates a lot of events, because, even if you just remove a member from a group, Exchange will remove and re-add the others... Has anyone found a way to work around this? Cheers!
Hi. I would thoroughly read this doc: https://docs.splunk.com/Documentation/Splunk/9.1.4/Installation/AboutupgradingREADTHISFIRST

I would make sure you migrate your kvstore before going to 9.x. If you aren't a member of Splunk's Slack usergroups instance, now is a good time to join. There's a Slack channel just for 9.x upgrade issues. Good luck!
At this moment, all message responses come in less than 10 seconds. This is okay. We want to create an alert that fires if, e.g., the following happens:

Time        message response code
15:00:43    200
15:00:45    200
15:00:54    200

or

Time        message response code
15:00:43    200
15:00:55    200
15:00:56    200

So if 3 responses with code 200 come with no error response between them, and in total they take more than 10 seconds.
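The condition described above (three consecutive 200 responses with no error response between them, spanning more than 10 seconds from first to last), worked through as an added example that is not part of the original post. It checks constructed sample events in Python so the sliding-window logic is visible step by step; the event shape (time, code) and the sample timestamps are constructed.

```python
"""Check for the slow-success pattern from the post: three consecutive
responses with code 200, no error response in between, whose timestamps
span more than 10 seconds. Added example; events below are constructed."""
from datetime import datetime, timedelta

WINDOW = 3                       # consecutive successful responses per check
MAX_SPAN = timedelta(seconds=10) # alert when first-to-last exceeds this

# Constructed sample events (time, response code). The first and last
# groups reproduce the two cases from the post; errors separate the groups.
SAMPLE_EVENTS = [
    ("15:00:43", 200), ("15:00:45", 200), ("15:00:54", 200),  # 11 s span -> alert
    ("15:00:58", 500),                                         # error breaks the run
    ("15:01:00", 200), ("15:01:02", 200), ("15:01:05", 200),  # 5 s span -> fine
    ("15:01:09", 503),                                         # error breaks the run
    ("15:03:43", 200), ("15:03:55", 200), ("15:03:56", 200),  # 13 s span -> alert
]


def parse(hhmmss):
    """Parse an HH:MM:SS string; only differences between times are used."""
    return datetime.strptime(hhmmss, "%H:%M:%S")


def slow_success_runs(events, window=WINDOW, max_span=MAX_SPAN):
    """Return (first_time, last_time) for every window of `window`
    consecutive 200 responses whose first-to-last span exceeds max_span.
    Any non-200 response resets the run, as the post requires."""
    alerts = []
    run = []  # timestamps of the current unbroken run of 200s
    for ts, code in sorted(events, key=lambda e: parse(e[0])):
        if code != 200:
            run = []          # an error response in between ends the run
            continue
        run.append(parse(ts))
        if len(run) > window:
            run.pop(0)        # keep only the last `window` successes
        if len(run) == window and run[-1] - run[0] > max_span:
            alerts.append((run[0].strftime("%H:%M:%S"),
                           run[-1].strftime("%H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for first, last in slow_success_runs(SAMPLE_EVENTS):
        print(f"ALERT: 3 x 200 from {first} to {last} took more than 10 s")
```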
"FileName":"" does not produce a null field, it produces a field with an empty string. This is what you are probably seeing. If you want to cope with this, you should set the FileName and filename fields to null() if they are empty strings:

| eval FileName=if(FileName="", null(), FileName)
| eval filename=if(filename="", null(), filename)
thanks @danspav ! that is very helpful!
Hello and thank you in advance for any insight. I am working on upgrading Splunk Enterprise from 8.2.3.2 to 9.1.4. I have been digging into the release notes and want to double-check I am not missing anything significant.  Has anyone had any issues upgrading from Splunk Enterprise 8.2.3.2 to 9.1.4? 
You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_parameters

Try something like this:

https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description
Thanks VM, got it working now.
Hello, I'm having problems using roles. I use this search, which gives me results via the admin role.

[search index="idx_arv_ach_cas_traces" source="*orange_ach_cas_traces_ac_20*" nom_prenom_manager="*" nom_prenom_rdg="*" cuid="*" ttv="*" (LibEDO="*") (LibEDO="*MAROC ANNULATION FIBRE INTERNET" OR LibEDO="*MAROC CTC ET PROSPECT" OR LibEDO="*MAROC CTC HOME" OR LibEDO="*MAROC HORS-PROD" OR LibEDO="*MAROC N1 ACH" OR LibEDO="*MAROC N2 ACH GESTION" OR LibEDO="*MAROC N2 ACH RECLAMATION" OR LibEDO="*MAROC N2 ACH RECOUVREMENT" OR LibEDO="*MAROC RECOUVREMENT SOSH" OR LibEDO="*MAROC GESTION MS") ((lib_origine="Appel Reco" OR "Appel Sortant" OR "BO Récla Recouv" OR "Correspondance Entrante" OR "Correspondance Sortante" OR "Courrier Ent Fidé" OR "Etask") OR (lib_motif="Contact Flash" OR "Contact non tracé" OR "Traiter une demande en N2" OR "Verbatim urgent") OR (lib_resultat="Client Pro" OR "Contact Flash" OR "Contact non tracé")) AND (cuid!="AUTOCPAD" AND cuid!="BTORCPAD" AND cuid!="COCOA01" AND cuid!="CRISTORC" AND cuid!="ECARE" AND cuid!="FACADE" AND cuid!="IODA" AND cuid!="MEFIN" AND cuid!="ND" AND cuid!="ORCIP" AND cuid!="ORDRAGEN" AND cuid!="PORTAIL USSD" AND cuid!="RECOU01" AND cuid!="SGZF0000" AND cuid!="SVI" AND cuid!="USAGER PURGE" AND cuid!="VAL01")
| eventstats sum(total) as "Nbre_de_tracages" by lib_origine
| top "Nbre_de_tracages" lib_origine
| sort - "Nbre_de_tracages"
| head 5
| streamstats count as row_number
| search row_number=1
| return lib_origine]
nom_prenom_manager="*" nom_prenom_rdg="*" cuid="*" ttv="*" (LibEDO="*") (LibEDO="*MAROC ANNULATION FIBRE INTERNET" OR LibEDO="*MAROC CTC ET PROSPECT" OR LibEDO="*MAROC CTC HOME" OR LibEDO="*MAROC HORS-PROD" OR LibEDO="*MAROC N1 ACH" OR LibEDO="*MAROC N2 ACH GESTION" OR LibEDO="*MAROC N2 ACH RECLAMATION" OR LibEDO="*MAROC N2 ACH RECOUVREMENT" OR LibEDO="*MAROC RECOUVREMENT SOSH" OR LibEDO="*MAROC GESTION MS") ((lib_origine="Appel Reco" OR "Appel Sortant" OR "BO Récla Recouv" OR "Correspondance Entrante" OR "Correspondance Sortante" OR "Courrier Ent Fidé" OR "Etask") OR (lib_motif="Contact Flash" OR "Contact non tracé" OR "Traiter une demande en N2" OR "Verbatim urgent") OR (lib_resultat="Client Pro" OR "Contact Flash" OR "Contact non tracé")) AND (cuid!="AUTOCPAD" AND cuid!="BTORCPAD" AND cuid!="COCOA01" AND cuid!="CRISTORC" AND cuid!="ECARE" AND cuid!="FACADE" AND cuid!="IODA" AND cuid!="MEFIN" AND cuid!="ND" AND cuid!="ORCIP" AND cuid!="ORDRAGEN" AND cuid!="PORTAIL USSD" AND cuid!="RECOU01" AND cuid!="SGZF0000" AND cuid!="SVI" AND cuid!="USAGER PURGE" AND cuid!="VAL01")
| stats sum(total) as "nb_tracages" by cuid lib_origine
| sort -nb_tracages
| head 5

When I use another role, the first part of the search works, but not the second. The search on nom_prenom_manager="*", ... doesn't give any results, whereas with the admin role it does. I can't modify the query because I don't have rights to it, but I have to play with the roles. I'd like to point out that the manager_last_name field is obtained via an automatic lookup. But there's no problem with specific rights for the admin role. I've tried everything, but I can't find a solution; please, does anyone have an idea?
Hey @SplunkExplorer, as you mentioned, it indeed is a permission issue. The lookup might be created within the search app context and the permission might not be shared to access the lookup within a different app context. You can update the permission of the KO to be shared globally and it should resolve your concern.

Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated.
Hello! You are not required to use data models or CIM compliance in correlation searches, so that isn't the issue here. Just to verify: if you copy/paste this exact search into a regular search bar, it will find results? If that is the case, here's what I would check:

- Is it looking back the same amount of time? Make sure your correlation search is using the same look back as your manual search.
- Are you executing the search within the Enterprise Security app when you are testing? If not, try it there. If the results don't return within the Enterprise Security app but they do within a different app, it could be a permissions/sharing setting for field parsings.
This seems to be a known issue with 9.1. As you can see, a minimum-privileged user splunkfwd is automatically created.

Reference: SPL-242093, SPL-242240 (https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/KnownIssues)

Workaround: https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installleastprivileged
I'm marking this as the solution since it makes my search nearly instant. Though join might not be optimal, this change is sufficient for my needs at the moment, thanks a lot @PickleRick and also @ITWhisperer for the time and effort spent. Much appreciated!
Thanks, this works but only gives me one transaction in the result
{ "correlationId" : "3df40a3e4f07-b3ae-8b3ab12fa904", "timestamp" : "2024-04-03T08:12:12.071Z", "content" : { "FileName" : "Liability.csv.pgp" }, "applicationName" : "p-abk-finance-api", "applicationVersion" : "1.0.1" }

{ "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904", "timestamp" : "2024-04-03T08:12:11.218Z", "content" : { "message" : "Workday successful", "FileList" : [ "_Liability_Accrual.csv.pgp" ], "FileName" : "" }, "applicationName" : "p-abk-finance-api", "applicationVersion" : "1.0.1" }

{ "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904", "timestamp" : "2024-04-03T08:12:10.212Z", "content" : { "FileName" : "" }, "applicationName" : "p-abk-finance-api", "applicationVersion" : "1.0.1" }

Please find the events above.
There doesn't appear to be anything wrong with what you are doing (I am unable to reproduce what you are seeing with dummy data). I have to conclude it is something about your actual data. Please can you share some anonymised representative sample events which demonstrate the issue you are seeing?
Hi @SanjayReddy, thank you for your reply. Unfortunately, this is not working, since your proposed command will display the same fields as in the menu Fields > Calculated fields. I think the issue is more related to the authorisations. I am 100% sure that I allowed my role to read/write the newly created variable. But I can't find it.

Regards.
Hello there, I'm a newbie to Splunk and need your help please to forward syslog logs coming into Splunk to another third-party Linux server. I can clearly see on my SH instance that there are logs with sourcetype=syslog, but when I use a heavy forwarder to forward these logs I receive nothing. I configured the receiving side of the heavy forwarder to listen on 9997. Then my sources send their logs to the HF using 9997. The HF also transmits all it receives to the Splunk SH on 9997, and I'm also trying to transmit syslog to the third-party server. When I configure the outputs with the following configuration for syslog, I receive nothing on my server.

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]

And when I just use

[tcpout:custom_group]
server = ip:port
sendCookedData = false

I receive all kinds of data and none is tagged with a sourcetype. Although I can see syslog events among them, they are not tagged properly.

Please help me out. Thanks in advance.
Bingo. It turned out that the data comes from indexers; simply NOT the ones that ES is able to query. There is another cluster that produces this data, but the SH with ES is not able to query it. Thanks for your help.