All Posts

I am getting the following error: command="sendemail", (*****SMTP; Client was not authenticated to send anonymous mail during MAIL FROM', '*****.com') while sending mail to: it-security@durr.com
Hi @swaprks, If you're relying on automatic field extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true, or KV_MODE = json, or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.:

initiatedBy.user.id
targetResources{}.id

Arrays are extracted as multi-valued fields, e.g.:

targetResources{}.modifiedProperties{}.displayName := AccountEnabled StsRefreshTokensValidFrom UserPrincipalName UserType Included Updated Properties

Automatic extraction of arrays of objects with array fields can also be confusing. To return the native JSON directly, extract the fields as part of your search:

index=directoryaudit
| eval json=json(_raw), initiatedBy=json_extract(json, "initiatedBy"), targetResources=json_extract(json, "targetResources")
| fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime
Thank you @gcusello. But I do not own a Splunk system, so I have no Support account. I am just a developer who has published two Apps at Splunkbase. Should I ask via e-mail Splunk Developer instead? Best regards, Altin
Hi @Mfmahdi, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @aasserhifni, the apps distributed by the Deployer are in this folder, not in apps, and aren't installed on the Deployer. Is this app in the $SPLUNK_HOME/etc/shcluster/apps folder of the Deployer? If this app is in this folder, remove it and push the apps again. Ciao. Giuseppe
Hi, you could read more about how to use btool check at https://dev.splunk.com/enterprise/tutorials/module_validate/validateapp/ r. Ismo
As a quick follow-up, the setting is recognized by all currently supported versions of Splunk Enterprise and present at least as far back as Splunk Enterprise 8.1; however, it's not documented.
Probably because you have an "Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf, pass4SymmKey".
The Search Head Cluster Deployer is not the same as Deployment Server (yes, I know the naming can be confusing). BTW SH captaincy doesn't have anything to do with deploying apps.
Dears, kindly support: why am I getting "Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf, pass4SymmKey" in my search head cluster? I made sure that the passkey in the SHC and the deployer is the same. Thank you
Hi @gcusello, the app was installed on a single search head, neither the deployer nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head, and I also don't have the option to disable either the app or the add-on from the search head GUI. Thank you for understanding my odd situation.
Hi @aasserhifni, sorry but I don't understand: do you have a Search Head Cluster or not? If you have a SHC you cannot directly install an app on a SH, and removing passes through the Deployer; if you don't have a SHC, you can remove an app only by removing the folder and restarting Splunk. Ciao. Giuseppe
You also need the list_all_users capability in your role, to list all users. For the alerts, your user needs permission to read the alert to fetch triggered alerts.
Hi, @PickleRick. The threatq app was only installed on a single search head, neither the deployer nor the search head captain. I tried removing everything related to threatq multiple times from this search head, but these files keep appearing again, and there is also no disable option when I try to disable the threatq app or anything related to it from the search head GUI.
Hi, @gcusello. Sorry for my late reply. I already tried your solution but still have the same issue. Also mentioning that the threatq app was installed on a single search head, not the deployer or the search head captain.
For future reference, so that if someone finds this thread it has full information: tell us what you did to make things work in the end, and what the problem was.
It's all working now. Thank you for your help.
We're getting somewhere. As you can see some non-zero values, it means that some data is indeed being received by the UDP input. Now we need to find where it goes to. By the fact that it's a Windows installation and because it's called "DESKTOP-something", I assume that it's your private test box and you're not having a lot of data on it. So you can run an index=* search over "All time (real-time)" - this is one of the very, very rare cases where a real-time search makes sense. Very important - don't try this on any production or heavily loaded test box. With this you can see the events as they come into your Splunk box (so if your events are rare you might have to wait a while). Check the index, source, sourcetype and timestamp of the incoming events. Another way to find where those events are could be to run:

| tstats count where index=* by source sourcetype index
I added the 'edit user' capability but retrieved only one user from this URL: /services/authentication/users. However, when I added 'power user' permissions, I was able to access most of the users. Could you please clarify what the minimum permissions are to retrieve all users? Additionally, I encountered a similar issue with the URL for fetching triggered alerts: /services/alerts/fired_alerts/{ALERT_NAME}. What permissions are necessary for accessing this information? Thanks
Hi @anandhalagaras1, you could try something like this:

index="abc" ("Restart transaction item" OR "Error restart workflow item:" OR "Restart Pending event from command,")
| rex field=_raw "Restart transaction item: (?<Step>.*?) \(WorkId:"
| rex field=_raw "Error restart workflow item: (?<Success>.*?) \(WorkId:"
| rex field=_raw "Restart Pending event from command, (?<Failure>.*?) \Workid"
| stats count(eval(searchmatch("Restart transaction item"))) AS "Step" count(eval(searchmatch("Error restart workflow item:"))) AS "Success" count(eval(searchmatch("Restart Pending event from command,"))) AS "Failure"

Ciao. Giuseppe