The Search Head Cluster Deployer is not the same as Deployment Server (yes, I know the naming can be confusing). BTW SH captaincy doesn't have anything to do with deploying apps.
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf, pass4SymmKey in my search heads cluster i make ...
See more...
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf, pass4SymmKey in my search heads cluster i make sure that the same passkey in SHC and the deployer is the same. Thank you
Hi @gcusello , the app was installed on a single search head neither the deployer nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head ...
See more...
Hi @gcusello , the app was installed on a single search head neither the deployer nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head and also I don't have the option to disable either the app or the add on from the search head GUI. Thank you for understanding my odd situation.
Hi @aasserhifni , sorry but I don't understand: have you a Search Head Cluster or not? if you have a SHC you cannot directly install an app on a SH, and removing passes throgh the Deployer, if you ...
See more...
Hi @aasserhifni , sorry but I don't understand: have you a Search Head Cluster or not? if you have a SHC you cannot directly install an app on a SH, and removing passes throgh the Deployer, if you don't have a SHC, you can remove an app, only removing the foder and restarting Splunk. Ciao. Giuseppe
You also need the list_all_users capability in your role, to list all users. For the alerts, your user needs permission to read the alert to fetch triggered alerts.
Hi, @PickleRick. The threatq app was only installed on a single search head neither the deployer nor the search heads captain. I tried removing everything related to threatq multiple times from this...
See more...
Hi, @PickleRick. The threatq app was only installed on a single search head neither the deployer nor the search heads captain. I tried removing everything related to threatq multiple times from this search head but these file keep appearing again and also there is no disable option when I try to disable the threatq app or anything related to it from the search head gui
Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue. Also mentioning that the threatq app was installed on a single search head not the deployer or t...
See more...
Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue. Also mentioning that the threatq app was installed on a single search head not the deployer or the search head captain
For future reference so that if someone finds this thread has full information - tell us what did you do to make things work in the end/what was the problem.
We're getting somewhere As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to. By the fact that it's a wind...
See more...
We're getting somewhere As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to. By the fact that it's a windows installation and because it's called "DESKTOP-something" I assume that it's your private test box and you're not having a lot of data on it. So you can run a index=* search over "All time (real-time)" - this is one of the very very rare cases where real-time search makes sanes. Very important - don't try this on any production or heavily loaded test box. With this you can see the events as they come into your Splunk box (so if your events are rare you might to wait a while). Check the index, source, sourcetype and timestamp of the incoming events. Another way to find where those events are could be to run | tstats count where index=* by source sourcetype index
I added the 'edit user' capability but retrieved only one user from this URL: /services/authentication/users However, when I added 'power user' permissions, I was able to access most of the us...
See more...
I added the 'edit user' capability but retrieved only one user from this URL: /services/authentication/users However, when I added 'power user' permissions, I was able to access most of the users. Could you please clarify what the minimum permissions are to retrieve all users? Additionally, I encountered a similar issue with the URL for fetching triggered alerts: /services/alerts/fired_alerts/{ALERT_NAME} What permissions are necessary for accessing this information? Thanks
Hi @anandhalagaras1 , you could try something like this: index="abc" ("Restart transaction item" OR "Error restart workflow item:" OR "Restart Pending event from command,")
| rex field=_raw "Restar...
See more...
Hi @anandhalagaras1 , you could try something like this: index="abc" ("Restart transaction item" OR "Error restart workflow item:" OR "Restart Pending event from command,")
| rex field=_raw "Restart transaction item: (?<Step>.*?) \(WorkId:"
| rex field=_raw "Error restart workflow item: (?<Success>.*?) \(WorkId:"
| rex field=_raw "Restart Pending event from command, (?<Failure>.*?) \Workid"
| stats
count(eval(searchmatch("Restart transaction item"))) AS "Step"
count(eval(searchmatch("Error restart workflow item:"))) AS "Success"
count(eval(searchmatch("Restart Pending event from command,"))) AS "Failure" Ciao. Giuseppe
Hi @Abhishek627 , as @PickleRick said, UBA is a premium App, so you can download only if you did an order or if you are a certified partenr and you have an NFR license. Anyway, I experienced that t...
See more...
Hi @Abhishek627 , as @PickleRick said, UBA is a premium App, so you can download only if you did an order or if you are a certified partenr and you have an NFR license. Anyway, I experienced that the installazion of UBA is a very much difficoult job, even if is very well decribed in documentation, with many constraints (e.g. the OS version or the presence of al the data it requests): usually the installation and configuration is a job for PS. Ciao. Giuseppe
Hi Is it possible in SplunkBase, as an App Publisher, to edit the "Release Notes" of own App ? I mean in an existing version, without publishing a new one regards Altin
Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the inpu...
See more...
Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the input is defined, something might be preventing Splunk from binding to the port). Did you verify with netstat that the Splunk process is actually listening on this port? (BTW, I don't remember if you don't need to restart splunkd after adding the input using WebUI or REST. You must do so if you change inputs by config files).
For testing, I have disabled the windows firewall. But I can see that logs are actually arriving within the windows machine and Splunk is not picking them up.
Hi @JMPP, I tested on Splunk Enterprise 9.2 with a slight correction: action.email.escapeCSVNewline = 0 The attachment received did not encode newlines as \n.