Hi @JMPP, I tested on Splunk Enterprise 9.2 with a slight correction: action.email.escapeCSVNewline = 0 The attachment received did not encode newlines as \n.
I tried to query index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 and it did not come back with anything. I believe I have configured the data input correctly and that it is pointing to the right index.
That dump looks pretty much OK. Are you 100% sure your udp:514 input sends to the right index? You can also try to find reports about that particular source of syslog data with index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 - if Splunk is receiving data from this host on that udp input, you should get some results with metrics fields like _udp_bps, _udp_eps and so on.
Hi @inventsekar, I can't reproduce the issue with an ASCII newline:
```
| makeresults
| eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%0A")
| rex max_match=0 "(?<char>(?=\\S)\\X)"
| eval len=mvcount(char)
```
Result: len == 23

What characters are present in char? If you have whitespace characters not included in the class [^\r\n\t\f\v ] (the final character is a space), you may need to replace \S with the class form and include e.g. Unicode newlines:
```
| rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)"
```
I don't know if it's perfect, but it works with this:
```
| makeresults
| eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%E2%80%A8")
| rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)"
| eval len=mvcount(char)
```
Result: len == 23

Edit: This is simpler and lets PCRE decide what a Unicode newline is:
```
| rex max_match=0 "\\R|(?<char>(?=\\S)\\X)"
| eval len=mvcount(char)
```
But given that optimization, we can just remove the positive lookahead completely for a faster regex:
```
| rex max_match=0 "\\R|\\s|(?<char>\\X)"
| eval len=mvcount(char)
```
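The SPL above cannot be executed outside Splunk, so here is the same idea as an added example in Python's standard library (it is not code from the post or from Splunk). The input is the Tamil line quoted in the post; the approximation of PCRE's \X (glue every Unicode combining mark onto the preceding base character) and the function names are this example's own assumptions, and it goes slightly beyond the post by also trying the NEL (U+0085) newline.

```python
import unicodedata

# Constructed sample: the Tamil line from the post above, without a trailing
# newline. It holds 23 visible grapheme clusters (each consonant plus its
# vowel sign or virama counts as one), which is the len == 23 the post reports.
SAMPLE = "நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்"


def grapheme_clusters(text):
    """Approximate PCRE's \\X (assumption, not the full UAX #29 algorithm):
    every Unicode combining mark (general category Mn, Mc or Me) is attached
    to the cluster before it. That is exact for Indic consonant + vowel-sign
    text like the sample, but does not handle emoji ZWJ sequences or Hangul
    jamo composition."""
    clusters = []
    for ch in text:
        if clusters and unicodedata.category(ch) in ("Mn", "Mc", "Me"):
            clusters[-1] += ch
        else:
            clusters.append(ch)
    return clusters


def count_visible(text):
    """Count clusters whose base character is not whitespace. str.isspace()
    is true for LF/CR as well as NEL (U+0085) and LINE SEPARATOR (U+2028),
    so the Unicode newlines the post worries about are dropped, just as the
    "\\R|\\s|(?<char>\\X)" alternative drops them in PCRE."""
    return sum(1 for c in grapheme_clusters(text) if not c[0].isspace())


def naive_count(text):
    """What a per-code-point count gives: combining marks counted separately,
    whitespace excluded. Shown only to make the difference visible."""
    return sum(1 for ch in text if not ch.isspace())


if __name__ == "__main__":
    for suffix, label in (("\n", "LF"), ("\u0085", "NEL"), ("\u2028", "LINE SEP")):
        text = SAMPLE + suffix
        print(f"{label:9} graphemes={count_visible(text)} "
              f"code points={naive_count(text)}")
```

The per-code-point count is always larger than the grapheme count for this text, which is why the post uses \X rather than `.` when it wants "characters" as a reader sees them.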
You might not be explicitly using summaries but it's quite probable that you're using datamodel acceleration. And that's nothing other than summaries built on datamodel contents for given indexes. You can read some basic info on summary replication here https://conf.splunk.com/files/2016/slides/replication-of-summary-data-in-indexer-cluster.pdf
OK. Let me jump in with some organizational stuff.
1. The Answers forum is not a free support service. It's a platform for users to exchange knowledge and help each other. So it's very useful if the threads are appropriately named - it makes searching in the future way easier.
2. When you're creating a new thread and writing "I'm facing the same issue as you", what are you referring to? What issue? Who's facing it? If you're referring to another issue reported elsewhere, post a link for reference.
3. Please provide as much info as you can to help people help you - for example, the information that your alerting used to work OK and suddenly stopped is very important knowledge. You also posted the first - less important - line from the sendemail log; the next line should contain the actual error.
And more to the point: if something used to work and doesn't anymore, something must have changed. If you're absolutely sure (and have double-checked it) that nothing changed on your side, something must have changed in the environment your Splunk is located in. Maybe the mail server's settings have changed, maybe your organization's firewall policies changed. Maybe you need to authenticate when sending outgoing email and the user/password you're using is no longer valid. Have you verified that you have connectivity to your configured email server from your search head? Did you try to manually connect to the server and initiate an SMTP transaction? Did you get any errors?
Hi Team, could you please help me with the below requirement: how to make a manual task approval without the approver logging in to Phantom. Thanks in advance. Regards, Harisha
What happens if you manually use the sendemail command? | makeresults
| sendemail to="it-security@durr.com" subject="Test mail" message="Test mail message"
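The two troubleshooting steps above (the manual SMTP transaction from the search head, and the sendemail smoke test) can be done without Splunk in the loop. Here is an added example of that check in Python, not code from either post or from Splunk: it connects, reads the banner, sends EHLO and reports whether STARTTLS and AUTH are advertised, which is exactly the information you need to compare against mailserver / use_tls / auth_username in alert_actions.conf. The hostname "probe.local", the stub server and the function names are this example's assumptions; the stub exists only so the probe can be run offline.

```python
import smtplib
import socket
import socketserver
import threading


def probe_smtp(host, port, timeout=5.0):
    """Open a TCP connection, read the banner, send EHLO and report what the
    server advertises. Socket and SMTP errors are captured in 'error' rather
    than raised, so the dict can be logged as-is from a troubleshooting run."""
    report = {"connected": False, "banner": None, "ehlo_code": None,
              "starttls": False, "auth": [], "error": None}
    # local_hostname is an assumption; passing one avoids a slow getfqdn().
    smtp = smtplib.SMTP(timeout=timeout, local_hostname="probe.local")
    try:
        code, banner = smtp.connect(host, port)
        report["connected"] = True
        report["banner"] = f"{code} {banner.decode(errors='replace')}"
        code, _ = smtp.ehlo()
        report["ehlo_code"] = code
        report["starttls"] = smtp.has_extn("starttls")
        # smtplib stores the AUTH line with a leading space; normalise it.
        report["auth"] = (smtp.esmtp_features.get("auth") or "").split()
        smtp.quit()
    except (OSError, smtplib.SMTPException) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


class _StubSMTP(socketserver.StreamRequestHandler):
    """Constructed ESMTP responder for offline use: it advertises STARTTLS
    and AUTH PLAIN LOGIN but implements neither, and rejects everything
    except EHLO and QUIT."""

    def handle(self):
        self.wfile.write(b"220 stub.example ESMTP ready\r\n")
        for line in self.rfile:
            words = line.split()
            verb = words[0].upper() if words else b""
            if verb == b"EHLO":
                self.wfile.write(b"250-stub.example\r\n"
                                 b"250-STARTTLS\r\n"
                                 b"250 AUTH PLAIN LOGIN\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


class _StubServer(socketserver.TCPServer):
    allow_reuse_address = True


def run_offline_demo():
    """Start the stub on an ephemeral loopback port, probe it, stop it, and
    return the probe report."""
    server = _StubServer(("127.0.0.1", 0), _StubSMTP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_smtp("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


def free_loopback_port():
    """Pick a loopback port nobody listens on, to show the failure path
    (connection refused) that a blocked or wrong mail server produces."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("stub server  :", run_offline_demo())
    print("closed port  :", probe_smtp("127.0.0.1", free_loopback_port()))
    # On a search head, replace the stub with the real server from
    # alert_actions.conf, e.g. probe_smtp("mail.example.net", 25).
```

If the probe reports connected but no STARTTLS while use_tls is set, or an AUTH list that does not include the mechanism your credentials work with, the sendemail failure is explained before you read another line of splunkd.log.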
+1 with @TheLawsOfChaos. It's a common practice to create a Role with "Read Only" permission. Do you have any further questions / issues with respect to this, @treven?
@gaurav10 Note that in @ITWhisperer 's solution, Event_Time is handled in 2 steps, with the binning in between: First, convert SUBMIT_TIME to a time field using strptime. Now you can bin based on a time span. Do your binning in this in-between phase. Second, convert the new Event_Time to a string using strftime.
It seems that splunklib is trying to get the obsolete pycrypto library. Ideally you should configure it to use the Cryptography or pycryptodome library. There is an answer here on how to change splunklib to use pycryptodome: https://stackoverflow.com/questions/59104347/how-do-i-install-splunklib-for-python-3-7-on-windows
In case that link goes down, here are the instructions (by Chris, Dec 2 2019, 8:42): I finally found the way to install it:
1. Uninstall pycrypto: pip uninstall pycrypto
2. Install pycryptodome as a replacement for pycrypto: pip install pycryptodome
3. Install splunklib without dependencies: pip install splunklib --no-deps
4. Edit "pythonlib"\splunklib-1.0.0.dist-info\METADATA and replace "Requires-Dist: pycrypto" with "Requires-Dist: pycryptodome"
5. Install splunk-sdk: pip install splunk-sdk
6. Check that everything is OK: pip install splunklib
Hi @bowesmana, thanks for the answer! I checked the balance with the SPL that you gave me. The balance doesn't look bad. I confirmed that the major indexes are counted as many times as the number of indexers.
Hi! @PickleRick, thanks for the answer. I didn't know about the primary and non-primary searchable copy terms until you mentioned them. In our operational environment, summaries are rarely used. So I think we need to collect information about the primary copies and find the cause. Thank you again!
Hello PickleRick, I have created a data input to allow udp14 traffic. So is the index. Please check these screenshots for clarity: 192.168.3.5 is the Palo device and 192.168.3.1 is the Windows machine where Splunk is installed.
Premium apps are associated with a specific account provided on a purchase order, as far as I remember. Find the person responsible for this order in your company or contact your local Splunk sales team.
Hi! I want to try Splunk UBA on a single Linux machine. But on the app download page I'm seeing an error saying app installation is restricted to certain users and your user profile is not in that list. Any suggestions to resolve this? Thanks, Abhishek
While @ITWhisperer 's response about the original data (and desired result) is valid, there is one important thing worth noting - with Splunk often the approach of "joining" separate searches is not the best idea. The typical Splunk approach would be to search for all events in the initial search and then subsequently filter and split into separate categories further down the search pipeline.
It would help if you could share some sample anonymised events so we can see what it is that you are dealing with and try to figure a search that will work for you, because just discussing searches without knowing what they apply to is often fruitless.