For future reference, so that if someone finds this thread it has full information - tell us what you did to make things work in the end/what the problem was.
It's all working now. Thank you for your help.
We're getting somewhere. As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to. By the fact that it's a Windows installation and because it's called "DESKTOP-something" I assume that it's your private test box and you're not having a lot of data on it. So you can run an index=* search over "All time (real-time)" - this is one of the very very rare cases where real-time search makes sense. Very important - don't try this on any production or heavily loaded test box. With this you can see the events as they come into your Splunk box (so if your events are rare you might have to wait a while). Check the index, source, sourcetype and timestamp of the incoming events. Another way to find where those events are could be to run | tstats count where index=* by source sourcetype index
I added the 'edit user' capability but retrieved only one user from this URL: /services/authentication/users   However, when I added 'power user' permissions, I was able to access most of the users. Could you please clarify what the minimum permissions are to retrieve all users? Additionally, I encountered a similar issue with the URL for fetching triggered alerts: /services/alerts/fired_alerts/{ALERT_NAME}   What permissions are necessary for accessing this information? Thanks
Hi @anandhalagaras1 , you could try something like this: index="abc" ("Restart transaction item" OR "Error restart workflow item:" OR "Restart Pending event from command,") | rex field=_raw "Restart transaction item: (?<Step>.*?) \(WorkId:" | rex field=_raw "Error restart workflow item: (?<Success>.*?) \(WorkId:" | rex field=_raw "Restart Pending event from command, (?<Failure>.*?) \Workid" | stats count(eval(searchmatch("Restart transaction item"))) AS "Step" count(eval(searchmatch("Error restart workflow item:"))) AS "Success" count(eval(searchmatch("Restart Pending event from command,"))) AS "Failure" Ciao. Giuseppe
Hi @Abhishek627 , as @PickleRick said, UBA is a premium App, so you can download it only if you placed an order or if you are a certified partner and you have an NFR license. Anyway, I experienced that the installation of UBA is a very difficult job, even if it is very well described in the documentation, with many constraints (e.g. the OS version or the presence of all the data it requests): usually the installation and configuration is a job for PS. Ciao. Giuseppe
Hi @altink , ask Splunk Support, as a Non Technical Issue, to apply the changes to the release notes of your App. Ciao. Giuseppe
update: I have gone over the configs and index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 is giving the following output.
Hi, is it possible in SplunkBase, as an App Publisher, to edit the "Release Notes" of your own App? I mean in an existing version, without publishing a new one. Regards, Altin
Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the input is defined, something might be preventing Splunk from binding to the port). Did you verify with netstat that the Splunk process is actually listening on this port? (BTW, I don't remember if you don't need to restart splunkd after adding the input using WebUI or REST. You must do so if you change inputs by config files).
For testing, I have disabled the Windows firewall. But I can see that logs are actually arriving at the Windows machine and Splunk is not picking them up.
At first glance it looks pretty OK. Check your Windows firewall.
Hi @JMPP, I tested on Splunk Enterprise 9.2 with a slight correction: action.email.escapeCSVNewline = 0 The attachment received did not encode newlines as \n.
I tried to query index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 It did not come back with anything. I believe I have configured the data input correctly and it is pointing to the right index.
That dump looks pretty much OK. Are you 100% sure your udp:514 input sends to the right index? You can also try to find reports about that particular source of syslog data with index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 If Splunk is receiving data from this host on that udp input, you should get some results with metrics fields like _udp_bps, _udp_eps and so on.
Hi @inventsekar, I can't reproduce the issue with an ASCII newline:     | makeresults | eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%0A") | rex max_match=0 "(?<char>(?=\\S)\\X)" | eval len=mvcount(char) ``` len == 23 ```     What characters are present in char? If you have whitespace characters not included in the class [^\r\n\t\f\v ] (the final character is a space), you may need to replace \S with the class form and include e.g. Unicode newlines:     | rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)"     I don't know if it's perfect, but it works with this:     | makeresults | eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%E2%80%A8") | rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)" | eval len=mvcount(char) ``` len == 23 ```     Edit: This is simpler and lets PCRE decide what a Unicode newline is:   | rex max_match=0 "\\R|(?<char>(?=\\S)\\X)" | eval len=mvcount(char) But given that optimization, we can just remove the positive lookahead completely for a faster regex: | rex max_match=0 "\\R|\\s|(?<char>\\X)" | eval len=mvcount(char)  
You might not be explicitly using summaries but it's quite probable that you're using datamodel acceleration. And that's nothing other than summaries built on datamodel contents for given indexes. You can read some basic info on summary replication here https://conf.splunk.com/files/2016/slides/replication-of-summary-data-in-indexer-cluster.pdf
OK. Let me jump in with some organizational stuff. 1. The Answers forum is not a free support service. It's a platform for users to exchange knowledge and help each other. So it's very useful if the threads are appropriately named - it makes searching in the future way easier. 2. When you're creating a new thread and writing "I'm facing the same issue as you" what are you referring to? What issue? Who's facing it? If you're referring to another issue reported elsewhere, post a link for reference. 3. Please provide as much info as you can to help people help you - for example, the information that your alerting used to work OK and suddenly stopped is very important knowledge. You also posted the first - less important - line from the sendemail log - the next line should contain the actual error. And more to the point - if something used to work and doesn't do that anymore, something must have changed. If you're absolutely sure (and double-checked it) that nothing changed on your side - something must have changed in the environment your Splunk is located in. Maybe the mail server's settings have changed, maybe your organization's firewall policies changed. Maybe you need to authenticate when sending outgoing email and the user/password you're using is no longer valid. Have you verified that you have connectivity to your configured email server from your search head? Did you try to manually connect to the server and initiate an SMTP transaction? Did you get any errors?
@gilbertos Follow the instructions; I would request you to check the sourcetype. The sourcetype should match as per the add-on.
Hi team, could you please help me on how to get health alert notifications in Phantom. Thanks in advance. Regards, Harisha