Thanks for providing some example events in a code block - very informative. The main issue with your request is that you haven't explained how the events are to be correlated between the two sources and how you would like to count them to give the desired result. Also, it appears that your search for the second source is not quite right (unless there are other events which match the search criteria that you have shared), e.g. should "<---" be "<===" in the search?
I was following the documentation of Splunk Connect for Syslog so that I could ingest syslog in my Splunk Cloud setup. I cannot turn off the SSL option in my HEC global settings, so I did not uncomment the line below. I created the file /opt/sc4s/env_file with the contents:

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

I started my sc4s.service (systemd service created by following the doc) and started to get an exception. Followed this for Splunk Cloud. When the sc4s service is started I get the error below:

curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback
Startup will continue to prevent data loss if this is a transient failure.

If I uncomment the line, I don't see the exception anymore, but I fail to get any message when I search index=* sourcetype=sc4s:events "starting up" as suggested in the documentation. No sample data when I run echo "Hello SC4S" > /dev/udp/<SC4S_ip>/514. Please let me know what I am missing in the setup so that I can proceed forward.
Hi @aasserhifni, did you try to stop Splunk on the SH, delete the folder and then restart Splunk? Did you check if you have deployment tools such as Ansible, GPO or a Splunk Deployment Server? Ciao. Giuseppe
It could be in the default location as well. Try the command and it should give you some pointers:

splunk btool web list --debug|findstr cert

Or in detail:

splunk btool web list settings
Hi @ben_ramsey, I'm a Community Moderator in the Splunk Community. This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
@gcusello I also did that, but every time I do that the app still exists in the GUI with its configurations, and the files also keep appearing.
If the Splunk forwarder is installed on the Control-M host then you can run the Splunk queries. In our case we have implemented it and it is working. Search query:

index="YOUR_INDEX_NAME" sourcetype="Control-M" "JOB * ENDED NOTOK" | rex "JOB\ \s*(?<JOB_NAME>.+)\s*\ \(ORDERID"
@richgalloway: If I don't use rex, it gets the entire value, i.e. nat_gateways. I just want nat. My requirement is that it should just extract the service name. Example: 434531263412:us-west-2:lambda_functions will be lambda_functions. This is straightforward. But in "434531263412:us-west-2:nat_gateways", it should be gateways. For 434531263412:us-west-2:application_load_balancers, it should be load_balancers. This is my requirement.
Hi @aasserhifni, if you have a stand-alone Search Head, you only have to remove the folder in $SPLUNK_HOME/etc/apps and restart Splunk. Are you sure that your Search Head isn't managed by an external deployment system (e.g. Ansible or GPO) or a Splunk Deployment Server? Ciao. Giuseppe
@gcusello Actually it was installed on one search head only, not the deployer.
Hi @Keerthi, I suppose that you have a script that launches the API; manually launch your script again. I don't know how your script runs, but eventually, by modifying it to also take the old data, you should be able to re-run it. Ciao. Giuseppe
Hi @aasserhifni, I suppose that you have a Search Head Cluster. Did you remove the app from the list in the $SPLUNK_HOME/etc/shcluster-apps/apps folder on the SH-Deployer and then run the deploy command on the Deployer? Ciao. Giuseppe
Hi, my index stopped running 3 months ago. On checking, I came to know that the data was not ingested because of an API token issue (the token had expired). I fixed it now. I want the data to be loaded again. How do I run the index?
@gcusello I already did that but without any useful result    
| eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3) | eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3)

For the above, should the second set have been given a different value for the field? Additionally, when I run the example, I received:

04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.

I believe the function requires 9.2.0+
Hi @aasserhifni, you can manually remove an app from a stand-alone Search Head by removing the folder and restarting Splunk. If you have a SH-Cluster, you have to remove it from the Deployer ($SPLUNK_HOME/etc/shcluster-apps/apps folder) and then push the apps. Ciao. Giuseppe
Another bump. I've run into this issue, too.
Hi @Ryan.Paredez and @Troy.Partain, thank you for the reply, that clarifies the issue for me. I'll be more careful with my demo presentations in the future, especially with potential customers. Hope you both have a great day!
The split function is extracting the desired field, but then rex reduces it to the part before the first underscore (_). Remove the rex command and the query should work as expected. In props.conf, add a transform that uses INGEST_EVAL:

INGEST_EVAL = aws_service=mvindex(split(source,":"),2)
I tried to remove the threatq application files from /etc/apps inside the search head, but every time I remove them, they keep appearing again, even after I removed its files from /etc/users. Is there any solution for it?