All Posts

Hi @ben_ramsey, I'm a Community Moderator in the Splunk Community. This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
@gcusello I also did that, but every time I do that the app still exists in the GUI with its configurations, and the files also keep appearing.
If the Splunk forwarder is installed on the Control-M host, then you can run the Splunk queries. In our case we have implemented it and it is working. Search query: index="YOUR_INDEX_NAME" sourcetype="Control-M" "JOB * ENDED NOTOK" | rex "JOB\ \s*(?<JOB_NAME>.+)\s*\ \(ORDERID"
@richgalloway: If I don't use rex, it gets the entire value, i.e. nat_gateways. I just want nat. My requirement is that it should just extract the service name. Example: 434531263412:us-west-2:lambda_functions, it will be lambda_functions. This is straightforward. But in "434531263412:us-west-2:nat_gateways", it should be gateways. 434531263412:us-west-2:application_load_balancers, it should be load_balancers. This is my requirement.
Hi @aasserhifni, if you have a stand-alone Search Head, you only have to remove the folder in $SPLUNK_HOME/etc/apps and restart Splunk. Are you sure that your Search Head isn't managed by an external deployment system (e.g. Ansible or GPO) or a Splunk Deployment Server? Ciao. Giuseppe
@gcusello Actually it was installed on one search head only, not the deployer.
Hi @Keerthi, I suppose that you have a script that launches the API; manually launch your script again. I don't know how your script runs, but eventually, by modifying it to also take the old data, you should be able to re-run it. Ciao. Giuseppe
Hi @aasserhifni, I suppose that you have a Search Head Cluster. Did you remove the app from the list in the $SPLUNK_HOME/etc/shcluster-apps/apps folder on the SH-Deployer, and then did you run the deploy command on the Deployer? Ciao. Giuseppe
Hi, my index stopped running 3 months ago. On checking, I came to know that the data was not ingested because of an API token issue: the token had expired. I fixed it now. I want the data to be loaded again. How do I run the index?
@gcusello I already did that but without any useful result.
| eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3) | eval offset = mvappend("24", "16", "8") | eval segment_rev = mvrange(0, 3)

For the above, should the second set have been given a different value for the field? Additionally, when I ran the example, I received: 04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined. I believe the function requires 9.2.0+.
Hi @aasserhifni, you can manually remove an app from a stand-alone Search Head by removing the folder and restarting Splunk. If you have a SH-Cluster, you have to remove it from the Deployer ($SPLUNK_HOME/etc/shcluster-apps/apps folder) and then push the apps. Ciao. Giuseppe
Another bump. I've run into this issue, too.
Hi @Ryan.Paredez and @Troy.Partain, Thank you for the reply, that clarifies the issue for me. I'll be more careful with my demo presentations in the future, especially with potential customers. Hope you both have a great day!
The split function is extracting the desired field, but then rex reduces it to the part before the first underscore (_). Remove the rex command and the query should work as expected. In props.conf, add a transform that uses INGEST_EVAL: INGEST_EVAL = aws_service=mvindex(split(source,":"),2)
I tried to remove the threatq application files from /etc/apps inside the search head, but every time I remove them, they keep appearing again, even though I removed its files from /etc/users. Is there any solution for it?
OK, is the "Dataframe row :" part really a part of the event, or just a header you posted before the actual event? Anyway, it seems like it's a relatively well-formed (unless I'm missing something) JSON embedded (and escaped) within another JSON, possibly prepended with that "Dataframe row :" header. I'd say just cut the header if applicable, parse the outer JSON, extract the inner JSON, split it if needed into multiple events, then spath the inner JSON(s). And don't use regexes to manipulate structured data unless you really can't avoid it.
Hi All, I want to extract the service name from sourcetype="aws:metadata" and the source field. Example: 434531263412:eu-central-1:elasticache_describe_reserved_cache_nodes_offerings. I am using this query:

index=* sourcetype=aws:metadata | eval aws_service=mvindex(split(source,":"),2) | rex field=aws_service "(?<aws_service>[^_]+)" | table aws_service source | dedup aws_service

Using this I will get the result: elasticache. But in the case of "434531263412:us-west-2:nat_gateways" it's just extracting nat, but it should be gateways. Similarly, in 434531263412:eu-central-1:application_load_balancers, it's extracting application. I was thinking we could check for the keyword and update the value. I want to add this in the props.conf file so the aws_service field gets created from source. Can any of you please help me with how I can achieve this? Regards, PNV
If you examine and try to understand the solution I posted, you will see there is a not equals condition on the regex. Perhaps you could have figured out for yourself that you could simply change not equals to equals! | regex Name="NODATA"
Hi ITWhisperer, Thank you for your response. But the query which you have provided is eliminating the job names that contain the NODATA string, whereas we only need the job names that contain the NODATA string; all the rest of the jobs we can eliminate. Kindly help us on this. Thank you