Are you saying that all the Application logs are not forwarding, or just the application logs for a specific source? There is a known issue with forwarder 9.0.4 where the event logs for Windows Defender will stop forwarding (until the next restart) but other logs will forward. Perhaps this issue is related. https://docs.splunk.com/Documentation/Splunk/9.0.4/ReleaseNotes/KnownIssues Could you try updating your forwarder version and seeing if it fixes the issue?
Hi All, We have Windows event and other application logs ingested into Splunk. There is no problem with Windows event logs, but for our application-related logs, the logs stop suddenly and start reporting again, but the log file in Windows is being continuously updated with recent logs, though the modified time does not get updated because of the Windows feature. The modified time for the log file is not an issue because the logs start rolling in even when the modified time is the same but the log file has the latest logs. We are using Splunk forwarder version 9.0.4 currently. Can someone please help in triaging this issue? It is a problem with only one specific source on this Windows host, and other sources (Windows event logs) are flowing in properly.
It needs equal access as you have in GUI. If you need to access data then you need access to those indexes and same for internal indexes. The only exception is that there are some scheduled reports which have run as owner. Those should work when you have access to those reports. But if those aren’t scheduled then that’s not working.
Since it's the same index with two different source types, could the SPL be built differently? -------------------
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
| table event_type, hostname, ip
Thank you
Hi @tony.lao
If the reply helped answer your question, please click the “Accept as Solution” button on the reply. This confirmation that the question was answered alerts the community and helps build that bank of expertise for everyone in the community.
If the reply did not answer your question, jump back into the conversation to keep it going.
Thank you. Because in the different data sources I see the host name under different fields, i.e. in metadata "host1" and in collector just "host", I added a rename:
index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| rename host1 as host
| dedup host
| table host
| format]
| table event_type, host, ip
-------- Now I am back to square 1 - it runs but no events are produced and it never finishes.
I have solved the issue.
I needed to add quotes to the AccountType:
| where AccountType IN ("$AccountType$")
I also needed to change the delimiter:
<delimiter>,</delimiter>
This solved the problem for me! Thank you!
It's empty in the field. Attached screenshot. For some of the transactions we have multiple error types, with empty values and with values. For the same transaction, the events below are there with an empty value and with a value.
"timestamp" : "2024-03-21T17:33:53.993Z", "content" : { "ErrorType" : "", "ErrorMsg" : "" }
"timestamp" : "2024-03-21T17:33:20.786Z", "content" : { "ErrorType" : "HTTP:NOT_FOUND", "ErrorMsg" : "HTTP /glimport' failed: not found (404)." },
I need to identify hosts with errors, but only in block mode. MY SPL ---------
index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block]
| dedup host
| table event_type, host, ip
------------------ each search works separately, but combined it sits on "parsing job" with no result for a long time. Thank you
After configuring the content pack for VMware, I repeatedly get "duplicate entity aliases found". We are also collecting for TA-Nix. How can I fix the duplicate entity alias issue? I am running ITE 4.18.1 and Splunk App for Content Packs 2.10.
Are these multivalue fields within the same event? By "empty" do you mean they contain the word "empty" or that they have no value (empty string) or that they don't exist? Please share some sample (anonymised) events to illustrate what you mean.