All Posts

Okay, I guess then nullQueue will even work with the /event endpoint. Thanks @PickleRick
@ITWhisperer thank you. I am trying to get the total execution ID count between the different sourcetypes, where the parent ID is equal. As per the design, the sourcetype=ma execution count will be higher than sourcetype=cs. But I want to get the execution count of sourcetype=ma that has been sent to sourcetype=cs.
@gcusello, any inputs from your end? I can still see the events getting ingested with the password information present in them.
@KothariSurbhi, thank you for your prompt response. But actually it needs to be updated for each and every search, and all users want to have the default as 20 instead of 5. Our Search Head is hosted in Cloud and I have tried to create an app with ui-prefs.conf, but most of the time I got an error during the app vetting process. At some point the app was deployed successfully and we restarted the Search Head, but when we navigated and checked the max lines it was still the same.

display.events.maxLines = 20

I am able to do it in the default directory, whereas when I do it from local I get an error. So kindly let me know how to achieve it.
Hello All, we have a log flow from Fortigate to Splunk as follows: Fortigate Analyzer > Syslog server with UF > Deployment server > Search Head / Indexer. Kindly suggest how I can get logs using the Fortinet add-on on the indexer. Will I have to install the Fortinet add-on app on the syslog server UF as well? And which data source needs to be selected on the indexer?
Hello, yes, it seems I have run into the same problem as well. It says it is using Python v2 as opposed to version 3. It gives two options: 1) remove the application called Splunk Visual Exporter, or 2) update Python to version 3. Since this is a SaaS service, this is usually handled by the vendor (Splunk), since we don't manage the backend. Is there a way to update the existing application to a higher version? I'm not sure if by removing the application we break something. Todd
Because when I try it in a Python program I still get the same error.
What's that function for? And how do I add that to the Python program? Is it like this?
Sub-searches, e.g. those used by join, are limited, so you could try combining the initial search like so:

index=india (sourcetype=ma NOT (source=*OPT* OR app_instance=MA_DROP_SESSION OR "11555=Y-NOBK" OR fix_applicationInstanceID IN(*OPT*,*GWIM*)) msgType=8 (execType=1 OR execType=2 OR execType=F) stream=Outgoing app_instance=UPSTREAM "clientid=XAC*") OR (sourcetype=cs NOT (source=*OPT* OR "11555=Y-NOBK" OR applicationInstanceID IN(*OPT*,*GWIM*)) msgType=8 (execType=1 OR execType=2 OR execType=F) app_instance=PUBHUB stream=Outgoing "clientid=XAC" "sourceid=AX_DN_XAC")

Next you have to work out what is meant by your dedup. For example, if you rename fix_execID as execID, you could do your dedup like this:

| stats count by execID ParentOrderID sourcetype

The next problem is your join (apart from avoiding joins in the first place, with the combined initial search): your two searches do not return ParentOrderID, since they both end with stats count, therefore the only field you have to join on is count, and I suspect this is not what you require?
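The join-free pattern described in the answer above, as an added example that is not code from the thread or from Splunk: one pass over both sourcetypes, the execution-ID field normalised to a single name (the `rename fix_execID as execID` step), a distinct count per ParentOrderID and sourcetype, and then the per-parent comparison the original question asks for (ma executions whose ParentOrderID also appears in cs). In SPL this corresponds to a `coalesce` of the two ID fields followed by `stats dc(...) by ParentOrderID sourcetype` and a `where`; the events, IDs and counts below are constructed.

```python
"""Added example, not code from the thread: count executions per ParentOrderID
across two sourcetypes without a join, the way a single search followed by
`stats` would. Events and IDs below are constructed."""
from collections import defaultdict

# Constructed sample events; only ParentOrderID is shared between the two
# sourcetypes, and the execution-ID field is named differently in each.
EVENTS = [
    {"sourcetype": "ma", "ParentOrderID": "P1", "fix_execID": "E1"},
    {"sourcetype": "ma", "ParentOrderID": "P1", "fix_execID": "E1"},  # duplicate row, dropped by dedup
    {"sourcetype": "ma", "ParentOrderID": "P1", "fix_execID": "E2"},
    {"sourcetype": "ma", "ParentOrderID": "P2", "fix_execID": "E3"},
    {"sourcetype": "ma", "ParentOrderID": "P2", "fix_execID": "E4"},
    {"sourcetype": "cs", "ParentOrderID": "P1", "execID": "C1"},
    {"sourcetype": "cs", "ParentOrderID": "P3", "execID": "C2"},
]


def exec_id(event):
    """Mirror `rename fix_execID as execID` so both sourcetypes use one key."""
    return event.get("execID", event.get("fix_execID"))


def counts_by_parent(events):
    """Equivalent of `dedup execID ParentOrderID | stats dc(execID) by ParentOrderID sourcetype`,
    pivoted into {ParentOrderID: {"ma": n, "cs": n}}. Sets give the dedup for free."""
    seen = defaultdict(lambda: {"ma": set(), "cs": set()})
    for ev in events:
        eid = exec_id(ev)
        if eid is None:
            continue
        seen[ev["ParentOrderID"]][ev["sourcetype"]].add(eid)
    return {p: {"ma": len(s["ma"]), "cs": len(s["cs"])} for p, s in seen.items()}


def ma_sent_to_cs(events):
    """ma executions whose ParentOrderID also has at least one cs execution:
    returns the per-parent breakdown and the total the thread asks for."""
    per_parent = counts_by_parent(events)
    matched = {p: c["ma"] for p, c in per_parent.items() if c["ma"] and c["cs"]}
    return matched, sum(matched.values())


if __name__ == "__main__":
    print(counts_by_parent(EVENTS))
    print(ma_sent_to_cs(EVENTS))
```

Because the grouping key is ParentOrderID and the sourcetype is just a column of the same row, no second pass over the data and no subsearch row limit is involved; that is the same reason the combined search plus `stats` scales where `join` gets auto-cancelled on 10 million events.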
Hi, I am trying to get the execution count based on the parent IDs over two different data sets. Could you please review and suggest? I would like to see the execution count between sourcetype=cs and sourcetype=ma; only the field ParentOrderID is common between the cs and ma sourcetypes. Note: daily close to ~10 million events are loaded into Splunk and unique executions will be 4 million. Also, sometimes the join query gets auto-cancelled.

SPL:

index=india sourcetype=ma NOT (source=*OPT* OR app_instance=MA_DROP_SESSION OR "11555=Y-NOBK" OR fix_applicationInstanceID IN(*OPT*,*GWIM*)) msgType=8 (execType=1 OR execType=2 OR execType=F) stream=Outgoing app_instance=UPSTREAM "clientid=XAC*"
| dedup fix_execID,ParentOrderID
| stats count
| join ParentOrderID [ search index=india sourcetype=cs NOT (source=*OPT* OR "11555=Y-NOBK" OR applicationInstanceID IN(*OPT*,*GWIM*)) msgType=8 (execType=1 OR execType=2 OR execType=F) app_instance=PUBHUB stream=Outgoing "clientid=XAC" "sourceid=AX_DN_XAC" | dedup execID,ParentOrderID | stats count]

Thanks, Selvam.
Hi, try preview=true. It must be like this:

curl -k -u admin:pass https://localhost:8089/services/search/v2/jobs/mysearch_02151949/results preview=true
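The same job-results retrieval done from Python, as an added example that is not code from the thread or from Splunk. It uses the documented v2 job endpoints: the job entry is polled until `isDone`/`dispatchState` says the search has finished (before that, `/results` returns nothing, which is the empty response the question describes; `/results_preview` returns partial rows in the meantime), and then the rows are read with `output_mode=json`. The host, port, SID, field names and the `FakeSplunk` stand-in are assumptions so the code runs offline; the HTTP transport is a plain `http_get(url)` callable you replace with a real client.

```python
"""Added example, not code from the thread: read a search job's results over
the Splunk REST API from Python. The endpoint paths are the documented v2 job
endpoints; host, port and credentials are assumptions, and the HTTP transport
is injected so the helpers run offline against a constructed stand-in."""
import json
import time
from urllib.parse import urlencode

BASE_URL = "https://localhost:8089"  # assumption: local management port


def job_status_url(sid):
    return f"{BASE_URL}/services/search/v2/jobs/{sid}?output_mode=json"


def job_results_url(sid, count=0, offset=0, preview=False):
    """count=0 asks for every row; preview=True uses results_preview, which
    returns partial rows while the job is still running."""
    endpoint = "results_preview" if preview else "results"
    query = urlencode({"output_mode": "json", "count": count, "offset": offset})
    return f"{BASE_URL}/services/search/v2/jobs/{sid}/{endpoint}?{query}"


def job_is_done(status_body):
    """The job entry exposes isDone and dispatchState; /results stays empty until DONE."""
    content = json.loads(status_body)["entry"][0]["content"]
    return bool(content.get("isDone")) or content.get("dispatchState") == "DONE"


def parse_results(results_body):
    """In JSON mode /results returns {"fields": [...], "results": [...]}.
    An empty body (job not finished yet) is treated as zero rows."""
    if not results_body.strip():
        return []
    return json.loads(results_body).get("results", [])


def fetch_results(sid, http_get, poll_seconds=0.0, max_polls=10):
    """http_get(url) -> response body as str; against a real server something like
    requests.get(url, auth=(user, password), verify="/path/to/ca.pem").text.
    Polls until the job is done, then reads /results."""
    for _ in range(max_polls):
        if job_is_done(http_get(job_status_url(sid))):
            return parse_results(http_get(job_results_url(sid)))
        time.sleep(poll_seconds)
    raise TimeoutError(f"job {sid} not finished after {max_polls} polls")


class FakeSplunk:
    """Constructed stand-in for splunkd: RUNNING on the first status poll, DONE after."""

    def __init__(self):
        self.polls = 0

    def get(self, url):
        if "/results" in url:
            return json.dumps({"fields": [{"name": "host"}, {"name": "count"}],
                               "results": [{"host": "web01", "count": "3"}]})
        self.polls += 1
        done = self.polls >= 2
        return json.dumps({"entry": [{"content": {
            "isDone": done, "dispatchState": "DONE" if done else "RUNNING"}}]})


if __name__ == "__main__":
    print(fetch_results("mysearch_02151949", FakeSplunk().get))
```

Two practitioner notes on the transport: the `-k` in the curl command (and `verify=False` in a Python client) disables certificate checking and belongs only on a lab box, so point `verify` at the CA that signed splunkd's certificate instead; and scripts that only read job results should authenticate with a token or a role limited to search rather than the admin account shown in the thread.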
Why do I get empty results while using the REST API (results) search in Python? And when I use the REST API (events) in Python I get this. For your information, the SID is already successfully retrieved using the Python program, and when I try to use the curl command to search the SID job (curl -k -u admin:pass https://localhost:8089/services/search/v2/jobs/mysearch_02151949/results) the results are shown on the screen without any error. Can you help me with this case? Thank you
Anyone coming here should know that in 9.2.0.1 this does not work any more. Look at dmc_instances_view_default_search macro for how the monitoring console does it now.
Hi @masakazu, let me understand: do you want to manage the Cluster Manager using the DS, or do you want to directly manage the Indexers using the DS? The second option isn't possible. For the first, it's always better to deploy apps (e.g. TA_indexes) to the Cluster Manager and not the indexes.conf file in _cluster. Anyway, you have to configure the $SPLUNK_HOME/etc/managed-apps folder as the deployment folder. Ciao. Giuseppe
Hi @Satyams14, it isn't a good idea to add a new question, even if on the same topic, to another question, because with a new question you could get a quicker and probably better answer. Anyway, as I said in the previous answer, you have to install the Fortinet Add-On on the UF/HF that you're using to receive data and on the Search Heads. As I said, I suggest using an rsyslog receiver that writes the logs to files that you read using the UF. Ciao. Giuseppe
In an indexer cluster environment, I set the following stanza configuration in the deployment server's serverclass.conf file:

[Server class: splunk_indexer_master_cluster]
stateOnClient = noop
Whitelist = <ClusterManagerA>

But the _cluster folder under manager-apps disappeared along with the indexes.conf inside it. Fortunately, indexes.conf remained in the cluster's peer app, so this was not a problem. If I want to use stateOnClient = noop, how should I maintain the indexes.conf deployed to the cluster on the cluster master?
I am using Outlook as the external mail server. Do you have any idea what value I should use for the mail server hostname?
I installed this app last week and have been experiencing the same problem. Has this issue been resolved since then?
Requirement: the alert only needs to trigger outside the window, even if the server is down in the maintenance window.

| tstats count where index=cts-dcpsa-app sourcetype=app:dcpsa host_ip IN (xx.xx.xxx.xxx, xx.xx.xxx.xxx) by host
| eval current_time=_time
| eval excluded_start_time=strptime("2024-04-14 21:00:00", "%Y-%m-%d %H:%M:%S")
| eval excluded_end_time=strptime("2024-04-15 04:00:00", "%Y-%m-%d %H:%M:%S")
| eval is_maintenance_window=if(current_time >= excluded_start_time AND current_time < excluded_end_time, 1, 0)
| eval is_server_down=if((host="xx.xx.xxx.xxx" AND count == 0) OR (host="xx.xx.xxx.xxx" AND count == 0), 1, 0)

Trigger condition:

| search is_maintenance_window=0 AND is_server_down=1

The alert is not getting triggered outside the maintenance window even though one of the servers is down. Help me with what is wrong in the query, or another possible solution.
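The rule in the post above evaluated outside Splunk, as an added example that is not code from the thread: a maintenance window as a half-open interval on epoch seconds (the same `>= start AND < end` test as the `eval`), and a "host is down" check over a `count ... by host` result. The one thing the example adds that the SPL does not show is the failure mode a practitioner would look for first: a host that sent no events has no row at all in a count-by-host result, so a `count == 0` comparison never matches it. The example therefore compares against an explicit list of expected hosts (in SPL the equivalent is to append the expected host list, for instance from a lookup, and `fillnull count`). The host addresses, window times and result rows are constructed placeholders.

```python
"""Added example, not code from the thread: evaluate the 'server down outside the
maintenance window' rule over a count-by-host result. Expected hosts are listed
explicitly because a host that sent nothing has no row at all in a
count-by-host result, so a `count == 0` test never sees it."""
from datetime import datetime, timezone

EXPECTED_HOSTS = ["10.0.0.1", "10.0.0.2"]  # constructed placeholders for the xx.xx.xxx.xxx hosts
WINDOW_START = "2024-04-14 21:00:00"
WINDOW_END = "2024-04-15 04:00:00"
FMT = "%Y-%m-%d %H:%M:%S"


def to_epoch(text):
    """strptime with the thread's format; UTC is an assumption so start, end and
    'now' are all interpreted in the same zone."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc).timestamp()


def in_maintenance_window(now_epoch, start=WINDOW_START, end=WINDOW_END):
    """Half-open interval, as in the eval: start <= now < end."""
    return to_epoch(start) <= now_epoch < to_epoch(end)


def down_hosts(rows, expected=EXPECTED_HOSTS):
    """rows mimics `tstats count ... by host`: a list of {"host": ..., "count": ...}.
    A host absent from rows is down (it produced no row), as is one present with count 0."""
    counts = {r["host"]: int(r["count"]) for r in rows}
    return [h for h in expected if counts.get(h, 0) == 0]


def should_alert(rows, now_epoch):
    """Trigger only when at least one expected host is down AND we are outside the window."""
    return bool(down_hosts(rows)) and not in_maintenance_window(now_epoch)


if __name__ == "__main__":
    # Constructed result: only the first host reported anything in the period.
    sample_rows = [{"host": "10.0.0.1", "count": "5"}]
    print(down_hosts(sample_rows))
    print(should_alert(sample_rows, to_epoch("2024-04-15 10:00:00")))  # outside window
    print(should_alert(sample_rows, to_epoch("2024-04-14 23:00:00")))  # inside window
```

Note that the window is hard-coded in both the post and the example; a recurring window would normally come from a lookup or a `relative_time` calculation rather than fixed timestamps, otherwise the suppression silently stops applying after the dates pass.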
Hello @gcusello, I have the same scenario, in which I have the architecture as follows: Fortinet analyzer > syslog forwarder (UF installed on it) > Deployment server > search head/indexer. Could you confirm how we can install the Fortinet add-on on the UF?