All Posts


How did you disable the workload management? Via web, cli, or rest? What is the host system producing these messages? (e.g. various indexers? Search head?) Can you then go to those hosts and then disable workload management in the CLI? Ref: https://docs.splunk.com/Documentation/Splunk/9.2.1/Workloads/Enableworkloadmanagement
Hello, I am trying to troubleshoot sendemail.py since after an upgrade to Red Hat 9 our Splunk stopped sending emails. I understand the command to use the Splunk Python interpreter in the CLI is:

splunk cmd python /opt/splunk/etc/apps/search/bin/sendemail.py

However, how do I combine the above with the below _internal search results so I can see what the interpreter would provide as feedback (such as errors)?

_raw results of a sendemail:

subject="old: : $: server-prod - AlertLog_Check - 4 Log(s) ", encoded_subject="old: : $: server-prod - AlertLog_Check - 4 Log(s) ", results_link="https://MyWebsite:8080/app/search/@go?sid=scheduler__nobody__search__RMD50fd7c7e5334fc616_at_1712993040_1213", recipients="['sysadmin@MyWebsite.com']", server="localhost"

Any examples would be greatly appreciated. Thanks, A totally blind Splunker with a mission
Unfortunately this message does not give much information other than the start_phantom.sh process failed with status code 2. Could you try running the install script with the "-v" (verbose) flag? 
Strange... though this looks like an issue with your Teams client, given that you can reply to the message with a different mobile client.
@Jasmine - Use like instead of the match function.

| eval label=case(like(host, "%tv00.test.net"), "Test", like(host, "%qv00.qa.net"), "QA", like(host, "%pv00.prod.net"), "Prod")

I hope this helps!!!
macOS requires that all software be signed and notarized by the developer. It seems you're getting issues because macOS is not trusting the installed Splunk binary to load the libbz libraries. There may be a way to whitelist Splunk from the code signing requirements of macOS, or perhaps you could try installing a different version in the hopes that the new version will be code-signed and accepted by macOS.
Are there any interesting messages in the error log?

index=_internal TA-purestorage-unified log_level=ERROR

I tried installing this add-on on a test machine with Splunk Enterprise 9.2.0 and could load the configuration page without error. Which version of Splunk Enterprise are you using?
@PickleRick - You must be right, and I know it's so complicated for the HEC endpoint as to what will execute or not, so I would avoid it altogether and filter it early, directly from the source, when using HEC.
@dc17 - You need to give the full path, like:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = sysmon
sourcetype = WinEventLog:Sysmon

In my case, I can see a folder called Microsoft > Windows > Sysmon, in which I can see the Operational log.

You need to give the full path, instead of just MyCustomLog. Give the full path, which you can find in Event Viewer.

I hope this helps!!!
<input type="dropdown" token="envtoken">
  <label>env</label>
  <fieldForLabel>label</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search>
    <query>index=aaa (source="/var/log/testd.log") | stats count by host | eval label=case(match(host, ".*tv*."), "Test", match(host, ".*qv*."), "QA", match(host, ".*pv*."), "Prod") | dedup label</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
</input>

The dropdown list is bound to TEST, QA and PROD. QA and prod each have 3 hosts. If I select QA from the dropdown list, will the search include all three hosts? Could you please confirm?
Hi, what issue are you trying to solve with this change? I think that usually it's better to use S2S between Splunk nodes than the HTTP version. r. Ismo
Hi it’s just like @P_vandereerden said. You should read more about it from https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/SearchTimeModifiers#Specify_a_snap_to_time_unit r. Ismo
Hi, you could write "multi line" searches separated by | on one line. Normally it doesn't matter whether you write SPL on one line or format it over several lines; that is just for easier reading. You could also save your query as a report and then call that report via REST with savedsearch. r. Ismo
Hi, it depends on how your roles are defined in authorization. There is an attribute srchIndexesDefault, which defines which indexes are used when you don't use index=xyz in your query. Of course you must have access to those indexes; this is defined with the attribute srchIndexesAllowed. Both are defined in authorize.conf. As has already been said, you should always use index=xyz in your queries to search the needed/wanted indexes, as different roles have different default indexes. IMHO you shouldn't ever use srchIndexesDefault, as it leads people to drop the index=xyz part from their queries. r. Ismo
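An added check to go with the point above (example script, not part of the post or of Splunk): it lists every role in an authorize.conf that sets srchIndexesDefault, so you can see which roles depend on the implicit index set the answer recommends against. The authorize.conf content below is constructed for the example; point the function at $SPLUNK_HOME/etc/system/local/authorize.conf or an app's local/authorize.conf on a real search head.

```shell
#!/bin/sh
# Added example: audit authorize.conf for roles relying on srchIndexesDefault.

# Prints "<role> <srchIndexesDefault value>" for each [role_*] stanza that sets it.
# $1 = path to an authorize.conf file.
roles_with_default_indexes() {
    awk '
        # [role_soc_analyst] -> soc_analyst (strip "[role_" and the closing "]")
        /^\[role_/ { role = substr($0, 7, length($0) - 7) }
        /^srchIndexesDefault[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)      # keep only the value after "="
            if (role != "" && val != "") print role, val
        }
    ' "$1"
}

# Constructed sample config (not from any real deployment).
sample_conf=$(mktemp) || exit 1
cat > "$sample_conf" <<'EOF'
[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = main;os

[role_soc_analyst]
srchIndexesAllowed = security;os;network
srchIndexesDefault = security

[role_developer]
srchIndexesAllowed = app_dev
EOF

# Stand-alone run: only admin and soc_analyst are reported; developer has no default.
roles_with_default_indexes "$sample_conf"
```

Roles listed here are the ones whose users get surprising results (or silently missing data) when they omit index= from a search; the fix the answer suggests is to remove srchIndexesDefault from those stanzas and train users to name the index.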
Are you able to generate the some_example_generated_file.csv.gz file from running the search in the Splunk webUI as the user whose credentials or token is being used to authorize the API request? There should be no problem running searches with piped segments using curl and the search api endpoints. Though you may have to tweak the character encoding in the search query. I recommend trying it segment-by-segment to see if it generates the expected results.
Hi, if the query takes long, then maybe you should check whether you should use time() instead of now()? The first gives you the current time and the second gives the time when the query started. r. Ismo http://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/DateandTimeFunctions
@gcusello I have used the below commands to generate the various certificates and adjusted web.conf as well. But still the connection is not secure.

"D:\Splunk\bin\splunk" cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
"D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
"D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -text
"D:\Splunk\bin\splunk" cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
"D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095
"D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095
type mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

web.conf

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key
serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem
Hi @uagraw01, the connection is using a self-signed certificate. So, if the website doesn't have a third-party certificate, the "HTTPS Not Secure" message in Chrome will appear, even if you have a certificate. You can solve the issue using a third-party certificate or by enabling your browser to recognize this certificate as well. Ciao. Giuseppe
@gcusello I did it already but the connection is not secure. I want to make the connection secure as well.
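An added walkthrough of the certificate side of this exchange (example script, not the poster's commands and not part of Splunk): it creates a private CA, issues a server certificate that carries a subjectAltName, assembles the chain file in the order Splunk expects for serverCert (server certificate first, issuing CA after), and then runs the checks a browser effectively performs. The host name splunk.example.internal and the CA name are assumptions; the file names mirror the ones used in the thread. It needs the openssl CLI (1.1.1 or newer) and writes into a fresh temporary directory.

```shell
#!/bin/sh
# Added example: private CA + SAN-bearing Splunk Web certificate + chain checks.

# Builds everything in a temp dir, verifies it, and prints the dir on success.
build_and_verify() {
    dir=$(mktemp -d) || return 1
    cd "$dir" || return 1

    # 1. Private CA. Browsers do not know this CA, which is why Chrome reports
    #    "Not secure": what is missing is trust in the issuer, not encryption.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout myCAPrivateKey.key -out myCACertificate.pem >/dev/null 2>&1 || return 1

    # 2. Server key + CSR. -nodes gives an unencrypted key, which is what
    #    web.conf privKeyPath needs (the thread stripped the passphrase with
    #    a second "openssl rsa" run instead).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=splunk.example.internal" \
        -keyout mySplunkWebPrivateKey.key -out mySplunkWebCert.csr >/dev/null 2>&1 || return 1

    # 3. Sign with the CA and add a subjectAltName. Chrome has ignored the CN
    #    since 2017, so a certificate without a SAN is rejected even when the
    #    CA itself is trusted. The poster's x509 -req line has no -extfile.
    printf 'subjectAltName=DNS:splunk.example.internal\nextendedKeyUsage=serverAuth\n' > ext.cnf
    openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem \
        -CAkey myCAPrivateKey.key -CAcreateserial -days 1095 -sha256 \
        -extfile ext.cnf -out mySplunkWebCert.pem >/dev/null 2>&1 || return 1

    # 4. Chain file for serverCert: leaf first, then the issuing CA.
    cat mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

    # 5. Checks to run before touching web.conf.
    #    a) the server cert chains to the CA you intend to import into the browser/OS
    openssl verify -CAfile myCACertificate.pem mySplunkWebCert.pem 2>&1 | grep -q ': OK$' || return 1
    #    b) the SAN names the host you will browse to
    openssl x509 -in mySplunkWebCert.pem -noout -text | grep -q 'DNS:splunk.example.internal' || return 1
    #    c) the first certificate in the chain file is the server cert, not the CA
    openssl x509 -in mySplunkWebCertificate.pem -noout -subject | grep -q 'CN *= *splunk.example.internal' || return 1
    #    d) without the CA, verification fails: this is what the browser sees today
    if openssl verify mySplunkWebCert.pem 2>&1 | grep -q ': OK$'; then return 1; fi

    echo "$dir"
}

# Stand-alone run.
out=$(build_and_verify) && echo "chain built and verified in $out"
```

Until myCACertificate.pem is imported as a trusted root on the client (or the CSR is signed by a CA the clients already trust), the padlock will stay broken even though the chain above verifies; also note that the web.conf in the thread points at /opt/splunk paths on a D:\Splunk install, which is worth re-checking against splunkd.log after restart. Remove the temporary directory, which holds private keys, when you are done.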
Hi @Jasmine, as @marnall said, a space is missing between the index value and the source condition. I suppose that the error is that the argument of the match function in the eval command is a regex, so you don't need to use an asterisk:

index=aaa (source="/var/log/testd.log") | stats count by host | eval env=case(match(host, "10qe"), "Test", match(host, "10qe"), "QA", match(host, "10qe"), "Prod")

Ciao. Giuseppe
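An added demonstration of the point made in the two answers above and in the dashboard question (example script, not from the thread): the regex chain `.*tv*.` / `.*qv*.` / `.*pv*.` does not mean "contains tv"; `v*` matches zero or more v, so `.*tv*.` matches any host name with a `t` followed by at least one more character. Hosts whose names happen to contain `tp`, `th`, etc. are therefore labelled Test no matter which environment they belong to. The glob form of the like() answer has no such ambiguity. Host names below are constructed; the classification is done with grep -E and a shell case statement standing in for match() and like().

```shell
#!/bin/sh
# Added example: the original regex chain versus the like()-style glob chain.

# Mirrors eval env=case(match(host,".*tv*."),"Test", match(host,".*qv*."),"QA",
# match(host,".*pv*."),"Prod"). First regex that matches wins, as in case().
classify_regex() {
    if   printf '%s\n' "$1" | grep -Eq '.*tv*.'; then echo Test
    elif printf '%s\n' "$1" | grep -Eq '.*qv*.'; then echo QA
    elif printf '%s\n' "$1" | grep -Eq '.*pv*.'; then echo Prod
    else echo unknown
    fi
}

# Mirrors the like() answer: SQL-style "%" becomes the shell glob "*", and the
# pattern must end exactly in the environment suffix.
classify_like() {
    case "$1" in
        *tv00.test.net) echo Test ;;
        *qv00.qa.net)   echo QA ;;
        *pv00.prod.net) echo Prod ;;
        *)              echo unknown ;;
    esac
}

# Constructed sample hosts: one per environment, with names that expose the bug.
for h in app01tv00.test.net ftp01qv00.qa.net auth01pv00.prod.net other.example.com; do
    printf '%-24s regex=%-8s like=%s\n' "$h" "$(classify_regex "$h")" "$(classify_like "$h")"
done
```

With a 15-minute dropdown search like the one in the dashboard, a misclassified host does not just get a wrong label: because the dropdown binds `host` as its value, selecting "QA" can run the panel search against a single host from another environment while the real QA hosts are silently excluded.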