All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Deployment client resolving to old deployment server

by in Splunk Search
‎04-21-2024 10:49 PM
‎04-21-2024 10:49 PM
Hi All, I have deployed new deployment server  (aws ec2 instance) and updated the existing route53 dns entry to point to this new server. But I see the deployment clients are making connection to ... See more...
Hi All, I have deployed new deployment server  (aws ec2 instance) and updated the existing route53 dns entry to point to this new server. But I see the deployment clients are making connection to old server still. I believe there is  old connection saved at deployment client. Does anyone of you know how to encounter this issue ? Your solution helps me lot please. Regards, PNV

Re: How to segregate the dropdown ALL values ?

by SplunkTrust in Dashboards & Visualizations
‎04-21-2024 10:40 PM
1 Karma
‎04-21-2024 10:40 PM
1 Karma
@karthi2809  Please check the below sample XML.  Observe `new_value` token and use in your search.   <form version="1.1" theme="dark"> <label>Application</label> <fieldset submitButton="false"... See more...
@karthi2809  Please check the below sample XML.  Observe `new_value` token and use in your search.   <form version="1.1" theme="dark"> <label>Application</label> <fieldset submitButton="false"> <input type="dropdown" token="BankApp" searchWhenChanged="true"> <label>ApplicationName</label> <choice value="*">All</choice> <search> <query> | makeresults | eval applicationName="Test1,Test2,Test3" | eval applicationName=split(applicationName,",") | stats count by applicationName | table applicationName </query> </search> <fieldForLabel>applicationName</fieldForLabel> <fieldForValue>applicationName</fieldForValue> <default>*</default> <prefix>applicationName="</prefix> <suffix>"</suffix> <change> <condition match="$value$==&quot;*&quot;"> <set token="new_value">applicationName IN ("Test1" OR "TEST2" OR "Test3")</set> </condition> <condition> <set token="new_value">applicationName = $BankApp$</set> </condition> </change> </input> </fieldset> <row> <panel> <html> Dropdown Value = $BankApp$ <br/> new_value= $new_value$ </html> </panel> </row> </form>    I hope this will help you. Thanks KV If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Pre-emptive eviction of buckets on smartstore ?

by in Splunk Enterprise
‎04-21-2024 10:27 PM
‎04-21-2024 10:27 PM
Yes, it was the padding / max cache size that was the culprit. The calculation I did was wrong.   Thank you André

Re: Passing token to chart overlay

by in Dashboards & Visualizations
‎04-21-2024 10:17 PM
‎04-21-2024 10:17 PM
Hi  @mdunnavant , I noticed you were working on passing a token to chart overlay. I'm encountering a similar issue where I'm trying to pass a token value to overlay options for line chart representa... See more...
Hi  @mdunnavant , I noticed you were working on passing a token to chart overlay. I'm encountering a similar issue where I'm trying to pass a token value to overlay options for line chart representation over a column chart. If you've managed to achieve this, could you please share how you made it overlay with a token value? Your insights would be greatly appreciated. My Chart and My SPL query: SPL: index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=* | eval ds_file_path=ds_path."\\".ds_file | chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine | appendcols [search index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=* | eval ds_file_path=ds_path."\\".ds_file | stats max(block_count) as total_blocks by ds_file_path]   I need to assign the overlay field value from the line in SPL: | chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine The reason I'm attempting to assign it as a token is that the avg_processing_time_per_block has dynamic values (sometimes it may be 10 or 12).instead of rwmini and rwws01. Thanks In advance,

How to segregate the dropdown ALL values ?

by in Dashboards & Visualizations
‎04-21-2024 09:19 PM
‎04-21-2024 09:19 PM
Thanks In Advance. I am using dropdown values for my requirement. In the dropdown i am using token and getting the values from inputlookup and i will pass the value to splunk query.There are two dro... See more...
Thanks In Advance. I am using dropdown values for my requirement. In the dropdown i am using token and getting the values from inputlookup and i will pass the value to splunk query.There are two dropdown one is application Name another one interface name.If i select values i am getting result .If select ALL and the values shows *.in the splunk query.Instead of * .I want to gey values like OR conditions.If i the token getting * then it showing all the values.But i want to show the values which is comming from inputlookup values both application name and interface name.     When i am selecting ALL my splunk query like this: index=mulesoft environment=PRD (applicationName="*" OR priority IN ("ERROR", "WARN")) | stats values(*) AS * BY correlationId applicationName | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | search InterfaceName="*" FileList="*" | sort -timestamp | sort -timestamp I am expecting : index=mulesoft environment=PRD applicationName IN ("Test1" OR "TEST2" OR "Test3") OR priority IN ("ERROR", "WARN") | stats values(*) AS * BY correlationId applicationName | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | search InterfaceName IN ("aa" OR "bb" OR "cc") AND FileList="*" | sort -timestamp | sort -timestamp DropDown Code </input><input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> <label>ApplicationName</label> <choice value="*">All</choice> <search> <query> | inputlookup BankIntegration.csv | dedup applicationName | sort applicationName | table applicationName </query> </search> <fieldForLabel>applicationName</fieldForLabel> <fieldForValue>applicationName</fieldForValue> <default>*</default> <prefix>applicationName="</prefix> <suffix>"</suffix> </input> <input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> <label>InterfaceName</label> <choice value="*">All</choice> <search> <query> | inputlookup BankIntegration.csv | search $BankApp$ | sort InterfaceName | table InterfaceName </query> </search> <fieldForLabel>InterfaceName</fieldForLabel> <fieldForValue>InterfaceName</fieldForValue> <default>*</default> <prefix>InterfaceName="</prefix> <suffix>"</suffix> </input>    
Labels

Re: Change App's Release Notes

by SplunkTrust in Splunk Dev
‎04-21-2024 08:33 PM
1 Karma
‎04-21-2024 08:33 PM
1 Karma
@altink - Surely you can do that. Go to classic Splunkbase.   Click on Manage App (You won't see this option if you are not the editor or owner of the App)   Click on any of the ver... See more...
@altink - Surely you can do that. Go to classic Splunkbase.   Click on Manage App (You won't see this option if you are not the editor or owner of the App)   Click on any of the version number for which you would like to update the release notes.   And here, you should be able to update the release notes or any other details.   I hope this is helpful!!! If this helps, kindly upvote and accept the answer.!!

Re: Scripting admin credentials in scripted install

by in Installation
‎04-21-2024 05:58 PM
‎04-21-2024 05:58 PM
How do you implement this using ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using git... See more...
How do you implement this using ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using gitlab as my repository.  - name: Generate Splunk Seed Password   ansible.builtin.set_fact:     splunk_seed_passwd: "{{ 'password' | password_hash('sha512') }}"   register: hashed_pwd   when: splunk_agent_status.rc != 0 - name: Create user-seed.conf file   ansible.builtin.template:     dest: /opt/splunkforwarder/etc/system/local/user-seed.conf     owner: root     group: root     mode: 0640     option: "{{ item.opt }}"     value: "{{ item.val }}"   with_items:   - {opt: 'USERNAME', val: 'admin'}   - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd}}'}   become: true   when: splunk_agent_status.rc != 0

Re: Phantom health alert notification

by SplunkTrust in Splunk SOAR
‎04-21-2024 02:07 PM
‎04-21-2024 02:07 PM
Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.c... See more...
Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth To monitor I would run an external script or if you are using Splunk Enterprise - by using | restsoar command you can call the above Rest API and create an alert.  You should install official  https://splunkbase.splunk.com/app/6361 Splunk App for SOAR to use  | restsoar command. -------- Srikanth Yarlagadda  

Re: alerts

by SplunkTrust in Alerting
‎04-21-2024 12:50 PM
‎04-21-2024 12:50 PM
This is a message saying that the server you're trying to send your emails with doesn't let you do so (at least not without proper authentication first). It's something you have work with your email ... See more...
This is a message saying that the server you're trying to send your emails with doesn't let you do so (at least not without proper authentication first). It's something you have work with your email server provider (or configure proper settings on your Splunk server).

Re: alerts

by in Alerting
‎04-21-2024 12:18 PM
‎04-21-2024 12:18 PM
I am getting the following error :   command="sendemail", (*****SMTP; Client was not authenticated to send anonymous mail during MAIL FROM', '*****.com') while sending mail to: it-security@durr.com

Re: REST API - Search targetResources from Azure Audit via Java SDK

by in Getting Data In
‎04-21-2024 11:10 AM
‎04-21-2024 11:10 AM
Hi @swaprks, If you're relying on automatic field-extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true or KV_MODE = json or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.:... See more...
Hi @swaprks, If you're relying on automatic field-extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true or KV_MODE = json or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.: initiatedBy.user.id targetResources{}.id Arrays are extracted as multi-valued fields, e.g.: targetResources{}.modifiedProperties{}.displayName := AccountEnabled StsRefreshTokensValidFrom UserPrincipalName UserType Included Updated Properties Automatic extraction of arrays of objects with array fields can also be confusing. To return the native JSON directly, extract the fields as part of your search: index=directoryaudit | eval json=json(_raw), initiatedBy=json_extract(json, "initiatedBy"), targetResources=json_extract(json, "targetResources") | fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime  

Re: Change App's Release Notes

by in Splunk Dev
‎04-21-2024 10:48 AM
‎04-21-2024 10:48 AM
Thank You @gcusello  But I do not own a Splunk system, so I have no Support account. I am just a developer, who has published two Apps at Splunkbase Should I ask via e-mail Splunk Developer in... See more...
Thank You @gcusello  But I do not own a Splunk system, so I have no Support account. I am just a developer, who has published two Apps at Splunkbase Should I ask via e-mail Splunk Developer instead ? best regards Altin

Re: How to drop specific lines from an event not the whole event

by SplunkTrust in Getting Data In
‎04-21-2024 10:04 AM
‎04-21-2024 10:04 AM
Hi @Mfmahdi , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors

Re: How to delete app from splunk search head?

by SplunkTrust in Deployment Architecture
‎04-21-2024 10:03 AM
‎04-21-2024 10:03 AM
Hi @aasserhifni , the apps distributed by Deployer are in this folder not in apps and aren't installed on the Deployer. is this app in the $SPUNK_HOME/etc/shcluster/apps of the Deployer? If this a... See more...
Hi @aasserhifni , the apps distributed by Deployer are in this folder not in apps and aren't installed on the Deployer. is this app in the $SPUNK_HOME/etc/shcluster/apps of the Deployer? If this app is in this folder, remove it and push again apps. Ciao. Giuseppe  

Re: Why am I getting Invalid key in stanza [clustermaster:one]

by SplunkTrust in Installation
‎04-21-2024 08:27 AM
1 Karma
‎04-21-2024 08:27 AM
1 Karma
Hi you could read more, how to use btool check from https://dev.splunk.com/enterprise/tutorials/module_validate/validateapp/ r. Ismo

Re: CSV file different format when downloaded from report generated.

by in Other Usage
‎04-21-2024 07:50 AM
‎04-21-2024 07:50 AM
As a quick follow-up, the setting is recognized by all currently supported versions of Splunk Enterprise and present at least as far back as Splunk Enterprise 8.1; however, it's not documented.

Re: Why am I getting Invalid key in stanza [clustermaster:one]

by SplunkTrust in Installation
‎04-21-2024 05:58 AM
1 Karma
‎04-21-2024 05:58 AM
1 Karma
Probably because you have an Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey

Re: How to delete app from splunk search head?

by SplunkTrust in Deployment Architecture
‎04-21-2024 05:27 AM
‎04-21-2024 05:27 AM
The Search Head Cluster Deployer is not the same as Deployment Server (yes, I know the naming can be confusing). BTW SH captaincy doesn't have anything to do with deploying apps.

Why am I getting Invalid key in stanza [clustermaster:one]

by in Installation
‎04-21-2024 04:58 AM
‎04-21-2024 04:58 AM
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey  in my search heads cluster i make ... See more...
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey  in my search heads cluster i make sure that the same passkey in SHC and the deployer is the same. Thank you  
Labels

Re: How to delete app from splunk search head?

by in Deployment Architecture
‎04-21-2024 03:58 AM
‎04-21-2024 03:58 AM
Hi @gcusello , the app was installed on a single search head neither the deployer  nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head ... See more...
Hi @gcusello , the app was installed on a single search head neither the deployer  nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head and also I don't have the option to disable either the app or the add on from the search head GUI. Thank you for understanding my odd situation.