All Posts

You could try something like this  
I'm a little suspicious of the formatting after the line: community: "public"

Could you try adjusting so it's like this?

    community: "public"
    fields:
      - name: "some_name"
        oid: "x.x.x.x.x.x.x.x.x.x.x.x.x"

If that doesn't help, if you could email me the agent_config.yaml, I'll take a closer look (the PDF kills the indentation). Just add "@splunk.com" to my username if you want to send it. Thanks!
Below is the regex used; here we want to extract the following fields: DIM, TID, APPLICATION, POSITION, CORRLATIONID. The rex which I used extracts DIM, TID, APPLICATION as one field, but we need them separately. We need to write the rex generically so that it captures the data if there are different field names as well.
Hi. Have a look at https://community.splunk.com/t5/Splunk-Search/Why-is-Lookup-definition-in-transforms-conf-not-returning/td-p/589334

Sounds like there's a lookup definition in a transforms.conf and the corresponding lookup file does not exist. You can use btool on the Splunk head to locate the setting. For example:

    /opt/splunk/bin/splunk btool transforms list --debug | grep file

You can see all the lookup file definitions.
thanks it worked
So I'm trying to use #splunkcloud to make calls to a RESTful API for which there is no add-on or app available on Splunkbase. There is nothing under Settings > Data Inputs > Local Inputs to accomplish this task... which kind of blows my mind. Anyone find a solution for this or something similar? TIA
Thank you, config is attached ... I've obscured the IP ... Here's the log:

    Apr 11 16:44:00 otelcol[142312]: 2024/04/11 16:44:00 main.go:89: application run finished with error: failed to resolve config: cannot resolve the configuration: cannot retrieve the configuration: configsource provider failed retrieving: yaml: line 91: did not find expected key
    Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Main process exited, code=exited, status=1/FAILURE
    Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
    Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Scheduled restart job, restart counter is at 5.
    Apr 11 16:44:01 systemd[1]: Stopped Splunk OpenTelemetry Collector.
    Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Start request repeated too quickly.
    Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
    Apr 11 16:44:01 systemd[1]: Failed to start Splunk OpenTelemetry Collector.
Hi, We get the following exceptions while trying to load APM agent 24.3 in WebLogic 14.1:

    java.lang.IllegalAccessError: class jdk.jfr.internal.SecuritySupport$$Lambda$225/0x0000000800979c40 (in module jdk.jfr) cannot access class com.singularity.ee.agent.appagent.entrypoint.bciengine.FastMethodInterceptorDelegatorBoot (in unnamed module @0x2205a05d) because module jdk.jfr does not read unnamed module @0x2205a05d
    java.lang.IllegalStateException: Unable to perform operation: create on weblogic.diagnostics.instrumentation.InstrumentationManager

The WebLogic managed server won't start after throwing these exceptions. Any insights on what might be causing these errors? Thanks, Roberto
I don't see a checkbox as part of the inputs list. It is possible in Simple XML, but I would like to know how it can be achieved using Dashboard Studio.
Please provide more details, for example, what do you mean by tag? how do you set it up? how do you use it in your search? in what way doesn't it work? do you have any errors reported? etc.
Hi. If I replace, for example, src=10.0.0.1 with my tag containing src=10.0.0.1 in the query, it doesn't work. Please help.
Hi, I need to upgrade my correlation search for Excessive Failed Logins with Username:

    | tstats summariesonly=true values("Authentication.tag") as "tag", dc("Authentication.user") as "user_count", values("Authentication.user") as "usernames", dc("Authentication.dest") as "dest_count", count from datamodel="Authentication"."Authentication" where nodename="Authentication.Failed_Authentication" by "Authentication.app","Authentication.src"
    | rename "Authentication.app" as "app", "Authentication.src" as "src"
    | where 'count'>=6

I would like the query to trigger only when there is a Successful Authentication after 6 failed authentications. Thank you.
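The logic asked for above (fire only when a success from the same app/src follows at least six failures), worked through as an added example that is not part of the original post and not Splunk ES code. It runs in Python over constructed sample events whose field names mirror the CIM Authentication fields the search already uses (app, src, dest, user) plus `action`, which the data model carries as "failure" or "success". The 15-minute look-back window, the threshold of six and the sample IPs and usernames are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, src, user, action, app="ssh", dest="web01"):
    """Build one constructed Authentication-style event (not real data)."""
    return {"_time": t, "app": app, "src": src, "dest": dest, "user": user, "action": action}


# Constructed sample events covering the cases the rule has to tell apart.
SAMPLE_EVENTS = [
    # 10.0.0.1: six failures over six minutes, then a success -> must alert
    _ev("2024-04-11T16:40:00", "10.0.0.1", "root", "failure"),
    _ev("2024-04-11T16:41:00", "10.0.0.1", "admin", "failure"),
    _ev("2024-04-11T16:42:00", "10.0.0.1", "root", "failure"),
    _ev("2024-04-11T16:43:00", "10.0.0.1", "test", "failure"),
    _ev("2024-04-11T16:44:00", "10.0.0.1", "admin", "failure"),
    _ev("2024-04-11T16:45:00", "10.0.0.1", "oracle", "failure", dest="web02"),
    _ev("2024-04-11T16:46:00", "10.0.0.1", "admin", "success"),
    # 10.0.0.2: three failures then a success -> below the threshold of six
    _ev("2024-04-11T16:40:30", "10.0.0.2", "bob", "failure"),
    _ev("2024-04-11T16:41:30", "10.0.0.2", "bob", "failure"),
    _ev("2024-04-11T16:42:30", "10.0.0.2", "bob", "failure"),
    _ev("2024-04-11T16:43:30", "10.0.0.2", "bob", "success"),
    # 10.0.0.3: seven failures and never a success -> the old rule fires, this one does not
    *[_ev(f"2024-04-11T16:{40 + i}:10", "10.0.0.3", "svc", "failure") for i in range(7)],
    # 10.0.0.4: six failures, but the success arrives 85 minutes later -> outside the window
    *[_ev(f"2024-04-11T15:0{i}:00", "10.0.0.4", "eve", "failure") for i in range(6)],
    _ev("2024-04-11T16:30:00", "10.0.0.4", "eve", "success"),
]


def detect_failures_then_success(events, threshold=6, window=timedelta(minutes=15)):
    """Return one alert per (app, src) whose successful login was preceded, within
    `window`, by at least `threshold` failed logins from the same source."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["app"], e["src"])].append(e)

    alerts = []
    for (app, src), evs in by_key.items():
        evs.sort(key=lambda e: e["_time"])  # ISO-8601 strings sort chronologically
        recent_failures = []
        for e in evs:
            now = datetime.fromisoformat(e["_time"])
            # age out failures that fall outside the look-back window
            recent_failures = [f for f in recent_failures
                               if now - datetime.fromisoformat(f["_time"]) <= window]
            if e["action"] == "failure":
                recent_failures.append(e)
                continue
            if e["action"] == "success" and len(recent_failures) >= threshold:
                alerts.append({
                    "app": app,
                    "src": src,
                    "failed_count": len(recent_failures),
                    "usernames": sorted({f["user"] for f in recent_failures}),
                    "dest_count": len({f["dest"] for f in recent_failures}),
                    "success_user": e["user"],
                    "success_time": e["_time"],
                })
            # a success, alerting or not, closes the failure run
            recent_failures = []
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(SAMPLE_EVENTS):
        print(alert)
```

The point the Python makes explicit is that the existing tstats search cannot express this: it only reads the Failed_Authentication node and aggregates away time. To get the same behaviour in SPL the search has to return both outcomes (for example by dropping the nodename filter and splitting on Authentication.action, or by also reading Successful_Authentication) together with _time, and then order events per app and src before comparing the failure count preceding each success.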
Hello there, I am writing to describe my use case for integrating Splunk Cloud/Enterprise features into my website. I am looking for web services for integration with Splunk Cloud or Splunk Enterprise. My aim is to render Splunk Cloud/Enterprise dashboards and reports on my website.

I have:
1) a Splunk Cloud admin account (trial)
2) a Splunk Enterprise admin account (trial)

I want to:
1) Get the list of apps of Splunk Cloud/Enterprise programmatically.
2) After that I will be able to see the list of dashboards and reports in the desired app.
3) Further, I can select a dashboard or report which I want to embed on my website.

This will allow me to easily visualize up-to-date Splunk data on my website. Thank you in advance for considering my query.
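The first two steps above (list apps, then the dashboards and reports in one app) against the Splunk REST API, as an added example that is not part of the original post and not Splunk's own SDK. It uses only the standard library and three real endpoints, /services/apps/local, /servicesNS/-/<app>/data/ui/views and /servicesNS/-/<app>/saved/searches, with output_mode=json. The management URL, the token value and the constructed responses served by `fake_fetch` are assumptions for the example; a real run passes no `fetch` and talks to port 8089. The design choice worth copying is that the site authenticates with a Splunk authentication token held by the backend and scoped to a read-only service account, never with the trial admin password, and never from browser-side JavaScript.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://splunk.example.com:8089"  # assumed management-port URL


def splunk_get(base_url, token, path, fetch=None):
    """GET one REST endpoint as JSON. `token` is a Splunk authentication token
    sent as a Bearer header, so no password lives in the website's code.
    `fetch(url, headers)` can be injected so the functions run offline."""
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}?output_mode=json&count=0"
    headers = {"Authorization": f"Bearer {token}"}
    if fetch is not None:
        return fetch(url, headers)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS certificate is verified by default
        return json.load(resp)


def list_apps(base_url, token, fetch=None):
    """Names of enabled apps (GET /services/apps/local)."""
    data = splunk_get(base_url, token, "/services/apps/local", fetch)
    return [e["name"] for e in data["entry"] if not e["content"].get("disabled")]


def list_dashboards(base_url, token, app, fetch=None):
    """(name, label) of each dashboard in `app` (GET /servicesNS/-/<app>/data/ui/views)."""
    path = f"/servicesNS/-/{urllib.parse.quote(app, safe='')}/data/ui/views"
    data = splunk_get(base_url, token, path, fetch)
    return [(e["name"], e["content"].get("label", e["name"])) for e in data["entry"]]


def list_reports(base_url, token, app, fetch=None):
    """Names of saved searches (reports) in `app` (GET /servicesNS/-/<app>/saved/searches)."""
    path = f"/servicesNS/-/{urllib.parse.quote(app, safe='')}/saved/searches"
    data = splunk_get(base_url, token, path, fetch)
    return [e["name"] for e in data["entry"]]


# Constructed responses standing in for a live instance. They follow the shape
# output_mode=json returns: a top-level "entry" list whose items carry "name" and "content".
FAKE_RESPONSES = {
    "/services/apps/local": {"entry": [
        {"name": "search", "content": {"disabled": False}},
        {"name": "myapp", "content": {"disabled": False}},
        {"name": "oldapp", "content": {"disabled": True}},
    ]},
    "/servicesNS/-/myapp/data/ui/views": {"entry": [
        {"name": "overview", "content": {"label": "Overview"}},
        {"name": "auth_failures", "content": {"label": "Auth Failures"}},
    ]},
    "/servicesNS/-/myapp/saved/searches": {"entry": [
        {"name": "Daily Errors", "content": {}},
    ]},
}


def fake_fetch(url, headers):
    """Offline stand-in for urlopen: rejects requests without a bearer token,
    then serves the constructed response for the requested path."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return FAKE_RESPONSES[urllib.parse.urlparse(url).path]


if __name__ == "__main__":
    token = "demo-token"  # assumed; load from a secret store in a real backend
    print("apps:", list_apps(BASE_URL, token, fetch=fake_fetch))
    print("dashboards:", list_dashboards(BASE_URL, token, "myapp", fetch=fake_fetch))
    print("reports:", list_reports(BASE_URL, token, "myapp", fetch=fake_fetch))
```

Before pointing this at a Splunk Cloud trial, check that REST access to the management port is enabled for the stack and for your backend's source address; the same calls work unchanged against Splunk Enterprise.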
I am unable to find REST API Postman collection for Splunk Enterprise. Can anyone please provide a link to export or download Postman collection for Enterprise ?
Hi @Marcie.Sirbaugh, I see you have an open ticket with the same error you asked Sajo about  agentregistrationmodule.go:352 Perhaps you can continue to share any outcomes from that interaction with your ticket here with Sajo.
Hello @493600, There is no OOTB way of achieving this. Usually, we have to download the events in _raw format, upload them to a test environment which has the latest version of the TA along with CIM Validator installed, and validate the field extraction. Commands like fieldsummary can help in comparing the field names and values: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Fieldsummary   Please accept the solution and hit Karma, if this helps!
Seeing some errors in the internal logs for lookup files. Can someone help me with the reason for these errors?
1) Unable to find filename property for lookup=xyz.csv will attempt to use implicit filename.
2) No valid lookup table file found for this lookup=*
3) The lookup table '*' does not exist or is not available. - This can be due to the definition or reference of the lookup file being there but the file having been deleted.
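A check that ties the btool answer earlier on this page (splunk btool transforms list --debug) to the three log messages above, as an added example that is not part of either post and not Splunk code. It parses btool --debug output, whose every line is prefixed with the conf file it came from, works out where Splunk would expect each file-backed lookup under <app>/lookups/, and reports the ones that are missing. The sample btool output, the app names and the set of files assumed to exist are constructed; the fallback that a stanza without `filename` uses the lookup name itself as the file name is an assumption taken from the wording of message 1). A real run is `splunk btool transforms list --debug | python check_lookups.py`.

```python
import os
import posixpath
import sys

# Constructed sample in the layout btool --debug prints (conf path, then the line).
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/myapp/local/transforms.conf   [good_lookup]
/opt/splunk/etc/apps/myapp/local/transforms.conf   filename = good.csv
/opt/splunk/etc/apps/myapp/local/transforms.conf   [xyz]
/opt/splunk/etc/apps/myapp/local/transforms.conf   filename = xyz.csv
/opt/splunk/etc/apps/myapp/local/transforms.conf   case_sensitive_match = false
/opt/splunk/etc/apps/search/default/transforms.conf   [implicit_lookup.csv]
/opt/splunk/etc/apps/search/default/transforms.conf   max_matches = 1
/opt/splunk/etc/apps/myapp/default/transforms.conf   [kv_assets]
/opt/splunk/etc/apps/myapp/default/transforms.conf   collection = assets
/opt/splunk/etc/apps/myapp/default/transforms.conf   external_type = kvstore
/opt/splunk/etc/apps/myapp/default/transforms.conf   [extract_user]
/opt/splunk/etc/apps/myapp/default/transforms.conf   REGEX = user=(?<user>\\S+)
"""

# Files present in the constructed layout; a real run passes os.path.exists instead.
SAMPLE_FILES = {"/opt/splunk/etc/apps/myapp/lookups/good.csv"}

NON_FILE_LOOKUP_KEYS = ("external_cmd", "collection")  # scripted and KV store lookups
EXTRACTION_KEYS = ("REGEX", "DELIMS", "FIELDS")        # field-extraction stanzas, not lookups


def parse_btool_debug(text):
    """Parse btool --debug output into {stanza: {"_conf": path, key: value, ...}}.
    `_conf` records which transforms.conf defined the stanza header."""
    stanzas, current = {}, None
    for line in text.splitlines():
        path, _, body = line.strip().partition(" ")
        body = body.strip()
        if not body:
            continue
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas[current] = {"_conf": path}
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")  # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def expected_lookup_path(conf_path, filename):
    """<app>/lookups/<filename>, derived from the app directory of the conf file."""
    app_dir = posixpath.dirname(posixpath.dirname(conf_path))  # drop local|default/transforms.conf
    return posixpath.join(app_dir, "lookups", filename)


def check_lookups(stanzas, exists):
    """Return [(stanza, expected_path, why)] for each file-backed lookup whose file is absent."""
    problems = []
    for name, conf in stanzas.items():
        if any(k in conf for k in NON_FILE_LOOKUP_KEYS + EXTRACTION_KEYS):
            continue
        filename = conf.get("filename")
        if filename is None:
            filename = name  # assumed implicit filename, per the "will attempt to use implicit filename" message
            why = "no filename property, implicit filename missing"
        else:
            why = "filename set but file missing"
        path = expected_lookup_path(conf["_conf"], filename)
        if not exists(path):
            problems.append((name, path, why))
    return problems


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BTOOL
    exists = os.path.exists if not sys.stdin.isatty() else (lambda p: p in SAMPLE_FILES)
    for name, path, why in check_lookups(parse_btool_debug(text), exists):
        print(f"{name}: {why} ({path})")
```

Two limits worth knowing: the check only looks in the app's own lookups directory, whereas Splunk also resolves private lookups under etc/users/<user>/<app>/lookups, and on a search head cluster or Splunk Cloud stack the conf you see in btool may be deployed from a bundle whose lookup file was never shipped, which is exactly the case message 3) describes.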
Looking for a solution that does certain validation checks when we upgrade any Splunk add-on to the latest version. This is to make sure that when the add-on is upgraded to the latest version it does not break any of the existing working configs like field parsing, search execution time, etc. in prod. So we need to check if it's possible to create a dashboard or something wherein we can compare the old state vs the upgraded state of the add-on before we deploy to prod. Two basic validations can be CIM fields and search execution time, and to kick this off we can pick any one sourcetype.
I left the Frozen drive to point to $SPLUNK_DB on the indexer's drive, but I'm not trying to employ frozen buckets at all. I'm trying to use the volumes on external drives for hot and cold, that's how our current instance is set up. The difference being the current is on Windows, and this new one is going to be on RHEL8.
Thanks @richgalloway!!