All Posts

I tried that one. I have a Debian test system, and downloaded the x64 Debian package from https://download.oracle.com/java/17/latest/jdk-17_linux-x64_bin.deb . Used dpkg to install, and it made a dir at /usr/lib/jvm/jdk-17-oracle-x64/ . However, providing this path to the DB-connect app still failed to reset the task server. Then I tried using "apt install default-jre". It created the folder "/usr/lib/jvm/java-17-openjdk-amd64" along with links in the "/usr/lib/jvm/" directory. For some reason the Splunk DB Connect app would not accept "/usr/lib/jvm/java-17-openjdk-amd64" (failed to reset task server), but it did accept "/usr/lib/jvm/java-1.17.0-openjdk-amd64/" and successfully restarted the task server. Unless you have a strong reason to use a specific JDK, I recommend trying different ones until you get one which works.
Thank you kindly ... this worked perfectly.
Hi @wberkowicz, can you try with PowerShell, with reference to the following post? https://community.splunk.com/t5/Installation/Handy-commands-for-uninstalling-SplunkUniversalForwarder-from/m-p/542627
IME, \r and \n don't always work in Splunk regexes. To match any text that might include newlines, try [\s\S]+.

EventCode=4103[\s\S]+\s+Files\\SplunkUniversalForwarder\\bin\\splunk-powershell\.ps1
Hi @Manasa_401, the response provided by @richgalloway will work. https://localhost:8000/en-US/account/login?loginType=splunk In addition to Rich's response: if your existing URL contains the number 8000, keep that as well. Sometimes it might be an issue with the language, en-US or en-GB; kindly try with the language for the URL with SAML auth.
Are you trying to configure the SSL certificate for Splunk web, such that accessing Splunk through HTTPS will use your cert? If so, how do the SSL stanzas look on your server.conf and/or web.conf?
My Episodes didn't have any "Impacted entities" until I enabled the correlation search "Service Monitoring - Entity Degraded"
Which bit don't you understand? How to set up a submit button, or how to have a panel search execute if a token changes? Your panel search could be a hidden panel whereby the search uses outputlookup as I suggested.
I'm trying to remove some Windows events from being ingested ... example below. The regex I've tried in both Ingest Actions and the old method works both at regex101 and in my SPL:

index=win* EventCode=4103 Message=*Files\\SplunkUniversalForwarder* | regex "EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"

Yet, when I configure an ingest action ruleset, nothing gets removed.

[_rule:ruleset_WinEventLogSecurity:filter:regex:ft7j3fkn]
INGEST_EVAL = queue=if(match(_raw, "EventCode=4103(.|\\r|\\n)+\\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"), "nullQueue", queue)
STOP_PROCESSING_IF = queue == "nullQueue"

Same goes for trying to do it "the old way":

[drop_4103_splunkpowershell]
DEST_KEY = queue
REGEX = EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1
FORMAT = nullQueue

04/04/2024 07:02:28 PM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4103
EventType=4
ComputerName=redacted
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Information
RecordNumber=1258288151
Keywords=None
TaskCategory=Executing Pipeline
OpCode=To be used when operation is just executing a method
Message=CommandInvocation(Start-Sleep): "Start-Sleep"
ParameterBinding(Start-Sleep): name="Milliseconds"; value="200"
Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Version = 5.1.17763.5576
        Host ID = 222d8490-3c1f-486d-94ed-47f91e59da32
        Host Application = powershell.exe -command $input |C:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1 C:\Program` Files\SplunkUniversalForwarder e20c0be00a8583fe
        Engine Version = 5.1.17763.5576
        Runspace ID = 87084a50-365f-409b-aed6-d666c6c6b2b
        Pipeline ID = 1
        Command Name = Start-Sleep
        Command Type = Cmdlet
        Script Name = .......
Thanks @ITWhisperer for the prompt reply. I don't understand how a CSV file would be generated on the click of a submit button in a dashboard. Can you please elaborate more? The user selections would be: 1. Time range and click submit. The panel will show the results for a query which runs for the selected time range. Now the question is how can I export it to a CSV automatically, and later on use this CSV for different visualisations in a dashboard panel?
The outputlookup command has a create_context option which can be set to user to create user-specific versions of the lookup (csv) file. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Outputlookup  
I tried several different prior versions. Splunk only accepts the single MSI that was used to install, and that is not available: splunk-7.0.1-2b5b15c4ee89-x64-release.msi

I will need to manually start surgical removal of the prior version. Definitely a negative when trying Splunk.
Hi, the requirement is that the user makes a dynamic selection (time range from the time picker, environment from the env dropdown and a few more) and clicks the submit button, and as soon as he clicks submit, a CSV file should be generated as per the user's input selection, and later on the user should be able to reference that CSV in the dashboard panel to create different visualisations. Is that possible in Splunk?
| foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
| eventstats dc(H) as d1 by f1
| eventstats dc(H) as d2 by f2
| eventstats dc(H) as d3 by f3
| eventstats dc(H) as d4 by f4
| stats values(d*) as d*
Hi @Muhammad Husnain.Ashfaq, It's been a few days and it seems the Community has not jumped in with a reply. Did you happen to make a discovery or find a solution you could share? If you have not, you can try contacting AppDynamics Support: How do I submit a Support ticket? An FAQ 
| regex permission="Permission12345"
OK so use eval with an if such that if the two fields are equal mvappend a value that the formatting picks up to change the colour to what you want. (See the example in the link I provided)
Hi @Marcie.Sirbaugh, Thanks for sharing that additional info and I'm glad upgrading helped solve the issue for you. 
Probably not - Splunk is a generalised tool for analysing logs, not a Windows-specific tool.