All Posts

A better way to do this is to use the "Run a Script" alert action (after you create a script to do the copy).  Yes, this alert action is deprecated but I use it often and there is no way that Splunk will be removing it from the product.
The base instructions here should be all you need to follow for that one. Review the rest of the 'planning' and 'securing' sections of that documentation to see any additional details you might be curious about, though.
The Forwarder Management screen applies only to Deployment Server (DS) instances. A DS is a Splunk instance type that ensures each forwarder has the configuration (apps) it needs. DSs are optional and are unnecessary when you only have a single forwarder.

When you installed the forwarder, did you configure it to forward data to the server? If so, then you should be seeing data from the forwarder. Verify that by searching for

index=_internal host=f1

Make sure that returns results before continuing further.

The next step is telling the forwarder what you want it to forward. By default, it only sends its own logs. Install the Splunk Add-on for Windows (https://splunkbase.splunk.com/app/742) on the forwarder and turn on (set disabled=0) the inputs you desire. Be sure to restart the forwarder after changing inputs.conf settings.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
The current query can't do that because it only looks at failed logins.  It will never see a successful login. The solution will entail appending a tstats command that counts successes and then modifying the where command to look for 6 or more failures and at least 1 success. You can find an example in the Basic Brute Force Detection use case in the Splunk Security Essentials apps.
I installed Splunk Enterprise on a server named s1. I installed a forwarder on server f1. Both Windows Server 2019. When I go into Forwarder Management, s1 sees f1, but I can't DO anything with it. There's nothing on the Forwarder Management screen to CONFIGURE.

If I go to Settings | Data Inputs and try to configure "Remote Performance monitoring" (just as a test, just to monitor something), it says it's going to use WMI and that I should use a forwarder instead. Yes, please. I want to use a forwarder instead. I want to use my new forwarder, but I just don't see how.
According to the developer, it can be done with HEC: https://infosecwriteups.com/knowbe4-to-splunk-33c5bdd53e29
Hi @ITWhisperer, actually I need the generic rex like the one I posted in the screenshot, because this is given in the transforms.conf file, and I tried the query you provided; it's not working.
With this kind and quality of screenshot it's very hard to help. Take a look at Fields in Settings, and there especially at Field extractions and Field transformations.
Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work. 
You could try something like this  
I'm a little suspicious of the formatting after the line:

community: "public"

Could you try adjusting so it's like this?

community: "public"
fields:
  - name: "some_name"
    oid: "x.x.x.x.x.x.x.x.x.x.x.x.x"

If that doesn't help, if you could email me the agent_config.yaml, I'll take a closer look (the pdf kills the indentation). Just add "@splunk.com" to my username if you want to send it. Thanks!
Below is the regex used; here we want to extract the following fields: DIM, TID, APPLICATION, POSITION, CORRLATIONID. The rex which I used is extracting DIM, TID, APPLICATION as one field, but we need them separately. We need to write the rex generically so that it captures the data if there are different field names as well.
Hi. Have a look at https://community.splunk.com/t5/Splunk-Search/Why-is-Lookup-definition-in-transforms-conf-not-returning/td-p/589334

Sounds like there's a lookup definition in a transforms.conf and the corresponding lookup file does not exist. You can use btool on the Splunk head to locate the setting. For example:

/opt/splunk/bin/splunk btool transforms list --debug | grep file

You can see all the lookup file definitions.
thanks it worked
So I'm trying to use #splunkcloud to make calls to a RESTful API for which there is no add-on or app available on Splunkbase. There is nothing under Settings>Data Inputs>Local Inputs to accomplish this task...which kind of blows my mind. Anyone find a solution for this or something similar? TIA
Thank you, config is attached ... I've obscured the ip...

Here's the log:

Apr 11 16:44:00 otelcol[142312]: 2024/04/11 16:44:00 main.go:89: application run finished with error: failed to resolve config: cannot resolve the configuration: cannot retrieve the configuration: configsource provider failed retrieving: yaml: line 91 : did not find expected key
Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Main process exited, code=exited, status=1/FAILURE
Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Scheduled restart job, restart counter is at 5.
Apr 11 16:44:01 systemd[1]: Stopped Splunk OpenTelemetry Collector.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Start request repeated too quickly.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
Apr 11 16:44:01 systemd[1]: Failed to start Splunk OpenTelemetry Collector.
Hi, We get the following exceptions while trying to load APM agent 24.3 in WebLogic 14.1:

java.lang.IllegalAccessError: class jdk.jfr.internal.SecuritySupport$$Lambda$225/0x0000000800979c40 (in module jdk.jfr) cannot access class com.singularity.ee.agent.appagent.entrypoint.bciengine.FastMethodInterceptorDelegatorBoot (in unnamed module @0x2205a05d) because module jdk.jfr does not read unnamed module @0x2205a05d

java.lang.IllegalStateException: Unable to perform operation: create on weblogic.diagnostics.instrumentation.InstrumentationManager

The WebLogic managed server won't start after throwing these exceptions. Any insights on what might be causing these errors? Thanks, Roberto
I don't see a checkbox as part of the inputs list. It is possible in Simple XML, but I would like to know how it can be achieved using Dashboard Studio.
Please provide more details, for example, what do you mean by tag? how do you set it up? how do you use it in your search? in what way doesn't it work? do you have any errors reported? etc.