@Jasmine - Use like instead of the match function.

| eval label=case(like(host, "%tv00.test.net"), "Test", like(host, "%qv00.qa.net"), "QA", like(host, "%pv00.prod.net"), "Prod")

I hope this helps!!!
macOS requires that all software be signed and notarized by the developer. It seems you're getting issues because macOS is not trusting the installed Splunk binary to load the libbz libraries. There may be a way to whitelist Splunk from the code signing requirements of macOS, or perhaps you could try installing a different version in the hopes that the new version will be code-signed and accepted by macOS.
Are there any interesting messages in the error log?

index=_internal TA-purestorage-unified log_level=ERROR

I tried installing this add-on on a test machine with Splunk Enterprise 9.2.0 and could load the configuration page without error. Which version of Splunk Enterprise are you using?
@PickleRick - You must be right, and I know it's so complicated for the HEC endpoint as to what will execute or not, so I would avoid it altogether and filter it early, directly at the source, when using HEC.
@dc17 - You need to give the full path, like:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = sysmon
sourcetype = WinEventLog:Sysmon

In my case, I can see a folder called Microsoft > Windows > Sysmon, in which I can see the Operational log.

You need to give the full path, instead of just MyCustomLog. Give the full path, which you can find in Event Viewer.

I hope this helps!!!
<input type="dropdown" token="envtoken">
  <label>env</label>
  <fieldForLabel>label</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search>
    <query>index=aaa (source="/var/log/testd.log") | stats count by host | eval label=case(match(host, ".*tv*."), "Test", match(host, ".*qv*."), "QA", match(host, ".*pv*."), "Prod") | dedup label</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
</input>

The dropdown list is bound to TEST, QA and PROD. QA and Prod each have 3 hosts. If I select QA from the dropdown list, will the search include all three hosts? Could you please confirm.
Hi. What issue are you trying to solve with this change? I think that usually it's better to use S2S between Splunk nodes than the HTTP version. r. Ismo
Hi it’s just like @P_vandereerden said. You should read more about it from https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/SearchTimeModifiers#Specify_a_snap_to_time_unit r. Ismo
Hi. You could write "multi line" searches separated by | on one line. Normally it does not matter whether you have written the SPL on one line or formatted it over several lines; that is only to make it easier to read. You could also save your query as a report and then call that report with savedsearch or via REST. r. Ismo
Hi. It depends on how your roles are defined in authorize.conf. There is an attribute srchIndexesDefault, which defines which indexes are searched when you don't use index=xyz in your query. Of course you must have access to those indexes; that is defined with the attribute srchIndexesAllowed. Both are defined in authorize.conf. As has already been said, you should always use index=xyz in your queries to select the needed/wanted indexes, as different roles have different default indexes. IMHO you shouldn't ever use srchIndexesDefault, as it leads people to drop the index=xyz part from their queries. r. Ismo
Are you able to generate the some_example_generated_file.csv.gz file from running the search in the Splunk webUI as the user whose credentials or token is being used to authorize the API request? There should be no problem running searches with piped segments using curl and the search api endpoints. Though you may have to tweak the character encoding in the search query. I recommend trying it segment-by-segment to see if it generates the expected results.
Hi. If the query takes long, then maybe you should look at whether you should use time() instead of now()? The first gives you the current time and the second is the time when the query started. r. Ismo http://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/DateandTimeFunctions
@gcusello I have used the below commands to generate the various certificates and adjusted web.conf also. But still the connection is not secure.

"D:\Splunk\bin\splunk" cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
"D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
"D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -text
"D:\Splunk\bin\splunk" cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
"D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095
"D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095
type mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

web.conf
[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key
serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem
Hi @uagraw01, the connection is using a self-signed certificate. So, if the website doesn't have a third-party certificate, the "HTTPS Not Secure" message in Chrome will appear, even if you have a certificate. You can solve the issue by using a third-party certificate or by enabling your browser to recognize this certificate as well. Ciao. Giuseppe
@gcusello I did it already, but the connection is not secure. I want to make the connection secure as well.
Hi @Jasmine, as @marnall said, a space is missing between the index value and the source condition. I suppose that the error is that the argument of the match function in the eval command is a regex, so you don't need to use asterisks:

index=aaa (source="/var/log/testd.log")
| stats count by host
| eval env=case(
    match(host, "10qe"), "Test",
    match(host, "10qe"), "QA",
    match(host, "10qe"), "Prod")

Ciao.
Giuseppe
Hi @vishwa, you can use eval (https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandOverview) or addtotals (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Addtotals), something like this:

index=app-index source=application.logs
| rex field=_raw "RampData :\s(?<RampdataSet>\w+)"
| rex field=_raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over RampdataSet by Message
| eval Total='Letter published correctley to ATM subject' + 'Letter published correctley to DMM subject' + 'Letter rejected due to: DOUBLE_KEY' + 'Letter rejected due to: UNVALID_LOG' + 'Letter rejected due to: UNVALID_DATA_APP'
| table "Initial message received with below details" Total

Ciao.
Giuseppe
Hi @uagraw01, this is the procedure to generate a certificate or to add an external certificate, but you also have to enable HTTPS on the web interface, and you can do that in [Settings > Server Settings > General Settings]. If you want to use a self-signed certificate, you don't need to create a new one, because Splunk uses its own certificate for the internal management communications; you only need to enable the HTTPS connection as I described. Ciao. Giuseppe
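To show what the browser is actually checking when it labels Splunk Web "Not secure", here is an added shell example; it is not from this thread and not Splunk's own tooling. It builds a private CA, issues a Splunk Web certificate that carries a subjectAltName, and verifies the result both against the private CA and against an empty trust store. The hostname splunk.example.internal, the scratch directory and the openssl config sections are assumptions; the file names mirror the ones used in the thread, and openssl 1.1.1 or later is assumed on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): issue a Splunk Web certificate from a
# private CA and check it the way a browser does.
# Assumptions: openssl 1.1.1+ on PATH, HOST is the name users type into the
# browser, WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-splunk.example.internal}"

# Extension sections: the CA must be CA:TRUE and the server cert must carry a
# subjectAltName. Chrome ignores the CN, so a cert without SAN stays
# "Not secure" even after the CA is trusted.
write_config() {
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

build_chain() {
  write_config
  # 1. Private CA: self-signed, CA:TRUE
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=Example Internal CA" \
    -keyout "$WORK/myCAPrivateKey.key" -out "$WORK/myCACertificate.pem" 2>/dev/null
  # 2. Web server key (unencrypted, as web.conf privKeyPath expects) and CSR
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "/CN=$HOST" \
    -keyout "$WORK/mySplunkWebPrivateKey.key" -out "$WORK/mySplunkWebCert.csr" 2>/dev/null
  # 3. Sign the CSR with the CA; SAN and serverAuth come from leaf_ext, since
  #    x509 -req copies no extensions from the CSR by default
  openssl x509 -req -in "$WORK/mySplunkWebCert.csr" -sha256 -days 825 \
    -CA "$WORK/myCACertificate.pem" -CAkey "$WORK/myCAPrivateKey.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/mySplunkWebCert.pem" 2>/dev/null
  # 4. Chain file for web.conf serverCert: server cert first, then the CA
  cat "$WORK/mySplunkWebCert.pem" "$WORK/myCACertificate.pem" > "$WORK/mySplunkWebCertificate.pem"
}

# What a browser that has imported myCACertificate.pem sees: chain builds to a
# trusted root and the SAN matches the hostname. Prints trusted/untrusted.
verify_with_private_ca() {
  if openssl verify -CAfile "$WORK/myCACertificate.pem" -verify_hostname "$HOST" \
       "$WORK/mySplunkWebCert.pem" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# What a browser that does not know the private CA sees: no trust anchor, so
# the chain cannot be built. This is the "HTTPS Not Secure" case.
verify_without_ca() {
  if openssl verify -no-CAfile -no-CApath "$WORK/mySplunkWebCert.pem" >/dev/null 2>&1; then
    echo trusted; else echo untrusted; fi
}

# Confirm the SAN actually landed in the issued certificate.
has_san() {
  if openssl x509 -in "$WORK/mySplunkWebCert.pem" -noout -text 2>/dev/null | grep -q "DNS:$HOST"; then
    echo yes; else echo no; fi
}

build_chain
echo "with private CA:    $(verify_with_private_ca)"
echo "without private CA: $(verify_without_ca)"
echo "SAN present:        $(has_san)"
```

Verification against the private CA succeeds while the same certificate with no trust anchors fails; that second result is the browser's view until myCACertificate.pem is imported into its trust store (or the OS store it uses). In web.conf, serverCert should point at the chain file and privKeyPath at the unencrypted key. A CSR generated without extensions and signed with a bare x509 -req, as in the commands earlier in this thread, produces a certificate with no SAN, and Chrome rejects such a certificate even when the issuing CA is trusted.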
Hi @Satyapv, you can use eval to categorize your data:

<your_search>
| eval period=case(
    _time>now()-300, "Last 5min Vol",
    _time>now()-600, "Last 10min Vol",
    _time>now()-900, "Last 15min Vol")
| chart count OVER Transaction BY period

Ciao.
Giuseppe
I tried to copy-paste your Chinese text into Google Translate to understand what you want to accomplish, but I am not sure the translation is correct: "I want to use syslog-ng to input data from the universal forwarder to my search head. I'm going to use TCP but I don't know what's wrong and I can't display my data in the search head." Your syslog-ng seems to be receiving syslog data on port 514 and then delivering the data to 10001/10002 TCP depending on the source IP while doing some transformation. Are 10001 and 10002 where your search heads are? Or are those ports opened by the UF? Usually the easiest way to send syslog data to Splunk is by using HEC (HTTP Event Collector), and if you were using that you could simply assign host/source/sourcetype to a specific log message, with no need to use separate ports. Also, you are manually getting rid of the priority header (e.g. removing <NNN> at the front), but that would be taken care of by the actual syslog parser in syslog-ng that you disabled via flags(no-parse).
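The <NNN> priority header mentioned above is not just noise to strip: it encodes the facility and severity that syslog-ng's parser would otherwise turn into fields. As an added example, not from this thread or from syslog-ng, here is a small POSIX shell decoder for that header that also rejects lines without one, which is the case a no-parse configuration silently passes through. The sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decode the syslog <PRI> header that
# syslog-ng's parser normally strips, and reject lines that lack it.
set -eu

# Constructed sample lines for the example
SAMPLE_OK='<134>Jun  1 12:00:00 fw01 kernel: accepted tcp 10.0.0.5:443'
SAMPLE_NOPRI='Jun  1 12:00:00 fw01 kernel: no priority header here'

# Facility names from RFC 3164 / RFC 5424; PRI = facility * 8 + severity
facility_name() {
  case "$1" in
    0) echo kern ;;     1) echo user ;;     2) echo mail ;;     3) echo daemon ;;
    4) echo auth ;;     5) echo syslog ;;   6) echo lpr ;;      7) echo news ;;
    8) echo uucp ;;     9) echo cron ;;    10) echo authpriv ;; 11) echo ftp ;;
   16) echo local0 ;;  17) echo local1 ;;  18) echo local2 ;;  19) echo local3 ;;
   20) echo local4 ;;  21) echo local5 ;;  22) echo local6 ;;  23) echo local7 ;;
    *) echo "facility$1" ;;
  esac
}

severity_name() {
  case "$1" in
    0) echo emerg ;; 1) echo alert ;; 2) echo crit ;;    3) echo err ;;
    4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
  esac
}

# decode_pri LINE: prints "facility severity rest-of-line", or returns 1 when
# the line has no well-formed <PRI> header (missing, non-numeric, or > 191).
decode_pri() {
  line=$1
  case "$line" in
    \<[0-9]*\>*) ;;        # must start with "<", a digit, ... ">"
    *) return 1 ;;
  esac
  pri=${line%%>*}; pri=${pri#<}   # digits between "<" and the first ">"
  rest=${line#*>}                  # everything after the first ">"
  case "$pri" in *[!0-9]*|"") return 1 ;; esac
  [ "$pri" -le 191 ] || return 1   # 23*8+7 is the largest legal PRI
  printf '%s %s %s\n' "$(facility_name $((pri / 8)))" "$(severity_name $((pri % 8)))" "$rest"
}

decode_pri "$SAMPLE_OK"
decode_pri "$SAMPLE_NOPRI" || echo "rejected: no PRI header on: $SAMPLE_NOPRI"
```

With the sample line, 134 decodes to local0/info, which is what a syslog-ng parser would expose as $FACILITY and $PRIORITY before the message reaches Splunk; a forwarder that simply deletes the header loses that information.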