Hi @vik, I'm encountering the same issue. Did you resolve it?
So, I have two indexes and sourcetypes with the following fields:

index1 and sourcetype1:
aip = 34.465.45.234
AppVendor = vendor1, vendor2, vendor3 (These are all from different events)
AppName = app2, app3, app1 (All from different events corresponding to position of the vendors above)
AppVersion = 3.0343, 1.354, 2.5465 (Same convention)

index2 and sourcetype2:
jsonevent.external_ip = 34.465.45.234
jsonevent.hostname = Host1
jsonevent.Username = User1

I use the following search:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename jsonevent.external_ip as exip
| rename aip as agentip
| eval external_ip = coalesce(agentip, exip)
| stats values(jsonevent.hostname) as Hostnames, values(jsonevent.Username) as Users, values(AppVendor) as Vendors, values(AppName) as Applications, values(AppVersion) as Version by external_ip
| search Hostnames=* Users=* Vendors=* Applications=* Version=*

I get the following:

external_ip     Hostnames   Usernames   Vendors   Applications   Version
34.465.45.234   Host1       User1       Vendor1   app1           1.354
                                        Vendor2   app2           2.5465
                                        Vendor3   app3           3.0343

What I want is the following:

external_ip     Hostnames   Usernames   Vendors   Applications   Version
34.465.45.234   Host1       User1       Vendor1   app2           3.0343
34.465.45.234   Host1       User1       Vendor2   app3           1.354
34.465.45.234   Host1       User1       Vendor3   app1           2.5465

Does anyone have any ideas how to achieve this?
Hi community, I have a dropdown for environments like DEV/CT/PROD, and saved it into a token `SDLC`. Now I would like to define another token `new_sdlc`. It's "ctpm" when `SDLC` is "pm"; Otherwise, it's the same value as `SDLC`. In the end, I found a way working but a bit stupid, simply because it seems "!=" is not allowed so I have to list all conditions. I've checked a few posts but didn't find a working and elegant way. I bet there is one. Looking forward to your help. Here is my code:

<fieldset submitButton="false">
  <input type="time" token="field1">
    <label></label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
  </input>
  <input type="dropdown" token="SDLC">
    <label>SDLC</label>
    <choice value="prod">PROD</choice>
    <choice value="ct">CT</choice>
    <choice value="pm">PM</choice>
    <default>prod</default>
    <initialValue>prod</initialValue>
    <change>
      <condition label="CT">
        <set token="new_sdlc">ct</set>
      </condition>
      <condition label="PM">
        <set token="new_sdlc">ctpm</set>
      </condition>
      <condition label="PROD">
        <set token="new_sdlc">prod</set>
      </condition>
    </change>
  </input>
</fieldset>
This seems to be a limitation on the Microsoft end: https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)?redirectedfrom=MSDN#data-granularity-persistence-and-availability

The `delay_throttle` option in the input can be used to control it, but the docs seem to say that events can be delayed by 24 hours on the Microsoft end, so that seems to be why the default is 24 hours.
@abhi_2985 The openssl commands needed for the conversion are straightforward to use. Start by opening your terminal and navigating to the directory with your CRT file. Here's how to convert .crt to .pem:

openssl x509 -in certificate.crt -out certificate.pem -outform PEM

Replace 'certificate.crt' with your .crt file name and 'certificate.pem' with your desired .pem file name. This command will convert your .crt to .pem, providing you with a new file in .pem format.
ODBC is not a database but a standardized way of accessing the database - any database for which there is an appropriate ODBC driver. So there is no such thing as an "ODBC database". Same goes for JDBC - it's another abstraction layer providing a common interface to databases. The question is what database you have, what you want to do with it, and whether there is a JDBC driver for your particular database, because if there is, you can use DB Connect with the proper JDBC data source.
@Moshe Hey, please find the below documents for your reference:

The Splunk ODBC Driver - Splunk Documentation
Configure the Splunk ODBC driver with Microsoft Power BI - Splunk Documentation
using-the-splunk-odbc-driver-tech-brief.pdf
First things first - you're talking about deployer. Do you indeed have your apps on the search-head cluster deployer or maybe you meant the deployment server?
Thanks for the reply, that's what I thought, but I am not seeing any configuration in the app.conf file under the app folder. Do I need to add that config myself or find another way to go about it?
Hi, every app has an app.conf file under <app>/default. The app's name and some other parameters are defined there. You must change those in this file. Then the name of the app will be changed in your GUI too.

r. Ismo
Hello, I tried to change a custom app name (e.g. BRB_App to CAA_App) on the Deployer through the CLI, but I realized that the name change only affects the folder name, not the name of the app when I checked the UI. Is there a way to make that change affect the name of the custom app and not just the folder name?
When copy-pasting from chatgpt you forgot to include the rest of the "answer".

[...]
Here are some additional tips:
Check printer documentation: Start by checking the documentation for your printers to see if they support forwarding logs, and if so, how to configure it.
Test in a lab environment: Before implementing this in a production environment, it's a good idea to test the setup in a lab environment to ensure everything works as expected.
Security considerations: Make sure to consider security implications, especially when configuring devices to forward logs to other systems. Ensure that communication between the printers, print server, and Splunk instance is secure.
Consult Splunk documentation: Splunk documentation is comprehensive and can provide detailed guidance on setting up forwarders and configuring inputs.
By following these steps and considering the tips provided, you should be able to set up a system where printer logs are forwarded to Splunk via an intermediate print server. If you encounter any specific issues or have further questions, feel free to ask!
[...]

Come on, people. What are you trying to achieve by posting such generic chatgpt-generated responses? This doesn't solve anything but only "dilutes" the quality of responses on Answers.
Squid is not part of Splunk Enterprise installation. So if you're hitting squid it means either it is working as a reverse-proxy for your target service or you connect to it in order to perform the outbound connection. Also - if your proxy is doing TLS inspection, cert-based mutual authentication won't work unless you create an exception in your inspection policy.
Thank you for the inputs. I checked and this is not the root cause. I need to identify the root cause to prevent such cases happening in the future.
That is what the stats command does. Use the by keyword to group results based on the values of certain fields.

| stats sum(Success) as Success, sum(Failed) as Failed by Application
| eval Total=Success + Failed
| eval percentage=round(Failed*100/Total, 3)
Hi Ryan, we have not found a workaround. We are in the process of contacting AppDynamics.
Thank you for your response @PickleRick. I tried running curl in verbose mode. After a successful connection to the proxy, I am getting the below error, but I am unable to locate the squid.conf file.

X-Squid-Error: ERR_ACCESS_DENIED 0
@gcusello We had two requirements for the same sourcetype. One involved line breaks, and the other required password masking during ingestion. As our Search heads are managed by Splunk Support and hosted in the Cloud, we created a custom app and deployed the props.conf in the default directory. After uploading the apps for the cloud vetting process, they were successfully installed. However, I've noticed that the logs are now being separated into individual events, which is acceptable, but the passwords are still visible and haven't been masked according to our requirement. I'm unsure about where exactly I may have missed it.

This is the props.conf file for reference:

[sourcetype]
SHOULD_LINEMERGE = false
SEDCMD = s/password: ([^;]+);cpassword: ([^;]+);/password: (####);cpassword: (####);/gm

Sample log for reference:

[2024-03-01_06:32:08] INFO : REQUEST: User:abc CreateUser POST: name: xyz;email: abc@gmail.com;password: xyz@123;cpassword: xyz@123;role: Administrator;

So kindly help on this requirement.
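As an added offline check (not part of the post above and not Splunk's own code), this Python script parses the SEDCMD string exactly as posted, applies it to the sample event, and reports whether the plaintext password values survive. It emulates only sed's documented `g` (replace all) behaviour; other flag letters are ignored here, which is an assumption about the emulation, not a statement about what Splunk does with them.

```python
import re

# Constructed copies of the sample event and SEDCMD from the post above.
SAMPLE_EVENT = (
    "[2024-03-01_06:32:08] INFO : REQUEST: User:abc CreateUser POST: "
    "name: xyz;email: abc@gmail.com;password: xyz@123;cpassword: xyz@123;"
    "role: Administrator;"
)
SEDCMD = r"s/password: ([^;]+);cpassword: ([^;]+);/password: (####);cpassword: (####);/gm"


def parse_sedcmd(sedcmd):
    """Split 's<d>regex<d>replacement<d>flags' on its unescaped delimiter <d>."""
    if len(sedcmd) < 2 or sedcmd[0] != "s":
        raise ValueError("only s/// substitutions are handled")
    delim, parts, cur, i = sedcmd[1], [], [], 2
    while i < len(sedcmd):
        if sedcmd[i] == "\\" and i + 1 < len(sedcmd):
            cur.append(sedcmd[i:i + 2])  # keep escape sequences (e.g. \/ or \1) intact
            i += 2
            continue
        if sedcmd[i] == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(sedcmd[i])
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return tuple(parts)


def apply_sedcmd(sedcmd, event):
    """Apply the substitution sed-style: 'g' replaces every match, otherwise only the first.
    Assumption: flag letters other than 'g' are ignored by this emulator."""
    regex, repl, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1
    return re.sub(regex, repl, event, count=count)


def still_visible(secrets, masked_event):
    """Return the secret values that still appear verbatim in the masked event."""
    return [s for s in secrets if s in masked_event]


if __name__ == "__main__":
    masked = apply_sedcmd(SEDCMD, SAMPLE_EVENT)
    print(masked)
    print("leaked:", still_visible(["xyz@123"], masked))
```

If the script prints an empty `leaked` list, the regex itself handles the sample event and the difference lies in where the props.conf is applied rather than in the pattern.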
It may depend on the OS version. In mine, when I did dpkg -l | grep xz, that's the only one I see. I thought about xz*. That might be a better play here. Is lib different from util, or are they just different names per OS? Thanks for the feedback!
Hi, I'm looking for a way to connect Splunk to an ODBC database, so that Splunk will be able to pull any data needed from that database. So far, I have been told that Splunk works with JDBC and the other product works with ODBC, so there is no way to make that connection. Can someone tell me otherwise?