The usual debugging steps apply:
1) Check if the receiving side is listening on the port (use netstat to list open ports and verify that 8088 is among them).
2) Check the network connectivity from the client.
3) Verify firewall rules.
4) If needed, run tcpdump/wireshark on the server and see if any traffic from the client is reaching the server at all.
When you can connect to your HEC service port, you can start debugging the token settings.
Could you outline the exact steps you took? There are a lot of IDs (Tenant ID, Client ID, Secret ID, etc.), so make sure you enter the correct ones in the app configuration (Tenant ID, Application/Client ID, and the Secret itself).
Hi @AlirezaGhanavat, first of all, which user are you using to install the UF? Does it have the rights to install an app? Do you have an antivirus? Anyway, in these cases I always open a case with Splunk Support. Ciao. Giuseppe
Hi @taijusoup64, always use quotes in the eval condition:

index="zeek" source="conn.log" ((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR ((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes
| eval terabytes=((if(id.resp_h="192.168.0.1",resp_bytes,0))+(if(id.orig_h="192.168.0.1",orig_bytes,0)))/1024/1024/1024/1024
| stats sum(terabytes)

Ciao. Giuseppe
Hi @Rahul-Sri, my solution is only for a table, because you transform a number into a string. If you have to display the result in a graph, you can divide by 1000000 and indicate in the subtitle that the numbers are millions, or use a logarithmic scale in the graph. Ciao. Giuseppe
Hello @splunkreal, AFAIK yes, both ways will update the capabilities of the respective roles, as mentioned here: https://docs.splunk.com/Documentation/ES/7.3.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role Please accept the solution and hit Karma if this helps!
@marnall I have also opened inbound port 8088, so I think a firewall-related issue should not be the concern now.
Depending on how your server is configured, it may reject http connections. Are you able to connect to the collector health endpoint on 127.0.0.1 by connecting to the server via telnet and sending the request to localhost?
Hello @ezmo1982 , Just checking through if the issue was resolved or you have any further questions?
Hello, Just checking through if the issue was resolved or you have any further questions?
Hello @short_cat, I don't think it's possible. I tried with makemv as well, something like:

| makeresults
| eval message = "This is line 1.\nThis is line 2.\nThis is line 3."
| makemv message delim="\n"

But it's not sending the message as expected and is only considering the first line, as in the screenshot below. I would suggest checking with the project contributors on GitHub: https://github.com/splunk/slack-alerts
Hello @viktoriiants, How about sorting it by 'Session count' before date desc?
@yuanliu Thanks again for your detailed explanation. Apologies, I should have asked about id_num as a follow-up question, not as part of this main question. Instead of using filldown to populate id_num, I extracted id_num and included it as one of the fields for every payload uploaded to Splunk. I have updated to the following query and it worked:

index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format]
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name="test_field_name_1"
| table _raw id_num

Thanks again for your detailed analysis and guidance in helping solve this.
Let's not confound different matters. The original problem has nothing to do with id_num, filldown, or any other subject. No other data characteristics were described. The only information about the data is the filter (fail_msg1 OR fail_msg2). Let's focus on this and raise a separate question about id_num.

The big question about the search is: does this pick the correct events?

index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format]

To help you answer this, edit your sample.csv to ONLY include fail_msg1 and fail_msg2. Use this lookup to run the search in a fixed interval, e.g., earliest=-1d@d latest=-0d@d. Then, run the other search in the same fixed interval:

index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2")

Do you get the same events? In fact, run a third test in the same interval (as long as you run all searches within the same @d day):

index="demo1" source="demo2" [makeresults format=csv data="FailureMsg
fail_msg1
fail_msg2" | rename FailureMsg AS search | format]

If you get the same events from all three and your id_num is blank, you should look at the events themselves to find why your regex won't work, because the inputlookup subsearch has no way to influence any operation after events are returned. We can discuss further if ("fail_msg1" OR "fail_msg2") gives drastically different events from the other two. In that case, you will need to show raw events returned from each and explain what the differences are between the two groups of events. (Anonymize as necessary.)

Here is a look at why I am suggesting these tests. Just take the kernel of those two subsearches without the index search:

| inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format

and

| makeresults format=csv data="FailureMsg
fail_msg1
fail_msg2" | rename FailureMsg AS search | format

Both will give you

search ( ( fail_msg1 ) OR ( fail_msg2 ) )

This is why I am confident that the subsearches are identical to ("fail_msg1" OR "fail_msg2").
@marnall For your information, I already tried with https before posting this to Splunk Answers, and on the Windows server I am using telnet instead of SSH. Can you please help me understand why you suggested https? On the other server the posted command is working fine with "http". Please provide your further suggestions on this.
I am trying to set up Azure Event Hub to Splunk using the tutorial here. I followed the tutorial as is. I gave the right permissions (Azure Event Hubs Data Owner as well) to the application, but it always gives "authentication failed". What am I doing wrong?
Hi everyone. I'm currently trying to install the Universal Forwarder on a Windows client. I haven't installed any previous versions of the Universal Forwarder on this client before. After reaching the final stages of the installation, unfortunately, it rolls back and displays a message indicating that the installation wizard did not complete. I'm also attaching the AppCrash report for your reference. Could you please provide some guidance on this?

Edit 1: I would like to add that the client is part of a domain, and it makes no difference whether I perform the installation with the domain admin user or the local admin user, as I still encounter errors.
Hi @marnall, thank you for your comment, I will definitely try that next time. At this time, I was able to work around the issue and upload the app by extracting the add-on tar and performing the following:

1- Navigate to the add-on default directory.
2- vi addon_builder.conf
3- Change this line accordingly: builder_version = 4.1.3
4- Run: find . -name .DS_Store -delete (macOS)
5- tar the app folder again and re-upload.

It would be beneficial for the vendor to update the add-on to ensure it meets the criteria for official support.
Hello, is editing ES roles on the Permissions page the same as editing ES roles in Splunk's native edit role page? I guess they both point to ES authorize.conf, but the native one can work with custom roles? Thanks.