Upgrade is not an option for now. Furthermore, everything goes OK with DB Connect; it will be upgraded with the whole system. I did ask this question precisely because I could not find the checkpoint value persistence files for our enabled DB input in the folder: /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect
This is perfect, thanks @spavin!
Can you please give some sample? My requirement is that I have two different paths:
index=test (source="/test/log/path/test1.log")
index=test (source="/test/log/path/test2.log")
Based on the dropdown list value, the corresponding path above should be used in the search string.
@kamlesh_vaghela, when I add it for the second column the solution is not working. How is find("a") related?
Hi @CheongKing168, by installing the old version you know that the issue is in the environment and not in the new version. Windows 2016 is a certified OS, so this shouldn't be the issue. Disabling McAfee: this isn't the issue. I suppose that you already checked the available disk space and the grants of the user used for the installation. As I said, the only hint is to open a case with Splunk Support: they can analyze the installation logs to understand where the issue is. Ciao. Giuseppe
This is my current otel config:

---
service:
  telemetry:
    logs:
      level: "debug"
    metrics:
      level: detailed
      address: ":8888"
  pipelines:
    metrics:
      receivers:
        - prometheus
      exporters:
        - splunk_hec
receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: jira_dev
          scrape_interval: 60s
          static_configs:
            - targets: [<hidden>:8060]
exporters:
  debug:
    verbosity: detailed
    sampling_initial: 5
    sampling_thereafter: 200
  splunk_hec:
    token: "<hidden>"
    endpoint: "https://<hidden>:8088/services/collector"
    source: "toolchainotel"
    sourcetype: "toolchain:test:metric"
    index: "onboarding_metric"
    tls:
      insecure_skip_verify: true
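The splunk_hec exporter in the config above sets insecure_skip_verify: true, which turns off certificate verification: any host that answers on that endpoint with any certificate, including an on-path impersonator, receives the HEC token and the metrics. The following is an added example, not part of the original post, showing the same exporter stanza with verification restored by trusting the CA that issued the HEC certificate. The ca_file path and the use of an environment variable for the token are assumptions for illustration; the endpoint is kept exactly as the poster wrote it.

```yaml
exporters:
  splunk_hec:
    # Assumption: the token is supplied through the environment rather than
    # written into the config file that gets shared or checked in.
    token: "${env:SPLUNK_HEC_TOKEN}"
    endpoint: "https://<hidden>:8088/services/collector"
    source: "toolchainotel"
    sourcetype: "toolchain:test:metric"
    index: "onboarding_metric"
    tls:
      # Assumption: the CA (or the self-signed HEC certificate itself, in PEM
      # form) is installed at this path on the collector host.
      ca_file: /etc/otel/splunk-hec-ca.pem
      # Verify the server certificate against that CA instead of skipping it.
      insecure_skip_verify: false
```

If the HEC certificate is self-signed, point ca_file at that certificate's PEM file; the collector then still checks that the name in the certificate matches the host in endpoint. Use insecure_skip_verify: true only while diagnosing a connection problem, and turn it off again once the certificate chain is in place.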
You might be able to use the change stanza for the input to set up multiple tokens based on the value selected. For example, your value in the drop down could have 3 parts delimited by some character, e.g. colon. The change stanza would then process the value and set 3 different tokens based on the 3 parts of the value.
Based on the drop down list value, how do I change the search string in each panel? E.g. for a panel to load, the search string will vary as below:
index=test (source="/test/log/path/test1.log" $param1$ c="$param2$" $dropdownlistvalue1$ $dropdownlistvalue1$)
As the log path is different, all my params vary. So how can I change the index based on the drop down list value?
@ITWhisperer @scelikok I created the two regexes below and I think they are working fine from the UI.
| rex field=_raw mode=sed "s/Password\>([A-Za-z0-9]+)/Placeholder/g"
| rex field=_raw mode=sed "s/UserId\>([A-Za-z0-9]+)/UserID/g"
One question: shall I apply the same regex in transforms.conf?
You are right, I forgot to filter again for exceptions. Please try the search below; you should see only correlationId exceptions that have no SUCCESS.
index="mulesoft" applicationName="s-concur-api" environment=PRD | eventstats values(tracePoint) as TracePoints values(message) as Messages by correlationId | search TracePoints="EXCEPTION" Messages!="*(SUCCESS)*" | fields - TracePoints - Messages | search tracePoint="EXCEPTION" | transaction correlationId | rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.ErrorType as Error content.errorType as errorType content.errorMsg as ErrorMsg content.ErrorMsg as errorMsg | eval ErrorType=if(isnull(Error),"Unknown",Error) | dedup CorrelationId | eval errorType=coalesce(Error,errorType) | eval Errormsg=coalesce(ErrorMsg,errorMsg) | table CorrelationId,Timestamp, applicationName, locationInfo.fileName, locationInfo.lineInFile, errorType, message,Errormsg | sort -Timestamp
@scelikok Yes, it's working, but it's showing all the timestamps and all the messages. I just want to show the error message, not all the transaction messages for the correlationId.
Could you please share your current otel config with us?
Hi @karthi2809, can you please try the search below with eventstats?
index="mulesoft" applicationName="s-concur-api" environment=PRD | eventstats values(tracePoint) as TracePoints values(message) as Messages by correlationId | search TracePoints="EXCEPTION" Messages!="*(SUCCESS)*" | fields - TracePoints - Messages | transaction correlationId | rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.ErrorType as Error content.errorType as errorType content.errorMsg as ErrorMsg content.ErrorMsg as errorMsg | eval ErrorType=if(isnull(Error),"Unknown",Error) | dedup CorrelationId | eval errorType=coalesce(Error,errorType) | eval Errormsg=coalesce(ErrorMsg,errorMsg) | table CorrelationId,Timestamp, applicationName, locationInfo.fileName, locationInfo.lineInFile, errorType, message,Errormsg | sort -Timestamp
Thanks! I have tried your setting, and unfortunately it still doesn't work. I have also discovered that XML data from Sysmon has the same exact problem: it won't pick up the time from the expected field in the XML data. The Sysmon stanza looks like this, and it matches the text in the XML:
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TIME_PREFIX = <Data Name='UtcTime'>
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TZ = UTC
I have used btool to look for any other stanzas that would cause this, for example for the common xmlwineventlog sourcetype, but haven't found anything. Tips for debugging this welcome!
Check out: Route and filter data - Splunk Documentation. If you have more specific questions about your data, just ask.
How to keep specific events and discard the rest in props.conf and transforms.conf? We are receiving a large amount of data which is onboarded to Splunk via tar files. We don't require monitoring all the events; we would need only some events with some data to be monitored, and the rest of the files/sources need to be sent to nullQueue. Please give me some insights on it. Thanks in advance.
@tscroggins thanks for the steer. I'm close to getting this working, but when I implement the transform it drops my event. The event line looks as follows:
SOMEDATA NO_CLIENT_SITE: MYSYSTEM 10.15.37.48
My props.conf is as follows:
[netlogon]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = 1
TRANSFORMS-netlogon_send_to_nullqueue = netlogon_send_to_nullqueue
My transforms.conf:
[netlogon_send_to_nullqueue]
REGEX = ^(?!NO_CLIENT_SITE).
DEST_KEY = queue
FORMAT = nullQueue
Is it the regex at fault here? I have been playing with it at regex101: build, test, and debug regex, but I cannot see the issue.
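The regex in the reply above, ^(?!NO_CLIENT_SITE)., only checks that the line does not begin with NO_CLIENT_SITE. The sample line begins with SOMEDATA, so the negative lookahead succeeds, the transform matches, and the event is routed to nullQueue, which is exactly the drop being observed. The following props.conf/transforms.conf pair is an added example for the question about keeping specific events and discarding the rest; it is not taken from either post or from Splunk's documentation. It reuses the netlogon sourcetype from the reply; the stanza names netlogon_setnull and netlogon_keep_no_client_site are assumed for illustration.

```ini
# props.conf
# Queue routing happens at parse time, so this goes on the indexer or heavy
# forwarder that first parses the data; a universal forwarder does not apply it.
[netlogon]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Transforms in one TRANSFORMS- setting run left to right, and the last one
# that sets the queue wins: send everything to nullQueue first, then pull the
# wanted events back into indexQueue.
TRANSFORMS-netlogon_route = netlogon_setnull, netlogon_keep_no_client_site

# transforms.conf
[netlogon_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[netlogon_keep_no_client_site]
# REGEX is matched against _raw (the default SOURCE_KEY) and is unanchored,
# so NO_CLIENT_SITE is found anywhere in the line, not only at the start.
REGEX = NO_CLIENT_SITE
DEST_KEY = queue
FORMAT = indexQueue
```

A single drop transform with REGEX = ^(?!.*NO_CLIENT_SITE) would also work for this one pattern, but the two-stanza form is easier to extend: add one more keep stanza to the TRANSFORMS- list for each further event type that should survive. After deploying, confirm the merged settings with splunk btool props list netlogon --debug and splunk btool transforms list netlogon_setnull --debug, then restart the parsing instance, since props.conf and transforms.conf changes are read at startup.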
Hi @uagraw01, you can also use Ingest Actions in the UI: https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/DataIngest#Mask_with_regular_expression
rex has a mode option which can be set to sed to allow for edits to strings: rex - Splunk Documentation. props.conf has SEDCMD- settings which can do the editing before indexing: props.conf - Splunk Documentation.
Hello, I could not find a clear answer. We have a setup where we run an IIS server on a Windows virtual machine. On the IIS server we run a PHP webshop that makes calls to different databases and external services. Does your Observability system work out of the box on the PHP webshop, or is this not supported? The reason for the question is that some monitoring solutions such as AppDynamics and New Relic do not support that setup. The question is mainly to know if we should start moving the setup to a different tech stack or if we can wait a little.