Are those logs deliberately put in a file, or can they be viewed in the Windows Event Log? If they are in the Windows Event Logs, then you can use a WinEventLog stanza:
[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]
index=<your index>
sourcetype=<your sourcetype>
#etc
ref: https://docs.splunk.com/Documentation/Splunk/9.2.0/admin/Inputsconf
Great point, and something I did not know beforehand. In troubleshooting I stumbled onto the documentation stating what you are pointing out, the new _ds* indexes. So yes, the _ds* indexes are local to the DS.
I want to add C:\windows\system32\winevt\logs\Microsoft-Windows-DriverFrameworks-UserMode/Operational as a stanza in my inputs.conf. How do I write the stanza? Thank you
Is it possible in Splunk to have one props.conf file on one server's Universal Forwarder (UF) for a specific app, and another props.conf file on a different server for the same app, but with one file masking a certain field and the other not?
Everything is shiny "new". This is a satellite to our full implementation, hosted in AWS. Splunk 9.2.0.1 on both agents and the DS (which doubles as an HF) running on AWS RHEL 8.9. UFs are all running 9.2.0. Less than 40 total agents (14 Win, 26 nix). The DS was acting up, so I destroyed it and built new. Instantly, the same problem. Even tried adding hostnames to the filter vice using a wildcard. Same. The odd thing: the DS reports that Windows hosts are running the Linux TA, but when you check the Windows hosts, they are running the Windows TA as they should be.
I'm trying to achieve the following and hoped someone could help. I have a multivalue field that contains values that are colors, and would like to know how many fields contain duplicate colors, and what the value of those colors are. e.g. my data:
colors
blue blue red yellow red blue red blue red red green green
Would return something like:
duplicate_color duplicate_count
blue 2
red 1
green 1
Because 'blue' is present as a duplicate in two entries, 'red' in one entry, and 'green' in one entry. 'yellow' is omitted because it is not a duplicate. Thank you very much for any help
Steve
Hi, can you tell us the basic information about your environment (OS, version, Splunk version, TA versions, UF versions, etc.)? Have you updated something lately? r. Ismo
Hi @meetmshah, I have added sample _raw events from the original query:
[test_field_name=test_field_name_1]: Hello This is event0 no_failure_msg some other message0 id_num { data: 000 }}
[test_field_name=test_field_name_1]: Hello This is event1 fail_msg1 some other message1 id_num { data: 111 }}
[test_field_name=test_field_name_1]: Hello This is event2 fail_msg2 some other message2 id_num { data: 999 }}
[test_field_name=test_field_name_1]: Hello This is event3 no_failure_msg some other message3 id_num { data: 222 }}
From these events I want to return these 2 events where fail_msg1 or fail_msg2 are present:
[test_field_name=test_field_name_1]: Hello This is event1 fail_msg1 some other message1 id_num { data: 111 }}
[test_field_name=test_field_name_1]: Hello This is event2 fail_msg2 some other message2 id_num { data: 999 }}
Splunk treats "true", "True", "TRUE", and "1" as equivalent to a Boolean True value so all of what you see in the docs is correct. But the point is well made. We, however, can do nothing about it. As @meetmshah suggests, https://ideas.splunk.com is the place to bring this up.
Hello, I have a splunk query returning my search results:
index="demo1" source="demo2"
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name=test_field_name_1
| table _raw id_num
| reverse
| filldown id_num
From the above table, _raw may have *fail_msg1* or *fail_msg2*. I have created a lookup file sample.csv with the following content:
Product,Feature,FailureMsg
ABC,DEF,fail_msg1
ABC,DEF,fail_msg2
I want to search if the FailureMsg field (fail_msg1 OR fail_msg2) is found in _raw of my splunk query search results and return only those matching lines. If they (fail_msg1 OR fail_msg2) are not found, return nothing. Could you please share how to write lookup or inputlookup for fetching these results? If those
Yes, filtering by OS. Rebuilt the DS from scratch, set filters (using the OS filter). All Linux servers receive the Linux TA. All Windows servers receive the Linux TA, and confirmed the OS filter, again.