All Posts

Great point, and something I did not know beforehand. In troubleshooting I stumbled onto the documentation stating what you are pointing out, the new _ds* indexes. So yes, the _ds* indexes are local to the DS.
I want to add C:\windows\system32\winevt\logs\Microsoft-Windows-DriverFrameworks-UserMode/Operational  as a stanza in my inputs.conf. How do I write the stanza? Thank you
Is it possible in Splunk to have one props.conf file on one server's Universal Forwarder (UF) for a specific app, and another props.conf file on a different server for the same app, but with one file masking a certain field and the other not?
I opened a P2 3 days ago... still waiting.  Typical
Do you have local indexes on the DS, or are you sending logs to your real indexers? This has changed in 9.2.x and it could cause something weird.
Everything is shiny "new". This is a satellite to our full implementation, hosted in AWS. Splunk 9.2.0.1 on both agents and the DS (which doubles as an HF) running on AWS RHEL 8.9. UFs are all running 9.2.0. Less than 40 total agents (14 Win, 26 nix). DS was acting up, so destroyed it and built new. Instantly, the same problem. Even tried adding hostnames to the filter vice using a wildcard. Same. The odd thing: the DS reports that Windows hosts are running the Linux TA, but when you check the Windows hosts, they are running the Windows TA as they should be.
I'm trying to achieve the following and hoped someone could help. I have a multivalue field that contains values that are colors, and would like to know how many fields contain duplicate colors, and what the value of those colors are. E.g. my data:

colors
blue blue red yellow red blue red blue red red green green

Would return something like:

duplicate_color duplicate_count
blue 2
red 1
green 1

Because 'blue' is present as a duplicate in two entries, 'red' in one entry, and 'green' in one entry. 'yellow' is omitted because it is not a duplicate. Thank you very much for any help.
Steve

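One way to compute this in SPL, added here as an example and not part of the original post: expand the multivalue field to one row per value while keeping an event identifier, count occurrences of each color per event, keep only the colors that occur more than once within the same event, then count the events per duplicated color. The three sample events (blue blue red yellow / red blue red blue / red red green green) and the field name `colors` are constructed for the example; in a real search replace the `makeresults`, `streamstats` and first `eval` lines with your base search and your own event identifier.

```spl
| makeresults count=3
| streamstats count AS event_id
| eval colors=case(event_id=1, "blue blue red yellow",
                   event_id=2, "red blue red blue",
                   event_id=3, "red red green green")
| eval colors=split(colors, " ")
| mvexpand colors
| stats count AS occurrences BY event_id colors
| where occurrences > 1
| stats count AS duplicate_count BY colors
| rename colors AS duplicate_color
| sort - duplicate_count
```

The first `stats` produces one row per (event, color) with how many times that color appears in that event; the `where` keeps only the within-event duplicates, and the second `stats` counts how many events each duplicated color appears in, which is the duplicate_count asked for. `mvexpand` is subject to the search-time memory limit for expanded results, so for very large multivalue fields run it after narrowing the base search.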
Seems fairly simple / basic configurations. I would suggest raising Support case to get this troubleshot and fixed. @isoutamo thoughts?
Hi, can you tell the base information of your environment (OS, version, Splunk version, TA versions, UF versions etc.)? Have you updated something lately, etc.? r. Ismo
Hi @meetmshah, I have added sample _raw events from the original query:

[test_field_name=test_field_name_1]: Hello This is event0 no_failure_msg some other message0 id_num { data: 000 }}
[test_field_name=test_field_name_1]: Hello This is event1 fail_msg1 some other message1 id_num { data: 111 }}
[test_field_name=test_field_name_1]: Hello This is event2 fail_msg2 some other message2 id_num { data: 999 }}
[test_field_name=test_field_name_1]: Hello This is event3 no_failure_msg some other message3 id_num { data: 222 }}

From these events I want to return these 2 events, where fail_msg1 or fail_msg2 are present:

[test_field_name=test_field_name_1]: Hello This is event1 fail_msg1 some other message1 id_num { data: 111 }}
[test_field_name=test_field_name_1]: Hello This is event2 fail_msg2 some other message2 id_num { data: 999 }}

Pretty simple....

[serverClass:All:app:all_outputs]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

[serverClass:All]
whitelist.0 = *

[serverClass:Windows:app:Splunk_TA_windows]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

[serverClass:Linux:app:Splunk_TA_nix]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

[serverClass:All:app:all_deploymentclient]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

[serverClass:Linux]
machineTypesFilter = linux-x86_64
whitelist.0 = *

[serverClass:Windows]
machineTypesFilter = windows-x64
whitelist.0 = *

Perfect, I believe it would be a fair step to do this to avoid confusion for multiple stanzas / parameters. I have voted for the idea.
Thank you for the idea...  Idea created: EID-I-2244
Splunk treats "true", "True", "TRUE", and "1" as equivalent to a Boolean True value, so all of what you see in the docs is correct. But the point is well made. We, however, can do nothing about it. As @meetmshah suggests, https://ideas.splunk.com is the place to bring this up.
Hello @MVK1, can you please share a sample event or an example along with the expected results, to understand the query better?
Hello, I have a Splunk query returning my search results:

index="demo1" source="demo2"
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name=test_field_name_1
| table _raw id_num
| reverse
| filldown id_num

From the above table, _raw may have *fail_msg1* or *fail_msg2*. I have created a lookup file sample.csv with the following content:

Product,Feature,FailureMsg
ABC,DEF,fail_msg1
ABC,DEF,fail_msg2

I want to search if the FailureMsg field (fail_msg1 OR fail_msg2) is found in _raw of my Splunk query search results and return only those matching lines. If they (fail_msg1 OR fail_msg2) are not found, return nothing. Could you please share how to write a lookup or inputlookup for fetching these results? If those

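One way to drive the filter from the lookup, added here as an example and not part of the original question or the sample events posted above: run inputlookup in a subsearch, rename FailureMsg to the special field name `search` so each value is inserted into the outer search as a bare search term (producing `fail_msg1 OR fail_msg2`), and keep the rest of the original pipeline. The index, source, lookup name and column names are the ones from the question; the `[^\]]+` character class in the second rex is a tightening of the original `.+` and is an assumption of this example.

```spl
index="demo1" source="demo2"
    [| inputlookup sample.csv
     | fields FailureMsg
     | rename FailureMsg AS search ]
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
| rex field=_raw "test_field_name=(?P<test_field_name>[^\]]+)\]:"
| search test_field_name=test_field_name_1
| table _raw id_num
```

Because the failure messages are whole tokens in the sample events, a plain term search matches them; if they only ever occur as substrings, build the term with `| eval search="*".FailureMsg."*"` instead of the rename, at the cost of a wildcard scan. When no event contains any FailureMsg value the outer search simply returns nothing, which is the requested behaviour. Subsearches are capped by the limits.conf [subsearch] defaults (10,000 results, 60 seconds), which is far above the size of a lookup like this one but matters if the lookup grows to thousands of messages.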
Hello @optsplunk, I would suggest having this available as an Idea under https://ideas.splunk.com/ for the Splunk Product team to look over.
Would you mind sharing the serverclass.conf file?
Yes, filtering by OS. Rebuilt the DS from scratch, set filters (using the OS filter). All Linux servers receive the Linux TA. All Windows servers receive the Linux TA, and confirmed the OS filter, again.
Hi, in Splunk you can get it like this:

| makeresults
| eval _raw = "Ex:- <abc>WoW</abc> <xyz>SURE</xyz>"
``` above prepare test event ```
| rex "(?ms)<abc>(?<abc>[^<]+)<\\/abc>.*<xyz>(?<xyz>[^<]+)<\\/xyz>"

A nice place to test those is regex101.com. Here is a link to your case: https://regex101.com/r/iBvAPm/1. When you are converting those for Splunk, there is usually a need to add some additional escape characters, as Splunk preprocesses that regex and removes some \ characters. r. Ismo