All Posts

Hello @tlmayes, How are you whitelisting the hosts? Do you just want to use this nice feature of filtering everything by the OS type? Screenshot below - [screenshot not reproduced] With the above way, you can create 2 separate server classes for Windows and Linux and whitelist all the hosts. Please accept the solution and hit Karma, if this helps!
Oh, we will need to add max_match=0 in rex. Example below -
| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]" | rex field=CmdSet max_match=0 "CmdArgAV=(?<CmdArgAV>[^\s]+)"
Can you please have a check and let me know how it goes?
Great! The 'search' function worked as intended, instead of 'join'.
Hi @meetmshah, thanks for your reply, but it is not working as expected.
Hello @doeboy, where are you firing the command (on which instance)? The command you mentioned "./splunk show cluster-bundle-status" is meant for the Cluster Manager and not for Peers. Here is the Splunk Doc for your reference - https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Updatepeerconfigurations#Use_the_CLI_to_view_the_status_of_the_bundle_push It feels like you are trying to run the command on Indexer Peers. Can you please run it on the Cluster Manager and see if you are able to view the status as expected? Please accept the solution and hit Karma, if this helps!
I have mixed ADFS log data, mixed in the sense that I have non-XML as well as XML-formatted data in the same event. Now my requirement is to extract the fields from the XML format. Ex:-
<abc>WoW</abc> <xyz>SURE</xyz>
Now, both the lines are in the same event. I want to have two fields called "abc" and "xyz" with the corresponding values WoW and SURE. Kindly help!!
Hello @sushraw, Can you please try below -
| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]" | rex field=CmdSet "CmdArgAV=(?<CmdArgAV>[^\s]+)"
Please accept the solution and hit Karma, if this helps!
Please create a support case with Splunk Support to ask about this option.
Hi @satyaallaparthi, what's the result you're waiting for? Do you want to filter the first lookup using the second? In this case try this:
| inputlookup unix.csv | eval sys_name = lower(FQDN) | search [ | inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | fields sys_name ] | table Status sys_name host-ip "DNS Name"
If instead you want to take values between both the lookups, you can use the lookup command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandOverview) in this way:
| inputlookup unix.csv | eval sys_name = lower(FQDN) | lookup inventory.csv sys_name | table Status sys_name host-ip "DNS Name"
My only doubt is that in the two lookups the sys_name has a different format. In this case, my hint is to elaborate the lookup to have another lookup with the correct sys_name. Ciao. Giuseppe
Hello @meetmshah, I would like to thank you for your reply, but I am looking to extract the 'CmdSet' field. I am using 'rex field=CmdSet "CmdAV=(?<Command>[^\s]+)|\sCmdArgAV=(?<Command1>[^\s]+)"' but it is giving output only till the 1st CmdArgAV value.
Hi @asimsk84, sorry, but why do you want to use a script to clean old Splunk data files? You can set up a retention time (adding to each index the parameter frozenTimePeriodInSecs) and Splunk automatically removes the old buckets in a correct way. Ciao. Giuseppe
I have two lookups, 1 with 460K rows and another with 10K rows. I used join to get the 10K results from 460K rows, however join is not working and not returning any results. I used table and stats in both lookups though no results. Below are the queries I used:
| inputlookup unix.csv | eval sys_name = lower(FQDN) | join sys_name [| inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | table Status sys_name host-ip "DNS Name" ]
and
| inputlookup unix.csv | eval sys_name = lower(FQDN) | stats values(*) as * by sys_name | join sys_name [| inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | table Status sys_name host-ip "DNS Name" ]
Any help would be greatly appreciated.
Ideally it should be managed locally in system/local - however, have you tried managing it through peer-apps? The peer-apps precedence is as follows -
1. Peer-app local directories -- highest priority
2. System local directory
3. App local directories
4. Peer-app default directories
5. App default directories
6. System default directory -- lowest priority
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only
Please accept the solution and hit Karma, if this helps!
Hi @karthi2809, what do you mean by "pass parameters"? Do you have logs from this website, or something else? Ciao. Giuseppe
I will not be able to give screenshots, but the issue was larger than just selected fields. It was that no data was saving on a per-user basis. This includes selected fields, search mode, and many other things. I found in another thread that the newer versions of Splunk come with an "Optimizations" script that disables these by default, and in the documentation it states to not disable this. However, in the thread the Splunk guy said this optimization was meant for environments with over 1000 users. My environment has a handful of users, so disabling has not caused any issues so far. This has fixed my issues of saved data not persisting for each user. However, if it is possible, I would like to keep the optimizations but then disable certain features that it is optimizing. Is that possible? Example: only optimizing search mode, since verbose could theoretically take the most processing power. I hope I have explained this enough. Edit: Here is the thread I spoke about - https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652794
Let's say that I have clustered my indexers and now I want to change the configuration for peers regarding web.conf from the master node level (disable the indexers' GUI because there is now a cluster master that manages them) and add config to server.conf from the cluster master level for the entire cluster.
Just scanning the $SPLUNK_HOME/etc/system/default/*.conf files for boolean values shows a huge disparity. "0" and "1" exceed "true/false" or "True/False" in commonality. If linted against the .spec files, most of these would fail. Is there a person that needs to see this to get it changed and self-consistent on the default values? The vendor defaults should be the gold standard to measure against. Any and all comments on how I might pursue resolution are welcome.
Hello @sushraw, Can you please try below -
| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
The above should extract CmdSet from the events. If it looks good, you can write a search time field extraction to extract the field CmdSet automatically. Please accept the solution and hit Karma, if this helps!
TACACS event:
Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>
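The two-stage extraction discussed in this thread (CmdSet from _raw first, then CmdArgAV from CmdSet, with rex's default single match versus max_match=0) replayed in Python on the TACACS event above; this is an added example, not any poster's code, and the reconstruct_command helper is an assumed extra for rejoining the extracted values into the authorized command line.

```python
import re

# Constructed sample: the TACACS event posted in the thread, placeholders kept as-is.
EVENT = (
    "Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 "
    "2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, "
    "DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, "
    "CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface "
    "CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, "
    "MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>"
)

# Same patterns as the rex commands in the thread (Python named-group syntax).
CMDSET_RE = re.compile(r"CmdSet=\[(?P<CmdSet>[^\]]+)\]")
CMDAV_RE = re.compile(r"CmdAV=(?P<CmdAV>[^\s]+)")
CMDARG_RE = re.compile(r"CmdArgAV=(?P<CmdArgAV>[^\s]+)")


def extract_cmdset(raw):
    """Stage 1: pull the bracketed CmdSet out of _raw (rex field=_raw ...)."""
    m = CMDSET_RE.search(raw)
    return m.group("CmdSet").strip() if m else None


def extract_args(cmdset, max_match=1):
    """Stage 2: CmdArgAV values from CmdSet. max_match=1 mimics rex's default
    (first match only, which is why the poster saw only the 1st value);
    max_match=0 returns every match, like rex max_match=0."""
    matches = [m.group("CmdArgAV") for m in CMDARG_RE.finditer(cmdset)]
    return matches if max_match == 0 else matches[:max_match]


def reconstruct_command(raw):
    """Assumed helper: rebuild the authorized command (CmdAV plus all CmdArgAV
    values, dropping the <cr> terminator), e.g. for alerting on MatchedCommandSet."""
    cmdset = extract_cmdset(raw)
    if cmdset is None:
        return None
    verb = CMDAV_RE.search(cmdset)
    args = [a for a in extract_args(cmdset, max_match=0) if a != "<cr>"]
    return " ".join(([verb.group("CmdAV")] if verb else []) + args)


if __name__ == "__main__":
    cs = extract_cmdset(EVENT)
    print("CmdSet:", cs)
    print("default (first match only):", extract_args(cs))
    print("max_match=0:", extract_args(cs, max_match=0))
    print("command:", reconstruct_command(EVENT))
```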
Hello @dood9999, Would you be able to elaborate the question in detail along with few screenshots?