All Posts

EVENT Time 3/18/24 12:58:45.880 PM { "Timestamp": "2024-03-18T10:58:45.880+00:00", "Level": "ERR", "Message": "The HTTP status code of the response was not expected (404).\n\nStatus: 404\nResponse: \n{\"IsError\":false,\"IsValidationError\":false,\"IsNotFound\":true,\"IsDisplayError\":false,\"Type\":\"http://glc-api-integration-tst.cs.sanlam.co.za/intermediary-accreditations\",\"Status\":404,\"Title\":\"Not found error\",\"Detail\":\"Intermediary accreditation Product not found. Search parameters: WhiteLabel: GLC, ProductCode: SANFRP01, GuaranteedIncome: False, GuaranteedCapital: False, GuaranteedAnnuitySingleLife: False, GuaranteedAnnuityJointLife: False \",\"Errors\":[],\"ValidationErrors\":{}}", "Properties": { "RequestId": "0HN271KO7M0H2:00000007", "RequestPath": "/products/fit-and-proper", "CorrelationId": "1e5975b4-d3e3-42c5-9bed-48760f4002d8", "ConnectionId": "0HN271KO7M0H2", "MachineName": "k8s-glc-api-bff-portal-tst-7b67f985b5-xqspv", "SolutionName": "PortalBFF", "Environment": "tst", "LoggerName": "PortalBFF", "ApplicationName": "PortalBFF", "ThreadId": "1", "ProcessId": "1", "ProcessUserId": "root", "SiteName": "PortalBFF" }, "Exception": { "ExceptionSource": "API.Client.3rdParty.Integration", "ExceptionType": "Api.Client.ThirdParty.Integration.V1.ApiException", "ExceptionMessage": "The HTTP status code of the response was not expected (404).\n\nStatus: 404\nResponse: \n{\"IsError\":false,\"IsValidationError\":false,\"IsNotFound\":true,\"IsDisplayError\":false,\"Type\":\"http://glc-api-integration-tst.cs.sanlam.co.za/intermediary-accreditations\",\"Status\":404,\"Title\":\"Not found error\",\"Detail\":\"Intermediary accreditation Product not found. 
Search parameters: WhiteLabel: GLC, ProductCode: SANFRP01, GuaranteedIncome: False, GuaranteedCapital: False, GuaranteedAnnuitySingleLife: False, GuaranteedAnnuityJointLife: False \",\"Errors\":[],\"ValidationErrors\":{}}", "StackTrace": " at Api.Client.ThirdParty.Integration.V1.IntegrationClient.IntermediaryAccreditationAsync(IntermediaryAccreditationProductRequestModel model, CancellationToken cancellationToken)\n at Providers.ExternalIntegrations.FitAndProper.V1.FitAndProperProvider.IntermediaryAccreditation(IntermediaryAccreditationProductRequestModel model, CancellationToken cancellationToken) in /src/Providers/ExternalIntegrations/FitAndProper/V1/FitAndProperProvider.cs:line 14\n at Services.ExternalIntegrations.FitAndProper.Queries.V1.GetFitAndProperQueryHandler.Handle(GetFitAndProperQuery request, CancellationToken cancellationToken) in /src/Services/ExternalIntegrations/FitAndProper/Queries/V1/GetFitAndProperQuery.cs:line 37\n at Api.Utilities.Behaviours.PerformanceBehaviour`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)\n at Api.Utilities.Behaviours.ValidationBehavior`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)\n at Api.Controller.Products.V1.ProductsController.GetFitAndProper(GetFitAndProperQuery request, CancellationToken cancellationToken) in /src/Api/Controller/Products/V1/ProductsController.cs:line 53\n at lambda_method954(Closure , Object )\n at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Logged|12_1(ControllerActionInvoker invoker)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, 
Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)\n at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)\n at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.ClaimsMiddleware.Invoke(HttpContext context, IUserService userService)\n at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.SwaggerUiIndexMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.RedirectToIndexMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.OpenApiDocumentMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.SwaggerBasicAuthMiddleware.InvokeAsync(HttpContext context)\n at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)\n at Api.Utilities.Middleware.RequestBodyMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.LoggingMiddleware.Invoke(HttpContext context)", 
"FileName": null, "MethodName": "Api.Client.ThirdParty.Integration.V1.IntegrationClient+<IntermediaryAccreditationAsync>d__15", "Line": 0, "Data": null }, "RequestBody": null, "Additional": null } { "Timestamp": "2024-03-18T10:58:46.979+00:00", "Level": "ERR", "Message": "The HTTP status code of the response was not expected (404).\n\nStatus: 404\nResponse: \n{\"IsError\":false,\"IsValidationError\":false,\"IsNotFound\":true,\"IsDisplayError\":false,\"Type\":\"http://glc-api-integration-tst.cs.sanlam.co.za/intermediary-accreditations\",\"Status\":404,\"Title\":\"Not found error\",\"Detail\":\"Intermediary accreditation Product not found. Search parameters: WhiteLabel: GLC, ProductCode: SANFRP01, GuaranteedIncome: False, GuaranteedCapital: False, GuaranteedAnnuitySingleLife: False, GuaranteedAnnuityJointLife: False \",\"Errors\":[],\"ValidationErrors\":{}}", "Properties": { "RequestId": "0HN271KO7M0H6:00000002", "RequestPath": "/products/fit-and-proper", "CorrelationId": "31069097-572e-42cd-b47d-688b63260705", "ConnectionId": "0HN271KO7M0H6", "MachineName": "k8s-glc-api-bff-portal-tst-7b67f985b5-xqspv", "SolutionName": "PortalBFF", "Environment": "tst", "LoggerName": "PortalBFF", "ApplicationName": "PortalBFF", "ThreadId": "1", "ProcessId": "1", "ProcessUserId": "root", "SiteName": "PortalBFF" }, "Exception": { "ExceptionSource": "API.Client.3rdParty.Integration", "ExceptionType": "Api.Client.ThirdParty.Integration.V1.ApiException", "ExceptionMessage": "The HTTP status code of the response was not expected (404).\n\nStatus: 404\nResponse: \n{\"IsError\":false,\"IsValidationError\":false,\"IsNotFound\":true,\"IsDisplayError\":false,\"Type\":\"http://glc-api-integration-tst.cs.sanlam.co.za/intermediary-accreditations\",\"Status\":404,\"Title\":\"Not found error\",\"Detail\":\"Intermediary accreditation Product not found. 
Search parameters: WhiteLabel: GLC, ProductCode: SANFRP01, GuaranteedIncome: False, GuaranteedCapital: False, GuaranteedAnnuitySingleLife: False, GuaranteedAnnuityJointLife: False \",\"Errors\":[],\"ValidationErrors\":{}}", "StackTrace": " at Api.Client.ThirdParty.Integration.V1.IntegrationClient.IntermediaryAccreditationAsync(IntermediaryAccreditationProductRequestModel model, CancellationToken cancellationToken)\n at Providers.ExternalIntegrations.FitAndProper.V1.FitAndProperProvider.IntermediaryAccreditation(IntermediaryAccreditationProductRequestModel model, CancellationToken cancellationToken) in /src/Providers/ExternalIntegrations/FitAndProper/V1/FitAndProperProvider.cs:line 14\n at Services.ExternalIntegrations.FitAndProper.Queries.V1.GetFitAndProperQueryHandler.Handle(GetFitAndProperQuery request, CancellationToken cancellationToken) in /src/Services/ExternalIntegrations/FitAndProper/Queries/V1/GetFitAndProperQuery.cs:line 37\n at Api.Utilities.Behaviours.PerformanceBehaviour`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)\n at Api.Utilities.Behaviours.ValidationBehavior`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)\n at Api.Controller.Products.V1.ProductsController.GetFitAndProper(GetFitAndProperQuery request, CancellationToken cancellationToken) in /src/Api/Controller/Products/V1/ProductsController.cs:line 53\n at lambda_method954(Closure , Object )\n at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Logged|12_1(ControllerActionInvoker invoker)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, 
Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)\n at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)\n at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.ClaimsMiddleware.Invoke(HttpContext context, IUserService userService)\n at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.SwaggerUiIndexMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.RedirectToIndexMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.OpenApiDocumentMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.SwaggerBasicAuthMiddleware.InvokeAsync(HttpContext context)\n at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)\n at Api.Utilities.Middleware.RequestBodyMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.LoggingMiddleware.Invoke(HttpContext context)", 
"FileName": null, "MethodName": "Api.Client.ThirdParty.Integration.V1.IntegrationClient+<IntermediaryAccreditationAsync>d__15", "Line": 0, "Data": null }, "RequestBody": null, "Additional": null } { "Timestamp": "2024-03-18T10:58:49.080+00:00", "Level": "ERR", "Message": "The HTTP status code of the response was not expected (404).\n\nStatus: 404\nResponse: \n{\"IsError\":false,\"IsValidationError\":false,\"IsNotFound\":true,\"IsDisplayError\":false,\"Type\":\"http://glc-api-integration-tst.cs.sanlam.co.za/intermediary-accreditations\",\"Status\":404,\"Title\":\"Not found error\",\"Detail\":\"Intermediary accreditation Product not found. Search parameters: WhiteLabel: GLC, ProductCode: SANFRP01, GuaranteedIncome: False, GuaranteedCapital: False, GuaranteedAnnuitySingleLife: False, GuaranteedAnnuityJointLife: False \",\"Errors\":[],\"ValidationErrors\":{}}", "Properties": { "RequestId": "0HN271KO7M0H8:00000002", "RequestPath": "/products/fit-and-proper", "CorrelationId": "d7ccaaaa-1a6d-4dbe-9b80-ad63fc69a1c5", "ConnectionId": "0HN271KO7M0H8", "MachineName": "k8s-glc-api-bff-portal-tst-7b67f985b5-xqspv", "SolutionName": "PortalBFF", "Environment": "tst", "LoggerName": "PortalBFF", "ApplicationName": "PortalBFF", "ThreadId": "1", "ProcessId": "1", "ProcessUserId": "root", "SiteName": "PortalBFF" }, "Exception": { "ExceptionSource": "API.Client.3rdParty.Integration", "ExceptionType": "Api.Client.ThirdParty.Integration.V1.ApiException", "ExceptionMessage": "The HTTP status code of the response was not expected (404).\n\nStatus: 404\nResponse: \n{\"IsError\":false,\"IsValidationError\":false,\"IsNotFound\":true,\"IsDisplayError\":false,\"Type\":\"http://glc-api-integration-tst.cs.sanlam.co.za/intermediary-accreditations\",\"Status\":404,\"Title\":\"Not found error\",\"Detail\":\"Intermediary accreditation Product not found. 
Search parameters: WhiteLabel: GLC, ProductCode: SANFRP01, GuaranteedIncome: False, GuaranteedCapital: False, GuaranteedAnnuitySingleLife: False, GuaranteedAnnuityJointLife: False \",\"Errors\":[],\"ValidationErrors\":{}}", "StackTrace": " at Api.Client.ThirdParty.Integration.V1.IntegrationClient.IntermediaryAccreditationAsync(IntermediaryAccreditationProductRequestModel model, CancellationToken cancellationToken)\n at Providers.ExternalIntegrations.FitAndProper.V1.FitAndProperProvider.IntermediaryAccreditation(IntermediaryAccreditationProductRequestModel model, CancellationToken cancellationToken) in /src/Providers/ExternalIntegrations/FitAndProper/V1/FitAndProperProvider.cs:line 14\n at Services.ExternalIntegrations.FitAndProper.Queries.V1.GetFitAndProperQueryHandler.Handle(GetFitAndProperQuery request, CancellationToken cancellationToken) in /src/Services/ExternalIntegrations/FitAndProper/Queries/V1/GetFitAndProperQuery.cs:line 37\n at Api.Utilities.Behaviours.PerformanceBehaviour`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)\n at Api.Utilities.Behaviours.ValidationBehavior`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)\n at Api.Controller.Products.V1.ProductsController.GetFitAndProper(GetFitAndProperQuery request, CancellationToken cancellationToken) in /src/Api/Controller/Products/V1/ProductsController.cs:line 53\n at lambda_method954(Closure , Object )\n at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Logged|12_1(ControllerActionInvoker invoker)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, 
Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)\n at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)\n at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)\n at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.ClaimsMiddleware.Invoke(HttpContext context, IUserService userService)\n at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.SwaggerUiIndexMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.RedirectToIndexMiddleware.Invoke(HttpContext context)\n at NSwag.AspNetCore.Middlewares.OpenApiDocumentMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.SwaggerBasicAuthMiddleware.InvokeAsync(HttpContext context)\n at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)\n at Api.Utilities.Middleware.RequestBodyMiddleware.Invoke(HttpContext context)\n at Api.Utilities.Middleware.LoggingMiddleware.Invoke(HttpContext context)", 
"FileName": null, "MethodName": "Api.Client.ThirdParty.Integration.V1.IntegrationClient+<IntermediaryAccreditationAsync>d__15", "Line": 0, "Data": null }, "RequestBody": null, "Additional": null } {
Yes, this is specific to one sourcetype. I have confirmed it has been edited as follows:
    [glc:api:bff:tst]
    CHARSET=UTF-8
    LINE_BREAKER=([\n\r]+)\{[\n\r]*"Timestamp"
    MAX_TIMESTAMP_LOOKAHEAD=32
    NO_BINARY_CHECK=true
    SHOULD_LINEMERGE=false
    category=Custom
    description=test
    disabled=false
    pulldown_type=true
    TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%:z
    TIME_PREFIX="Timestamp":\s+"
I have attached a screenshot of the events in Splunk and also a .txt with the content of one of the events. You will notice more than one entry in this single event.
Hi Ismo, I'm not sure how to do that. Can you please guide me or provide a doc link? Thank you
Hi
There seem to be quite many Qualys apps on Splunkbase! In general there are two options:
1. Ask that Qualys update and "certify" their apps to work also on Splunk Cloud.
2. Do that by yourself (check their license, if this is a real option or not):
   - Port and validate those by yourself
   - Take those dashboards which you are needing and create your own app based on those
And the last option is to just create your own app based on your needs.
r. Ismo
Hi
when you want/need to read network shares on a Windows machine, you must install the Splunk UF to run as a domain user, not a local one. Otherwise it cannot access those files on shares.
Prepare your Windows network to run Splunk Enterprise as a network or domain user
https://community.splunk.com/t5/Installation/Domain-Account-for-UF/m-p/523581
r. Ismo
Hi
here is a network diagram which describes which ports and what directions should/must be open.
https://www.aplura.com/assets/pdf/splunk_common_ports.pdf
r. Ismo
You have also this SHOULD_LINEMERGE=false on your sourcetype? You can check it by
    splunk btool props list <your sourcetype name here> --debug
The previous command shows what is applied to your sourcetype (or at least after the next refresh/reboot of Splunk) and from which props.conf files those are coming. Can you give a sample of those events which aren't breaking correctly?
Thanks, it seems to be breaking at the right place, but I'm still getting multiple entries as one event. Doesn't seem to be splitting them into separate events for each of the following entries:
    { "Timestamp": "2024-03-18T10:57:17.096+00:00", }
Thanks, you made my day. I need to show in the dashboard table how to use table after stats, and I am getting the warning message: 'list' command: Limit of '100' for values reached. Additional values may have been truncated or ignored. And your mind-reading one and three is working as the expected result, and I have a query: my content list has 134 batch_ID, but Splunk extracted and shows 26 counts; the rest of the things are not showing. How can I handle this? I need to fix that issue. Will this need to be extracted from the props and transforms.conf files while indexing the data? Please help me to fix it.
Hello everyone,
In my Splunk journey, I have to write documentation for the installation of the Universal Forwarder. Our forwarders will be installed on VMs which are on a private network, so we need some configuration on the network to let the Universal Forwarder send data to the Splunk indexers. Our indexers are installed on another private network; we created a rule on the network to receive data on port 9997 of the Splunk server. I'm looking for network prerequisites before the installation of the forwarder.
What rules do we have to create on the forwarder's network?
What port do we have to open on the forwarder's network?
Do we need to create a specific flow for the forwarder to send data to the indexers?
What protocol do we have to set up on the forwarder's network?
Thanks to all who read this,
Hi, We are using a Splunk hybrid environment, with Splunk HF on Splunk Enterprise, indexers and search heads on Splunk Cloud. I have installed and configured the Qualys TA addon on Splunk HF and am ingesting the data to Splunk Cloud. But the Qualys apps are supported only on Splunk Enterprise and not Splunk Cloud. Is there a way to get the dashboards on Splunk Cloud? Can someone please help.
Can you give some scrambled test events to check this?
Hi
it's quite possible that your logs have issues in onboarding. It probably takes the wrong timezone information from the logs, or actually cannot find it, and for that reason it uses some assumptions which seem to be incorrect. Here https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf is an excellent picture/flow of how data is ingested into Splunk and where you should put different configuration options. It's a new version of the previous MASA diagram.
r. Ismo
Yes, chart will sort the columns by name. In order to get around this, you need to use transpose
    | eval static="Category"
    | chart count by static category
    | transpose header_field=static column_name=category
    | sort - Category
    | transpose header_field=category column_name=static
Hi Dashboard Studio's PM are quite active in slack https://splunk-usergroups.slack.com/archives/C2RC5Q17E. You could also ask this there. r. Ismo
Hi
you could use this https://splunkbase.splunk.com/app/5328 to make backups of the KV store on your primary and then restore those into the secondary. I'm not sure whether this is still a working configuration or not. As @gcusello said, SHC does this automatically for you and without the issues which other solutions definitely will generate for you. So first you must understand why you need this secondary SH and, based on that, decide which is the best / least bad solution to implement it.
r. Ismo
Hello to everyone!
I have many FlexEngine.log files in different directories that are ingested by Splunk UF 9.0.8. The path to the logs is a network share on the Windows Server, to which a client-side application writes via SMB. Some files are ingested without errors, but others have errors that you can see below:
    03-18-2024 11:39:23.852 +0300 ERROR TailReader [10000 tailreader0] - error from read call from 'L:\App\UEM\CB\UserSettings\username\FlexEngine.log'.
    03-18-2024 11:39:27.839 +0300 WARN FileClassifierManager [10000 tailreader0] - Unable to open 'L:\App\UEM\CB\UserSettings\username\FlexEngine.log'.
    03-18-2024 11:39:27.839 +0300 WARN FileClassifierManager [10000 tailreader0] - The file 'L:\App\UEM\CB\UserSettings\username\FlexEngine.log' is invalid. Reason: cannot_open.
inputs.conf looks like:
    [monitor://L:\App\UEM\CB\UserSettings\*\FlexEngine.log]
    disabled = false
    index = dem
    sourcetype = dem_file_log
and this is an example of a file:
    2024-03-18 07:01:32.889 [INFO ] Starting FlexEngine v9.9.0.905 [IFP#14d600e0-T5>>]
    2024-03-18 07:01:32.889 [INFO ] Running as Group Policy client-side extension
    2024-03-18 07:01:32.889 [INFO ] Performing path-based import
    2024-03-18 07:01:32.890 [DEBUG] User: domain\username, Computer: ComputerName, OS: x64-win10 (Version 1809, BuildNumber 17763.5329, SuiteMask 100, ProductType 1/7d, Lang 0419, IE 11.1790.17763.0, VMware VDM 7.12.0, App Volumes 2.18.6.24, DEM 9.9.0.905, ProcInfo 1/1/2/2, UTC+03:00N), PTS: 6108/2768/1CT
    2024-03-18 07:01:32.890 [DEBUG] Profile state: local (0x00000204)
    2024-03-18 07:01:32.890 [DEBUG] Recursively processing config files from path '\\domain\app\UEM\CB\Settings\general'
    2024-03-18 07:01:32.890 [DEBUG] Using profile archive path '\\domain\app\UEM\CB\UserSettings\username'
    2024-03-18 07:01:32.890 [DEBUG] Last modified dates will be restored
    2024-03-18 07:01:32.890 [DEBUG] Logging to file '\\domain\app\UEM\CB\UserSettings\username\FlexEngine.log'
    2024-03-18 07:01:32.890 [DEBUG] Log file will be overwritten when larger than 512 kilobytes
Which problems can lead to these errors? Can it be file-blocking by a client-side app, or must Splunk UF handle this situation?
Hi
It's just like @richgalloway said: never install more than one Splunk installation per server. One instance can have some different roles inside it, but which ones can coexist on one node is also restricted! Another issue is that when you are installing SHC, the minimum number of nodes it must contain is three. That restriction comes from the RAFT protocol which manages consistency for SHC. The only time when you can install several Splunk instances on one node is your own personal lab environment. But don't do this in production or even in your official company test environment!
r. Ismo
Yes! Exactly what I need, thank you. Now the only issue I'm having is that I'm no longer able to sort the bar chart in descending order. Earlier I used to do | sort -count, but that doesn't seem to work using static
Hi
Your input seems to be almost valid JSON, but not exactly. It misses "," between events. So you could use this
    [<Your sourcetype here>]
    CHARSET=UTF-8
    LINE_BREAKER=([\n\r]+)\{[\n\r]*"Timestamp"
    MAX_TIMESTAMP_LOOKAHEAD=32
    NO_BINARY_CHECK=true
    SHOULD_LINEMERGE=false
    category=Custom
    description=test
    disabled=false
    pulldown_type=true
    TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%:z
    TIME_PREFIX="Timestamp":\s+"
r. Ismo
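
Added example, not part of any post above: a small Python harness that emulates how the first capture group of LINE_BREAKER delimits events when SHOULD_LINEMERGE=false, run over constructed records in three whitespace layouts. `LENIENT_BREAKER`, the helper names and the sample records are assumptions made for the illustration; the thread does not show the exact whitespace of the raw file.

```python
import json
import re

# LINE_BREAKER exactly as posted in the thread.
PAGE_BREAKER = r'([\n\r]+)\{[\n\r]*"Timestamp"'
# Assumed variant (not from the thread): also tolerate spaces, tabs or
# indentation between "{" and the "Timestamp" key.
LENIENT_BREAKER = r'([\n\r]+)\{\s*"Timestamp"'

# Constructed timestamps in the same format as the events on the page.
TIMESTAMPS = [
    "2024-03-18T10:58:45.880+00:00",
    "2024-03-18T10:58:46.979+00:00",
    "2024-03-18T10:58:49.080+00:00",
]
LAYOUTS = ("tight", "indented", "inline")


def make_record(ts, layout):
    """Build one constructed JSON log record in the requested whitespace layout."""
    fields = f'"Timestamp": "{ts}", "Level": "ERR", "Message": "constructed sample"'
    if layout == "tight":      # "{", newline, key at column 0
        return "{\n" + fields + "\n}"
    if layout == "indented":   # pretty-printed: key indented by two spaces
        return "{\n  " + fields + "\n}"
    if layout == "inline":     # whole record on one line, space after "{"
        return "{ " + fields + " }"
    raise ValueError(f"unknown layout: {layout}")


def sample(layout):
    """Three records back to back, separated by a newline, no comma between them."""
    return "\n".join(make_record(ts, layout) for ts in TIMESTAMPS) + "\n"


def split_events(raw, line_breaker):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE=false.

    The text matched by the first capture group is the delimiter and is
    discarded: what precedes it closes one event, what follows opens the next.
    """
    events, start = [], 0
    for match in re.finditer(line_breaker, raw):
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    events.append(raw[start:])
    return [event for event in events if event.strip()]


def all_valid_json(events):
    """True only if every event parses as a single JSON object."""
    try:
        return all(isinstance(json.loads(event), dict) for event in events)
    except json.JSONDecodeError:
        return False


def events_per_layout(line_breaker):
    """Number of events each layout yields under the given LINE_BREAKER."""
    return {
        layout: len(split_events(sample(layout), line_breaker))
        for layout in LAYOUTS
    }


if __name__ == "__main__":
    for name, breaker in (("page", PAGE_BREAKER), ("lenient", LENIENT_BREAKER)):
        for layout in LAYOUTS:
            events = split_events(sample(layout), breaker)
            print(f"{name:8} {layout:9} events={len(events)} "
                  f"valid_json={all_valid_json(events)}")
```

When several records arrive as one event, comparing the bytes between `{` and `"Timestamp"` in the raw file against the pattern is a quick check before changing props.conf.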