All Posts

Yes, I have hyphens and a full stop in the hostname that need to be considered. So far I have identified those 4 patterns and that should be it.
Is the data stored the same way in both environments? Are there the same indexes, sourcetypes, props/transforms etc. in both environments? Are the IO resources equal on both nodes? Is anything other than Splunk running on those nodes? You should set up the MC on both nodes and use it to look at what is happening. Start with the health check part. It will tell you if there are some configurations which do not meet Splunk's requirements.
We have installed the "Proofpoint TAP Modular Input" add-on on a Victoria search head and created an input (API call) to fetch the logs. For the first run it fetched one event, and from the next runs on it is throwing an error: "pp_tap_input: When trying to retrieve the last poll time, multiple kvstore records were found". We tried creating a new input and observed the same behavior.
Hi, that .conf presentation which @kiran_panchavat is referring to is excellent, even if it's a little bit old and doesn't contain all the new stuff like S2 (Splunk SmartStore). Please read it, and also some other answers which talk about that same issue. In short: you cannot ensure that events are moved into cold storage based on age! There is no parameter which defines this for warm buckets. Moving warm to cold is defined based on bucket count, not based on time. frozenTimePeriodInSecs is used for moving cold buckets to frozen (archiving those outside of Splunk, or removing them as the default action). r. Ismo
Hi, one way is to use the transaction command, like:

| makeresults format=csv data="_time,user,action
1710320306,u09,unlocked
1710320356,u09,locked
1710320360,u10,unlocked
1710320363,u10,locked
1710320369,u11,unlocked
1710320374,u11,locked
1710320379,u09,unlocked
1710320384,u09,locked
1710320389,u10,unlocked
1710321119,u10,locked
1710321126,u11,unlocked
1710322754,u11,locked
1710322760,u09,unlocked
1710324580,u09,locked
1710326550,u09,unlocked
1710328364,u09,locked"
| transaction startswith="action=unlocked" endswith="action=locked" user
| fieldformat duration=tostring(duration,"duration")

r. Ismo
Hello! I have a log that shows locking/unlocking of PCs:

1710320306,u09,unlocked
1710320356,u09,locked
1710320360,u10,unlocked
1710320363,u10,locked
1710320369,u11,unlocked
1710320374,u11,locked
1710320379,u09,unlocked
1710320384,u09,locked
1710320389,u10,unlocked
1710321119,u10,locked
1710321126,u11,unlocked
1710322754,u11,locked
1710322760,u09,unlocked
1710324580,u09,locked
1710326550,u09,unlocked
1710328364,u09,locked

The first field is a unix timestamp, the second the user, the third the action. I need to get statistics for PCs being unlocked by users, so it will be the sum of seconds between unlocked and locked actions for each user. Please help with a search query.
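The pairing that the transaction answer above relies on, written out as an added example (not part of either post) so the edge cases are visible: an unlock opens a session for that user, the next lock for the same user closes it, and the per-user sum of the closed sessions is the answer the question asks for. The sample log is the one quoted in the question; the handling of a double unlock, a lock without an unlock, and a session still open at the end of the data is my choice, not something the thread specifies.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample input: the lock/unlock log quoted in the question
# (unix timestamp, user, action), one record per line.
SAMPLE_LOG = """\
1710320306,u09,unlocked
1710320356,u09,locked
1710320360,u10,unlocked
1710320363,u10,locked
1710320369,u11,unlocked
1710320374,u11,locked
1710320379,u09,unlocked
1710320384,u09,locked
1710320389,u10,unlocked
1710321119,u10,locked
1710321126,u11,unlocked
1710322754,u11,locked
1710322760,u09,unlocked
1710324580,u09,locked
1710326550,u09,unlocked
1710328364,u09,locked
"""


def parse_events(text):
    """Parse 'timestamp,user,action' lines into (int, str, str) tuples, oldest first."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue  # blank or malformed line
        ts, user, action = row
        events.append((int(ts), user.strip(), action.strip()))
    events.sort(key=lambda e: e[0])
    return events


def unlocked_seconds_per_user(events):
    """Sum the seconds each user spent unlocked.

    An 'unlocked' event opens a session for that user and the next 'locked'
    event for the same user closes it, which is the pairing a transaction
    with startswith/endswith produces on clean data.  The edge cases are
    handled explicitly: a second 'unlocked' before any 'locked' restarts the
    session (the earlier start is discarded), a 'locked' with no open session
    is ignored, and sessions still open when the data ends are returned
    separately instead of being silently dropped or counted.

    Returns (total_seconds_by_user, session_count_by_user, still_open_by_user).
    """
    totals = defaultdict(int)
    sessions = defaultdict(int)
    open_since = {}
    for ts, user, action in events:
        if action == "unlocked":
            open_since[user] = ts
        elif action == "locked":
            start = open_since.pop(user, None)
            if start is None:
                continue
            totals[user] += ts - start
            sessions[user] += 1
    return dict(totals), dict(sessions), open_since


def format_duration(seconds):
    """Render seconds as HH:MM:SS, like tostring(duration, "duration") in SPL."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


if __name__ == "__main__":
    totals, sessions, still_open = unlocked_seconds_per_user(parse_events(SAMPLE_LOG))
    for user in sorted(totals):
        print(f"{user}: {format_duration(totals[user])} over {sessions[user]} sessions")
    if still_open:
        print("sessions without a matching lock:", still_open)
```

On the sample data this gives u09 01:01:29 over 4 sessions, u10 00:12:13 over 2 and u11 00:27:13 over 2, with nothing left open. The explicit handling of unmatched events is the part worth carrying back into the SPL version: transaction silently produces a one-event "transaction" for an unlock that never closes, which then has a duration of 0 and disappears from a sum.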
We are having a problem with maintenance windows in Splunk IT Service Intelligence. We have a common service that two other services are dependent on; on top of those two there are other services dependent on them.

Service a                    Service b
Service in maintenance       Service not in maintenance
            Common Service

With the current implementation in ITSI, we are forced to put "Service in maintenance" and "Common Service" in maintenance mode to avoid getting wrong health scores in "Service a". This creates a problem for us: if an error occurs in "Common Service" during the maintenance window, it won't be reflected correctly in "Service not in maintenance", hence we will not be able to detect failures that affect our users. We tried raising a ticket, which correctly stated that this works as designed and documented. We have an idea, ITSIID-I-359, but so far it hasn't been upvoted. Kind regards
Hi, as @gcusello said, you have a performance issue on your Splunk system. Quite probably it's on the indexer side. Another place could be the SH side if your splunk var directory is too small. I suppose that you have the MC in place? Then use it for monitoring your environment. You could look at this https://conf.splunk.com/files/2021/slides/TRU1172B.pdf; there are also some other MC and CMC presentations, and those contain links to other resources and instructions. If those don't help, then ask for help from PS or a Splunk architect. r. Ismo
How much of this is real? For example, do you really have hyphens in the host name of the address? Are they the only place where hyphens occur, apart from the end part? Are there any other representative examples you wish to be considered?
Hi @Tron-spectron47, everything in Splunk is a search, so you have to learn how to create a search, both using indexes and using Data Models. When you are able to create a search, you can save it in a dashboard, an alert or a report, but the starting point is always a search. To start, you could follow the Splunk Search Tutorial https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial Ciao. Giuseppe
Hi, if the admin can use it and a regular user can't, then quite probably the user doesn't have permission to use it. Ask your admin to check those permissions. It should be shared (at least) at app level and given read access to all needed roles or to everyone. If it is shared at app level then users must use it inside that app, not from any other app. If it needs to be accessible from any app then it must be shared globally. r. Ismo
Hi, you must use a valid email address in the from field. Currently most email servers require that senders be within valid and permitted domains. Depending on your configuration, it could be that you can only use the from field and user which are configured in your Splunk and given by your email provider. r. Ismo
I wanted to see whether what I captured is in the right direction; it's for my own sake. Can I say that there are two ways of creating a dashboard: one through inputs and the other through data models?
Hi, you must use transforms to get this done.

Create a Field transformation in your app, e.g. get_directory_from_linux_audit_source:
    Type: regex-based
    Regular expression like: /log/([^/]+)/
    Format: directory::$1
    Source key: source
Save and give the needed permissions (app, and the roles which can use it).

Create a Field extraction:
    Name: <whatever you want to call it>
    Apply to: sourcetype named: e.g. linux_audit, or whatever this is on your node
    Type: Uses transforms
    Extraction/Transforms: <from above, e.g. get_directory_from_linux_audit_source>
Save and give the needed permissions like above.

Wait for this to be applied to all needed places on SCP.

Use it like:
index=<your index> sourcetype=<your sourcetype> <your field name>=*

r. Ismo
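The same two objects expressed as configuration files, added here as an example and not taken from the post: this is what the UI steps above write into the app's local/ directory, and it is what you would ship in an app or deploy through a deployer. The sourcetype name linux_audit and the field name directory are the ones used in the post; adjust both to your environment.

```ini
# transforms.conf: the field transformation.  SOURCE_KEY points the regex at
# the source field instead of the raw event, and FORMAT names the new field.
[get_directory_from_linux_audit_source]
SOURCE_KEY = source
REGEX = /log/([^/]+)/
FORMAT = directory::$1

# props.conf: the field extraction that applies the transformation to the
# sourcetype at search time (REPORT- is search-time; EXTRACT- would not
# accept a transforms.conf stanza).
[linux_audit]
REPORT-directory = get_directory_from_linux_audit_source
```

Because this is a search-time extraction, no re-indexing is needed; once the app is pushed to the search heads (and the knowledge bundle reaches the indexers), `index=<your index> sourcetype=linux_audit directory=*` starts returning the field.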
Thank you - this hasn't worked. I'm still getting all 158 problem details, although now renamed as problem_classification, but I think I understand that logic and will play around with it.
Hi, I'm trying to follow this tutorial https://splunkui.splunk.com/Create/ComponentTutorial and I have a problem when I start the demo. The steps that I'm following are:

Navigate to an empty directory of your choice and invoke Create:

mkdir -p ~/Code/MyTodoList && cd ~/Code/MyTodoList
npx @splunk/create

(I choose "A monorepo with a React Component")

Run setup and start the component in demo mode:

yarn run setup
cd packages/react-todo-list
yarn run start:demo

This gives me the following errors:

ERROR in ../../node_modules/@splunk/splunk-utils/url.js 11:19-41
Module not found: Error: Can't resolve 'querystring' in 'c SPLUNK\Code\MyTodoList\node_modules\@splunk\splunk-utils'

BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default. This is no longer the case. Verify if you need this module and configure a polyfill for it.

If you want to include a polyfill, you need to:
- add a fallback 'resolve.fallback: { "querystring": require.resolve("querystring-es3") }'
- install 'querystring-es3'
If you don't want to include a polyfill, you can use an empty module like this:
resolve.fallback: { "querystring": false }

How can I handle this? Thanks in advance.

node -v: v20.11.1
npm -v: 10.2.4
yarn -v: 1.22.22

I did this:

npm install querystring-es3

And this is the fallback in webpack.config.js:

const path = require('path');
const { merge: webpackMerge } = require('webpack-merge');
const baseComponentConfig = require('@splunk/webpack-configs/component.config').default;

module.exports = webpackMerge(baseComponentConfig, {
    resolve: {
        fallback: { "querystring": require.resolve("querystring-es3") }
    },
    entry: {
        ReactTodoList: path.join(__dirname, 'src/ReactTodoList.jsx'),
    },
    output: {
        path: path.join(__dirname),
    }
});

But the error is the same.
Working 
Hi, unfortunately there is no common mechanism for getting this information, or at least I don't know of one. You could look at this page https://advisory.splunk.com/?301=/en_us/product-security.html to see whether there are any security issues, which usually means that a new version has been released. On that page there is also the possibility to subscribe to an RSS feed. Another option is to look at when there is a new version on docs.splunk.com. And if you have a Splunk instance which has access to the internet (some Splunk sites) and you have admin rights on it, you can see Messages when a new version and/or release has been launched. r. Ismo
Thanks a lot! This regex works for the given example. I have another pattern like this "address":"http://test-query-service.xxx-xxx.xxx.xxx.com/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg" for which I'm trying to implement the regex you've given by modifying it slightly, but I couldn't achieve the same result. Can you please help here? Also, can you please break down the regex for my better understanding?
Try something like this:

| rex field=message max_match=0 "API: START: /v1/expense/extract/demand/(?<oneField>[^\/]+)\/(?<anotherField>\S+)"
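The rex pattern from the answer above, broken down piece by piece and run over constructed sample messages; this is an added example, not from either post. It also shows one way to adapt the same building block ([^/]+, "a run of characters up to the next slash") to the "address" URL from the follow-up question. What to pull out of that URL is my assumption (host, operation name and trailing id); the thread does not say. The only syntax difference from Splunk's rex is that Python spells a named group (?P<name>...) where PCRE accepts (?<name>...), and the slash does not need escaping.

```python
import re

# The rex pattern from the answer, in Python's re syntax.  Piece by piece:
API_START = re.compile(
    r"API: START: /v1/expense/extract/demand/"  # literal prefix that anchors the match
    r"(?P<oneField>[^/]+)"                       # one path segment: any run of non-slash characters
    r"/"                                         # the slash that ends that segment
    r"(?P<anotherField>\S+)"                     # everything up to the next whitespace
)

# Assumed extraction for the second pattern in the thread (my guess at the
# intent, not from the original post): take the host, the operation name and
# the trailing id out of "address":"http://<host>/.../<operation>/<id>".
# Hyphens and dots in the host need no special handling because [^/]+ only
# stops at a slash.
ADDRESS = re.compile(
    r'"address":"https?://'
    r"(?P<host>[^/]+)/"       # hostname, stops at the first slash
    r"(?:[^/]+/)*"            # any number of intermediate path segments
    r"(?P<operation>[^/]+)/"  # second-to-last segment
    r'(?P<id>[^/"]+)"'        # last segment, ends at the closing quote
)


def extract_api_start(message):
    """All (oneField, anotherField) matches in message, like rex max_match=0."""
    return [m.groupdict() for m in API_START.finditer(message)]


def extract_address(message):
    """host/operation/id from the first "address" URL in message, or None."""
    m = ADDRESS.search(message)
    return m.groupdict() if m else None


# Constructed sample messages in the two shapes discussed in the thread
SAMPLE_API = (
    "2024-03-13 10:00:01 API: START: /v1/expense/extract/demand/"
    "ab12-cd34/report-2024-03.pdf status=ok"
)
SAMPLE_ADDRESS = (
    '{"address":"http://test-query-service.xxx-xxx.xxx.xxx.com'
    '/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg"}'
)

if __name__ == "__main__":
    print(extract_api_start(SAMPLE_API))
    print(extract_address(SAMPLE_ADDRESS))
```

Two things the breakdown makes visible. The literal prefix is what makes the extraction safe: without it, [^/]+ would happily match any path segment anywhere in the event. And \S+ is greedy up to whitespace, so if the path is followed by a query string or a closing quote with no space before it, those characters end up inside anotherField; that is why the address pattern closes with the quote character instead.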