All Posts

When the index pipeline begins backing up at any stage, which resources are responsible for the bottleneck? Obviously, once backed up, the problem will overflow into other areas, but is there a "rule" or anything that says if the backup is at the Parsing Pipeline then the storage IO is too low, Merging Pipeline then the CPU is too low, Typing Pipeline the memory is too low, or Index Pipeline it's network bandwidth, etc.? I am specifically looking for info regarding a Heavy Forwarder, but any help would be appreciated. *It's not as bad as the picture makes it seem, just posting for visual*
Got it working after adding the src_ip field. Splunk is a long journey to learning basic stuff.

source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) action=DROP
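The search above keeps firewall DROP events whose source is outside the RFC 1918 ranges, and it only works once src_ip is actually extracted. The following is an added example (not from the post above, and not Splunk code) that applies the same filter in Python over a few constructed syslog lines, so the behaviour can be checked offline: events without an extracted src_ip or with an unparseable address are skipped rather than treated as external. The log format, host names and addresses are all invented for the example.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges, mirroring the IN (...) list used in the search
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample syslog lines (not real data), key=value firewall style
SAMPLE_LINES = [
    "Jan 10 12:00:01 fw1 kernel: action=DROP src_ip=203.0.113.5 dst_ip=10.0.0.5 dst_port=22 proto=TCP",
    "Jan 10 12:00:02 fw1 kernel: action=ACCEPT src_ip=198.51.100.7 dst_ip=10.0.0.8 dst_port=443 proto=TCP",
    "Jan 10 12:00:03 fw1 kernel: action=DROP src_ip=192.168.1.20 dst_ip=10.0.0.5 dst_port=445 proto=TCP",
    "Jan 10 12:00:04 fw1 kernel: action=DROP src_ip=172.20.3.9 dst_ip=10.0.0.5 dst_port=3389 proto=TCP",
    "Jan 10 12:00:05 fw1 kernel: action=DROP dst_ip=10.0.0.5 dst_port=23 proto=TCP",  # no src_ip field
    "Jan 10 12:00:06 fw1 kernel: action=DROP src_ip=not-an-ip dst_ip=10.0.0.5 dst_port=23 proto=TCP",
    "Jan 10 12:00:07 fw1 kernel: action=DROP src_ip=203.0.113.5 dst_ip=10.0.0.9 dst_port=3389 proto=TCP",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Extract key=value pairs; stands in for a Splunk field extraction."""
    return dict(KV_RE.findall(line))


def is_private(ip_text):
    """True/False for an RFC 1918 check; None when the value is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(addr in net for net in PRIVATE_NETS)


def external_drops(lines):
    """Equivalent of: NOT src_ip IN (private ranges) action=DROP.

    Events with no src_ip, or with a src_ip that is not a valid address,
    are dropped from the result instead of being counted as external.
    """
    results = []
    for line in lines:
        ev = parse_event(line)
        src = ev.get("src_ip")
        if src is None or ev.get("action") != "DROP":
            continue
        if is_private(src) is not False:  # private, or unparseable
            continue
        results.append(ev)
    return results


def drops_by_source(lines):
    """Count matching events per external source, like | stats count by src_ip."""
    return Counter(ev["src_ip"] for ev in external_drops(lines))


if __name__ == "__main__":
    for src, n in drops_by_source(SAMPLE_LINES).most_common():
        print(f"{src}\t{n}")
```

Running the module prints one line per external source with its DROP count; with the constructed input that is a single source with two events, because the private, missing and malformed src_ip events are all excluded.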
Hi @DanAlexander, it looks like this is not supported at the moment: https://docs.splunk.com/Documentation/AddonBuilder/4.1.4/UserGuide/Installation "Add-on Builder is not supported in a search head cluster or index cluster environment." You can upvote this idea: https://ideas.splunk.com/ideas/APPSID-I-843
I described in the OP that field_A and field_B share the value. So there's nothing I can do to join the rest of the corresponding fields together? Yes, I did find evidence of field_B in source_2 having a value of 11111179 and a non-null value of field_C, which is what I intended to refer to in my previous post. In regards to the mock code, the search worked, so I'm guessing the flags were ignored. Either way, if it is indeed a data problem, I'm not seeing it in my logs. Thank you for the insight though. Will update this post if that does end up being the problem.
When adding a new cluster manager to a redundant cluster manager cluster, do I need to manually deploy the current manager-apps?
Use splunk offline --enforce-count to migrate to new hardware. A rebalance will shuffle buckets around, but won't remove the old indexer. If you're only replacing a single indexer, then manual detention is not necessary. However, if this is one of many migrations, then consider setting manual detention on each old indexer so they don't receive buckets from the others that are taken down. It will spare the system from potentially moving the same bucket multiple times.
Hi @molko13, in this case, the referrer of the license should ask Splunk Support to add you to the entitlement. Then you'll be able to open cases. Ciao. Giuseppe
You can start here, but skip the parts about static assets, setup pages, and icons. All you really need are default/app.conf and default/props.conf.  The site above shows what needs to be in app.conf.
Hello, I need help to assign a text box value to a radio button, but it's not working.

<form>
  <label>assign text box value to Radio button</label>
  <fieldset submitButton="false">
    <input type="radio" token="tokradio" searchWhenChanged="true">
      <label>field1</label>
      <choice value="category=$toktext$">Group</choice>
      <default>category=$toktext$</default>
      <initialValue>category=$toktext$</initialValue>
    </input>
    <input type="text" token="toktext" searchWhenChanged="false">
      <label>field2</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokradio=$tokradio$</title>
      <table>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks in advance. @bowesmana @tscroggins @gcusello @yuanliu @ITWhisperer
Have you fixed this issue? If so, please share the solution.
Thanks for your answer. I'm a member of this company; this is not my customer. I am a new member of the security team in this company, internally I mean.
Hi @molko13, usually only a few people are enabled to open a case with Splunk Support for each entitlement, and usually it is someone from the customer who opens cases. I'm enabled to open cases for some selected customers that enabled me to do this, but this is an exception. If you need to do this, you must ask your customer to ask Splunk to enable you; otherwise it isn't possible. Ciao. Giuseppe
Hi, I'm facing an issue with creating a support ticket. I'm on the Enterprise version for a company that has a support account. I'm new in the security team; I've tried to contact support via the support form (4 times) but got no answer. I've tried to call support, but they answered that I need to ask my manager to add me via the admin portal or contact support to help with it. My manager isn't able to do that. This is really blocking me; does anyone have advice? Thx
Hi, has anyone figured out the way to integrate, please?
Hi @anandhalagaras1, you should install the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603) in your Splunk. One of the examples is just what you're searching for: the In-page Drilldown. Ciao. Giuseppe
Hi Team, I have created a dashboard with the query below. The output is in column chart format with a timer, and it displays the Top 10 Event Codes with Count when we choose the time and click submit.

index=windows host=* source=WinEventLog:System EventCode=* Type=Error OR Type=Critical | stats count by EventCode Type | sort -count | head 10

Once the results are displayed in the column chart, my requirement is that if we click any one of the EventCodes from the Top 10 in the column chart (take 4628 as an example), it should navigate to a new panel or a window showing the Top 10 host, source, Message and EventCode along with Count for Event Code 4628. That is the kind of result we want displayed, but it should happen only when we click the EventCode in the column chart of the existing dashboard. Example:

index=windows host=* source=WinEventLog:System EventCode=4628 Type=Error OR Type=Critical | stats count by host source Message EventCode | sort -count | head 10

So kindly let me know how to achieve this requirement in a dashboard format.
Already done. System paths are monitored, but no file is ingested. I think this is a security feature to exclude direct access to "/".

Monitored Directories:
/...
/.autorelabel
/afs
/bin
/boot
/boot/.vmlinuz-5.14.0-284.11.1.el9_2.x86_64.hmac
/boot/.vmlinuz-5.14.0-284.30.1.el9_2.x86_64.hmac
/boot/config-5.14.0-284.11.1.el9_2.x86_64
/boot/config-5.14.0-284.30.1.el9_2.x86_64
/boot/efi
/boot/grub2
/boot/initramfs-0-rescue-d264ca908f764f5191a3c479f3e6f4bc.img
/boot/initramfs-5.14.0-284.11.1.el9_2.x86_64.img
/boot/initramfs-5.14.0-284.11.1.el9_2.x86_64kdump.img
/boot/initramfs-5.14.0-284.30.1.el9_2.x86_64.img
/boot/initramfs-5.14.0-284.30.1.el9_2.x86_64kdump.img
/boot/loader
/boot/symvers-5.14.0-284.11.1.el9_2.x86_64.gz
/boot/symvers-5.14.0-284.30.1.el9_2.x86_64.gz
/boot/System.map-5.14.0-284.11.1.el9_2.x86_64
/boot/System.map-5.14.0-284.30.1.el9_2.x86_64
/boot/vmlinuz-0-rescue-d264ca908f764f5191a3c479f3e6f4bc
/boot/vmlinuz-5.14.0-284.11.1.el9_2.x86_64
/boot/vmlinuz-5.14.0-284.30.1.el9_2.x86_64
/dev
/dev/almalinux
/dev/block
/dev/bsg
/dev/cdrom
/dev/char
/dev/core
/dev/cpu
/dev/disk
/dev/dma_heap
/dev/dri
/dev/fd
/dev/hugepages
/dev/initctl
/dev/input
/dev/log
/dev/mapper
/dev/mqueue
/dev/net
/dev/pts
/dev/rtc
/dev/shm
/dev/snd
/dev/stderr
/dev/stdin
/dev/stdout
/dev/vfio
/etc
/home
/lib
/lib64
/media
/mnt
/proc
/proc/acpi
/proc/bus
/proc/dma
/proc/fb
/proc/fs
/proc/irq
/proc/keys
/proc/kmsg
/proc/net
/proc/sys
/proc/tty
/root
/run
/sbin
/srv
/sys
/This_is_Just_A_Test
/usr

This can also be guessed from the "/This_is_Just_A_Test" path, which contains many .txt files. With "/..." they are skipped; with the explicit stanza

[monitor:///This_is_Just_A_Test]

they are ingested. I really think it's a security feature to prevent "/" from being fully accessed.
@mochocki @jkat54 @kiran_panchavat need your assistance here.
I shouldn't think so. I'd expect it rather to be a permissions/SELinux issue or something like that. Do splunk list monitor and splunk inputstatus.
Hi @ITSplunk117, it seems that you have some inconsistency in the data files. Open a ticket with Splunk Support, sending them a diag of this indexer. Ciao. Giuseppe