All Posts

Hi @PickleRick and @isoutamo, thank you for your hints, this is the new transforms.conf:

[relay_hostname]
REGEX = (/var/log/remote/)([^/]+)(/.*)
FORMAT = relay_hostname::$2
WRITE_META = true
#DEST_KEY = relay_hostname
SOURCE_KEY = MetaData:Source
REPEAT_MATCH = false

I tried with your hints but they don't run, what could I try again? Ciao. Giuseppe
Only the file authentication.conf is used. The other one - with a different extension - is not used (which should be shown in the output of the command @isoutamo provided). Splunk only uses files with the exact name needed, not with some additional prefixes or suffixes (but they can be in various directories from which they are "layered" onto each other according to the precedence rules: https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Wheretofindtheconfigurationfiles). Why your authentication doesn't work though - we don't know. Not enough information. Look in your logs, look in your authentication server (LDAP?) logs. That might shed some light on the reasons.
I’m sorry, I should’ve been more specific. The files don’t have the same name: one is called authentication.conf and the other one authentication.conf_2. I have updated the binddnpassword in the authentication.conf file and rebooted the server; the password got hashed but I’m still not able to log into Splunk.
Actually I am looking for a query on a scenario where there are a few instances on my hosts and they went down. Eventually there were no logs within 2 hrs, but we find that after 2 hrs the logs are captured. So if we find no logs coming from the server in the past 30 min, it should trigger an alert.
Hi, my old answer for this: https://community.splunk.com/t5/Splunk-Enterprise/Migration-of-Splunk-to-different-server-same-platform-Linux-but/m-p/538062 r. Ismo
One old post about this: https://community.splunk.com/t5/Alerting/How-to-detect-when-a-host-stop-sending-data-to-Splunk/m-p/563571
Hi All, I want a query to check and fire an alert when there are no logs from a server in the past 30 min. For example, we have different instances running on a host and I want an alert when there are no logs coming from the server in the past 30 min (because server instances are not running). So when we don't see any logs from the server in the past 30 min, the alert should notify that the server instances are stopped. Please help. Example event below:

3/1/24 12:26:07.000 PM   www 89589 0 0.0 00:00:02 0.1 51784 2151496 ? S 35:31 httpd -d_/sys_apps_01/apache/server20Cent/versions/server2.4.56_-f_/sys_apps_01/apache/server20Cent/conf/MTF.AEM.conf
host = www2stl52 source = ps sourcetype = ps
Hi Rajesh, thank you for the reply to the above doubt. I would also like to know what is the max number of volumes a machine agent can observe? I.e. if a server has, for example, 300 volumes/storage disks, will the machine agent be able to monitor them all, or does the limit end at around 50-60 volumes? Regards, Shashwat
Is the Splunk forwarder agent 9.2.0.1 supported on Amazon Linux 2023 x86/arm OS using the RPM file? I got an error while starting the splunk service:

tcp_conn_open_afux ossocket_connect failed with No such file or directory
tcp_conn_open_afux ossocket_connect failed with No such file or directory
tcp_conn_open_afux ossocket_connect failed with No such file or directory
Hi, why is my CIDR matching not following the lookup content? The query I used is as below:

| makeresults
| eval ip="10.10.10.10"
| lookup testip ip OUTPUTNEW description

The result should look like this:

ip           Description
10.10.10.10  New

But the real output looks like this:

ip           Description
10.10.10.10  New
             In Progress
             Closed

I have checked my lookup and it clearly states that the Description for IP range 10.10.10.10/27 is "New". Please help and thanks!
This helped; there were a few more errors in the Python which I fixed too. Thanks
Hi @asabatini, I think the problem is the named capturing groups in REGEX. Using named capturing groups will already create a field without a FORMAT parameter. You can try one of the options below.

Using named capturing groups in REGEX:

[group1]
REGEX = (?<group1>.+\s\-\s\-\s\-\s).*.auditID.:.(?<group2>[\w-]+)..*requestURI.:.(?<group4>[^,]+).+username.:.(?<group5>[^,]+).+sourceIPs....(?<group3>\d+.\d+.\d+.\d+)

Without named capturing groups in REGEX (FORMAT assigns the numbered groups to the same field names as the named version above):

[group1]
REGEX = (.+\s\-\s\-\s\-\s).*.auditID.:.([\w-]+)..*requestURI.:.([^,]+).+username.:.([^,]+).+sourceIPs....(\d+.\d+.\d+.\d+)
FORMAT = group1::$1, group2::$2, group4::$3, group5::$4, group3::$5
Thanks. Noted sir.
Glad you can work around this issue! Anyway, I always run a spare instance on my laptop for simple matters that can be emulated. You may consider the same. (You can also observe how versions may affect these.) I wish I had learned how to set up KV store on my laptop so I could help more. But KV Store vs. CSV files has no indication that time-based lookup should function differently. So you would have a support case, except 7 might be out of support.
That makes sense. I was wanting to create some additional fields for the output and was getting hung up on the usage of | stats, and had to switch it to | eventstats to retain the _raw data for the rest of the code after the stats/eventstats. You have helped me before, PickleRick, and always provide good info!!! Works like a charm, thanks again!

| rex field=_raw "Batch::(?<aJobName>[^\s]*)"
| eval aStatus=case(
    searchmatch("START of script"), "Start",
    searchmatch("COMPLETED OK"), "End",
    searchmatch("ABORTED, exiting with status"), "End",
    true(), null() )
| eventstats values(aStatus) as aStateList by aJobName
| where aStateList != "End"
|........
It would help to have a sample (sanitized) event to work with. Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try:

on\s(?<HostName>\S*)\sby Firewall Settings
It depends on what's wrong with it. Tell us more or contact Splunk Support.
I am getting an error when using the following regex:

(?<=on\s)(.*)(?=\sby Firewall Settings)

The error is: "Error in 'rex' command: regex="(?<=on\s)(.*)(?<HostName>.*)(?=\sby Firewall Settings)" has exceeded configured match_limit, consider raising the value in limits.conf." Is there a better way to do this? I am trying to find all text between "on " and " by Firewall Settings". It works in regex101.com, but I get that error in Splunk. TIA!
One way is using SEDCMD. Add this to the appropriate props.conf file:

[mysourcetype]
SEDCMD-rmJSONprefix = s/^[^\{]+?//
Hello all, I'm bringing data into Splunk as JSON but it's coming with bold text in front that throws off the JSON. Any suggestion on a regex to remove the bold text?

<165>Feb 29 19:06:30 server01 darktrace {"hostname":"ss-26138-03","label":"","ip_address":"10.21.32.88","child_id":null,"name":"age_alert-inaccessible_ui","priority":61,"priority_level":"high","alert_name":"Datatrace / Email: Inaccessible UI","status":"Resolved","message":"The UI is inaccessible, this could be the result of a misconfiguration or network error.","last_updated":1709233590.814423,"last_updated_status":1709233590.814423,"acknowledge_time":null,"acknowledge_timeout":null,"uuid":"1111114d-6e72-4029-8ac2-5d051be02ad5","url":"https://server01/sysstatus?alert=1481514d-6e72-4029-8ac2-5d051be02ad5","creationTime":1709233590814}
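An added example (written for this page, not code from either post) that replays the SEDCMD-style substitution from the answer above on a constructed event modelled on the one in the question, so you can check what a given prefix pattern actually removes before the JSON is parsed. It contrasts the lazy `^[^\{]+?` with a greedy `^[^\{]+`; the quantifier semantics are PCRE's, which Python's `re` shares for this construct.

```python
import json
import re
from typing import Optional

# Constructed sample event (values made up), shaped like the syslog-prefixed JSON in the question.
SAMPLE_EVENT = (
    '<165>Feb 29 19:06:30 server01 darktrace '
    '{"hostname":"ss-26138-03","priority":61,"status":"Resolved","child_id":null}'
)

# The expression from the SEDCMD answer: a lazy quantifier with no token after it.
LAZY_PREFIX = re.compile(r'^[^\{]+?')
# Greedy form: consume every non-'{' character from the start of the event.
GREEDY_PREFIX = re.compile(r'^[^\{]+')


def strip_prefix(event: str, pattern: re.Pattern) -> str:
    """Emulate s/PATTERN// : remove the first match of PATTERN at the start of the event."""
    return pattern.sub('', event, count=1)


def parse_json_payload(event: str) -> Optional[dict]:
    """Strip the syslog header greedily and parse what is left; None if it is not valid JSON."""
    body = strip_prefix(event, GREEDY_PREFIX)
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def compare_patterns(event: str) -> dict:
    """Return what each pattern leaves behind, plus whether that remainder parses as JSON."""
    out = {}
    for name, pat in (("lazy", LAZY_PREFIX), ("greedy", GREEDY_PREFIX)):
        remainder = strip_prefix(event, pat)
        try:
            json.loads(remainder)
            ok = True
        except json.JSONDecodeError:
            ok = False
        out[name] = {"remainder": remainder, "valid_json": ok}
    return out


if __name__ == '__main__':
    for name, info in compare_patterns(SAMPLE_EVENT).items():
        print(f"{name:6}: valid_json={info['valid_json']} starts with {info['remainder'][:24]!r}")
    print(parse_json_payload(SAMPLE_EVENT))
```

The lazy pattern strips only the leading `<` because nothing after `+?` forces it to consume more; the greedy form removes the whole header, but would also eat a header that itself contains a `{`, so check your real events with a search before relying on it.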