When you have more than two nodes in one site, it's not needed that all nodes have exactly the same amount of buckets. Actually, it's an almost normal situation that those are different when you have more nodes than your RF is.
This seems to be a bug on that dashboard. There shouldn't be any fixed days; instead it should offer a time picker for you to select the needed time span and then use it. Probably the easiest way is just to create your own dashboard with a time picker and fix it that way? Please also create a support case for it, as Splunk should have a dashboard which shows those statistics based on their current license policy/model.
One comment. User creation happened just when installing with the package manager. If you are using the tar package you must create those users yourself if you want to use them.
I can get the result with 60 days without changing index retention. I do not know why. But I have to change the -30 days to -60 days in a Splunk-owned form that does not allow editing. Guess I will keep this in mind and see if Splunk will change anything in the coming versions. Best regards, Altin
Hi @jeradb, you could use a regex, not an eval command, like the following: | rex "User Name: (?<User_Name>[^ \n]+)" You can test this regex at https://regex101.com/r/gJ0I26/1 But only one question: did you install the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742)? Using this add-on you should already have this field extracted without using a custom regex. Ciao. Giuseppe
LogName=Application
EventCode=1004
EventType=4
ComputerName=Test.local
User=NOT_TRANSLATED
Sid=S-1-5-21-2704069758-3089908202-2921546158-1104
SidType=0
SourceName=RoxioBurn
Type=Information
RecordNumber=16834
Keywords=Classic
TaskCategory=Optical Disc
OpCode=Info
Message=Date: Wed Feb 28 14:22:59 2024
Computer Name: COM-HV01
User Name: Test\test.user
Writing is completed on drive (E:). Project includes 0 folder(s) and 1 file(s).
Volume Label: 2024-02-28
Volume SN: 0
Volume ID: \??\Volume{b282bf1c-3dde-11ed-b48e-806e6f6e6963}
Type: Unknown
Status Of Media: Appendable,Blank,Closed session
Files: C:\ProgramData\Roxio Log Files\Test.test.user_20240228142142.txt SHA1: 7c347a6724dcd243d396f9bb5e560142f26b8aa4
File System: None
Disc Number: 1
Encryption: Yes
User Password: Yes
Spanned Set: No
Data Size On Disc Set: 511 Bytes
Network Volume: No
How would I write an eval command to extract User Name (without domain), Status Of Media, Data Size On Disc Set, and Files from the field Message?
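As an added example (not code from either post), the same extraction done in Python with line-anchored regexes of the kind the rex command above uses, including dropping the DOMAIN\ prefix from User Name; the Message text is constructed from the event in the question. One caveat it shows: `[^ \n]+` would cut the Files value at the first space because the path contains spaces, so that field is matched to end of line and the trailing SHA1 is split into its own field.

```python
import re

# Constructed sample input: the Message field of the RoxioBurn event quoted in the question.
MESSAGE = (
    "Date: Wed Feb 28 14:22:59 2024\n"
    "Computer Name: COM-HV01\n"
    "User Name: Test\\test.user\n"
    "Writing is completed on drive (E:). Project includes 0 folder(s) and 1 file(s).\n"
    "Volume Label: 2024-02-28\n"
    "Files: C:\\ProgramData\\Roxio Log Files\\Test.test.user_20240228142142.txt "
    "SHA1: 7c347a6724dcd243d396f9bb5e560142f26b8aa4\n"
    "Status Of Media: Appendable,Blank,Closed session\n"
    "Data Size On Disc Set: 511 Bytes\n"
    "Network Volume: No\n"
)

# One regex per field, each anchored to the start of its line (re.M) like a rex extraction.
# User_Name keeps the [^ \n]+ from the rex example; an optional DOMAIN\ prefix is consumed
# outside the capture group so only the bare account name is kept.
# Files uses [^\n]+? instead of [^ \n]+ because the path contains spaces
# ("Roxio Log Files"); the trailing " SHA1: <40 hex>" is captured separately.
FIELD_PATTERNS = {
    "User_Name": re.compile(r"^User Name: (?:[^ \\\n]+\\)?(?P<User_Name>[^ \n]+)", re.M),
    "Status_Of_Media": re.compile(r"^Status Of Media: (?P<Status_Of_Media>[^\n]+)", re.M),
    "Data_Size_On_Disc_Set": re.compile(
        r"^Data Size On Disc Set: (?P<Data_Size_On_Disc_Set>[^\n]+)", re.M),
    "Files": re.compile(
        r"^Files: (?P<Files>[^\n]+?)(?: SHA1: (?P<SHA1>[0-9a-fA-F]{40}))?$", re.M),
}


def extract_fields(message: str) -> dict:
    """Return the requested fields from a RoxioBurn Message; fields not present are omitted."""
    out = {}
    for pattern in FIELD_PATTERNS.values():
        m = pattern.search(message)
        if m:
            # groupdict() also yields the SHA1 sub-field captured by the Files pattern
            out.update({k: v.strip() for k, v in m.groupdict().items() if v is not None})
    return out


if __name__ == "__main__":
    for name, value in extract_fields(MESSAGE).items():
        print(f"{name}={value}")
```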
When trying to run the ML demos on my MacBook M2 running Splunk in a Docker environment, I get the following error in the middle of the display: Error in 'fit' command: Failed to find Python for Scientific Computing Add-on (Splunk_SA_Scientific_Python_linux_x86_64). After having installed both the Linux x64 one (yes, it also runs fast in Rosetta 2) and the mac_Silicon one and restarted the server, the error still remains. Any help appreciated. Thank you
@Nawab, please try the below: https://docs.splunk.com/Documentation/ES/7.3.0/Admin/CustomizeIR In the Splunk Enterprise Security app, select Configure. Select General and then select General Settings. Go to the Enhanced Incident Review workflow panel. Select Turn off.
When I navigate to Settings > Tokens, I get this error message: KVStore is not ready. Token auth system will not work. Splunk logs show this:
ERROR JsonWebToken [233289 TcpChannelThread] - KVStore is not ready. Token auth system will not work.
ERROR KVStoreConfigurationProvider [233052 KVStoreConfigurationThread] - Failed to start mongod on first attempt reason=KVStore service will not start because kvstore process terminated
ERROR KVStoreBulletinBoardManager [233053 MongodLogThread] - KV Store changed status to failed. KVStore process terminated..
How can this be fixed?
Hi, @yuanliu! Thanks for your reply and clue. I have no spare instance right now, but I've exported the contents of this KV Store time-based lookup into a CSV file, reconfigured the lookup definition to use that CSV, and now it works. Looks like the problem is related only to KV Store time-based lookups. So this particular problem is solved, but I'd like to know if such behavior is expected with KV Store lookups or it is some bug or my misconfiguration. My deployment is Splunk Enterprise 7.2.6 with MongoDB.