The missing one will be the one that is only on one of the indexers. What to do - well, it will depend on the reason for the bucket not being properly replicated.
Hi @bhall_2, there are two forwarders: the Splunk Universal Forwarder (UF) and the Splunk Heavy Forwarder (HF). (The old legacy forwarder is called the Splunk Light Forwarder.) Maybe if you could give us more details about the requirement (more details about "you can control through biometrics the flow of data"), we can suggest something better. Thanks. Best regards, Sekar
Hi @dm2, the SPL looks good and is working fine as well (as per the image). The trigger condition says the result is greater than 4, and the image shows a result of 1, so the trigger condition was not triggered. Are you saying that when the result is greater than 4 the trigger condition still does not trigger?
Hi @mtrochym, could you please check these: https://splunkbase.splunk.com/app/2878/ https://splunkbase.splunk.com/app/3525/ https://github.com/splunk/slack-alerts
Hi All, I am fetching dashboards using the REST command | rest /servicesNS/-/-/data/ui/views Not all the dashboards returned by this command are visible in the Splunk UI. Can anyone help me understand why this is happening? Regards, PNV
I was wondering if I can send a Splunk alert directly to an individual in Slack. I know I can @mention them in a channel with their <@slackid> etc., but I am looking to send an alert directly to an individual (or individuals) from Splunk, instead of sending it to a channel. Something like: or? (Neither works.) Thanks.
| stats count dc("File Name") as "File Name Count" first(_time) as _time, values(host) as host, values("File Type") as "File Type", values(Policy) as Policy, values(SHA256) as SHA256, values("Block Reason") as "Block Reason", values(Blocked) as Blocked by "File Name"
@PickleRick I am getting the issues below while executing your suggested command "splunk list inputstatus". Can you please tell me what issue you can see by referring to the screenshot below?
Hi @dm2, please share your search in text mode, otherwise it's more difficult to help you. You can insert the text using the "Insert/Edit code sample" button. Ciao. Giuseppe
Hi @bhall_2, are you speaking of Edge Processor? If yes, you can find documentation at https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/EdgeProcessor/AboutEdgeProcessorSolution Ciao. Giuseppe
I have this rule; I need it to trigger when the result / count of events is greater than 4, but the "Trigger Condition" did not work. Is there something I can add to the query?
Honestly, I have no idea what you are talking about. Could you elaborate a bit more on what such a thing would do? Maybe it's possible to implement it using existing components. Or maybe it's simply impossible. But to answer such a question it's necessary to understand it first.
Unfortunately, at the moment Splunk cannot automatically extract structured data if it's not the whole event (as in your case, where the JSON part is preceded by a non-JSON header). There is an open idea for that: https://ideas.splunk.com/ideas/EID-I-208 So far you can either parse the JSON part at search time with the help of the spath command, as @VatsalJagani already showed, or cut away the header part using SEDCMD or INGEST_EVAL (possibly extracting indexed fields if needed prior to removing the non-structured part). As a side note, you should _not_ use the _json sourcetype. Define your own.
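To make the SEDCMD / INGEST_EVAL route in the answer above concrete, here is an added example; it is not code from the thread, from @VatsalJagani's earlier reply, or from Splunk's documentation. It assumes a hypothetical sourcetype `app:json_with_header` whose events are a syslog-style header followed by a JSON body; the sourcetype name, the header shape, the regexes and the sample event are all assumptions.

```ini
# props.conf  (added example; sourcetype name, regexes and sample event are assumptions)
#
# Constructed sample event for this sourcetype:
#   2024-01-15T10:22:03Z host01 app[1234]: {"user":"alice","action":"login","ok":true}
# A non-JSON header precedes the JSON body, so Splunk's automatic JSON
# extraction does nothing on the raw event as ingested.

[app:json_with_header]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20

# Option 1: strip everything before the first "{" at index time, so _raw is
# stored as pure JSON and search-time auto-extraction (KV_MODE = json) works.
# The header itself is lost; keep it in a separate sourcetype if you need it.
SEDCMD-strip_header = s/^[^{]*(\{.*\})\s*$/\1/
KV_MODE = json

# Option 2 (use instead of the SEDCMD line when a header field must survive):
# capture the header host as an indexed field first, then drop the header from
# _raw. INGEST_EVAL expressions are assumed to be evaluated left to right, so the
# header_host assignment runs before _raw is rewritten.
# TRANSFORMS-strip_header = json_header_to_indexed_fields

# transforms.conf
# [json_header_to_indexed_fields]
# INGEST_EVAL = header_host=replace(_raw, "^\S+\s+(\S+)\s.*$", "\1"), _raw=replace(_raw, "^[^{]*(\{.*\})\s*$", "\1")

# Search-time alternative (no config change, as in the spath suggestion above):
#   sourcetype=app:json_with_header
#   | rex field=_raw "(?<json_part>\{.*\})\s*$"
#   | spath input=json_part
```

Option 1 is the simplest when the header carries nothing you need; option 2 costs an indexed field per event but keeps the host from the header available for filtering. Both require the events to land in your own sourcetype rather than `_json`, as the answer notes, because the stanza is what ties these settings to the data.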
You have a search element within a search element. If you look at https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/PanelreferenceforSimplifiedXML#search, a search element is not allowed as a child of a search element.
It's not all that's at play here, but you're creating a whole lot of files (you could just create a key with the -nodes option to have it non-encrypted), and your config apparently points to splunk.key, which, judging by the sequence of commands, is encrypted. As a side note, putting your private key into an app is not necessarily the most secure thing to do.