https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/EmailNotificationTokens Here you have what tokens you can use. I assume you want the same saved search config on both environments so result-based tokens are also a no-no. So you're limited to $server.serverName$ I think
1. We can't answer sales questions. Only sales people can do that reliably. Obviously the answer to sales questions will depend heavily on the size of what you'd be talking about. And quite frankly, 6GB/day is not a very big license. 2. Even if they were willing to split, remember that even Splunk Free is relatively "big" compared to what you're trying to get. 3. What might be most reasonable is to install your license on a license manager, split your license into separate stacks and connect your license peers to that LM so that you manage all your indexers from a single entitlement.
Putting the maxspan option in does work for the one particular event where the start/stop events happen at the same time. The next issue that comes up is that there are around 80 "transactions" that I am monitoring that can have a duration of over an hour. The only way I can think of making this work is to have two different transaction creation lines inside of a case statement? One with the maxspan and one without, depending upon a job name that I am extracting earlier in my code... Is that possible, or do you have any other ideas/suggestions?
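The pairing logic the question above is after (one span limit for short jobs, a longer one for the ~80 long-running jobs, while still keeping orphans) can be written down outside SPL to check what the expected output should look like. The Python below is an added example, not code from the thread; it mirrors what `transaction keeporphans=true host aJobName startswith=... endswith=... maxspan=...` does, except that the span is looked up per job name. The job names, the per-job span table and the sample events are constructed for the example; SPL's `maxspan` is a single value, so this shows the intended pairing behaviour, not a new SPL syntax.

```python
from datetime import datetime, timedelta

# Boundary markers taken from the transaction command in the thread.
START_MARK = "START of script"
END_MARKS = {"COMPLETED OK": "OK", "ABORTED, exiting with status": "ABORTED"}

# Constructed sample events (not from the thread): (timestamp, host, aJobName, message).
SAMPLE_EVENTS = [
    ("2024-01-01 08:00:00", "hostA", "nightly_backup", START_MARK),
    ("2024-01-01 09:15:00", "hostA", "nightly_backup", "COMPLETED OK"),
    ("2024-01-01 10:00:00", "hostA", "health_check", START_MARK),
    ("2024-01-01 10:00:00", "hostA", "health_check", "COMPLETED OK"),
    ("2024-01-01 10:05:00", "hostA", "health_check", START_MARK),
    ("2024-01-01 11:30:00", "hostA", "health_check", "ABORTED, exiting with status 2"),
]

# Hypothetical per-job span table: long-running jobs get a generous span,
# everything else falls back to the default (maxspan=0, as in the thread).
MAXSPAN_BY_JOB = {"nightly_backup": timedelta(hours=2)}
DEFAULT_MAXSPAN = timedelta(0)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def _end_status(message):
    for prefix, status in END_MARKS.items():
        if message.startswith(prefix):
            return status
    return None


def _orphan(host, job, when, message):
    # keeporphans=true equivalent: the unmatched event is emitted, not dropped.
    return {"host": host, "job": job, "status": "orphan", "time": when, "event": message}


def build_transactions(events, maxspan_by_job, default_maxspan=timedelta(0)):
    """Pair START/END events per (host, job) with a per-job maximum span.

    Returns closed transactions (with duration_s) and orphan records in the
    order they are resolved.
    """
    out = []
    open_starts = {}  # (host, job) -> datetime of the pending START
    for ts, host, job, message in sorted(events, key=lambda e: _parse(e[0])):
        t = _parse(ts)
        key = (host, job)
        if message.startswith(START_MARK):
            if key in open_starts:  # a second START before any END: orphan the first
                out.append(_orphan(host, job, open_starts[key], START_MARK))
            open_starts[key] = t
            continue
        status = _end_status(message)
        if status is None:
            continue  # not a boundary event for this transaction
        span = maxspan_by_job.get(job, default_maxspan)
        start = open_starts.pop(key, None)
        if start is not None and t - start <= span:
            out.append({"host": host, "job": job, "status": status,
                        "start": start, "end": t,
                        "duration_s": int((t - start).total_seconds())})
        else:
            # END arrived too late (or with no START): both sides become orphans.
            if start is not None:
                out.append(_orphan(host, job, start, START_MARK))
            out.append(_orphan(host, job, t, message))
    for (host, job), start in open_starts.items():
        out.append(_orphan(host, job, start, START_MARK))
    return out


if __name__ == "__main__":
    for txn in build_transactions(SAMPLE_EVENTS, MAXSPAN_BY_JOB, DEFAULT_MAXSPAN):
        print(txn)
```

With the constructed events, the 75-minute backup closes because its job-specific span is two hours, the zero-duration health check closes under the default span of 0, and the 85-minute health check run is emitted as two orphans rather than as a false "ABORTED" transaction. In SPL the same outcome needs either two `transaction` commands over disjoint job subsets (one with `maxspan`, one without) combined afterwards, or a post-filter on `duration` against a per-job threshold.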
It's possible the policy has changed over the years. Again, the account team should be your source for answers to license questions. Specifically ask them if Support will further divide the license.
I recently received CA certificates from my Organization's PKI team. In the CSR, I provided the server hostname in CN and SAN, and hence when I am accessing the GUI using the hostname the connection is secure. But when I access it with the IP, it is not secure. So, do I need to provide the IP in the SAN? Is there an alternate way, so that the browser should only be able to access hostname:8000 and not IP:8000? Please pour in your suggestions.
Have you tried using the maxspan option to limit how far apart the startswith and endswith events can be? | transaction keeporphans=true host aJobName startswith=("START of script") endswith=("COMPLETED OK" OR "ABORTED, exiting with status") maxspan=0
Is there a way to give a user read-only access to only a specific dashboard on Splunk ES such as the Executive Summary dashboard? Any assistance would be greatly appreciated! *Edit Sorry we have the user role and user created but we are unable to restrict it to a single dashboard, we can specify an app such as ES but have been unsuccessful in getting a default dashboard set. When you land on ES there is the "Security Posture" "Incident Review" "App Configuration" etc settings. Would it be possible to change one of these from "Security Posture" to "Executive Summary" so that way they are just a click away from the appropriate dashboard? Thank you!
Thank you @richgalloway. Our sales rep said that if we buy a 5GB/day or 6GB/day license, the smallest they (the sales department) will divide that is into 1GB/day license chunks. However, I know for a fact that a Splunk support ticket can be submitted to divide an existing license into smaller than 1GB/day chunks. So I'm just trying to reconcile these two different sources: does the sales department have a different set of rules they follow; and does the Splunk customer support have different rules for this? Has anything changed since I last divided a license many years ago?
I have Heavy Forwarders that are running on Windows and Linux servers that still need to be monitored. Are there best practices for what to and not to log from a Heavy Forwarder? For example, can I take my default Windows inputs.conf file from my Universal Forwarders and apply it to my Heavy Forwarders or will this cause a "logging loop" where the Heavy Forwarder is logging itself logging? I am completely guessing but maybe I could copy over my UF inputs.conf file but disable the wineventlog:application logs? What would be the equivalent on a Linux HF?
Cisco does not own Splunk, yet. The community is unlikely to have a better answer than Sales or fezzes. Your account team should have the answer for you or be able to get it.
Apologies, I didn't realize it got posted in "Getting Data In". Well, I have data already in Splunk and am trying to create a custom alert to trigger an email to a DL when the condition is met. But I don't have an env field in either the DEV or PROD data. When I create the alert with subject DEV $name$, the admin team deploying the same code to PROD says that they want to keep the same code across all envs. I'm getting the alert as "DEV myAlert" in PROD. So I'm checking if there is a way to implement this just by including the token??
Hello, I'm looking to buy a single 5GB/day or 6GB/day Splunk Enterprise license and then divide that license up into about 30 smaller licenses for my different production use cases. Are there any limits to the license divisions from Splunk support? As in, will Splunk support limit the number of times I can divide a license - can I divide my 5GB license into 30 smaller licenses or is there a limit to how many divisions they'll do? Relatedly, is there a limit to how small (in terms of daily ingestion) they'll divide my smaller licenses into? For example, I have a few production standalone instances where I would only require 60MB/day for licensing... I've heard mixed answers to this license division question - from Splunk sales reps and Fezzes, so I'm not sure what the truth is anymore, especially now that Cisco owns Splunk. Thank you.
1. You posted it in the "Getting data in" section which deals with... well, getting data into Splunk. But you're talking about alerts. Do you want to ingest alerts into Splunk or are you talking about something else? 2. If by any chance you're talking about triggering alerts within Splunk by means of a saved search and alert actions - are you talking about a custom alert action or just a standard action (which one?) just triggered on different environments?
Hello, I'm trying to create an alert in the DEV environment to include "DEV" in the subject, something like Splunk Alert: DEV - MyAlert. I can't hardcode this since we deploy the same alert to PROD through GIT and we can't make corrections to the code. So I'm looking for something like (Splunk Alert: $env$ - $name$) if there is a way to implement this. My Splunk Cloud URLs: DEV: xydev.splunkcloud.com PROD: xyprod.splunkcloud.com
I also tried this for my search: source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=* I received this message: No results found. Try expanding the time range.