Hello, I'm looking to buy a single 5GB/day or 6GB/day Splunk Enterprise license and then divide that license up into about 30 smaller licenses for my different production use cases.  Are there any limits to the license divisions from Splunk support?  As in, will Splunk support limit the number of times I can divide a license - can I divide my 5GB license into 30 smaller licenses or is there a limit to how many divisions they'll do?  Relatedly, is there a limit to how small (in terms of daily ingestion) they'll divide my smaller licenses into?  For example, I have a few production standalone instances where I would only require 60MB/day for licensing... I've heard mixed answers to this license division question - from Splunk sales reps and Fezzes, so I'm not sure what the truth is anymore, especially now that Cisco owns Splunk. Thank you.
1. You posted it in the "Getting data in" section which deals with... well, getting data into Splunk. But you're talking about alerts. Do you want to ingest alerts into Splunk or are you talking about something else?
2. If by any chance you're talking about triggering alerts within Splunk by means of saved search and alert actions - are you talking about a custom alert action or just a standard action (which one?) just triggered on different environments?
Well, permissive selinux should not interfere with anything. So that's one less thing to worry about.
Hello, I'm trying to create an alert in the DEV environment to include "DEV" in the subject, something like Splunk Alert: DEV - MyAlert. I can't hardcode this since we deploy the same alert to PROD through GIT and we can't make corrections to the code. So I'm looking for something like (Splunk Alert: $env$ - $name$) if there is a way to implement this.
My Splunk Cloud URLs:
DEV : xydev.splunkcloud.com
PROD : xyprod.splunkcloud.com
Can you please help to extract Receiver_ID also, how should I regex it?   Receiver_ID ='Thermo Fisher Sci West Palm Beach' TxnType=
I also tried this for my search:
source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=*
Received this for a message: No results found. Try expanding the time range.
Sharing is specified in default.meta rather than in .conf files. To make a search global, use settings like these:
[savedsearches/<<URL-encoded search name>>]
export = system
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "index-name">source. The search job has failed due to an error. You may be able to view the job in the
Thanks for the help!  Do you have an example of what it looks like to share a search globally? I've read lots of forum posts and Splunk Docs but haven't gotten a clear answer on how to configure this in the .conf file.
I'm trying to make it so any search on my KV store will be filterable by the timepicker. So if I were to search |inputlookup {collection_name} I would get back all the entries from my collection based on the selected time range.  Are you saying that since it's a KV store I'll need to include time constraints in each query to make this work? 
I really appreciate the suggestion. You do seem to get what I'm after, though the mvcount(indexes) returned no results. It seems so simple to me conceptually, but finding it very frustrating to try and wrap my head around "how splunk does it". I'm trying to include just the InstanceIds seen in both indexes while keeping the rest of the values from ResourceId in index=main. Index=main contains many different values in ResourceId (some of which are instance IDs). Index=other has a field called InstanceId.
This works, but I am not sure how to filter the MV index results (where mvcount(index)=2 did not work):
(index=main ResourceId=i-*) OR (index=other type=instance earliest=-2h) | eval InstanceId=coalesce(ResourceId, InstanceId) | stats values(index) as index by InstanceId
I've tried to use if/match, which sounds like it is exactly what I need, but it looks like you can't specify dynamic values for the match.
(index=main ResourceId=i-*) OR (index=other type=instance earliest=-2h) | eval InstanceId=if(match(ResourceId, InstanceId, ResourceId, "null")) | stats values(index) as index by InstanceId
@AL3Z - Search for "lateral" on this website - https://research.splunk.com/ (ES Content Update App) and you will find some common use-case along with details.   I hope this helps!!!
@xathviar - FYI, there is an idea already someone submitted - https://ideas.splunk.com/ideas/EID-I-1704 and it's under development, which means you may see it as a core feature of Splunk in the near future. I hope this helps!!!
Sender_ID is present in the log line:
2024-02-16 09:55:41:829 EST| INFO |InterfaceName=USCUSTOMERPO POCanonical_JSONHttpDataProcess=END JSON data successfully processed to Order Processor application for TxID=20240216095535623-0EEu Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2550 Status=Success
I have updated the query but still the value is truncated at the space:
InterfaceName=USCUSTOMERPO Status=Success OR Status=Failure | eval timestamp=strftime(_time, "%F")|chart limit=30 dc(TxID) over Sender_ID by timestamp|rex "Sender_ID=(?<Sender_ID>.+)\s"
index=<index-name> source="WinEventLog:Application" EventCode=* user=*   Also, please mention the specific error that you are getting, so we can help!!
I have installed the Onelogin TA and there is a sourcetype parser from that TA that has taken over everything and it is jacking the logs up (onelogin:user). Anybody know why this is happening, and how I can prevent this? 
Right, @Tron-spectron47 - more details would be needed to say whether you are referring to the transaction search command or anything else. Also, what do you mean by specifying index and source??
Quick update: I manually removed '.DS_Store' from the etc/users directory and could then start. I'm not sure why this issue keeps coming up but that's at least an easier fix than reinstalling.
@Iris  - I have also never done it myself but I have thought of it a couple of times. I think a more widely known option is Selenium for web application testing. You can try that.   I hope this helps!!!
One more option is to connect other Splunk machines as clients of the deployment server to deploy these apps. * This is something people follow as practice; I don't find it helpful as it creates so much confusion managing apps and upgrading them. A good option is automation (e.g. Ansible) if you have it in place, or doing it manually.