I have raw data like:
Error=REQUEST ERROR | request is not valid.|","time":"1707622073040"
and I want to extract "REQUEST ERROR | request is not valid." to a new field, so I try to use rex to match until |" with the query below, but it still only returns "REQUEST ERROR":
|rex field=_raw "Error\=(?<ErrDesc>[^|\"]+)"
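The behaviour in the post, reproduced as an added example (not code from the original post): Python's re engine stands in for Splunk's rex, the rex (?<name>...) group is written in Python's (?P<name>...) syntax, and the sample line is constructed from the raw data quoted in the question. It shows why the negated character class stops at the first pipe and what a pattern that stops at the two-character terminator |" returns instead.

```python
import re

# Constructed sample event, modelled on the raw data quoted in the post.
RAW = 'Error=REQUEST ERROR | request is not valid.|","time":"1707622073040"'

# The pattern from the post, with the rex (?<name>...) group written in
# Python's (?P<name>...) syntax. The negated class [^|"] cannot cross a pipe,
# so the capture ends at the pipe inside the message itself.
AS_POSTED = re.compile(r'Error=(?P<ErrDesc>[^|"]+)')

# Corrected pattern: capture lazily and stop at the two-character terminator
# |" rather than at any pipe. A pipe followed by a space stays in the capture.
FIXED = re.compile(r'Error=(?P<ErrDesc>.+?)\|"')


def extract(pattern, raw):
    """Return the ErrDesc capture of the first match, or None when rex would
    create no field at all."""
    m = pattern.search(raw)
    return m.group("ErrDesc") if m else None


def err_desc(raw):
    """Extract the full error description with the corrected pattern."""
    return extract(FIXED, raw)


if __name__ == "__main__":
    print(repr(extract(AS_POSTED, RAW)))   # 'REQUEST ERROR '
    print(repr(err_desc(RAW)))            # 'REQUEST ERROR | request is not valid.'
```

The equivalent rex, as I would write it in SPL, is `| rex field=_raw "Error=(?<ErrDesc>.+?)\|\""` (the trailing `\"` is the quote escaped inside the SPL string). A line with no `|"` terminator yields no field, which is the same as rex not matching; if the message text itself could ever contain `|"`, anchor on the JSON key that follows instead, e.g. `\|","time"`.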
I am trying to script the installation of the Mac Splunk Universal Forwarder package. The package is a disk image (.dmg). I understand that we can mount the image using hdiutil and access the volume to find the .pkg file. The issue is that when we attempt to run the installer pkg, the end user is prompted to answer dialog boxes, which we do not want to occur. Is there a switch to install the extracted pkg or dmg file silently, to install the app on a Mac OS machine?
Hello, I've upgraded the DB Connect app from version 3.** to 3.15 not long ago, and I could configure it without any issues. I've started to receive this error only recently. I'm also attaching the port-related message. I was also trying to downgrade the DB Connect app according to the instructions, but when I change from DONE to PENDING I see no difference; it's still 3.15.0.
Is it possible to use something like this: GitHub - okfse/sweden-geojson: Tiny GeoJSON files of Sweden's municipalities and regions, or this: GitHub - perliedman/svenska-landskap: Sveriges landskap som öppen geodata i GeoJSON (Sweden's provinces as open geodata in GeoJSON), with Splunk? If so, are there any manuals/instructions/blog posts etc. you could point me to describing how to achieve this? Best regards
Hello Ryan, thanks for the response. Just to note, we have already configured the database collector, and the link you shared is for achieving this configuration. However, we just want clarity on the points below.
1. Is the AppD DB agent capable of detecting ORA errors in Oracle DB?
2. If yes, can we detect the ORA-00600 error via the AppD DB agent?
Please let us know the process for this.
In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user, as was previously standard:
Resolution: For silent installation, a Windows universal forwarder from the command line using the LOCAL_SYSTEM account (which is not a security best practice) looks like below:
msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOMPASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet
by using the flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1
Hi @iainp, you could try something like this:
index="mydevices" logdesc="Something that speeds the search" earliest=-7d@d latest=now
| eval period=if(now()-_time<1800,"Last 30 minutes","Previous")
| stats
    dc(period) AS period_count
    values(period) AS period
    count
    BY devicename
| where period_count=1 AND period="Previous"
| table devicename
See my approach and adapt it to your use case. Ciao. Giuseppe
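The same detection logic as the search above, run over constructed sample events in Python as an added example (not code from the post or from Splunk). It mirrors the eval that labels each event "Last 30 minutes" or "Previous", the per-device stats, and the where clause that keeps devices whose only period is "Previous". NOW is a fixed reference time and EVENTS are constructed (timestamp, devicename) pairs; both are assumptions standing in for now() and the index.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible (the search uses now()).
NOW = datetime(2024, 2, 11, 12, 0, tzinfo=timezone.utc)

# Constructed events, (timestamp, devicename), standing in for the index.
EVENTS = [
    (NOW - timedelta(minutes=10), "fw-01"),  # still logging
    (NOW - timedelta(days=2),     "fw-01"),
    (NOW - timedelta(minutes=45), "fw-02"),  # went quiet 45 minutes ago
    (NOW - timedelta(days=3),     "fw-02"),
    (NOW - timedelta(days=9),     "fw-03"),  # before earliest=-7d@d: never a candidate
    (NOW - timedelta(minutes=5),  "fw-04"),  # only recent events: not flagged
]


def period(ts, now, window=timedelta(minutes=30)):
    """Mirror of: eval period=if(now()-_time<1800,"Last 30 minutes","Previous")."""
    return "Last 30 minutes" if now - ts < window else "Previous"


def silent_devices(events, now, lookback_days=7, window=timedelta(minutes=30)):
    """Devices seen since earliest=-7d@d whose only period value is "Previous".

    Mirror of: stats dc(period) AS period_count values(period) AS period BY devicename
               | where period_count=1 AND period="Previous"
    """
    # -7d@d snaps to midnight at the start of the day seven days back.
    earliest = (now - timedelta(days=lookback_days)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    periods = {}
    for ts, device in events:
        if ts < earliest or ts > now:  # earliest=-7d@d latest=now
            continue
        periods.setdefault(device, set()).add(period(ts, now, window))
    # dc(period)=1 and that single value is "Previous"
    return sorted(d for d, p in periods.items() if p == {"Previous"})


if __name__ == "__main__":
    print(silent_devices(EVENTS, NOW))  # ['fw-02']
```

Two edge cases worth knowing before scheduling this as an alert: a device whose events all fall inside the last 30 minutes (fw-04) is never flagged, and a device that stopped before the 7-day window (fw-03) drops out of the result entirely rather than being reported as silent, so widen earliest if you need to keep catching it.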
I have a number of devices that send logs to Splunk. I want to know when devices stop logging. For this example search:
index="mydevices" logdesc="Something that speeds the search" | top limit=40 devicename
How can I find "devicename"s that have logged in the last week but haven't logged in the last 30 minutes, if that makes sense? Iain.
And haven't you lately upgraded the app from an old version? If so, did you read https://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/MigratefromDBConnectv1
I already wrote this - You can't do anything about it yourself except for either updating the add-on (if possible) or asking the developer to fix it. Unless you want to dig into the app's code.
Your first search filters on SOC, your second search (first in appendcols) filters on SOC, your third search (first in join) filters on SOC - where would BDC come from? Either remove the filter to get all sites or use (site=SOC OR site=BDC) as your filters
Hi @bapun18, the number of indexers depends on the daily indexed volume, the number of scheduled searches and the number of active users. How many of them do you have? Can your reduced set of indexers manage your volume? In my opinion only a Splunk Architect can answer this question. Ciao. Giuseppe
Try something like this:
<input type="dropdown" token="timeperiod" searchWhenChanged="true">
<label>Select day</label>
<choice value="earliest=-1d@d latest=@d">Yesterday</choice>
<choice value="earliest=-7d@d latest=-6d@d">Last week</choice>
</input>
Then use the $timeperiod$ token in your first search.
Hi @briancronrath, as @richgalloway said, the License Manager, like the other Splunk management consoles, isn't a Single Point of Failure, because the infrastructure will continue to run even if the License Manager is down. You can eventually keep a powered-off copy in a disaster recovery site, in case the outage is longer, but it isn't mandatory. Ciao. Giuseppe
Hi @Gauri, in the dropdown list insert the following fixed choices:
earliest=-d@d
earliest=-w@w
then in the search use the dropdown token:
index="abc" sourcetype="Prod_logs" $token$ latest=now
| eval day=if(strftime(_time,"%Y-%m-%d")=strftime(now(),"%Y-%m-%d"),"Today","Previous")
| stats count(transactionId) AS TotalRequest BY day
Ciao. Giuseppe
You are not really giving us sufficient information. The rex command that @bowesmana provided extracts the alphanumeric and numeric parts as you asked. Your "table" doesn't identify what the columns are called. Are ETC and RFG fixed, non-varying constant strings? Do these need to be in separate fields in the table? Please clarify your requirement, although, tbh, you already appear to have been given a workable solution.