Version 3.15.0
Hi there! How are you doing? Our FIM tool is detecting modifications to the /etc/passwd file by the splunkfwd user found on some of our critical Linux servers for our operation with Splunk Universal Forwarder installed. Do you know if this behavior is correct? Shouldn't it be modifying /opt/splunkforwarder/etc/passwd? Thank you very much! Regards, Juanma

PS: when echoing $SPLUNK_HOME it appears to be blank for other users, but the tool is sending logs correctly to SplunkCloud
thank you - this would work as well: we are now going to let the old data fall out of the dashboard and be updated with data from the new DUO site. You can have data ingested from multiple DUO APIs in the dashboard concurrently, so we have visibility from both sites on the same dashboard, but consolidated. Appreciated!
Great solution - I like how it also takes out need for subsearch Thank you!!
Great way to sanity check - didn't think of this till you mentioned it. Ty!!
hi @richgalloway  Do I have to change the app name or the folder name, or both?
Assuming you've verified 12 indexers can handle both the indexing and search loads, then you just need to remove 12 indexers.

1. Remove 12 indexers from outputs.conf on all instances. Ideally, you have this in an app so you can make the change once and push it to where it is needed (SHs, forwarders, DS, MC, CM, LM). If you've implemented Indexer Discovery then you can skip this step.

2. Put the 12 indexers into manual detention. This will keep them from accepting new data or replicated buckets.
splunk edit cluster-config -auth <username>:<password> -manual_detention on

3. Run this command on each indexer being removed.
splunk offline --enforce-counts
Wait for the indexer to stop before proceeding to the next.
Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.
Yes, that is what I am trying to do, and I obviously have the host. Is there a way to extract this out of the event to add to the alert?

Jan 4 13:07:57 HOST 1 2024-01-04T13:07:57.085-05:00 somenumber-somename-ks-srx rpd 2188 JTASK_SIGNAL_INFO [junos@2636.1.1.1.2.133 message-name="INFO Signal Info: Signal Number = " signal-number="1" name=" Consumed Count = " data-1="3"]

Thanks for all the help
Yes, it can handle it. Data volume has reduced, so there is no point in keeping 24 indexers.
This seems to be working, can you please explain how it worked? @ITWhisperer
Why do you want to reduce the number of indexers?  What problem are you trying to solve?  Can 12 indexers handle the workload currently done by 24 indexers?
Hi Team, I need to decrease the number of indexers used by half. In my current configuration the site replication factor is 5 in total with origin:3, and the site search factor is defined as 3 in total with origin:2. My total number of indexers is 24 and I want to decrease the count of indexers to 12. I want to have the complete process of reducing the indexer cluster size so that the buckets which have site information will not be impacted.
I tried the syntax below, but it's matching the entire line and I want only the "ID" value: /(?<ID>\w+)_ETC_RFG
Yes. But.

1. As this is a metadata search for hosts only, you'd have to search across all your indexes - you have no indication of which index that event is in.

2. It'd be a very ugly and resource intensive search spawning a possibly huge number of subsearches. It's a good way to overstress your Splunk environment. That's why the map command is considered a risky command and not enabled for ordinary users by default.

But in general I think you're trying to solve a completely different problem here. The issue of finding hosts which stopped reporting was tackled many times already and there are even specific apps for this - like TrackMe - https://splunkbase.splunk.com/app/4621
OK. How old is your DBConnect app version (what version is it)?
Would there be a way to search for the first host not reporting and see the most recent event and create an alert on that, and do it for the second and the third and so forth?
https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/TypesofSplunklicenses#Other_types_of_licenses

[...]

Free license

The Free license allows a completely free Splunk Enterprise instance with limited functionality and license usage. The following important points apply to the Free license:

The Free license gives access to a limited set of Splunk Enterprise features.
The Free license is for a standalone, single-instance installation of Splunk Enterprise only.
The Free license cannot be stacked with other licenses.
The Free license does not expire.
The Free license allows you to index 500 MB of data per day. If you exceed that you will receive a license warning.
The Free license prevents searching if there are a number of license warnings. To learn about license warnings and violation, see What happens during a license violation?
For a list of features that are disabled in Splunk Free, see About Splunk Free.

[...]

So while it doesn't impose any limits on commercial vs. non-commercial use, the features that are disabled make it very challenging for production use of any kind. While in some scenarios you could probably get away without scheduled searches, the lack of ability to create users would probably disqualify the free license in all my use cases.
Not in this search. Remember that at each pipe you get only the results from the preceding commands. So if the metadata command gives you just some, well, metadata, you don't have any events. You'd need to either run a very wide search and do stats latest(_raw) by host, which is not a very good idea, or use this one as part of a subsearch to generate time-limiting conditions, or pass this through the map command. None of these solutions is very pretty.
Same problem here! Have you found a solution to fix this problem?