Hi, yes, I have already run set_permissions.sh on my forwarder but it didn't change anything. Do you have any other recommendation?
Use the depends option on the panel to control whether it is shown or not.

<panel depends="$t_entity$">
  ...
</panel>

The panel will be shown if the specified token has any value, which is not exactly what you're looking for. In this case, we want to set a different token if t_entity has a specific value.

<input token="t_entity" ...>
  ...
  <change>
    <condition value="C2V">
      <set token="show_panel">1</set>
    </condition>
    <condition>
      <unset token="show_panel" />
    </condition>
  </change>
</input>
...
<panel depends="$show_panel$">
  ...
</panel>
Hi @adrojis, did you run set_permissions.sh on your forwarder? You should have done it manually on the UF host:

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh

Install Splunk Add-on for Stream Forwarder
| rex field=result "\w:\\\\\w+\\\\\w+\\\\(?<myfield>[^\.]+)"
Thank you. Issue resolved after using base search. Was able to identify the issue.
Hi @selvam_sekar, I suppose that you are speaking of Classic Dashboards, not Dashboard Studio. Anyway, in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603) you can find an example (using CSS and JavaScript) to change the width of your panels. Ciao. Giuseppe
Hi @Muthu_Vinith, you should use a regex like the following:

| rex field=result "\w:\\\w+\\\w+\\(?<myfield>[^\.]+)"

that you can test at https://regex101.com/r/BYH1rP/1

Ciao. Giuseppe
Hey Experts, I'm new to Splunk and I'm trying to extract APP, WEB and MNOPQ from a field called result. Can someone please guide me on how to achieve this? Any help or example queries would be greatly appreciated. Thank You!

Fi a:\abc\def\MNOPQ.txt content is expected to include "A H Dis Query,0,0"
Fi a:\abc\def\APP.txt content is expected to include "A H Dis Query,0,0"
Fi a:\abc\def\WEB.txt content is expected to include "A H Dis Query,0,0"
It looks like you have introduced the double equals again! Try something like this:

sourcetype="my_source" [search sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)" | top limit=100 request_id | fields request_id | rename request_id as search]
This works perfectly thank you very much.
Hi to everyone, I have recently installed Splunk Enterprise (9.1.2) on an Ubuntu 20.04 with the add-on "Splunk App for Stream" (8.1.1). On another VM (also Ubuntu 20.04, IP: 192.168.182.134) I put my UF (9.1.2). In the UF, I put the add-on "Splunk Add-on for Stream Forwarders" (8.1.1) to capture stream/packets. My streamfwd.conf file is:

[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
ipAddr = 192.168.182.134
netflowReceiver.0.decodingThreads = 4
indexer.0.uri = http://192.168.182.132:8088

[streamfwdcapture]
netflowReceiver.0.ip = 192.168.182.134
netflowReceiver.0.interface = ens33
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

And in my streamfwd.log I have this:

2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:817) stream.CaptureServer - Found DataDirectory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/data
2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:823) stream.CaptureServer - Found UIDirectory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/ui
2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:896) stream.CaptureServer - Default configuration directory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/default
2024-02-12 01:28:53 INFO [140717870847936] (CaptureServer.cpp:1918) stream.CaptureServer - Netflow receiver configuration defined; disabling default automatic promiscuous mode packet capture on all available interfaces. Configure one or more streamfwdcapture parameters in streamfwd.conf to enable network packet capture.
2024-02-12 01:28:53 INFO [140717870847936] (SnifferReactor/SnifferReactor.cpp:327) stream.SnifferReactor - No packet processors configured
2024-02-12 01:28:54 INFO [140717870847936] (CaptureServer.cpp:2001) stream.CaptureServer - Starting data capture
2024-02-12 01:28:54 INFO [140717870847936] (SnifferReactor/SnifferReactor.cpp:161) stream.SnifferReactor - Starting network capture: sniffer
2024-02-12 01:28:54 INFO [140717870847936] (CaptureServer.cpp:2362) stream.CaptureServer - Done pinging stream senders (config was updated)
2024-02-12 01:28:54 INFO [140717870847936] (main.cpp:1109) stream.main - streamfwd has started successfully (version 8.1.1 build afdcef4b)
2024-02-12 01:28:54 INFO [140717870847936] (main.cpp:1111) stream.main - web interface listening on port 8889

But in my splunk_stream_app I have this:

If anyone can help me to fix this issue, I will be glad to read it.
Here's a step-by-step guide to activating a forwarder server:

1) Install Splunk Universal Forwarder
2) Configure Forwarder
3) Start the Forwarder
4) Monitor Forwarder Status
5) Verify Data Forwarding
OK. I haven't been following this topic very closely but I have a feeling you extracted the field manually. If so, that makes the search harder because at the time of the initial search you don't have fields extracted yet. But if it's simply a case of searching for another field than the one you're getting your values from, just do " | rename field1 as field2" at the end of your subsearch and you're all set.
Certainly! There are a few stages involved in regenerating SSL certificates for your Windows Splunk instance. Here's a step-by-step guide:

1. Generate a New SSL Certificate
- Open a command prompt that has administrator access
- Go to the Splunk bin directory. It's usually found under C:\Program Files\Splunk\bin.
- To create a fresh SSL certificate, use the Splunk command-line utility. Run the following command:
splunk createssl server-cert -d <your_domain_name>

2. Configure Splunk to Use the New Certificate
- Go to the directory where the Splunk configuration is located. Usually it can be found at C:\Program Files\Splunk\etc\system\local
- Open web.conf in a text editor
- Update the privKeyPath and serverCert settings to point to the newly generated SSL certificate and private key:
[settings]
enableSplunkWebSSL = true
privKeyPath = C:\Program Files\Splunk\etc\auth\server.pem
serverCert = C:\Program Files\Splunk\etc\auth\server.pem

3. Restart Splunk
- With administrator rights, open a command prompt
- Go to the Splunk bin directory
- Use the following command to restart Splunk:
splunk restart

4. Test the New SSL Configuration
- Open a web browser and use HTTPS to access the Splunk web interface
- A green padlock icon signifying a secure connection should be visible. To verify that it is the new certificate with a valid expiration date, click on it to examine the certificate details

You should be able to use these procedures for your Windows Splunk instance and make sure that it is connecting securely with the new certificates.
Hi @ITWhisperer, below is the search I am trying:

search sourcetype="my_source" "failed request, request id="
| rex "failed request, request id==(?<request_id>\"?[\w-]+\"?)"
| stats values(request_id) as request_ids
| eval request_ids = "\"" . mvjoin(request_ids, "\" OR \"") . "\""
| eval request_ids = replace(request_ids,"^request_id=","")
| format

@PickleRick, sorry, I did not follow you. So basically my subsearch gives me a list of failed request_ids, then that list will act as input to my main search and gives me the main events; I need to extract different fields related to that req id (i.e. accountId).
| sort 0 _time
| eventstats last(Status) as lastStatus by EquipmentID
| where lastStatus!="null"
| streamstats last(Status) as previous current=f global=f by EquipmentID
| where Status!="null" and previous=="null"
| stats last(_time) as lastTime last(lastStatus) as lastStatus by EquipmentID
| eval duration=now()-lastTime
Hi, I have the statistics table panel created in the dashboard. Please could you help me to reduce the panel width? Thanks.
I see, you are correct, I made a mistake in my example events; the 120 should indeed be 360. Thanks for catching my mistake.
This is different from your original question - using this criterion, with your first set of events, the duration would have been 360 not 120, correct?
Thanks for the reply, unfortunately it doesn't seem to work completely. I have the timerange set to the previous 15 minutes. What I think happens is that the query takes the first !=null and starts the duration from there. I fixed this by adding |sort _time 0 to the top of the query, but then it only tracks the time of the last status. I would like for it to track the total time all statuses are !=null.

When I use your query I get durations of ~900 seconds while they are between 1-100. When I add the time sort I only get the duration of X and not X+Y (from the following events). Do you happen to know how I get the duration of X+Y?

Time   EquipmentID   Status   JobID
12:00  1             X        10
12:01  1             "null"   10
12:02  1             "null"   10
12:03  1             Y        10
12:04  1             Y        10
12:05  1             Y        10
12:06  1             Y        10
12:07  1             X        10
12:08  1             X        10
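To see what the answer's pipeline computes on this sample table, here is an added Python model (not the thread's own code, and not something Splunk runs) that mirrors each SPL step, plus a second function that sums every non-null run, which is what the X+Y question asks for. The date and the fixed "now" of 12:09 are assumptions made for the example.

```python
from datetime import datetime
# Constructed from the thread's table (EquipmentID 1, JobID 10 throughout); the literal
# string "null" is what the equipment logs while no status is active. Date and NOW are assumed.
ROWS = [("12:00", "X"), ("12:01", "null"), ("12:02", "null"), ("12:03", "Y"), ("12:04", "Y"),
        ("12:05", "Y"), ("12:06", "Y"), ("12:07", "X"), ("12:08", "X")]
SAMPLE_EVENTS = [{"_time": datetime.fromisoformat(f"2024-02-12 {t}:00"),
                  "EquipmentID": "1", "Status": s, "JobID": "10"} for t, s in ROWS]
NOW = datetime.fromisoformat("2024-02-12 12:09:00")   # stands in for now() in the SPL

def _by_equipment(events):
    """| sort 0 _time | eventstats last(Status) as lastStatus ... | where lastStatus!="null" """
    groups = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        groups.setdefault(ev["EquipmentID"], []).append(ev)
    return {eq: evs for eq, evs in groups.items() if evs[-1]["Status"] != "null"}

def since_last_transition(events, now):
    """The SPL in the thread: seconds from the latest null -> non-null transition to now."""
    result = {}
    for eq, evs in _by_equipment(events).items():
        previous, start = None, None        # streamstats last(Status) as previous current=f
        for ev in evs:
            if ev["Status"] != "null" and previous == "null":
                start = ev["_time"]         # stats last(_time) keeps only the latest one
            previous = ev["Status"]
        if start is not None:
            result[eq] = int((now - start).total_seconds())   # eval duration=now()-lastTime
    return result

def total_non_null(events, now):
    """What the asker wants instead: seconds in any non-null status, summed over all runs;
    a run ends at the next "null" event, or at now if it is still open."""
    result = {}
    for eq, evs in _by_equipment(events).items():
        total, run_start = 0, None
        for ev in evs:
            if ev["Status"] != "null" and run_start is None:
                run_start = ev["_time"]
            elif ev["Status"] == "null" and run_start is not None:
                total += (ev["_time"] - run_start).total_seconds()
                run_start = None
        if run_start is not None:
            total += (now - run_start).total_seconds()
        result[eq] = int(total)
    return result

if __name__ == "__main__":
    print(since_last_transition(SAMPLE_EVENTS, NOW))   # {'1': 360}: 12:03 -> 12:09
    print(total_non_null(SAMPLE_EVENTS, NOW))          # {'1': 420}: 60 s of X plus the 360 s above
```

The first function reproduces the 360 seconds agreed on in the thread; the second shows why the earlier X run (12:00 to 12:01) is lost by the transition-based query and how summing runs recovers it.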