Can you let us know which log you see? Of the following three logs: "Unexpected event id" (9.1.2 still logs it), "Invalid ACK received from indexer" (9.1.2 should not log it), "Got unexpected ACK with eventid" (9.1.2 should not log it).
Hi, even though Splunk can receive a syslog feed, you shouldn't use it for that. With Splunk you will lose more of those events than by using a real syslog server. In production, always use an HA syslog server instead of an HF with a syslog receiver. r. Ismo
Hi @ITWhisperer @PickleRick, yes, the sample event I gave you earlier was the output of that event only. The whole command works as the main search, but if I put the same thing in a subsearch, it doesn't work.
Hi @syk19567, it's a bug that I requested to solve for one of our biggest customers: if you tested a regex containing a backslash in regex101 and it runs, to use this regex in a search you have to add two more backslashes to each backslash. If instead you want to use this regex in a field extraction, you have to use the regex from regex101 (the one with one backslash). So the regex to use in a search is:
| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"
Instead, the regex to use in the extracted field (and regex101) is:
\\\"submission_id\\\":(?P<submission_id>\d+)
In addition, if you try to use the IFX on the same sourcetype, you get an error and you cannot use IFX. As I said, I asked to solve this bug but they didn't give me a date. Ciao. Giuseppe
You need to double up on some of your backslashes:
| rex "\\\"submission_id\\\\\":(?<subID>\d+)"
Essentially, the rex command goes through an extra step of string parsing, so backslashes have to be escaped an extra time.
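As an added illustration (not code from any post in this thread), the Python below models the two parsing layers the replies above describe: the string pass that rex applies to its quoted argument, and the regex engine underneath it, which is also the only layer a props.conf extraction or regex101 goes through. The unescape rules are an assumption (a simplified model of SPL string parsing), the event is constructed, and Python's (?P<name>) group syntax is used, as in the field-extraction form on the page.

```python
import re

# Constructed sample event: a raw log line whose JSON quotes are escaped,
# so a literal backslash precedes each double quote.
RAW_EVENT = r'\"submission_id\":337901'


def spl_unescape(s: str) -> str:
    """Model the string-parsing pass rex applies to its double-quoted argument
    before the regex engine sees it. Assumption (simplified SPL model): two
    backslashes collapse to one, backslash-quote becomes a plain quote, and any
    other backslash sequence (such as backslash-d) passes through unchanged."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in ("\\", '"'):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def rex_extract(spl_regex: str, event: str, field: str):
    """Search-time rex path: string pass first, then the regex engine."""
    m = re.search(spl_unescape(spl_regex), event)
    return m.group(field) if m else None


def props_extract(regex: str, event: str, field: str):
    """Field-extraction (props.conf / regex101) path: no string pass, the
    regex reaches the engine exactly as written."""
    m = re.search(regex, event)
    return m.group(field) if m else None


# The regex that works on regex101 and as a field extraction ...
EXTRACTION_REGEX = r'\\\"submission_id\\\":(?P<submission_id>\d+)'
# ... and the same regex as it has to be written inside rex "..." in a search.
SEARCH_REGEX = r'\\\\\"submission_id\\\\\":(?P<submission_id>\d+)'
# The original attempt: after the string pass it reads "submission_id\":, and to
# the engine \" is a plain quote, so the event's backslash-quote never matches.
OP_REGEX = r'\"submission_id\\\":(?P<submission_id>\d+)'

if __name__ == "__main__":
    print("regex reaching the engine:", spl_unescape(SEARCH_REGEX))
    print("props.conf path:", props_extract(EXTRACTION_REGEX, RAW_EVENT, "submission_id"))
    print("rex, doubled backslashes:", rex_extract(SEARCH_REGEX, RAW_EVENT, "submission_id"))
    print("rex, original attempt:", rex_extract(OP_REGEX, RAW_EVENT, "submission_id"))
```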
You need to start breaking it down to find where the problem is. Start with just:
sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)"
Do you get any results/values in request_id?
Hi community, I'm using rex to get some strings. The log is like:
\"submission_id\":337901
The regex I'm using is:
\"submission_id\\\":(?<subID>\d+)
It works well on regex101: https://regex101.com/r/Usr7Ki/1 However, in Splunk, it doesn't find anything. The command is (I just added double quotes to wrap the regex):
rex "\"submission_id\\\":(?<subID>\d+)"
Any ideas and suggestions are appreciated!
Hi @jmrubio, usually Heavy Forwarders are used to ingest syslogs. Then your HF should forward data to both Indexers. Then you should also have a Search Head to search data on the two indexers. Then usually, to avoid a Single Point of Failure, it's better to have two HFs with a Load Balancer in front of them that manages load distribution and failover. Ciao. Giuseppe
Hello @ITWhisperer, I shared the screenshot and the step-by-step in the reply to @gcusello: /splunk/app/test_app/classicdashboard?form.student_token=$student_token$
Hello @gcusello, here's the screenshot and the steps. Thank you in advance. On Dashboard Studio:
1) Put an icon and go to configuration
2) On configuration, I set a link to a second dashboard (classicdashboard): /splunk/app/test_app/classicdashboard?form.student_token=$student_token$
3) Go to View mode and click the icon
It opened 2 tabs, instead of only 1.
Hello! I am trying to send syslogs to Splunk from network devices using UDP. I have one heavy forwarder and two indexers; does it matter which indexer I set up to listen for the data?
Hi @pm11,
please follow the steps below to reset the password. Go to <Splunk installation directory>/splunk/etc/; under this location there is a file called passwd; rename it to passwd.backup. Go to the following location: <Splunk installation directory>/splunk/etc/system/local and create a new file user-seed.conf. Inside the user-seed file add the following contents:
[user_info]
USERNAME = admin
PASSWORD = <newpassword>
and restart Splunk from the command line:
<Splunk installation directory>/splunk/bin/
splunk restart
---- Regards, Sanjay Reddy
---- If this reply helps you, Karma would be appreciated