Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-08-2024
11:46 AM
Hi, I've got a problem with this playbook code block, the custom functions I try to execute seem to hang indefinitely, I also know the custom function works because I've successfully used it from a u...
See more...
Hi, I've got a problem with this playbook code block, the custom functions I try to execute seem to hang indefinitely, I also know the custom function works because I've successfully used it from a utility block I've tried a few different arrangements of this logic including initializing cfid with both the custom function calls and consolidating custom function names into a single while loop with the phantom.completed and have used pass instead of sleep. But the custom function doesn't seem to return/complete. Here's another example, which is basically the same except it consolidates the while loops and executes both the custom functions at the same time. Once either of these above scenarios (or something similar) are successful I need to get the results from the custom function executions (below pic), combine it into a single string and then send "data" to another function: > post_http_data(container=container, body=json.dumps({"text": data}) Any assistance would be great. Thanks.
Labels
- Labels:
-
using SOAR ⁄ Phantom
02-08-2024
11:42 AM
Hi you can always ask that splunk split your enterprise license to 5 and 45GB license file. Then ask also 5GB ES license. Then just use separate LM where to put those two 5+5 files and use that for ...
See more...
Hi you can always ask that splunk split your enterprise license to 5 and 45GB license file. Then ask also 5GB ES license. Then just use separate LM where to put those two 5+5 files and use that for your SIEM instance. This will fulfill official requirements. r. Ismo
02-08-2024
11:41 AM
Thanks @ITWhisperer its working for me
02-08-2024
11:32 AM
Hi rule of thumbs. Never restore anything into running system unless your product support it! If you have single instance where you have take that backup, then you should use separate dummy/empty i...
See more...
Hi rule of thumbs. Never restore anything into running system unless your product support it! If you have single instance where you have take that backup, then you should use separate dummy/empty instance where to restore it. I suppose that even that case you will have some issues with files e.g. hot buckets and buckets which has switch state from warm to cold or cold to frozen during your backup time. If you have used e.g. snapshot for backup then this is not so big issue. After restoration just switch this service up (change splunk node name or shutdown the primary instance first). If you have clustered environment then it’s much harder to get working backup and restore it. I really suggest that you use snapshots for backing up! You must take this at same time from all your indexers to get a consistent backup. I really like to empty test etc. environment for restoration! r. Ismo
02-08-2024
11:27 AM
Have UFs configured on several Domain Controllers that point to a Heavy Forwarder and that points to Splunk Cloud. Trying to configure Windows Event Logs. Application, System & DNS logs are working c...
See more...
Have UFs configured on several Domain Controllers that point to a Heavy Forwarder and that points to Splunk Cloud. Trying to configure Windows Event Logs. Application, System & DNS logs are working correctly, however, no Security logs for any of the DCs are working. Splunk service is running with a service account that has proper admin permissions. I have edited the DC GPO to allow the service account access to 'Manage auditing and security logs' I am at a lose here. Not sure what else to troubleshoot. Here is in inputs.conf file on each DC [WinEventLog://Application] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index = wineventlog [WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index = wineventlog [WinEventLog://System] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index = wineventlog [WinEventLog://DNS Server] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index = wineventlog
Labels
- Labels:
-
inputs.conf
-
universal forwarder
-
Windows
02-08-2024
11:06 AM
Hi, We are monitoring a SQL Server but cant see the cpu and memory metrics, i can see the metrics only 15 minutes and later they disappeared.
02-08-2024
10:40 AM
The rex command can either extract fields from an event or replace text in an event. In this case, mode=sed tells it to replace text. The field=summary option restricts the command to the contents ...
See more...
The rex command can either extract fields from an event or replace text in an event. In this case, mode=sed tells it to replace text. The field=summary option restricts the command to the contents of the summary field. The quoted string is the sed command to execute. The 's' represents the substitute command. The part after the first slash is a regular expression. It says to look for the string "from '" followed by any number of additional characters (.*). The parentheses create a group we'll refer back to later. The part after the next slash is the replacement text. It puts the "from" back, adds a newline character (\n), then adds the remainder of the original text (the group from part 1). To read more about rex, see the Search Reference manual. https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Rex
02-08-2024
10:31 AM
Thanks for the feedback. I have read the link you provided and feel more confident about the upgrade. Thanks
- Tags:
- upgrade
02-08-2024
10:24 AM
@richgalloway It worked, thanks a lot Also, could you please explain it to me, or is there any docs I may refer to?
02-08-2024
10:14 AM
Hello @maede_yavari , Splunk Enterprise 9.2.0.1 was released today (on February 8, 2024). Thanks.
02-08-2024
10:09 AM
@kamlesh_vaghela it's works !! I deeply appreciated your kindly support ...
02-08-2024
09:28 AM
Hello, I've read the following documentation: https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Backupindexeddata https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Backupconfigurat...
See more...
Hello, I've read the following documentation: https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Backupindexeddata https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Backupconfigurations Basically to back up Splunk, I need to make a copy of "$SPLUNK_HOME/etc/*" and "$SPLUNK_HOME/var/lib/splunk/defaultdb/db/*" (after rotating the hot buckets.) My question is, how is this restored? Would I just paste the copied files back in to a working Splunk instance? Then the data can be searched normally? Thank you
Labels
- Labels:
-
administration
02-08-2024
09:23 AM
Responding to this bc we recently received the same question at Community Office Hours. In case anyone else is looking to do this, here's the expert guidance: Option 1: Workload Management is your...
See more...
Responding to this bc we recently received the same question at Community Office Hours. In case anyone else is looking to do this, here's the expert guidance: Option 1: Workload Management is your friend here. A very easy implementation without messing with all the roles Workload Management examples (see scenarios 1 and 2) Configuring workload rules Option 2: Use Role Limitations to dictate the rule Follow guidance in: How to restrict usage of real-time search
02-08-2024
08:56 AM
1 Karma
Splunk has a built-in lookup table for converting lat/long into country name. | lookup geo_countries latitude longitude OUTPUT featureId as country
02-08-2024
08:28 AM
Try something like this |rest /services/data/indexes
|rename title as index
|rex field=index "^foo_(?<appname>.+)"
|rex field=index "^foo_(?<appname>.+)_"
|table appname, index
|stats dc(appname) as...
See more...
Try something like this |rest /services/data/indexes
|rename title as index
|rex field=index "^foo_(?<appname>.+)"
|rex field=index "^foo_(?<appname>.+)_"
|table appname, index
|stats dc(appname) as count
|eval title = "currentapps"
| append
[| makeresults
| eval count = 300
| eval title="total_apps"]
| table title count
02-08-2024
07:44 AM
Upgrade to 9.0.3 and above.
02-08-2024
07:37 AM
useACK = <boolean>
* Whether or not to use indexer acknowledgment.
* Indexer acknowledgment is an optional capability on forwarders that helps
prevent loss of data when sending data to an indexer. ...
See more...
useACK = <boolean>
* Whether or not to use indexer acknowledgment.
* Indexer acknowledgment is an optional capability on forwarders that helps
prevent loss of data when sending data to an indexer. the workaround means you don't need use the indexer aknowledgment, so you run the risk of losing data during an indexer restart. The solution is not suitable for me.
02-08-2024
07:24 AM
Also remember that the Trial license is granted to a particular party for a particular use (testing the solution to see if it's appropriate for intended purpose) and limited time. Attempts to "prolon...
See more...
Also remember that the Trial license is granted to a particular party for a particular use (testing the solution to see if it's appropriate for intended purpose) and limited time. Attempts to "prolong" the trial license by moving data to a fresh instance is against license terms. If you need a longer-time trial license, contact your local friendly Splunk Partner.
02-08-2024
07:20 AM
1 Karma
I wouldn't use words like "illegal", especially since legality may differ between countries but it all depends on your agreement with Splunk. By default you just buy a single Splunk Enterprise licens...
See more...
I wouldn't use words like "illegal", especially since legality may differ between countries but it all depends on your agreement with Splunk. By default you just buy a single Splunk Enterprise license for your organization and a Enterprise Security license which equals your SE size. If you have a specific need (like the necessity to have a two separate licenses because you have two completely unconnected sites which can't be handled by a single license manager), you have to talk with your local Partner/Splunk sales representative. This is a custom case and has to be treated as such. We can't know whether Splunk decides to grant such "license layout" or not.
02-08-2024
06:57 AM
Yes, I understand. But this is a relatively complicated thing. 1. Unless you have exclusive access enabled on your account, you have the possibility of two people connecting at the same time to the ...
See more...
Yes, I understand. But this is a relatively complicated thing. 1. Unless you have exclusive access enabled on your account, you have the possibility of two people connecting at the same time to the destination system. You can't distinguish between them. 2. Since the action form one search occurs before the action from another search, it's not as easy as just matching by time and host. I think I'd try to pull both searches into one result set then "populate down" the value from the PAS user to the windows events using streamstats. (or try to use transaction but using this command is generally not advised unless you have really no other option).
