All Posts

Good afternoon, I have this Splunk architecture: 1 search head, 2 indexers in a cluster, 1 master node/License Server, 1 Monitoring Console/Deployment server, 2 heavy forwarders, SF=2 RF=2. I added a new indexer to the cluster, and after that tried to change the RF and SF, both to 3, but when I change the values from Splunk Web on the master node and restart the instance, the platform shows me the next message:

Then I did a rollback, returned SF=2 and RF=2, and everything is normal, but the bucket status shows I need to change the SF and RF, and I need to know if this will fix the issues with the indexes. Regards
Hi @jariw, In my experience maintenance mode and stopping all peer nodes are not necessary. You will already push the configuration from the Cluster Manager. Before pushing the new configuration, do not forget to test your new indexes.conf configuration on a standalone instance and the repFactor=auto setting (as said in item 8.a).
Hi @AchimK, You should delete the colon before the port number, like below. Or why don't you just delete this stanza from inputs.conf?

[tcp://5514]
connection_host = ip
host = splunkindex
index = linux
sourcetype = linux_messages_syslog
disabled = 1
Thanks @ITWhisperer. Using makeresults to pull the time is much faster than index since it only pulls a single event. Is it possible to change the font type (bold), color and background in Visualization Type "Table"? Thanks again!!
Hi @scottc_3, I would love to learn more about the requirement to use an array. Can you share more about why it's not feasible to separate the values in your use case? 
Steps to reproduce

1. Install

version: '3.7'
services:
  splunk:
    image: splunk/splunk:latest
    container_name: splunk
    ports:
      - "8000:8000"
      - "9997:9997"
      - "8088:8088"
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=Password1
    volumes:
      - splunk_data_var:/opt/splunk/var
      - splunk_data_etc:/opt/splunk/etc
    restart: unless-stopped
volumes:
  splunk_data_var:
  splunk_data_etc:

2. Change the admin password from the web UI

3. Restart the Splunk docker instance
Hello, The Splunk Connect for Syslog add-on for Thycotic (Product section) shows information that is related to Tenable. See https://splunk.github.io/splunk-connect-for-syslog/1.96.4/sources/Thycotic/. Please review and update the section. Best, Pramod
This thread is several months old with an accepted solution so you may get better results by posting a new question.
This is exactly my experience in Splunk Cloud as well. I fed table data to a dropdown, and the dropdown uses an array of the entire result set instead of listing the values separately. Can we get a fix for this?
Splunk support responded that this was a known, as yet unpublished, bug in the software. Was hoping the 9.2 release fixed this but sadly it did not.
Note:
1) The spath command can be expensive, especially against large data sets.
2) If all you need is to parse a string and get the values, consider regular expressions for JSON data also.

In the rex below, I named the a|b|c|d field "foo", in case it had value later on. If not, it doesn't need to be used.

| makeresults ```creating dummy data based on the original question```
| eval json_data="{data: {a : { x: {value_x} y: {value_y}}} }"
| append [ makeresults | eval json_data="{data: {b : { x: {value_x} y: {value_y}}} }" ]
| append [ makeresults | eval json_data="{data: {c : { x: {value_x} y: {value_y}}} }" ]
| append [ makeresults | eval json_data="{data: {d : { x: {value_x} y: {value_y}}} }" ]
```ending the creation of dummy data```
| rex field=json_data "{(?<foo>\w+)\s:\s{\s\sx:\s{(?<x_value>.+)}\s\sy:\s{(?<y_value>.+)}}}" ```parse strings using a regular expression```
| table json_data x_value y_value ```display results of regular expression in a table```

Results in:
It looks like logs from ESET are encrypted.... because yes. I tried with syslog-ng and rsyslog but the result is the same. I saw on the network that a similar issue was reported directly to ESET.
Hi, Did you find solution? I have the same issue.  
You can save a search as a report and then open "advanced edit" from Settings -> Searches, reports, and alerts -> "Edit" dropdown. Then search for "preview" and disable it there. You will find an option similar to "display.general.enablePreview" and it defaults to the number 1 for "True". Change it to 0 and click the save button. Then you can just use | savedsearch "YourReportName" https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch This is particularly useful if you're using an external system to pull the data via API and the developers of the integration were unaware of the preview function being enabled by the default mode of operation in Splunk search.
Hi, another option is to use those props.conf and transforms.conf files, as you have already looked at. Here is one old post on how to do it: https://community.splunk.com/t5/Monitoring-Splunk/FortiGate-Firewall-is-consuming-the-license/m-p/648680 There are a lot of other examples in the community and also on docs.splunk.com. One thing you must remember is that you must put those configurations on the first full Splunk instance in the path from source to indexers. This could be a HF or an indexer. r. Ismo
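As an added illustration of the props.conf/transforms.conf approach from the reply above (this is not Ismo's code nor the content of the linked post), the pair below routes events matching a regex to nullQueue before they are indexed, so they never count against the license. The sourcetype name fortigate_log and the pattern type=traffic ... action=accept are assumptions chosen for the example; replace them with the sourcetype and the event shape you actually want to drop. Both files go on the first full Splunk instance the data passes through (heavy forwarder or indexer); a universal forwarder does not run these TRANSFORMS.

```ini
# props.conf  (assumed sourcetype name; adjust to your FortiGate input)
[fortigate_log]
# TRANSFORMS-<name> runs at index-time on the parsing instance (HF or indexer).
# Transforms are applied in the order listed; the drop rule comes first so
# matching events never reach the indexing pipeline or the license meter.
TRANSFORMS-drop_noise = fortigate_drop_accepted_traffic

# transforms.conf
[fortigate_drop_accepted_traffic]
# Example pattern (assumption): discard accepted traffic logs, keep denies/UTM.
# REGEX is applied to the raw event text (_raw) by default.
REGEX = type=traffic\b.*\baction=accept\b
# Sending to nullQueue discards the event entirely; it is not indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Usage note: test the regex against real events first (for example with the rex command on a search head, or on a standalone instance as the earlier reply recommends), then restart the parsing instance or reload the configuration. Check the result with the license usage dashboards in the Monitoring Console rather than by searching the index, since dropped events are by design not searchable.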
Hi scelikok, I killed the IPs and restarted Splunk, but the data input with port 5514 is not deletable:

Error occurred attempting to remove :5514: Malformed IP address: :5514.

Here is the inputs file:

[splunktcp://9997]
connection_host = ip

[tcp://:5514]
connection_host = ip
host = splunkindex
index = linux
sourcetype = linux_messages_syslog
disabled = 1
Hi Team, We need to upgrade the OS to RHEL 8 for our AppD controller. Currently, the OS is at version Red Hat Enterprise Linux Server release 7.9 (Maipo). Please let us know if we could proceed to upgrade to RHEL 8 at this version of AppD. Thanks and Regards, Anand
Hi, I match all other characters except ( and ', and there must be at least one or more of those, in any order and combination. You can test these e.g. on regex101.com. There are also descriptions there of what all those anchors etc. are/mean. r. Ismo
Hi, as already said by @batabay, don't disable it. Even if you are using Splunk's internal certs, it's better than without it. If you have an issue using that e.g. with cURL or other tools, you could accept those certs within those commands, like "curl -k". Or the other (better) option is to just replace Splunk's internal certs with official certs. See https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL and https://conf.splunk.com/files/2023/slides/SEC1936B.pdf r. Ismo
I would drop _time as a throttling field.