All Posts


Hi @jariw, In my experience maintenance mode and stopping all peer nodes is not necessary. You will already push the configuration from the Cluster Manager. Before pushing the new configuration, do not forget to test your new indexes.conf configuration on a standalone instance and the repFactor=auto setting (as said in item 8.a).
Hi @AchimK, You should delete the colon before the port number like below. Or why don't you just delete this stanza from inputs.conf?

    [tcp://5514]
    connection_host = ip
    host = splunkindex
    index = linux
    sourcetype = linux_messages_syslog
    disabled = 1
Thanks @ITWhisperer. Using makeresults to pull the time is much faster than index since it only pulls a single event. Is it possible to change the font type (bold), color and background in Visualization Type "Table"? Thanks again!!
Hi @scottc_3, I would love to learn more about the requirement to use an array. Can you share more about why it's not feasible to separate the values in your use case? 
Steps to reproduce

1. Install

    version: '3.7'
    services:
      splunk:
        image: splunk/splunk:latest
        container_name: splunk
        ports:
          - "8000:8000"
          - "9997:9997"
          - "8088:8088"
        environment:
          - SPLUNK_START_ARGS=--accept-license
          - SPLUNK_PASSWORD=Password1
        volumes:
          - splunk_data_var:/opt/splunk/var
          - splunk_data_etc:/opt/splunk/etc
        restart: unless-stopped
    volumes:
      splunk_data_var:
      splunk_data_etc:

2. Change the admin password from the web UI

3. Restart the Splunk docker instance
Hello, The Splunk Connect for Syslog add-on for Thycotic (Product section) shows information that is related to Tenable. See https://splunk.github.io/splunk-connect-for-syslog/1.96.4/sources/Thycotic/. Please review and update the section. Best, Pramod
This thread is several months old with an accepted solution so you may get better results by posting a new question.
This is exactly my experience in Splunk Cloud as well. I fed table data to a dropdown, and the dropdown uses an array of the entire result set, instead of listing the values separately. Can we get a fix for this?
Splunk support responded that this was a known, as yet published, bug in the software. Was hoping the 9.2 release fixed this but sadly it did not.
Note:
1) The spath command can be expensive, especially against large data sets.
2) If all you need is to parse a string and get the values, consider regular expressions for JSON data also.

In the rex below, I named the a|b|c|d field "foo", in case it has value later on. If not, it doesn't need to be used.

    | makeresults ```creating dummy data based on the original question```
    | eval json_data="{data: {a : { x: {value_x} y: {value_y}}} }"
    | append [ makeresults | eval json_data="{data: {b : { x: {value_x} y: {value_y}}} }" ]
    | append [ makeresults | eval json_data="{data: {c : { x: {value_x} y: {value_y}}} }" ]
    | append [ makeresults | eval json_data="{data: {d : { x: {value_x} y: {value_y}}} }" ]
    ```ending the creation of dummy data```
    | rex field=json_data "{(?<foo>\w+)\s:\s{\s\sx:\s{(?<x_value>.+)}\s\sy:\s{(?<y_value>.+)}}}" ```parse strings using a regular expression```
    | table json_data x_value y_value ```display results of regular expression in a table```

Results in:
It looks like logs from ESET are encrypted.... because yes. I tried with syslog-ng and rsyslog but the result is the same. I saw on the network that a similar issue was reported directly to ESET.
Hi, Did you find a solution? I have the same issue.
You can save a search as a report and then open "advanced edit" from Settings -> Searches, reports, and alerts -> "Edit" dropdown. Then search for "preview" and disable it there. You will find an option similar to "display.general.enablePreview" and it defaults to the number 1 for "True". Change it to 0 and click the save button. Then you can just use

    | savedsearch "YourReportName"

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

This is particularly useful if you're using an external system to pull the data via API and the developers of the integration were unaware of the preview function being enabled by the default mode of operation in Splunk search.
Hi, another option is to use those props.conf and transforms.conf files as you have already looked at. Here is one old post on how to do it: https://community.splunk.com/t5/Monitoring-Splunk/FortiGate-Firewall-is-consuming-the-license/m-p/648680 There are a lot of other examples in the community and also on docs.splunk.com. One thing you must remember is that you must put those configurations on the 1st full Splunk instance on the path from source to indexers. This could be a HF or an indexer. r. Ismo
Hi scelikok, I killed the IPs and restarted Splunk, but the data input with port 5514 is not deletable: Error occurred attempting to remove :5514: Malformed IP address: :5514. Here is the inputs file:

    [splunktcp://9997]
    connection_host = ip

    [tcp://:5514]
    connection_host = ip
    host = splunkindex
    index = linux
    sourcetype = linux_messages_syslog
    disabled = 1
Hi Team, We need to upgrade the OS to RHEL 8 for our AppD controller. Currently, the OS is at version Red Hat Enterprise Linux Server release 7.9 (Maipo). Please let us know if we could proceed to upgrade at this AppD version with RHEL 8. Thanks and Regards, Anand
Hi, I match all other characters except ( and ' and there must be at least one or more of those in any order and combination. You can test these e.g. on regex101.com. There are also descriptions of what all those anchors etc. are/mean. r. Ismo
Hi, as already said by @batabay, don't disable it. Even if you are using Splunk's internal certs, it's better than without it. If you have issues using that e.g. with cURL or other tools, you could accept those certs within those commands, like "curl -k". Or the other (better) option is to just replace Splunk's internal certs with official certs. See https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL and https://conf.splunk.com/files/2023/slides/SEC1936B.pdf r. Ismo
I would drop _time as a throttling field.
Hi, I suppose that you mean that currentTimePeriodDay is the oldest data that you have in a bucket before it has moved to the frozen state. I suppose that these apps use those two values to check how well data retention is working. I expect that you are familiar with how data is stored in Splunk buckets and which parameters need to be taken into account when real retention (removing buckets and events) will happen? If not, there are a couple of old posts where we have discussed this challenge. Also there is a good .conf presentation about it: https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf I suppose that you could use these apps and those limits to fine-tune the needed parameters in the indexes.conf file to ensure that your real event retention time is as close as possible to what you have defined in indexes.conf. r. Ismo