First, a couple of links that you should probably have around. This is a great flowchart for the whole pile o' stuff to do around an upgrade: https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Enterprise/m-p/408003 And of course the official docs: https://docs.splunk.com/Documentation/Splunk/latest/Installation/HowtoupgradeSplunk

And there are a few gotchas with the upgrades you'll have to go through. While we don't know all the problems you'll have in your environment, the big ones that I'm aware of that you'll have to address are the upgrade to Python3 and the migration of kvstore to WiredTiger. The former is documented here: https://docs.splunk.com/Documentation/Splunk/9.0.0/Installation/AboutupgradingREADTHISFIRST The latter is found in here, though I think it doesn't make it prominent enough: https://docs.splunk.com/Documentation/Splunk/9.0.0/Installation/AboutupgradingREADTHISFIRST (It ends up pointing you to here: https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/MigrateKVstore)

There may be others; you should read through the About Upgrading docs for each version with an eye on your environment and how it's set up. For instance, here's the one for the 8.1.14 upgrade: https://docs.splunk.com/Documentation/Splunk/8.1.14/Installation/HowtoupgradeSplunk

I know, it seems boring. But doing so will pay off in the end! Happy Splunking! -Richfez
As I said before, you can't do calculations on strings! Try this:
| stats avg(eval(incident_review_time-notable_time)) as average
Yeah, it was 100% my fault. I forgot to disable the local firewall on the server. Thank you though for the help.
Thanks, that query is still returning private 192.168.x.x src IPs.
It's message.id. There is a JSON object called message that has a number of fields in it. message.id gets the WAF session id value.
client_ip is not getting returned. I have tried using values() and count by. I tested that rex for client_ip returns values using the test below, and it does:
index=_network snat IN (10.10.10.10*,20.20.20.20*) | rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)" ``` this applies to index _network ``` | table client_ip
The above returns just a list of IPs from our clients.
Hi, I think that the most important thing for you is to check that all your apps etc. work with Python3 and fulfil the other requirements which have come with 8.x and also with 9.x. I suppose that you have several apps and TAs which you must/should update to the latest suitable versions. At least some of those need to be updated first to 8, then after updating Splunk to 8.x you can update those to the latest version. One issue could be finding versions which work with Splunk 8.x, as Splunkbase doesn't have all versions, and especially finding documentation which tells how you should upgrade those (e.g. DBX etc.)! I propose that after you have upgraded to 8.x, you use the upgrade readiness app to check that everything is ok and fix what is needed! I suppose that you have already read this: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_platform For UFs I think that you can update those after you have updated to 9.1.x. Depending on your UF version you probably need to update those in several steps, if needed? r. Ismo
Hi @shrinathkumbhar , if you are a Splunk Partner, you can access Splunk show (https://show.splunk.com/login/?redirect=/) where you can find many demo environments (also ES), but it isn't open to all. Ciao. Giuseppe
Hi @kate , yes, the Splunk_TA_Windows gives you more counters than internal logs, even if it consumes license. Ciao. Giuseppe
Hi @premrajvs , you can input these files on an HF in the same way as on a UF and also by GUI (it's easiest). Then you can forward them to the indexers. Why do you want to install a UF on the same server? Ciao. Giuseppe
L.s., We are at the beginning of a migration to SmartStore. We are reading/following "Migrate existing data on an indexer cluster to SmartStore" in the Splunk Documentation. One thing is worrying us: bullet 7 in "Run the migration on the indexer cluster". It says "Stop all the peer nodes."... not so nice on a production cluster. Is this really necessary? Isn't it possible to do this part with the deployment from the MC, so that not all peers go down at the same time (and we lose data)? Thanks in advance for the answer. Jari
Hi @hinako , good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe P.S.: Karma Points are appreciated
How can I sum all the times together? stats sum did not work for me, and in addition I also need to add | stats count(event_id) and get the count of critical alerts in order to do Event Count / Total Time and get an average of how much time it takes to close an alert, by severity.
Hi @scelikok , can you please explain this part? I didn't understand [^\(\']+
There are situations where an HF needs to forward log and security data located on itself and running an HF and SUF on the same host runs into problems. 
@richgalloway , do I need to change the query, or is it fine to drop _time from the Throttling "group by" field name?
Hi, @gcusello  Thank you so much. My problem has been solved. I appreciate your kindness. Thanks, Hinako
Try combining the two lines:
| eval time_difference=tostring(round(incident_review_time - notable_time, 0), "duration")
Hi @AL3Z , please try the below:
| rex field=_raw "System\.Exception:\s+(?<system_exception>[^\(\']+)"
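The two rex patterns discussed in this thread (the client_ip/client_port split from the earlier question, and the System.Exception extraction above, including the `[^\(\']+` class that was asked about) re-expressed as Python regexes so they can be run offline. This is an added example, not code from the thread or from Splunk; the client values and the log event are constructed sample input. Python spells a named group `(?P<name>...)` where Splunk rex uses `(?<name>...)`; everything else in the patterns is the same.

```python
"""Added example (not from the thread): run the thread's rex patterns in Python."""
import re

# Constructed sample values of the `client` field (not taken from the thread)
CLIENT_VALUES = ["192.168.1.25:51234", "[2001:db8::1]:443", "10.0.0.7"]

# Constructed sample event (not taken from the thread)
RAW_EVENT = ("2024-01-01 12:00:00 ERROR System.Exception: Object reference not set "
             "('ctx') at Foo.Bar()")

# Equivalent of: rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)"
# The lazy .*? stops at the FIRST colon, which splits an IPv6 literal in the wrong place.
FIRST_COLON = re.compile(r"^(?P<client_ip>.*?):(?P<client_port>.*)$")

# Variant that splits on the LAST colon, requires a numeric port and tolerates [] around IPv6.
LAST_COLON = re.compile(r"^\[?(?P<client_ip>.*?)\]?:(?P<client_port>\d+)$")


def split_client(value, pattern=LAST_COLON):
    """Return (client_ip, client_port), or None when the pattern does not match.
    rex behaves the same way: an event the pattern does not match gets no extracted field,
    so the field is simply absent from later stats/table commands."""
    m = pattern.match(value)
    if m is None:
        return None
    return m.group("client_ip"), m.group("client_port")


# Equivalent of: rex field=_raw "System\.Exception:\s+(?<system_exception>[^\(\']+)"
# [^\(\']+ is a negated character class: one or more characters that are neither "("
# nor "'". The capture therefore runs from the first non-space after "System.Exception:"
# up to (not including) the first "(" or "'". Inside a Python class neither needs a backslash.
EXCEPTION_RE = re.compile(r"System\.Exception:\s+(?P<system_exception>[^(']+)")


def extract_exception(raw):
    """Return the captured exception text, or None when there is no match.
    Note the capture keeps the space before "(" because the class only stops at ( or '."""
    m = EXCEPTION_RE.search(raw)
    return m.group("system_exception") if m else None


if __name__ == "__main__":
    for v in CLIENT_VALUES:
        print(v, "-> first colon:", split_client(v, FIRST_COLON), "last colon:", split_client(v))
    print(repr(extract_exception(RAW_EVENT)))
```

The third constructed value has no port at all, so neither pattern matches it and the function returns None: that is the case to look for when a rex extraction "works" on a sample but a field comes back empty in stats, because events that do not match contribute no field.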
How can I round/get rid of the decimals after the seconds?
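What the SPL expression `tostring(round(incident_review_time - notable_time, 0), "duration")` from the reply above produces, and why the round() is the part that drops the decimals after the seconds, re-implemented in Python on constructed data so it can be run offline. It also computes the per-severity average time to close that the earlier question asked about. This is an added example, not code from the thread or from Splunk; the notable timestamps are constructed, and the `D+HH:MM:SS` form for values of a day or more is assumed to match Splunk's "duration" rendering.

```python
"""Added example (not from the thread): Splunk-style duration formatting in Python."""
from statistics import mean

# Constructed notables: (severity, notable_time, incident_review_time) as epoch seconds.
NOTABLES = [
    ("critical", 1700000000.0, 1700003661.4),  # 3661.4 s -> 01:01:01
    ("critical", 1700000100.0, 1700000160.6),  # 60.6 s   -> 00:01:01
    ("high",     1700000000.0, 1700090000.0),  # 90000 s  -> 1+01:00:00 (more than a day)
]


def format_duration(seconds):
    """Render seconds like tostring(x, "duration"): HH:MM:SS, prefixed with "D+"
    once the value reaches a day (assumed format). Without the rounding step a value
    such as 3661.4 would render with a fractional seconds field; int(round(...)) is the
    Python equivalent of SPL's round(x, 0) and removes the decimals."""
    total = int(round(seconds))
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def mean_time_to_close(notables):
    """Average (incident_review_time - notable_time) per severity, as a duration string.
    Same idea as: | stats avg(eval(incident_review_time - notable_time)) as average by severity
    followed by the tostring(round(average, 0), "duration") step."""
    by_sev = {}
    for sev, notable_time, review_time in notables:
        by_sev.setdefault(sev, []).append(review_time - notable_time)
    return {sev: format_duration(mean(deltas)) for sev, deltas in by_sev.items()}


if __name__ == "__main__":
    for sev, notable_time, review_time in NOTABLES:
        print(sev, format_duration(review_time - notable_time))
    print(mean_time_to_close(NOTABLES))
```

The average is taken on the raw second counts and rounded once at the end; rounding each difference first and then averaging would introduce up to half a second of bias per event.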