Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-05-2024
05:51 AM
There are situations where an HF needs to forward log and security data located on itself and running an HF and SUF on the same host runs into problems.
02-05-2024
05:42 AM
@richgalloway , I need to change the query or its fine to drop the _time from the Throttling group by field name?
02-05-2024
05:33 AM
Hi, @gcusello Thank you so much. My problem has solved. I appreciate your kindfulness. Thanks, Hinako
02-05-2024
05:29 AM
1 Karma
Try combining the two lines | eval time_difference=tostring(round(incident_review_time - notable_time, 0), "duration")
02-05-2024
05:28 AM
1 Karma
Hi @AL3Z , Please try below; | rex field=_raw "System\.Exception:\s+(?<system_exception>[^\(\']+)"
02-05-2024
05:24 AM
How can I round/get rid off the decimals after the seconds?
02-05-2024
05:11 AM
Look in the add-on's props.conf file to see what sourcetypes are defined. Then choose the one that matches your data. Be advised that data arriving via syslog may be in a different format than that...
See more...
Look in the add-on's props.conf file to see what sourcetypes are defined. Then choose the one that matches your data. Be advised that data arriving via syslog may be in a different format than that fetched by an API so the props may not work as expected.
02-05-2024
05:09 AM
Throttling works by checking to see if the specified field changed value within the throttle period. Since _time is always changing it is ineffective as a throttle.
02-05-2024
05:06 AM
We can't help you with something that can't be done. ES requires a dedicated SH, but Splunk Cloud trial accounts get a single SH. That is why ES is not available in trial accounts.
02-05-2024
04:57 AM
1 Karma
Hi, I am trying to understand the best/cost effective approach to ingest logs from Azure AKS in Splunk Enterprise with Enterprise Security. The logs we have to collect are mainly for security purpo...
See more...
Hi, I am trying to understand the best/cost effective approach to ingest logs from Azure AKS in Splunk Enterprise with Enterprise Security. The logs we have to collect are mainly for security purposes. Here the options I have found: Use the "Splunk OpenTelemetry Collector for Kubernetes" https://docs.splunk.com/Documentation/SVA/current/Architectures/OTelKubernetes Use Cloud facilities to export the logs to Storage Accounts Use Cloud facilities to export the logs to Event Hubs Use Cloud facilities to send syslog to a Log Analytics workspace https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-syslog references: https://learn.microsoft.com/en-us/azure/azure-monitor/containers/monitor-kubernetes https://learn.microsoft.com/en-us/azure/aks/monitor-aks https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal https://learn.microsoft.com/en-us/azure/architecture/aws-professional/eks-to-aks/monitoring https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview Is there a way to use Cloud facilities to stream the logs directly to Splunk so that we can avoid deploying the OTEL collector? Otherwise, if we must save the logs first to a Workspace/Storage Accounts/Event Hubs and export them with Splunk via API calls with "Splunk Add-on for Microsoft Cloud Services" or with "Microsoft Azure Add-on for Splunk", which is the best/cost effective approach? Thanks a lot, Edoardo
Labels
02-05-2024
04:36 AM
What predefined templating variables can be used to get below details for a synthetic event,I tried #foreach ($item in ${fullEventList})#end but could get only summary and event details, How can ot...
See more...
What predefined templating variables can be used to get below details for a synthetic event,I tried #foreach ($item in ${fullEventList})#end but could get only summary and event details, How can other details be fetched
Labels
- Labels:
-
Real User Monitoring
02-05-2024
04:19 AM
Hi all, help me extracting the field from the below two events System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03 System.Exception: An error was encountered while atte...
See more...
Hi all, help me extracting the field from the below two events System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03 System.Exception: An error was encountered while attempt to fetch proxy credentials for user 'xyz system_exception=Assertion violated: stream.ReadByteInto An error was encountered while attempt to fetch proxy credentials for user thanks
Labels
- Labels:
-
field extraction
-
regex
-
rex
02-05-2024
04:15 AM
Hi @AchimK, You should check input settings inside inputs.conf file. If you created this input using GUI it may be under search app. You can find the place using btool like below. splunk btool inpu...
See more...
Hi @AchimK, You should check input settings inside inputs.conf file. If you created this input using GUI it may be under search app. You can find the place using btool like below. splunk btool inputs list tcp --debug | grep 5514 This will show the path of inputs.conf file that you should edit to delete malformed TCP input.
02-05-2024
04:06 AM
Hello! I have installed the kemp add-on from here: https://splunkbase.splunk.com/app/6830 . The issue is I cannot find a proper documentation on how to setup data and what sourcetype to specify in t...
See more...
Hello! I have installed the kemp add-on from here: https://splunkbase.splunk.com/app/6830 . The issue is I cannot find a proper documentation on how to setup data and what sourcetype to specify in the inputs.conf . For more context, I am collecting the logs through syslog not API, so I need to specify the sourcetype in the inputs.conf for parsing to work properly.
Labels
- Labels:
-
administration
-
configuration
02-05-2024
03:44 AM
Enterprise security is not available in Splunk cloud trial version. I need assistance for it.
02-05-2024
03:43 AM
Thank you for your response. Is there are difference between the performance (CPU and memory) data for a UF in internal logs and the logs fetched by splunk add on for windows or splunk add on for un...
See more...
Thank you for your response. Is there are difference between the performance (CPU and memory) data for a UF in internal logs and the logs fetched by splunk add on for windows or splunk add on for unix and linux machine?
02-05-2024
02:58 AM
I have the problem that I can't delete an input filter that I probably formulated incorrectly so that I can take it out. Error occurred attempting to remove a.b.*.*, c.d.e.0, f.g.*:5514: Malformed I...
See more...
I have the problem that I can't delete an input filter that I probably formulated incorrectly so that I can take it out. Error occurred attempting to remove a.b.*.*, c.d.e.0, f.g.*:5514: Malformed IP address: a.b.*.*, c.d.e.0, f.g.*:5514. An outputs.conf under /system/local does not exist
Labels
- Labels:
-
indexer
02-05-2024
02:46 AM
Oh yeah I did that. also, I was making use of REPORT instead of TRANSFORM in props.conf this is what worked: Props.conf [source::ping] TRANSFORMS-add_static_fields = mystaticFieldValue Tran...
See more...
Oh yeah I did that. also, I was making use of REPORT instead of TRANSFORM in props.conf this is what worked: Props.conf [source::ping] TRANSFORMS-add_static_fields = mystaticFieldValue Transforms.conf [mystaticFieldValue] SOURCE_KEY = _raw WRITE_META = true REGEX = (.*) FORMAT = item::31 Fields.conf [item] INDEXED = true
02-05-2024
02:39 AM
Hi all, In my AD computer account deletion correlation search, I use _time and subjectusername in throttling fields for grouping. Is adding _time to throttling the correct approach? Please correct m...
See more...
Hi all, In my AD computer account deletion correlation search, I use _time and subjectusername in throttling fields for grouping. Is adding _time to throttling the correct approach? Please correct me if I'm wrong. query index=win sourcetype=XmlWinEventLog EventCode=4743 | bin _time span=5m | stats values(EventCode) as EventCode, values(signature) as EventDescription, values(TargetUserName) as deleted_computer, dc(TargetUserName) as computeruser_count by _time SubjectUserName | where computeruser_count > 20 Time Range set to Earliest Time 20m@m latest now cron schedule */15 * * * * Scheduling set to Continuous Throttling window duration 12 hours Fields to group by SubjectUserName , _time Thanks in Advance..
Labels
- Labels:
-
correlation search
-
investigation
02-05-2024
02:25 AM
Hi Splunkers, today I have a very strange case to manage. I'm going to try right now to be more clear possible. The scenario is a full on prem Splunk Enterprise environment, with many components. F...
See more...
Hi Splunkers, today I have a very strange case to manage. I'm going to try right now to be more clear possible. The scenario is a full on prem Splunk Enterprise environment, with many components. For this customer, we are not the starting provider; another company was on charge before us and developed a full custom app. About this application: No doc has been shared by previous provider It states now some error messages that are not completely clear. So, in a nutshell, we have to try to understand why we got those errors and try to fix them. Now of course I'm not here to ask you "Ehy magic guys, give me the magic solution!"; the purpose of this topic is ask your help to understand data we have (we have only a GUI little dashboard with a short app description and how it works) and try to understand how we can fix those errors. The app analyze Indexers and their indexes. Its purpose is to understand if indexes are retaining the correct amount of historical data; do achieve this, it investigate the index retention status. So, how this investigation is done? The app analyze the currentTimePeriodDay value against the frozenTimePeriodDay. To state if an error is found, the app consider 2 possible cases: currentTimePeriodDay > frozenTimePeriodDay + 45: this case is considered unhealthy because indexes are retaining more historical data than expected currentTimePeriodDay < frozenTimePeriodDay: this case is considered unhealthy because indexes are retaining insufficient historical data. For both cases, the suggested workaround is a generic retention and disk space settings tuning. Of course there are more specific error message for each index on every Indexers (we have a menu to select specific Indexers) but this, by my point of view, is a further analysis step; what is not clear, for my team and me, is the foundation logic of app. I mean: how comparison between currentTimePeriodDay and frozenTimePeriodDay should help us to check a good index retention? How are they related? Why if one of them is greater than the other one, this could be an unhealthy symptom?
Labels
