All Posts

#!/bin/bash
########################## FUNC

# Install the Universal Forwarder from the latest x86_64 RPM linked on the Splunk download page.
function UFYUM(){
  cd /tmp
  rpm -Uvh --nodeps `curl -s https://www.splunk.com/en_us/download/universal-forwarder.html\?locale\=en_us | grep -oP '"https:.*(?<=download).*x86_64.rpm"' | sed 's/\"//g' | head -n 1`
  yum -y install splunkforwarder.x86_64
  sleep 5
}

# Install the Universal Forwarder from the latest amd64 DEB linked on the Splunk download page.
function UFDEB(){
  cd /tmp
  wget `curl -s https://www.splunk.com/en_us/download/universal-forwarder.html\?locale\=en_us | grep -oP '"https:.*(?<=download).*amd64.deb"' | sed 's/\"//g' | head -n 1` -O amd64.deb
  dpkg -i amd64.deb
  sleep 5
}

# Drop a deployment-client app, seed the admin user, then start the forwarder.
function UFConf(){
  mkdir -p /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/
  cd /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/
  cat <<EOF> /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/app.conf
[install]
state = enabled

[package]
check_for_updates = false

[ui]
is_visible = false
is_manageable = false
EOF
  # Point the forwarder at the deployment server (replace the placeholder host).
  cat <<EOF> /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/deploymentclient.conf
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = XXXXXXXXXXXXXXXXXXXXXXX:8089
EOF
  # Seed the initial admin credentials (replace the placeholder password).
  cat <<EOF> /opt/splunkforwarder/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = XXXXXXXXXXXXXXXXXXXXXXXX
EOF
  /opt/splunkforwarder/bin/splunk cmd btool deploymentclient list --debug
  /opt/splunkforwarder/bin/splunk start --accept-license
}

######################################################### MAIN

# Check for RPM package managers
if command -v yum > /dev/null; then
  UFYUM
  UFConf
else
  echo "No YUM package manager found."
fi

# Check for DEB package managers
if command -v dpkg > /dev/null; then
  UFDEB
  UFConf
else
  echo "No DEB package manager found."
fi
Got a nasty gram for posting links. Search online for freeload101 github, in scripts: Splunk_UniversalForwarder_Installer.bash
@NoSpaces - That could be true, because Splunk applies timestamp parsing before transforms (nullQueue). I hope this helps you understand why you are seeing the log. Please upvote and accept if this helps and resolves your query!!!
Hi. Perhaps you can show what your output looks like, but basically whatever the final fields are in the search results, those are the fields that can be used in the email. What I often do is format special fields to use in email/Slack that are easier for the user to see. For example, I have a search that shows me missing indexers in a cluster manager. My code snippet is

| eval cluster_manager=host
| stats count by missing_indexer,cluster_manager
| eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")"
| eventstats values(missing_indexer_cm) as missing_indexer_cm

I create a new field missing_indexer_cm which combines the two fields missing_indexer and cluster_manager. So the output is approximately this:

missing_indexer  cluster_manager  count  missing_indexer_cm
---------------  ---------------  -----  --------------------------
idx1.foo.com     cm3.foo.com      42     idx1.foo.com (cm3.foo.com)

And then in alerting I use $result.missing_indexer_cm$, but when users click on the results of the search they see the above with all the info.
@pujan - To tell you simply what "Universal Forwarder Credentials" is:
* An app that contains an SSL certificate and other stuff for the Splunk UF to send data to your Splunk Cloud stack.
* Also, I think it contains outputs.conf, to specify where data is going to be forwarded (the address of your cloud stack).

To collect the Windows logs, as I can see you have already downloaded the Add-on for Windows. You can follow its documentation to see how to configure the inputs - https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows

If you have more than 2-3 Windows forwarders to deploy the same Windows input on, I would prefer to deploy all these apps, including the UF Cloud Credentials app, via the deployment server. Reference - https://docs.splunk.com/Documentation/Splunk/9.1.3/Updating/Configuredeploymentclients

I hope this helps!!!
Does adding | addinfo help you @Mindy_McTiernan? https://www.splunk.com/en_us/blog/tips-and-tricks/i-cant-make-my-time-range-picker-pick.html

| eval unixtime_Opened_At
| eval _time=unixtime_Opened_At
| addinfo
| timechart ...
Hi @ezamit, the solution from @ITWhisperer is perfect! Ciao. Giuseppe
@raghul725 - You can use the token inside the subject of the Splunk email action, but it will take the first value from the field instead of the total. To do that, use this in your query instead of addcoltotals:

my_search | chart count AS XXXX by YYYY | appendpipe [| stats sum(File_Count) as Total_Delivered]

Use something like this in the subject of the email:

Files count is $result.Total_Delivered$

Reference - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Alert/EmailNotificationTokens

I hope this helps!!!
| eval "delta(EpochOT)" = if(NO % 2 = 0, null(), 'delta(EpochOT)')
Thanks @gcusello. That's a great suggestion. I added | delta EpochOT p=1 to the search and it gave me the following results. Is there a way we can do every other row in delta? I want Row 3 - Row 2, Row 5 - Row 4, Row 7 - Row 6, etc. Thanks again for your help.
I'm literally getting this same error. Any solutions other than basically rebuilding?
Hello,

I am using the addcoltotals command to get the total value of a column, and I would like to display the value returned by addcoltotals in the subject of the email when an alert is triggered.

my_search | chart count AS XXXX by YYYY | addcoltotals labelfield="Total Delivered"

The output is

Files | Files_Count | Total Delivered
F1    | 3           |
F2    | 5           |
F3    | 3           |
      | 11          | Total

I would like 11 to be displayed in the subject line. Tried various tokens but could not get it working.

Regards
Hi @ezamit, did you explore the delta command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)? Ciao. Giuseppe
Thank YOU!!! That worked after hours of searching!
I have AWS CloudTrail data and want to find out how long an EC2 instance was stopped. Is it possible to subtract the EpochOT of Row 3 from Row 2, Row 5 from Row 4, etc.?
Hello, I want to install the universal forwarder on Windows 11. I proceeded according to these instructions:

So far I have done the steps below:
1- Installed the Universal Forwarder on Windows (splunkforwarder-9.1.3-d95b3299fa65-x64-release.msi)
2- Downloaded the license file from the cloud portal (splunkclouduf.spl)
3- Downloaded the Windows TA file on Windows (splunk-add-on-for-microsoft-windows_880.tgz)

Now I don't understand how to proceed with this, please help.
Try this

LINE_BREAKER = ([\r\n]+)\{[\s\S]+?event\d
SEDCMD-stripStart = s/\{[\s\S]+?"vulnerability":\s\[//
SEDCMD-stripEnd = s/\],[\s\S]+?"next": .*//

The [\s\S]+? construct usually works best at matching embedded newlines.
If you can establish sufficiently unique anchors in your regex, you might be able to use pipe-delimited options, e.g. (anchor 1|anchor 2|anchor 3)(?<field>field pattern)