I have AWS CloudTrail data and want to find out how long an EC2 instance was stopped. Is it possible to subtract the EpochOT from Row 3 to Row 2 and Row 5 to Row 4, etc.?
Hello, I want to install the universal installer on Windows 11. I proceeded according to these instructions. Till now, what I have done is the below steps:
1. Install the Universal Forwarder on Windows (splunkforwarder-9.1.3-d95b3299fa65-x64-release.msi)
2. Download the license file from the cloud portal (splunkclouduf.spl)
3. Download the Windows TA file on Windows (splunk-add-on-for-microsoft-windows_880.tgz)
Now I don't understand how I can proceed with this; please help.
Try this:
LINE_BREAKER = ([\r\n]+)\{[\s\S]+?event\d
SEDCMD-stripStart = s/\{[\s\S]+?"vulnerability":\s\[//
SEDCMD-stripEnd = s/\],[\s\S]+?"next": .*//
The [\s\S]+? construct usually works best at matching embedded newlines.
If you can establish sufficiently unique anchors in your regex, you might be able to use pipe-delimited options e.g. (anchor 1|anchor 2|anchor 3)(?<field>field pattern)
Hi, I could get the results when I run the command. My observation about the lookup file between SH and ES on SH is that the .CSV extension is missing; once added, it's running. I'm trying to understand the below query to implement it. Firstly, the description provided in the use case is not clearly understood. I got this use case from the Splunk SF content search. Does anyone have an idea about this query? https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Protecting_a_Salesforce_cloud_deployment/Spike_in_exported_records_from_Salesforce_cloud
ROWS_PROCESSED>0 EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI
|lookup lookup_sfdc_usernames USER_ID
|bucket _time span=1d
|stats sum(ROWS_PROCESSED) AS rows BY _time Username
|stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'rows',null))) AS rows avg(eval(if(_time<relative_time(maxtime,"-1d@d"),'rows',null))) AS avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),'rows',null))) AS stdev BY Username
|eval lowerBound=(avg-stdev*2), upperBound=(avg+stdev*2)
|where 'rows' > upperBound AND num_data_samples >=7
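To make the logic of that search concrete, here is an added Python re-implementation of the same pipeline over a constructed sample of Salesforce rows (illustrative code, not from the thread or from Splunk Lantern). It assumes maxtime is the latest daily bucket in the data, which the excerpt does not define, that Splunk's stdev is the sample standard deviation, and uses a small dict in place of lookup_sfdc_usernames.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

# Constructed sample of Salesforce EventLogFile-style records (not real data):
# USER_ID 005A exports a steady ~100 rows/day and then 5000 rows on the last day.
def _ts(day):
    return int(datetime(2024, 3, day, 12, 0, tzinfo=timezone.utc).timestamp())

EVENTS = [{"_time": _ts(d), "EVENT_TYPE": "API", "USER_ID": "005A", "ROWS_PROCESSED": r}
          for d, r in zip(range(1, 9), [100, 60, 90, 105, 95, 100, 120, 5000])]
EVENTS.append({"_time": _ts(2), "EVENT_TYPE": "RestAPI", "USER_ID": "005A", "ROWS_PROCESSED": 50})
EVENTS += [{"_time": _ts(d), "EVENT_TYPE": "BulkAPI", "USER_ID": "005B", "ROWS_PROCESSED": 3000}
           for d in (6, 7, 8)]
# Dropped by the base search: a non-API event type, and a row with zero rows processed.
EVENTS.append({"_time": _ts(8), "EVENT_TYPE": "Login", "USER_ID": "005A", "ROWS_PROCESSED": 99999})
EVENTS.append({"_time": _ts(8), "EVENT_TYPE": "API", "USER_ID": "005B", "ROWS_PROCESSED": 0})
USER_LOOKUP = {"005A": "alice", "005B": "bob"}  # stands in for lookup_sfdc_usernames (assumed)

def daily_rows(events, lookup):
    """Base search + lookup + bucket span=1d + stats sum(ROWS_PROCESSED) BY _time Username."""
    totals = defaultdict(int)
    for e in events:
        if e["ROWS_PROCESSED"] <= 0 or e["EVENT_TYPE"] not in ("API", "BulkAPI", "RestAPI"):
            continue
        day = datetime.fromtimestamp(e["_time"], tz=timezone.utc).date()  # the 1d bucket
        totals[(lookup.get(e["USER_ID"], e["USER_ID"]), day)] += e["ROWS_PROCESSED"]
    return dict(totals)

def detect_spikes(totals, min_samples=7, k=2):
    """Second stats + eval + where: flag users whose recent export exceeds avg + k*stdev."""
    # Assumption: maxtime is the latest bucket, so relative_time(maxtime, "-1d@d") is midnight
    # of the day before it; buckets from there on are "recent", earlier ones form the baseline.
    cutoff = max(day for _, day in totals) - timedelta(days=1)
    per_user = defaultdict(dict)
    for (user, day), rows in totals.items():
        per_user[user][day] = rows
    flagged = {}
    for user, days in per_user.items():
        baseline = [r for d, r in days.items() if d < cutoff]
        recent = [r for d, r in days.items() if d >= cutoff]
        if len(days) < min_samples or not recent or len(baseline) < 2:
            continue  # num_data_samples >= 7, and stdev needs at least two baseline points
        avg, sd = mean(baseline), stdev(baseline)
        upper = avg + k * sd
        if max(recent) > upper:
            flagged[user] = {"rows": max(recent), "avg": avg, "stdev": sd,
                             "lowerBound": avg - k * sd, "upperBound": upper}
    return flagged
```

Running detect_spikes(daily_rows(EVENTS, USER_LOOKUP)) flags only alice: her six baseline days average 100 rows with a sample stdev of about 7.07, so the 5000-row day is far above the upperBound, while bob has only three daily samples and never reaches the num_data_samples threshold.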
For the last one, it should be 1+01:02:10 to signify 1 day + 1 hour, 2 minutes and 10 seconds, but since you haven't shown your complete search, it is difficult to know why you are missing the "1+"
This is an old thread so you may be more likely to get responses from a new question. Have you tried untarring the file rather than using the splunk install command? 7-zip can be used to extract the .spl file to %SPLUNK_HOME%\etc\apps
Hi @man03359, if you want the values of the fields separated by comma, you should use eval in this way:
| eval newfield=LocationName.",".EventName.",".ErrorCode.",".summary
Ciao. Giuseppe
I had aws:cloudwatch:metrics to get the custom metrics. Is there any way I can get all the AWS CloudWatch log groups directly rather than mentioning them one by one? Because when a new log group is created we have to reconfigure it, and there is a chance of forgetting to add the new log group.
Hi, I have an output like this:
Location   EventName               ErrorCode          Summary
server1    Mssql.LogBackupFailed   BackupAgentError   Failed backup....
server2    Mssql.LogBackupFailed   BackupAgentError   Failed backup....
Now I am trying to combine all the values of Location, EventName, ErrorCode and Summary into one field called "newfield", let's say using a comma "," or ";". I am trying this command:
| eval newfield= mvappend(LocationName,EventName,ErrorCode,summary)
but the output it is giving is:
server1 Mssql.LogBackupFailed BackupAgentError Failed backup....
The output I am expecting is:
server1,Mssql.LogBackupFailed,BackupAgentError,Failed backup
Hi @SplunkingKnight, not sure what I am doing wrong here. I am setting it in local on my app, but I am getting this on startup, and the colors are still very bright. I am using this to apply it; any help would be great.
We have application data coming from Apache Tomcats and have a regex in place to extract the exception name. But some Tomcats send data in slightly different formats and the extraction doesn't work for them. I have updated regexes ready for these different formats, but want to keep the field name the same, i.e. exception. How do I manage multiple extractions against the same sourcetype while keeping the field names the same? If I add these regexes in transforms, would they end up conflicting with each other? Or should I be creating them as different fields, such as exception1, exception2, and then use coalesce to eventually merge them into a single field?
Again: Splunk won't find something that's not there. Because how should it? So you need to have a list of what you expect, then you make a list of what you have and you compare both lists. You can't get it any other way, because how? If Splunk doesn't have something, it can't tell you what it is. See the link I pointed you to. The question is how you compile that list. You're saying that you have specific sourcetypes "associated" with indexes, so you should have some table. Upload this table to Splunk as a lookup and use this lookup to compare with your search results.
@pacifikn Were you able to find the solution for the mentioned requirement? I too had a similar kind of requirement; if you were able to find the solution, kindly help.
Have you checked if any firewalls are blocking connections to Splunk Cloud? What does splunkd.log say? Please confirm the user that installed the UF. Windows does not have 'root'.