All Posts
Thanks for the update. I am familiar with Windows and PowerShell scripting. The Splunk instance is not managed by me, and the person who manages it has indicated he does not know how to script the restart of the inputs and to clear the keystore. I would like a script to run every night at midnight to complete the above steps. Can you provide some details on how to accomplish this in Splunk? Any help would be greatly appreciated.
It's much easier and doesn't waste your resources if/when you set the old "MC" as a standalone MC after you have a new one up and running. Also, you should remove unnecessary search peers from its distributed search configuration. On a new MC you must also add all needed nodes as distributed search peers to see them on the MC configuration tab, and assign the correct roles to them. For clustered peers it's enough to add the cluster master information, and then it tells you which nodes you have in your cluster at any particular time.
But this won't show the sequence. How can we have a search that shows a successful login after failed logins (in sequence)?
Hi, as @burwell asked, what have you tried? Here are some examples which you could also try, based on your one-line sample.

... | rex "^\w+ \d+ \d\d:\d\d:\d\d \w+ [\w-]+ \w+ [\w\.]+ - (?<User1>[^\[]+)" | eval User1 = rtrim(User1, " ") | rex "CN=(?<User2>[^,]+),OU" ...

r. Ismo
Hi, it's more or less the same situation. You have these three options:
1) Use the Lookup Editor app.
2) Create your own app which contains those definitions and install it. In the Victoria experience you can do it by yourself.
3) On Classic edition you probably still need to create a support case, or create a cloud-vetted private app on Splunkbase from where you (probably) could install it by yourself?
I said that the Lookup Editor app is probably the easiest way to do it unless you are familiar with your own apps and need this otherwise too. https://splunkbase.splunk.com/app/1724 r. Ismo
Hi, one more reason. When a user has been removed (e.g. from AD/LDAP, and Splunk uses those for authentication) then those searches are skipped, as there is no identity to grant access etc. But you will get information about that in messages. There is also a link for those to e.g. reassign them to someone else: Settings -> All configurations -> Reassign KOs. r. Ismo
Thank you for your fast reply. I will try to test it and come back with an output!
Hi, can you clarify what you mean with this? "I am using action.email.to=$result.email_address$ (dynamic email address returned from search). Through this, the email notification is getting sent successfully to all users in $result.email_address$ but is getting sent separately. I want all of the users to be in the To field, so that one email will be sent." If I understood correctly, you can send email to those users but "it's not sent like you want"? r. Ismo
Hi, if you are talking about session timeout (how long it takes before Splunk logs out an idle user) then it's a global, system-wide setting. But as @richgalloway is thinking, @JY1 is probably talking about some other timeout parameter. r. Ismo
Hi, basically you could do it based on this doc: Free trial Splunk Cloud Platform deployments. Of course your app must fulfil the cloud app vetting process, but this is checked when you try to install it. Are you sure that your account has the sc_admin role? r. Ismo
Hi All, I have created an alert that looks for instances with no proper tags. The search in the alert will return the instance name and instance owner. At the scheduled time, an email notification is sent to all owners with the CSV file attached. I am using action.email.to=$result.email_address$ (dynamic email address returned from search). Through this, the email notification is getting sent successfully to all users in $result.email_address$ but is getting sent separately. I want all of the users to be in the To field, so that one email will be sent. Please let me know how we can achieve this. Regards, PNV
Hi, first you must have a definition of what your use case is! Then, after you fully understand it and know what is expected from you, you can start to design it and then implement it. For that you can use e.g. https://lantern.splunk.com/ to look at what Splunk's best practices are for it. r. Ismo
Hi, I don't know if there are any key combinations for this in Splunk's own editor. But you can copy this XML file into e.g. Visual Studio Code and format it there. That also gives you the possibility to store it in git or another version control system. r. Ismo
Hi, there are some examples on the community site of how you can do it (e.g. https://community.splunk.com/t5/Getting-Data-In/Including-specific-incoming-data-from-monitored-log-files/m-p/504800). Basically, first send everything to nullQueue, and then select the events with your keyword and send those to indexQueue. r. Ismo
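As an added illustration of the nullQueue-then-indexQueue pattern described in that reply (this is not the reply's own configuration), the two stanzas below route every event of an assumed sourcetype named app_auth to nullQueue, then route back to indexQueue only the events containing the keywords from the question:

```ini
# props.conf
# "app_auth" is an assumed sourcetype name; replace it with the sourcetype of your log source.
# Transforms in this list are applied in order; a later match overrides an earlier queue assignment.
[app_auth]
TRANSFORMS-filter = drop_all, keep_login_events

# transforms.conf
# Rule 1: match every non-empty event and send it to nullQueue (discarded, not indexed).
[drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Rule 2: events containing one of the wanted keywords are sent to indexQueue instead.
# Add further keywords as alternatives in the regex.
[keep_login_events]
REGEX = Login Failed|User Login
DEST_KEY = queue
FORMAT = indexQueue
```

These stanzas must live on the first Splunk instance that parses the data (indexer or heavy forwarder), not on a universal forwarder, and a restart or reload of that instance is needed for them to take effect.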
Hello everyone, I need to onboard a huge amount of logs, 90% of which are unnecessary. My goal is to ingest only some keywords like "Login Failed", "User Login", etc. I have seen other articles explaining how you can filter events by exclusion using nullQueue. But that doesn't fit my case, because I only know which events I want to ingest using particular keywords. I am looking forward to a hint on how I can proceed on that, if it's possible. Thank you all
As mentioned in the subject, help me with the keyboard shortcut to format HTML and XML code in the dashboard source code editor. For example, I want the code below to be formatted to the code as shown in the "To" section:

<dashboard version="1.1"> <label>Test Dashboard</label> <row> <panel> <html> <h1> <b>Some bold text</b> </h1> </html> </panel> </row> </dashboard>

To:

<dashboard version="1.1">
  <label>Test Dashboard</label>
  <row>
    <panel>
      <html>
        <h1>
          <b>Some bold text</b>
        </h1>
      </html>
    </panel>
  </row>
</dashboard>

I tried using Ctrl+Shift+F, but it is only formatting the XML code in the dashboard source code editor; the HTML code in the dashboard source code editor is not getting formatted and remains as is.
In your search, you need to escape your quotes, like this:

search="search index=list-service source=\"eventhub://sams-jupiter-prod-scus-logs-premium-1.servicebus.windows.net/list-service;\" \"kubernetes.namespace_name\"=\"list-service\" | stats dc(kubernetes.pod_name) as pod_count"

or use single quotes around the search contents:

search='search index=list-service source="eventhub://sams-jupiter-prod-scus-logs-premium-1.servicebus.windows.net/list-service;" "kubernetes.namespace_name"="list-service" | stats dc(kubernetes.pod_name) as pod_count'
Hey @kelstahl8705, thanks... Much appreciated.
Hey @alobuono, could you please brief us here on how you started the installation: 1) what file you are using, 2) VM details, 3) installation steps and the error you are facing. We are happy to assist you! Regards, GKBoss