All Posts

Hi, here is one old post which is talking about AWS AMI-based installations: https://community.splunk.com/t5/Installation/EC2-from-AMI-having-splunk-installed-stops-working/m-p/669633#M13418 I think that you should find your answer in it? r. Ismo
As I already said, first you MUST define what your use case actually is. Without that information it's impossible to look for an answer to a question which is not known.
Hi, your example picks those <Entry> lines into one event and the rest are separate events. So basically this is working, but the output is not what you are expecting? How would you like to divide this into separate events? Can you also add some more events/rows, or are events always like this? r. Ismo
1. Disable all inputs.
2. Clean the KV store: splunk clean kvstore -app TA_MS_Teams -collection TA_MS_Teams_checkpointer
3. Enable the inputs in this order: webhook, subscription, call record.
Hi Sir, which one do I have to use, sir?
Thanks for the update. I am familiar with Windows and PowerShell scripting. The Splunk instance is not managed by me, and the person who manages it has indicated he does not know how to script the restart of the inputs and clearing the keystore. I would like a script to run every night at midnight to complete the above steps. Can you provide some details on how to accomplish this in Splunk? Any help would be greatly appreciated.
It's much easier and doesn't waste your resources if/when you set the old "MC" as a standalone MC after you have a new one up and running. Also, you should remove unnecessary search peers from its distributed search configuration. On a new MC you must also add all needed nodes as distributed search peers to see them on the MC configuration tab, and assign the correct roles to them. For clustered peers it's enough to add the cluster master information, and then it tells you which nodes you have in your cluster at any particular time.
But this won't show the sequence; how can we have a search that shows a successful login after failed logins (in sequence)?
Hi, as @burwell asked, what have you tried? Here are some examples which you could also try, based on your one-line sample.
... | rex "^\w+ \d+ \d\d:\d\d:\d\d \w+ [\w-]+ \w+ [\w\.]+ - (?<User1>[^\[]+)" | eval User1 = rtrim(User1, " ") | rex "CN=(?<User2>[^,]+),OU" ...
r. Ismo
Hi, it's more or less the same situation. You have those three options:
- Use the lookup editor app.
- Create your own app which contains those definitions and install it. In Victoria experience you can do it by yourself.
- On Classic edition you probably still need to create a support case, or create a cloud-vetted private app on Splunkbase from where you (probably) could install it by yourself?
I said that the lookup editor app is probably the easiest way to do it, unless you are familiar with your own apps and need this otherwise too. https://splunkbase.splunk.com/app/1724 r. Ismo
Hi, one more reason. When a user has been removed (e.g. from AD/LDAP, and Splunk uses those for authentication) then those searches are skipped, as there is no identity to grant access etc. But you will get information in Messages for that. There is also a link there to e.g. reassign those to someone else: Settings -> All configurations -> Reassign KOs. r. Ismo
Thank you for your fast reply, I will try to test it and come back with an output!
Hi, can you clarify what you are meaning with this? "I am using action.email.to=$result.email_address$ (dynamic email address returned from search). Through this, the email notification is getting sent successfully to all users in $result.email_address$ but is getting sent separately. I want all of the users to be in the To field, so that one email will be sent." If I understood correctly, you can send email to those users but "it's not sent like you want"? r. Ismo
Hi, if you are talking about session timeout (how long it takes before Splunk logs out an idle user) then it's a global, system-wide setting. But as @richgalloway is thinking, @JY1 is probably talking about some other timeout parameter. r. Ismo
Hi, basically you could do it based on this doc: Free trial Splunk Cloud Platform deployments. Of course your app must fulfil the cloud app vetting process, but this is checked when you try to install it. Are you sure that your account has the sc_admin role? r. Ismo
Hi All, I have created an alert that looks for instances with no proper tags. The search in the alert will return the instance name and instance owner. At the scheduled time, an email notification is getting sent to all owners with the CSV file attached. I am using action.email.to=$result.email_address$ (dynamic email address returned from search). Through this, the email notification is getting sent successfully to all users in $result.email_address$ but is getting sent separately. I want all of the users to be in the To field, so that one email will be sent. Please let me know how we can achieve this? Regards, PNV
Hi, first you must have a definition of what your use case is! Then, after you fully understand it and know what is expected from you, you can start to design it and then implement it. For that you can use e.g. https://lantern.splunk.com/ to look at what Splunk's best practices for it are. r. Ismo
Hi, I don't know if there are any key combinations for this in Splunk's own editor. But you can copy this XML file into e.g. Visual Studio Code and format it there. That also gives you the possibility to store it in git or another version control system. r. Ismo
Hi, there are some examples on the community of how you can do it (e.g. https://community.splunk.com/t5/Getting-Data-In/Including-specific-incoming-data-from-monitored-log-files/m-p/504800). Basically, first send everything to nullQueue, and then select the events with your keyword and send those to indexQueue. r. Ismo