All Posts


I want to get the list of summary indexes configured in Splunk. Please help me with queries to get the summary index and sourcetype.
Hello, when I try to sample data for the WinEventLog sourcetype in Ingest Actions I get an error message: "No results found. Try expanding the time range." Expanding the query I see Splunk using the following, and manually running this query does not return any results either:

index=* OR index=_* sourcetype="WinEventLog" | where sourcetype="WinEventLog" | head 100

However, I do get results when I manually run either:

index=* OR index=_* | where sourcetype="WinEventLog" | head 100

OR

index=* OR index=_* sourcetype="WinEventLog" | head 100

Can someone please explain why the first query may not be working? Is there a different way I should be working with the WinEventLog sourcetype in Ingest Actions? Thanks in advance for your help!
@gcusello, appreciate the response. Yes, this is a DMC that has been operational for ~3 years, and suddenly started doing this. All sources are connected without error. I even removed a few and added them back to see what happened. No immediate change. The interface works... some of the time, about 20%, but I cannot figure out why it suddenly works, and without any change, refresh the screen and it is broken AGAIN. I did update as soon as 9.1.2 appeared hoping that would fix it (updated the entire architecture). No luck, still broken. About to the point where I am simply going to delete it and start over.
Permission Exception while updating rule: User doesn't have CONFIG_TRANSACTION_DETECTION on tier sgh-oaas-broker. I'm getting this error while trying to create a new transaction detection rule [AppDynamics]. How can I get this permission?
Hi @tlmayes, at first: did you configure your DMC to take logs from the other servers? To do this you have to connect the DMC to all the servers to monitor on the 8089 port as a Search Head in Distributed Search. Then, do you have the message "N.A." or something else? If you have "N.A.", are you using the latest Splunk version (9.1.2)? Because the previous version had a bug. Ciao. Giuseppe
I have a couple of questions:
- Are you trying to get rid of the metrics data from Splunk's metrics.log?
- Can you post the props and transforms config that you tried?
What you're trying to do may not "fix" the memory utilization on your container.
Getting a bit more complex, but I think something like this will get you started.

| rex field=_raw "\]\s+(?<log_level>[A-Z]+)\s+(?<log_type>[^\s]+)\s+\-"
| rex field=_raw "\-\s+\([^\)]+\)\s+(?<message_detail>(?:.*(?:[\r\n]+)*)*)"
| rex field=_raw "user\s+\'(?<user>[^\']+)\'"
| rex field=_raw "client\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})\:(?<port>\d+)"
| rex field=_raw "\[TID\:(?<tid>[^\]]+)\]"
| rex field=_raw "\]\s+[A-Z]+\s+[a-zA-Z0-9]+(?:\.[a-zA-Z0-9]+)*\s+\-\s+(?<message>.*)"
| rex field=_raw "(?i)cannot\s+open\s+(?<service>[^\s]+)\s+service\s+on\s+computer\s+\'(?<computer>[^\']+)\'" ``` log_type="Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner" ```
| rex field=_raw "(?i)\s+\-\s+(?<app>.*?)\s+unable\s+to\s+connect\s+to\s+(?<hostname>[^\s]+)\s+with\s+exception\s+(?<exception_type>[^\:]+)\:\s+(?<exception_message>.*)" ``` log_type="Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner" error_message ```
| rex field=_raw "(?i)\s+\-\s+retrieving\s+the\s+(?<class>[^\s]+)\s+class\s+factory\s+for\s+remote\s+component\s+with\s+clsid\s+\{(?<clsid>[^\}]+)\}\s+from\s+machine\s+(?<hostname>[^\s]+)\s+failed\s+due\s+to\s+the\s+following\s+error\:\s+(?<error_code>[^\s]+)"
| rex field=_raw "(?i)(?<exception_type>\w+(\.\w+)*exception)\:\s+(?<exception_message>.*)"

Since the evals to standardize messages probably aren't all that scalable with these logs, it may make sense to set up eventtyping around them to assist with any sort of analysis. Once you have eventtypes set up, they can assist with targeting specific types of events and finding patterns that you can develop regex for to pull out all the necessary fields. Screenshot below for reference of what the above regex should do.
Hello, I am having the same issue, and I understood that it could be due to a license violation. I just found out that even when a license peer can't connect to the license manager for 72 hours it will cause warnings (I'm not sure yet if a single error message = a warning or not!!). Check your internal logs (if you still have them) for this:

index=_internal component=LMTracker ("failed to send rows" OR "unable to connect")

Then I understood that the warning/violation will be reset after 30 days (this period could be different too!), so I am assuming that after 30 days of the violation, the issue will disappear! The other possibility is to change the file /opt/splunk/share/splunk/search_mrsparkle/templates/licensing/overview.html and comment out the section where it checks for the pool quota violation (I haven't tried that yet).
Thanks @dtburrows3, I have another use case: the discovery process from AD to Secret Server, which scans AD, finds the local IDs and creates the ID/password in Secret Server.

1. Sample event:
2024-01-02 11:18:28,597 [CID:] [C:] [TID:131] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - WMI (IIS) Unable to connect to WINDOWS1.mf.win.cisco.com with Exception System.Management.ManagementException: Invalid namespace at System.Management.ThreadDispatch.Start() at System.Management.ManagementScope.Initialize() at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.<>c__DisplayClass10_0.<IsIisRunningWmi>b__0(Object x) - (null)

2. Sample event:
2024-01-02 11:18:14,330 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - Service Controller (IIS) Unable to connect to LINUX.mf.win.cisco.com with Exception System.InvalidOperationException: Cannot open W3SVC service on computer 'LINUX.mf.win.cisco.com'. ---> System.ComponentModel.Win32Exception: Access is denied --- End of inner exception stack trace --- at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) at System.ServiceProcess.ServiceController.GenerateStatus() at System.ServiceProcess.ServiceController.get_Status() at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.IsIisRunningServiceController() - (null)

3. Sample event:
2024-01-02 11:18:06,544 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - Retrieving the COM class factory for remote component with CLSID {45RFGHDH-FFSG-6474-HDHDH-1454TGGD} from machine UBUNTU.mf.win.cisco.com failed due to the following error: 80070005 UBUNTU.mf.win.cisco.com. - (null) System.UnauthorizedAccessException: Retrieving the COM class factory for remote component with CLSID {2YHFDO-3443-4FGDH-5353-RFRRE6} from machine UBUNTU.mf.win.cisco.com failed due to the following error: 80070005 UBUNTU.mf.win.cisco.com. at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.ScanIIS7AndAbove()

4. Sample event:
2024-01-02 11:18:03,664 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - Service Controller (IIS) Unable to connect to IHUIHD13.mf.win.cisco.com with Exception System.InvalidOperationException: Cannot open W3SVC service on computer 'YHGVDJ.mf.win.cisco.com'. ---> System.ComponentModel.Win32Exception: Access is denied --- End of inner exception stack trace --- at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) at System.ServiceProcess.ServiceController.GenerateStatus() at System.ServiceProcess.ServiceController.get_Status() at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.IsIisRunningServiceController() - (null)

Thanks.
Something like this maybe?

<base_search>
| rex field=_raw "\]\s+(?<log_level>[A-Z]+)\s+(?<log_type>[^\s]+)\s+\-\s+(?<message>.*?)\s+\-"
| rex field=_raw "\-\s+\([^\)]+\)\s+(?<message_detail>(?:.*(?:[\r\n]+)*)*)"
| rex field=_raw "user\s+\'(?<user>[^\']+)\'"
| rex field=_raw "client\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})\:(?<port>\d+)"
| rex field=_raw "\[TID\:(?<tid>[^\]]+)\]"

Not familiar with the data, but based on the 2 sample logs you provided I was able to identify a few fields that I think would be useful. You can see from the screenshot below that these fields appear to be successfully extracted. And to standardize the messages (at least for these examples) you can add an eval like this after the field extractions:

| eval standardized_message=replace(replace(message, "client\s+(\d{1,3}(?:\.\d{1,3}){3})\:(\d+)", "client"), "user\s+\'([^\']+)\'", "user")

You can see in the screenshot that the field 'standardized_message' removes any variable data, so you can do some sort of aggregate analysis against the standardized message itself if needed.
Hi friends, could anyone please help me in parsing these events for this use case (whenever we launch RDP/proxy from Secret Server we are seeing some drops in the connection, like one for the client and another for the user)? How can we extract the relevant fields to make a search out of these events?

1. Sample event:
2024-01-02 10:04:01,420 [CID:] [C:] [TID:151] ERROR Thycotic.RDPProxy.CLI.Session.ProxyConnection - Error encountered in RDP handshake for client xx.xx.xx.xx:53475 - (null) System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03 at Thycotic.RDPProxy.ContractSlim.Assert(Boolean condition, String conditionStr, String actualStr) at Thycotic.RDPProxy.Readers.ConnectionRequestProvider.ReadConnectionRequest(Stream stream, AuthenticationState clientState) at Thycotic.RDPProxy.CLI.Session.ProxyConnection.<DoHandshakeAndForward>d__20.MoveNext()

2. Sample event:
2024-01-02 09:27:42,911 [CID:] [C:] [TID:137] ERROR Thycotic.DE.Feature.SS.RdpProxy.EngineRdpProxySessionService - An error was encountered while attempt to fetch proxy credentials for user 'Jhoncena' - (null)

Thanks
Ahh yes it works now, thank you! I was going crazy trying to think of reasons the regex wasn't matching.
Hi all, I am very new to Splunk and trying to avoid sending metrics to Splunk from the sc4s container. Memory consumption is really growing to > 250 MB and we use sc4s only for sending ~100 lines every 10m, so metrics are really not necessary for us. I have tried to set the syslog-ng source s_internal to a null destination but can't make it work. Any advice would be greatly appreciated. Thank you very much, Daniel
Check your permissions in local.meta or default.meta of your test app. If you want these extractions to work in other app contexts then you may need to export and make them readable to your desired roles. Example:

$SPLUNK_HOME/etc/apps/<test_app>/metadata/local.meta

[props/emm_syslog/EXTRACT-emm_syslog]
access = read : [ * ], write : [ admin ]
export = system
I've read the documentation for inline field extractions and I don't see what I'm doing wrong here. I've added a props.conf file to my test app with the following:

[emm_syslog]
LINE_BREAKER = ([\r\n]+)
category = Application
disabled = false
EXTRACT-emm_syslog = <(?<priority>[\d]+)>\d (?<timestamp>\S+) (?<hostname>\S+) (?<app_name>\S+) (?<proc_id>\S+) (?<msg_id>\S+) \[(?<sd_id>\S+) auditType=\"(?<audit_type>\S+)\" tenantId=\"(?<tenant_id>\S+)\"\] (?<message>.*)

This regex matches my test event on regex101.com:

<135>1 2024-01-02T14:34:51.429Z TestServer EMM_Console 9176 FULL [emmAudit@18060 auditType="Console" tenantId="EMM"] "Console","2024-01-02T14:34:51.429+00:00","username","127.0.0.1","","CCON0030","Admin Login",,"Info","SUCCESS","0",,"Admin User Login Success (HTTPS)"

Within the Search app, however, none of these capture groups are extracted. Am I doing something obviously wrong here, or how should I proceed with troubleshooting?
Hi @navarec - I'm a Community Moderator in the Splunk Community. This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
I'm not an AWS expert, but increasing the amount of memory on the instance will probably incur additional cost. The Monitoring Console (MC) should show how much memory searches are using. In the MC, go to Resource Usage -> Resource Usage: Instance.
Hello, I have got similar issue. Were you able to solve it?
Hi, is it possible to:
1st. Export OTEL data to a file (or something)
2nd. Import that file to a new Splunk install?
We have a cluster with 3 INDEXERS and I want to export specific host data out of it and import it to a Test and Development install. Is this possible? @js15 Regards, Robert
Good morning, we had the same error and attempted to resolve it through the same method above, but the difference we have is the fact that we have a cluster of events services. In other words, we have 3 master nodes. One node will work fine, but the other two will start and then shut down, stating that Elasticsearch never started. Is there a similar solution for that?