All Posts

This may not be elegant... Try to include an assertion in the exception handling to see if it works:

    except Exception as e:
        print("The script threw an exception.")
        assert False, "other exception"

After the job has run, you will notice the session fails because of the assertion failure. Regards, Terence
Hi @krutika_ag ... what @richgalloway said was an excellent answer. For Splunk newbies, let me rephrase it (the URL link for your reference: https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/Monitorfilesanddirectories) as follows:

How the forwarder monitors archive files
In order to monitor archived files, forwarders decompress archive files, such as a TAR or ZIP file, prior to processing. Splunk then processes these files in a "single threaded format" (there are pros and cons, but that is a different topic). The following types of archive files are supported:
- TAR
- GZ
- BZ2
- TAR.GZ and TGZ
- TBZ and TBZ2
- ZIP
- Z

If you add new data to an existing archive file, the forwarder reprocesses the entire file rather than just the new data. This can result in event duplication. So, to avoid duplication, you should monitor the whole archive file. Let's say these files are small; then you can monitor the whole archive and the license usage may not be impacted so much (the search time vs index time trade-off should be considered clearly and well planned for this task).

One more thing to consider: are you using UF or HF, or both, or neither (you may directly upload through the SH GUI; Splunk Support does not support this deployment model).

Hope this helped some new Splunkers, thanks.
Hi, I have a synthetic script that sometimes ends a run as a "broken job". I see in the documentation that this happens because of an unhandled exception. So I added:

    try:
        ....
        wait.until(EC.element_to_be_clickable((By.ID, "username"))).click()
    except Exception as e:
        print("The script threw an exception.")

But now, the script runs and if the job has a timeout exception the job status shows as "success", but I can see in the script output that it printed "The script threw an exception." How do I make it so that if an exception is thrown the script status shows as failed? Thanks, Roberto
Hi @krutika_ag, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
@jbanAtSplunk - It's not documented anywhere what you are trying to achieve. I would suggest opening a Splunk support ticket with Splunk.   I hope this helps!!! Kindly upvote if it does!!
Splunk cannot monitor a single file within a zip file.  You must monitor the entire zip file or have a script extract the desired file into a monitored location.
Hi All, there are 50 zip files in a folder, and in those zip folders there are many other files (log/txt/png), out of which I want to monitor a specific log file. Below is the code I have written, but it is failing to monitor that log file; please suggest.

    [monitor:///home/splunk/*.zip:./WalkbackDetails.log]
    disabled = false
    index = ziptest
This is the query that helped me get the required output.

    index=_internal sourcetype=splunkd
    | stats count by source,host
    | regex source="(?:\/|\x5c)splunkd\.log$"
    | rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"
Everything ingested by Splunk should have props.conf settings. Start with the "Great 8": LINE_BREAKER, SHOULD_LINEMERGE, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TRUNCATE, EVENT_BREAKER_ENABLE, and EVENT_BREAKER.

Field extraction from events like this is tricky because the field delimiter is also an allowed character within a field. It means using lookahead to determine if the current character is part of a field name or field value. As it turns out, Splunk is not great with lookahead. Try these settings to see if they work for you.

props.conf:

    [mysourcetype]
    SHOULD_LINEMERGE=true
    LINE_BREAKER=([\r\n]+)
    NO_BINARY_CHECK=true
    TIME_PREFIX=\s\d\s
    TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
    TRANSFORMS-extract = tripwire_fields
    TRUNCATE = 10000
    EVENT_BREAKER_ENABLE = true
    EVENT_BREAKER = ([\r\n]+)

transforms.conf:

    [tripwire_fields]
    REGEX = (\w+)=(.*?)(?=\s\w+=)
    FORMAT = $1::$2
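As an added example (not the poster's own code), here is the transforms.conf regex from the post run with Python's re module over a constructed line, so you can see exactly which key/value pairs FORMAT = $1::$2 would receive before deploying it. It assumes Python's regex engine agrees with Splunk's PCRE for this pattern; the end-of-line variant and the sample line are my additions.

```python
import re

# Regex exactly as in the transforms.conf stanza in the post above.
TRIPWIRE_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=)")

# Variant (my addition, not the post's): also accept end-of-line as a
# terminator, so the final key=value pair, which has no following key for the
# lookahead to see, is captured as well.
TRIPWIRE_RE_EOL = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample line, not real Tripwire output. "Rule Name" has a space
# inside the key, which is the case the post describes as tricky: the lazy
# value match runs until the next "<word>=" it can see, so "Rule" ends up
# glued to the previous value and the key is extracted as just "Name".
SAMPLE = "Node=web01 Rule Name=Critical System Files Element=/etc/passwd Severity=100"


def extract(line, pattern=TRIPWIRE_RE):
    """Return (key, value) pairs in the order the pattern extracts them, i.e.
    what FORMAT = $1::$2 would hand to Splunk for this line."""
    return pattern.findall(line)


def unterminated_pairs(line):
    """Pairs the end-of-line variant finds that the original pattern misses.
    For a well-formed line that is only the trailing field."""
    seen = extract(line)
    return [pair for pair in extract(line, TRIPWIRE_RE_EOL) if pair not in seen]


if __name__ == "__main__":
    for key, value in extract(SAMPLE):
        print(f"{key}::{value}")
    print("missed by the lookahead:", unterminated_pairs(SAMPLE))
```

Run it against a handful of real lines from your own sourcetype before shipping the stanza; the trailing-field drop and the space-in-key case are the two things worth checking.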
Self resolved. Splunk 9.1.2 was not compatible with ITSI 4.11.6. Therefore, downgrading Splunk 9.1.2 allowed us to upgrade ITSI.
Most Simplified Explanation

!= is a field expression that returns every event that has a value in the field, where that value does not match the value you specify. Events that do not have a value in the field are not included in the results. For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are returned. Events that do not have a Location value are not included in the results.

On the other hand, NOT is an operator that returns every event except the events that contain the value you specify. This includes events that do not have a value in the field. For example, if you search using NOT Location="Calaveras Farms", every event is returned except the events that contain the value "Calaveras Farms". This includes events that do not have a Location value.

Here's an example to illustrate the difference between the two methods. Suppose you have the following events:

    ID     Name        Color     Location
    101M3  McIntosh    Chestnut  Marin Meadows
    104F5  Lyra        Bay
    104M6  Rutherford  Dun       Placer Pastures
    101F2  Rarity                Marin Meadows
    102M7  Dash        Black     Calaveras Farms
    102M1  Roan
    101F6              Chestnut  Marin Meadows
    104F4  Pinkie      Sorrel    Placer Pastures

If you search with Location!="Calaveras Farms", every event that has a value in the Location field, where that value does not match Calaveras Farms, is returned. Events that do not have a value in the Location field are not included in the results. The following events are returned:

    ID     Name        Color     Location
    101M3  McIntosh    Chestnut  Marin Meadows
    104M6  Rutherford  Dun       Placer Pastures
    101F2  Rarity                Marin Meadows
    101F6              Chestnut  Marin Meadows
    104F4  Pinkie      Sorrel    Placer Pastures

If you search with NOT Location="Calaveras Farms", every event is returned except the events that contain the value Calaveras Farms. This includes events that do not have a Location value. The following events are returned:

    ID     Name        Color     Location
    101M3  McIntosh    Chestnut  Marin Meadows
    104F5  Lyra        Bay
    104M6  Rutherford  Dun       Placer Pastures
    101F2  Rarity                Marin Meadows
    102M1  Roan
    101F6              Chestnut  Marin Meadows
    104F4  Pinkie      Sorrel    Placer Pastures
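As an added example (not from the post), a small Python model of the two semantics run over the post's own event table. It also reports the gap between them, which is the check to run on an exclusion filter in a detection search: `!=` silently drops every event that lacks the field, so a search meant to exclude one known-good value can also hide all events where the field was never extracted.

```python
# Constructed copy of the post's event table; an absent key means the field
# has no value in that event.
EVENTS = [
    {"ID": "101M3", "Name": "McIntosh", "Color": "Chestnut", "Location": "Marin Meadows"},
    {"ID": "104F5", "Name": "Lyra", "Color": "Bay"},
    {"ID": "104M6", "Name": "Rutherford", "Color": "Dun", "Location": "Placer Pastures"},
    {"ID": "101F2", "Name": "Rarity", "Location": "Marin Meadows"},
    {"ID": "102M7", "Name": "Dash", "Color": "Black", "Location": "Calaveras Farms"},
    {"ID": "102M1", "Name": "Roan"},
    {"ID": "101F6", "Color": "Chestnut", "Location": "Marin Meadows"},
    {"ID": "104F4", "Name": "Pinkie", "Color": "Sorrel", "Location": "Placer Pastures"},
]


def field_not_equal(events, field, value):
    """Model of  field!="value":  keep events that HAVE the field and whose
    value differs. Events without the field are dropped."""
    return [e["ID"] for e in events if field in e and e[field] != value]


def not_field_equal(events, field, value):
    """Model of  NOT field="value":  keep every event except those whose field
    equals the value. Events without the field pass through."""
    return [e["ID"] for e in events if not (field in e and e[field] == value)]


def missing_field_gap(events, field, value):
    """IDs that NOT returns but != silently drops: exactly the events with no
    value in the field. A non-empty result on a detection search's exclusion
    clause means the != form is hiding events the search never looked at."""
    kept_by_not = set(not_field_equal(events, field, value))
    kept_by_ne = set(field_not_equal(events, field, value))
    return sorted(kept_by_not - kept_by_ne)


if __name__ == "__main__":
    print('Location!="Calaveras Farms"  ->', field_not_equal(EVENTS, "Location", "Calaveras Farms"))
    print('NOT Location="Calaveras Farms" ->', not_field_equal(EVENTS, "Location", "Calaveras Farms"))
    print("dropped only by != ->", missing_field_gap(EVENTS, "Location", "Calaveras Farms"))
```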
Hi @Gomathy.Govindarajan, I recently started using this community a little more regularly now; I see you posted this quite some time back. Were you able to find a solution for your issue? If yes, would you mind posting the solution you applied? It will help me and may help others as well. Thank you, Mahendra Shetty
I appreciate all the help and apologize for my late response. I am still a low man on the totem pole and have been trying to research more into this with the recommendations. The file gets automatically updated periodically with all the new intel we ingest, this one specifically regarding malicious URLs. My higher-up recently suggested a recommendation from a 13 year old Splunk community post to try and fix this issue (https://community.splunk.com/t5/Splunk-Search/Lookup-table-Limits/m-p/75336). I am not familiar with this recommendation so I need to look into it. If anyone believes this is not a good recommendation from a 13 year old post then please let me know. Thank you very much.
I think the addition of a few evals can account for the error line as well. Maybe something like this?

    <base_search>
    | rex field=_raw "Processing\s+(?<process>[^\-]+)\-"
    | rex field=_raw "Person\s+Name\:\s+(?<person_name>[^\,]+)\,"
    | sort 0 +_time
    | streamstats reset_before="("isnotnull(process)")" values(process) as current_process
    | streamstats window=2 first(_raw) as previous_log
    | rex field=previous_log "Person\s+Name\:\s+(?<previous_log_person_name>[^\,]+)\,"
    | eval checked_person_name=if(match(previous_log, "\-Check\s+for\s+Person\-"), 'person_name', null()),
           status_error_person=if(match(previous_log, "Person\s+Name:\s+") AND match(_raw, "\-error\s+in\s+checking\s+status"), 'previous_log_person_name', null())
    | stats min(_time) as _time by current_process, status_error_person
    | fields + _time, current_process, status_error_person
Hi, Everyone! Not everyone starts with a vanilla environment. How do you address your customization needs with agent management? Come check out the existing questions here: Smart Agent FAQ | Custom configuration files, monitors, and extensions. What do you think? Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! Planning your Smart Agent installation mise-en-place? Get the facts, encouragement, and inspiration here: Smart Agent FAQ | Getting Started: Installation. What do you think? Don't forget to ask your own questions and share your insights! As a community, we are all here to help! Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! So, what can you expect from the Agent Management UI? There are many new improvements to the user interface to support agent management, and we have been addressing many questions that are sure to help you on your journey. Controller Agent Management console? RBAC? Check out these and other UI-related frequently asked questions here: Smart Agent FAQ | Agent Management User Interface. What do you think? Have a question of your own? Post it here and let us help. Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Post your questions here and let us help. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! Thinking about how Smart Agent integrates with your CI/CD pipelines? Is agent management encouraged for existing CI/CD pipelines? Um..., yes! See the details here, and please share your questions and impressions below: Smart Agent FAQ | Tooling Pipeline Guidelines. What do you think? Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate a quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
@dtburrows3 We are so close. Actually I did not mention the error. The logs look like this:

    ----error in checking status--------
    ----Person Name: abcd, Status=active---------
    -----Check for Status------
    ------success : true--------
    -----Start  Processing XXX----------

So I want to get the Person name for only "error in checking status".
Following three logs:
- "Unexpected event id" (9.1.2 still logs)
- "Invalid ACK received from indexer" (9.1.2 should not log)
- "Got unexpected ACK with eventid" (9.1.2 should not log)

What exactly is the issue you are hitting?