All Posts

Can anyone help please.
Hi @gcusello, thanks for responding. I figured out that the report was not being shown because of the eval command in the search (marked in red). When I remove the line and save the report, I can see the report when the filter is applied. Not sure how the eval command could affect the report. Regards, Pravin
Hi @Jack90, this is exactly what I meant: see if there's a role to use as a starting point, then clone it (don't use inheritance!) and eventually modify it before saving. Ciao. Giuseppe
Hi, but do you mean all 13 capabilities for power user? I am trying to find what they actually do, to determine if they should be user/power/admin. BR J
Hi @Jack90, it depends on what the new role has to do. Anyway, surely not the admin role, eventually power user. Ciao. Giuseppe
@R15 Odd question for you, but did you run the fillnull command?
Hi Gcusello, thank you for the quick reply. OK, I understand, but I couldn't find in the Splunk documentation the information on what those capabilities do. I am not sure if the "user" role should be granted them, or only the "admin" role. BR J
Hi @brat_1990, rsyslog and SC4S require a Linux UF. In the documentation it is described (I never tried it) that it's possible to enable syslog receiving also on a Windows Universal Forwarder (surely it's possible on a Heavy Forwarder), obviously by manually inserting the inputs in the inputs.conf file. Ciao. Giuseppe
Hi, I am new to Splunk, and I am doing some testing with Blue Prism Data Gateway with Splunk. How can I get the Splunk URL and API token?
Hello, I'm looking for assistance with a webmail-only report. I ran a query and I only got ActiveSync output; my customer is only interested in OWA, not ActiveSync, as a report for their users. Code which produced only ActiveSync:

index="iis_logs_exchxxx" sourcetype="iis" s_port="443" c_ip!="10.*" c_ip!="127.0.0.1" c_ip!="::1" cs_method!="HEAD" cs_username="*@domain.com"
| iplocation c_ip
| eval alert_time=_time
| convert ctime(alert_time) timeformat="%m/%d/%Y %H:%M:%S %Z"
| table alert_time,cs_username,cs_User_Agent,c_ip, City, Region, Country
| stats values(c_ip) by alert_time,cs_username,cs_User_Agent,City,Region,Country
| rename cs_username AS "Username", values(c_ip) AS "IP addresses", cs_User_Agent AS "Device Type", alert_time AS "Date/Time"
Hi @dm2001, it's been a long time since I used tokens in JavaScript, but when I used them I usually had these methods:

// mvc is the splunkjs/mvc module loaded in the dashboard's JS
var defaultTokenModel = mvc.Components.getInstance('default', { create: true });
var submittedTokenModel = mvc.Components.getInstance('submitted', { create: true });

// set a token in both the default and the submitted token models
function setToken(name, value) {
    defaultTokenModel.set(name, value);
    submittedTokenModel.set(name, value);
}

// remove a token from both token models
function unsetToken(name) {
    defaultTokenModel.unset(name);
    submittedTokenModel.unset(name);
}

Then in your JS you can use the methods freely to set any token to a value or unset them. I hope it helps.
Hi @Jack90, about user features I usually copy the same features of the User role, but without inheritance, to avoid that the new role has the same indexes access grants: you have to manually enable the same features or (easier) you can clone the User role, changing the indexes access grants. Ciao. Giuseppe
Hi, I am running Splunk Stream to collect DNS data from Domain Controllers. On some of the busy DCs the Splunk_TA_stream is generating lots of the following errors:

ERROR [9412] (SplunkSenderModularInput.cpp:435) stream.SplunkSenderModularInput - Event queue overflow; dropping 10001 events

Looking at the Splunk Stream Admin - Network Metrics dashboard, these seem to occur at the same time the Active Network Flows seem to be hitting a limit. I would like to increase the number of network flows allowed in an attempt to stop the event queue overflows. Looking at the documentation I can see 2 configurations that seem relevant:

maxTcpSessionCount = <integer>
* Defines maximum number of concurrent TCP/UDP flows per processing thread.
processingThreads = <integer>
* Defines number of threads to use for processing network traffic.

Questions:
1) What is the default for maxTcpSessionCount and processingThreads?
2) Which parameter would it be better to increase? Also, are these the correct parameters to be looking to tune with the errors I am getting? If not, what should I look at?
Hi @gcusello, appreciate your response and support. Since we are using a Windows server for the application, I might want to know more about this aspect, please. The below link suggests using a UF to monitor TCP/UDP; please share your take on the same: "Both Splunk Enterprise and the universal forwarder support monitoring over UDP". Also, I would like to know if the SC4S app can be installed directly on the Windows server or if it needs any *nix environment to work.
Hi @Mohamad_Alaa, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
Hello, I am managing Splunk roles. I want to adjust capabilities for roles, but unfortunately for a few of them I did not find what exactly they do. Searching did not give me results, or the results were not satisfying. If you have some extract with all capabilities and their descriptions, please advise me what exactly the following capabilities do (screenshot attached).
Can anyone please tell me the scenario-based interview questions for the Splunk admin role?
@tscroggins @rasad4468 @richgalloway @PickleRick Can we use this method to blacklist, like this?

blacklist3 = EventCode=%^4688$% Message=%SplunkUniversalForwarder%
blacklist4 = EventCode=%^4688$% Message=%Tanium%
blacklist5 = EventCode=%^4688$% Message=%Rapid7%

My raw events are showing like this after adding it; why?
Problem solved, I appreciate all your responses. Once I search in the SH, I should use the parameter splunk_server=* in order to see results. So obviously this was my issue, as I should see results without such a parameter. I modified the below on the SH and it solved it:

C:\Program Files\Splunk\etc\system\local\distsearch.conf
[distributedSearch:dmc_group_indexer]
default = false