All Posts

Hi,

How have you installed your Splunk into your AMI, and how have you configured it before you created the AMI from that EC2 node? I suppose that you haven't cleared the GUID for that instance before you created it as an AMI? Here are instructions on how to do it for Windows UF clients: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Integrateauniversalforwarderontoasystemimage Unfortunately I'm afraid that this is not working on Linux? But you could try the next:

Clean event data:
  splunk stop
  splunk clean eventdata
Remove $SPLUNK_HOME/etc/instance.cfg
Remove current hostname etc. from $SPLUNK_HOME/etc/system/local/*.conf files

Probably something else is also needed, and if you have anything specific you should add/remove those based on your needs. Another option (even better) is to use a standard AMI without the Splunk part and have some automation which installs the needed Splunk UF version and needed configurations every time you launch a new EC2 node.

r. Ismo
Thanks. How about the output of splunk list inputstatus, as @PickleRick asked? That command shows what files it has read and how much it has managed. Also you could try splunk btool inputs list monitor:///home/sicpa_operator/deploy/PROD/machine/monitoring/ --debug to see if there are some weird defaults defined somewhere for your inputs.
What search are the alerts using? What events do you have already ingested into Splunk?
How should I try to count the number of successes and failures? With the Alert rules I can't seem to find a way to count the number of successes and failures in my browser test. Maybe I'm missing something.
I've set up Splunk on one of my EC2 instances and created an AMI from it. However, when I launch new EC2 instances using this AMI, Splunk stops working on the original EC2 instance. What could be causing this issue? And it is not working on the new machine either.
I don't know this app, but the first thing I'd do with any such issue would be to do "open in search" on those panels, see what the underlying search is, and try to see why it's not working properly. Maybe it expects other data than you have. Maybe it searches in the wrong place...
Hi, I have one problem:
Splunk ver. 9.1.1
pymqi version: 1.12.10
client MQ ver. 9.2
When I download messages from 'IBM MQ' I receive the following error:

ERROR ExecProcessor [678315 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-mq/bin/mqinput.py" Exception occurred while handling response output: 'ascii' codec can't decode byte 0xf1 in position 0: ordinal not in range(128) mqinput_stanza:mqinput://TEST_MQ
The question is what logs you are ingesting from that host. If you have TA_nix installed, you can use the uptime.sh input to get the system's uptime.
You should extend the search to cover a period of time and count how many times the test succeeds and how many times it fails. From this, you can work out a percentage success rate. Use this in your alert.
Hi Splunkers, in our environment we are collecting Microsoft Windows logs that currently come in XML format. The customer demands that we switch off XML: on the Splunk console, he wants to see logs in the legacy/traditional format and not the XML one. I don't remember how this can be achieved; am I wrong, or do I have to change a parameter in the add-on configuration? By the way, these are the essential data for our scenario:

Collection mode: UF installed on each Windows data source. Logs are sent to an HF and then to Splunk SaaS, so the final flow is: log sources (with UF) -> HF -> Splunk SaaS (both Core and ES).
UF management: all UFs are managed with a Deployment Server.
Add-on used: the "classic" one, https://splunkbase.splunk.com/app/742
Add-on installation: on both the SaaS env and the HF.
Hi, I have a Nanolog Streaming Service (NSS) from Zscaler that I have connected to Splunk. The problem is it doesn't show any data on the dashboard. But if I look into 'search', there is data. This is the feed output format I have configured on the Zscaler Admin Portal for my Splunk feed:

"%s{time}","%s{login}","%s{proto}","%s{eurl}","%s{action}","%s{appname}","%s{appclass}","%d{reqsize}","%d{respsize}","%s{urlclass}","%s{urlsupercat}","%s{urlcat}","%s{malwarecat}","%s{threatname}","%d{riskscore}","%s{dlpeng}","%s{dlpdict}","%s{location}","%s{dept}","%s{cip}","%s{sip}","%s{reqmethod}","%s{respcode}","%s{ua}","%s{ereferer}","%s{ruletype}","%s{rulelabel}","%s{contenttype}","%s{unscannabletype}","%s{deviceowner}","%s{devicehostname}","%s{keyprotectiontype}"

Any suggestions on how I can further troubleshoot?
Hi, currently I have a browser test set up, and I would like it so that if the uptime falls below 98% an email is sent out to certain people. However, the alerting with uptime now works on a per-test basis, in that the uptime is either 100 or 0 if a test fails. How can I set it so that the uptime is viewed throughout a period of time and not per test? The image below might show better what I mean with what I currently have.
I have installed the Akamai add-on for Splunk on our HF: https://splunkbase.splunk.com/app/4310 I followed the documentation, but after installing the add-on I am not seeing any option to add an API input. It shows only a dashboard. I am not seeing any option called "Akamai Security Incident Event Manager API" under data inputs, so I am not able to ingest data. Can anyone help here please?
I have search result outputs as the following:

tactic                                                   technique         searchName
Data from Information Repositories                       collection        search Name A
Valid Accounts                                           persistence       search Name B
Use Alternate Authentication Material: Pass the Ticket   lateral movement  search Name C

and so on... I need to add a dashboard panel as shown below. I need help with the search query for my dashboard panel, where the count of custom searches created is displayed for every technique.
Hello Ismo, the inputs.conf definition looks like this:

[monitor:///home/sicpa_operator/deploy/PROD/machine/monitoring/*production_statistics.csv]
index = sts
disabled = false
sourcetype = STSLOGMPPS
crcSalt = <SOURCE>

By *production_statistics.csv I make sure all the files have to be synced; they only contain different dates at the beginning of each file name. It seems I'm able to sync only the files from the deployment date. This means files from the date when the UF was deployed are synced, but everything before is not. BR
Hi, I have a dashboard that uses HTML links for logging on to devices via VNC, SSH, SCP etc. After a short maintenance on the server, it now does not recognise all of them as links anymore. ssh2 and vnc2 are fine, but the rest are a no-go... Neither Chrome nor Edge nor Firefox see them as links.

<panel>
  <html>
    <p align="center">
      <a href="vnc:$exampleIp$" target="_blank">VNC</a>
    </p>
    <p align="center">
      <a href="scp://admin:password@$exampleIp$" target="_blank">SCP</a>
    </p>
    <p align="center">
      <a href="http://$exampleIp$" target="_blank">WEB</a>
    </p>
    <p align="center">
      <a href="ssh2://admin:password@$exampleIp$/">SSH</a>
    </p>
    <p align="center">
      <a href="vnc2:$exampleIp$:5901" target="_blank">VNC2</a>
    </p>
  </html>
</panel>

Inspected element:
I am collecting logs from an Ubuntu server (16.04) using Splunk and would like to create an alert for when the Ubuntu system restarts. Does anyone know which logs or events I can utilize to trigger an alert when the Ubuntu server restarts?
Hi, as you have a Mac with Apple silicon and you are trying to install Splunk into Linux which is running on an Mx, it won't work until Splunk (hopefully) delivers an ARM Splunk version for us. You can run Splunk on Apple Silicon only in macOS with Rosetta 2. I have heard some rumours that you can somehow use Docker to use Linux x86_64 binaries too, but I haven't seen or used it myself. r. Ismo
This is one course which you should take if you are responsible for defining monitoring etc. for Splunk: https://www.splunk.com/en_us/pdfs/training/splunk-enterprise-data-administration-course-description.pdf
Hi, are you sure that you haven't set this: ignoreOlderThan? Can you post your inputs.conf for this source, so we can check if there is something else which can cause this behaviour? r. Ismo