Hi @Jose.Macias, Thanks for sharing all that additional info with me via PM. I've been told this issue has to be escalated to be further investigated. I will provide an update here, unless it requires more sensitive info, if so, I will reach out via a PM again.
@apps_inpaytech I am seeing the same issue. Did you ever find a solution? I also tried using the new Add-On for Cloud Services, but that also has a different sourcetype with different fields, so that was no better.
Rather than $click.value$, try $click.name2$
Hi, there's a documentation bug for 2.0.0, as the tenant_uid has to be specified now. The correct search would be:

| makeresults | eval user="World", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default param.tenant_uid=default

Hope this helps!
Thank you! This worked.
I don't have your answer... but it might be helpful to cross-post your question here: Alert Manager Enterprise - Splunk Community. That is the "place" where questions about the Alert Manager Enterprise app on Splunkbase would go now, but I don't think there is any way to link this post with the app right now. Also, the folks at Datapunctum AG might have their eyes on that area for their app, and not here, for answering any questions. I'm going to tag one person I know at Datapunctum that I think worked on this app: @my2ndhead
Timestamp correct. The timestamp received by Splunk matches what is recorded on the appliance. All time (real-time) is the only search that allows me to see logs. Searching any other time range does not work. For example, look at the pictures below. Searching the previous 5 minutes shows no logs. I switch to All time (real-time) and all logs are shown.
This is a part of the result. What I want is to get on one line only mobileNumber and countryCode, and on another line lastName and firstName, not the whole log where these words are matched.
...That's quite an out-of-date version that is way out of support. Also, I'm not sure what your ru.js file is doing, since the typical localization process involves creating the po/mo files within the mrsparkle library localization folders. The localization stuff in Splunk is based on gettext. For your version of Splunk, the localization instructions are here and here. Have you tried editing the portable object files for your formatting?
Not sure why, but this gives an error on line 19: unexpected close of query.
It's still happening - just not with $app_query|u$ showing as a string in the query. See the xml & screenshot below:

<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error")
| eval AppName = case(
    (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
    (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
    (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
    (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
    (source="Cloud.SecurePnC"), "Cloud_SecurePnC",
    (source="ivssspd"), "SecurePackageDelivery",
    (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
    (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
    (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
    (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
    (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
    (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
    (SourceName="KmsService"), "KmsService",
    (SourceName="AutoSigner"), "AutoSigner",
    (SourceName="DebugToken"), "DebugToken",
    (SourceName="FlashbackCache"), "FlashbackCache",
    (SourceName="KeyBundler"), "KeyBundler",
    (SourceName="SecureModuleCore"), "SecureModuleCore",
    (SourceName="SecureOTACore"), "SecureOTACore",
    (SourceName="SecurePaaK"), "SecurePaaK",
    (SourceName="SecurePayloadCore"), "SecurePayloadCore",
    (SourceName="SecurePnCCore"), "SecurePnCCore",
    (SourceName="SecureRekey"), "SecureRekey",
    (SourceName="SecureSigner"), "SecureSigner",
    (SourceName="SupplierFeed"), "SupplierFeed",
    (SourceName="TRON"), "TRON",
    (SourceName="WSLAgent5"), "WSLAgent5",
    (SourceName="MMU"), "MMU",
    1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <eval token="app_query">case(
            $click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",
            $click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",
            $click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",
            $click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",
            $click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",
            $click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",
            $click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",
            $click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",
            $click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",
            $click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",
            $click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",
            $click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",
            $click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",
            $click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",
            $click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",
            $click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",
            $click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",
            $click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",
            $click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",
            $click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",
            $click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",
            $click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",
            $click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",
            $click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",
            $click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",
            $click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",
            $click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",
            $click.value$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval>
          <eval token="start_time">$row._time$</eval>
          <eval token="end_time">$row._time$ + $row._span$</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>
Hi @law175, check if the timestamp is correct, and don't use Real Time for testing. Ciao. Giuseppe
Please share a sample of the events you expect to be returned
UDP. Just UDP. I only did TCP for testing purposes. I only want to receive UDP. I switched the time from (past 5 minutes) to All Time (real time) and logs are appearing. There is an issue with how Splunk is processing time from these logs, it seems.
Yes, I tried it like this, but 0 events are returned.
Do you mean this? index="source*" | where matching="mobileNumber,countryCode" | stats count
Hi @law175, let me understand: are you sending UDP 9008 or TCP 9008 or both? Which ones should you have? Which ones are you receiving? Ciao. Giuseppe
Try using $app_query|u$ in the link to URL encode the token value
This query is giving this result, but I want to count by 2 or more words. Thank you.
Thanks for the tip! Non-streaming type pushes like this are often a challenge, and this is one way to manage the coupling of something that likes to be working in the real-time space (Splunk) versus more of a batch space (the DB).