Everything that is needed should hopefully be found here: https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller

LOGON_USERNAME="<domain\username>" LOGON_PASSWORD="<pass>"

Provide domain\username and password information for the user to run the SplunkForwarder service. Specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder installs as the Local System user.

The Troubleshooting section at the bottom of the linked page could also lead to answers regarding permissions and local admin groups.
Hi @olawalePS, a dot is a special character and sometimes requires quotes or a rename. Anyway, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated
re @Wiessiet I also looked at that for a while and found these 2 articles which helped me:
https://www.michev.info/blog/post/3180/exchange-api-permissions-missing
https://www.michev.info/blog/post/4067/modern-authentication-oauth-support-for-the-reporting-web-service-in-office-365

In short, these are the steps. To get there: App Registrations -> Select your app -> API permissions. Then Add a permission -> go to APIs my organization uses -> paste: Office 365 Exchange Online -> Click the Office 365 Exchange Online API section -> then Application permissions. Paste the ReportingWebService.Read.All permission and tick it + approve afterwards. It took me a while as well.

+ the Global Reader permission addition from Roles & admins -> Global Reader -> add assignments -> paste the app name and grant your app the role rights...
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/manage-roles-portal
Hi @olawalePS, try to rename the field:

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastEnrolledDate AS lastEnrolledDate
| eval timestamp = strptime(lastEnrolledDate, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d")
| table computer_meta.name, lastEnrolledDate, timestamp, sixtyDaysAgo

or use quotes (').

Ciao. Giuseppe
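The same "last enrolled more than 60 days ago" check, written in Python as an added example rather than anything posted in the thread. It maps Splunk's "%Y-%m-%dT%H:%M:%S.%3QZ" (%3Q = milliseconds) to Python's %f, and, because the symptom in the question was an empty timestamp, it keeps records whose date is missing or malformed in a separate list instead of dropping them silently. The sample records are constructed for the example; only the field names come from the posted search.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like the Jamf computerGeneral events in the
# thread. Field names are taken from the posted search; the values are made up.
SAMPLE_RECORDS = [
    {"computer_meta.name": "mac-001", "computer_meta.serial": "C02AAA",
     "computerGeneral.lastEnrolledDate": "2023-11-01T09:15:30.123Z"},
    {"computer_meta.name": "mac-002", "computer_meta.serial": "C02BBB",
     "computerGeneral.lastEnrolledDate": "2023-07-20T18:00:00.000Z"},
    # Duplicate serial: the search uses dedup, so the first record seen wins.
    {"computer_meta.name": "mac-002", "computer_meta.serial": "C02BBB",
     "computerGeneral.lastEnrolledDate": "2023-06-01T00:00:00.000Z"},
    # Malformed and missing dates: these are what leave the timestamp empty.
    {"computer_meta.name": "mac-003", "computer_meta.serial": "C02CCC",
     "computerGeneral.lastEnrolledDate": "not a date"},
    {"computer_meta.name": "mac-004", "computer_meta.serial": "C02DDD"},
]

# Splunk's "%Y-%m-%dT%H:%M:%S.%3QZ" corresponds to Python's %f (fractional
# seconds, 1 to 6 digits accepted) followed by a literal Z.
JAMF_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Fixed reference time so the example is reproducible (stand-in for now()).
EXAMPLE_NOW = datetime(2023, 11, 15, tzinfo=timezone.utc)


def parse_enrolled(value):
    """Return an aware UTC datetime, or None when the field is absent or malformed."""
    if not value:
        return None
    try:
        return datetime.strptime(value, JAMF_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def stale_enrollments(records, days=60, now=None):
    """Mirror the posted search: dedup by serial (first record wins), parse the
    enrolment date, and report devices last enrolled more than `days` ago.
    Returns (stale_names, unparsed_names); unparsed records are surfaced rather
    than silently dropped, since a device with no usable date is itself a finding."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)  # relative_time(now(), "-60d")
    seen, stale, unparsed = set(), [], []
    for rec in records:
        serial = rec.get("computer_meta.serial")
        if serial in seen:
            continue
        seen.add(serial)
        enrolled = parse_enrolled(rec.get("computerGeneral.lastEnrolledDate"))
        if enrolled is None:
            unparsed.append(rec.get("computer_meta.name"))
        elif enrolled < cutoff:
            stale.append(rec.get("computer_meta.name"))
    return stale, unparsed


if __name__ == "__main__":
    stale, unparsed = stale_enrollments(SAMPLE_RECORDS, now=EXAMPLE_NOW)
    print("stale (>60d):", stale)
    print("no usable enrolment date:", unparsed)
```

The `unparsed` list is the part worth carrying back into the Splunk search: a row with an empty `timestamp` is not just a parsing nuisance, it is a device whose enrolment state you cannot vouch for.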
What is wrong with the query below? It does not return any value in the timestamp field. The attached image shows a result sample.

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| eval timestamp = strptime(computerGeneral.lastEnrolledDate, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d")
| table computer_meta.name, computerGeneral.lastEnrolledDate, timestamp, sixtyDaysAgo
Without knowing what your events look like, it is difficult to say whether this is right or not. For example, do CPUPercentage and MemoryPercentage appear in the same event? Having said that, "stats count by metricCount" is almost certainly wrong, as all you will be left with is a single field called count, so the where command will always be false. Also, your title suggests an AND condition but your where command is using an OR condition. This is a bit confusing. Please clarify what you are trying to do and include some (anonymised) representative sample events, preferably unformatted in a code block </>
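To make the point of this answer concrete, here is an added example (not code from the thread) of how the alert condition has to be evaluated when CPU and memory arrive as separate events: first reduce to the latest reading per resource and per metric, then put both readings on one row, and only then compare against the threshold. `metricName` is the field from the posted search; `resourceId`, `value` and `_time` are assumed field names for this example, and the sample events are constructed. The example also normalises metric-name casing, because the question itself mixes `CpuPercentage` and `CPUPercentage`.

```python
from collections import defaultdict

# Constructed sample events. "metricName" is from the posted search; the
# "resourceId", "value" and "_time" field names are assumptions for this example.
SAMPLE_METRIC_EVENTS = [
    {"_time": 100, "resourceId": "vm-a", "metricName": "CpuPercentage", "value": 91.0},
    {"_time": 100, "resourceId": "vm-a", "metricName": "MemoryPercentage", "value": 88.5},
    {"_time": 100, "resourceId": "vm-b", "metricName": "CpuPercentage", "value": 97.0},
    {"_time": 100, "resourceId": "vm-b", "metricName": "MemoryPercentage", "value": 40.0},
    # vm-c: an older CPU sample breached, but the latest one has recovered.
    {"_time": 90, "resourceId": "vm-c", "metricName": "CpuPercentage", "value": 99.0},
    {"_time": 100, "resourceId": "vm-c", "metricName": "CpuPercentage", "value": 20.0},
    {"_time": 100, "resourceId": "vm-c", "metricName": "MemoryPercentage", "value": 95.0},
    # vm-d: metric names with different casing, as in the question's own text.
    {"_time": 100, "resourceId": "vm-d", "metricName": "CPUPercentage", "value": 90.0},
    {"_time": 100, "resourceId": "vm-d", "metricName": "memorypercentage", "value": 86.0},
]

# Lower-cased metric name -> short key used on the per-resource row.
WANTED = {"cpupercentage": "cpu", "memorypercentage": "memory"}


def latest_by_resource(events):
    """Equivalent of taking the latest value per (resource, metric), i.e. the
    pivot step that the posted `stats count by metricCount` throws away.
    Returns {resourceId: {"cpu": (time, value), "memory": (time, value)}}."""
    latest = defaultdict(dict)
    for ev in events:
        key = WANTED.get(ev["metricName"].lower())
        if key is None:
            continue  # not one of the two metrics the alert cares about
        current = latest[ev["resourceId"]].get(key)
        if current is None or ev["_time"] >= current[0]:
            latest[ev["resourceId"]][key] = (ev["_time"], float(ev["value"]))
    return latest


def breached(events, threshold=85.0, require_both=True):
    """Resources to alert on. With require_both=True (the AND reading of the
    question's title) both latest readings must exceed the threshold; with
    require_both=False (the OR in the posted where clause) either one suffices.
    A resource missing one of the two metrics can never satisfy the AND form."""
    hits = []
    for resource, metrics in sorted(latest_by_resource(events).items()):
        cpu = metrics.get("cpu", (None, None))[1]
        mem = metrics.get("memory", (None, None))[1]
        over = [v is not None and v > threshold for v in (cpu, mem)]
        if (all(over) if require_both else any(over)):
            hits.append(resource)
    return hits


if __name__ == "__main__":
    print("AND:", breached(SAMPLE_METRIC_EVENTS))
    print("OR: ", breached(SAMPLE_METRIC_EVENTS, require_both=False))
```

The shape to carry over into SPL is the same three steps: aggregate the latest value by resource and metric name, pivot so that both metrics sit on one row per resource, and apply the `where` to that row. Which of AND or OR is wanted decides the last step, which is exactly why the answer asks for that clarification.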
Hi, most of the Splunk forwarders installed on our servers are running as NT Authority and I would like to change this to local admin. I have tried modifying the Ansible roles to fix this but haven't been successful. Any ideas on what can be done will be appreciated.
Hi Everyone, Hope everyone is alright. I have the below base search. I am trying to build an alert.

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*" metricName=MemoryPercentage OR metricName=CpuPercentage

This is the condition which I have to follow: CPUPercentage > 85, MemoryPercentage > 85, where CPUPercentage and MemoryPercentage are values of a field called metricName. I am doing it like this:

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*"
| eval metricCount=if((metricName="MemoryPercentage" OR metricName="CpuPercentage"),1,0)
| stats count by metricCount
| where MemoryPercentage > 85 OR CpuPercentage > 85

Not sure if this is the correct way to do it. Could anyone please suggest a better way. Thanks in advance
I haven't worked with this particular add-on but normally if you would like to exclude events from indexing you'd create a section in transforms.conf:

[choose_a_unique_name]
REGEX = regex_that_matches_events_that_you_want_to_exclude
DEST_KEY = queue
FORMAT = nullQueue

and then add it to the sourcetype/source/host in props.conf:

[sourcetype_name]
TRANSFORMS-unique_name = name_from_the_transforms.conf

Since this is an add-on not developed by you, these changes should be done in local. Eventtypes are used on data that is already indexed in Splunk. This is why you can't use them to stop certain data from getting indexed into Splunk, since they are calculated at search time.
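The answer above describes dropping events; the Salesforce question it replies to wants the opposite, to keep only EVENT_TYPE="LightningPageView" and drop everything else. That is done with two queue transforms applied in order: the first sends every event to nullQueue, the second routes the wanted events back to indexQueue, and the last matching transform wins. The following is an added example, not code or configuration from the thread or the add-on: it embeds constructed props.conf/transforms.conf stanzas for sfdc:logfile and a small evaluator that applies them to constructed sample events, so the ordering rule can be checked offline. The JSON-style layout of the sample events, the stanza names and the regex are assumptions; confirm them against a real sfdc:logfile event before deploying.

```python
import configparser
import re

# Constructed stanzas for the sfdc:logfile case. Stanza names and the regex are
# assumptions for this example; the transform mechanics follow the answer above.
PROPS_CONF = r"""
[sfdc:logfile]
TRANSFORMS-sfdc_filter = sfdc_drop_all, sfdc_keep_lightning
"""

TRANSFORMS_CONF = r"""
[sfdc_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[sfdc_keep_lightning]
REGEX = "EVENT_TYPE"\s*:\s*"LightningPageView"
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample raw events; the JSON layout is an assumption.
SAMPLE_SFDC_EVENTS = [
    '{"EVENT_TYPE": "LightningPageView", "USER_ID": "005AAA", "PAGE_URL": "/lightning/o/Account/list"}',
    '{"EVENT_TYPE": "Login", "USER_ID": "005AAA", "LOGIN_STATUS": "LOGIN_NO_ERROR"}',
    '{"EVENT_TYPE": "ApexExecution", "USER_ID": "005BBB", "RUN_TIME": 12}',
]


def load(conf_text):
    """Parse a .conf fragment. '=' is the only delimiter (values contain ':'),
    interpolation is off (regexes may contain '%'), and key case is preserved."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def transforms_for(props, transforms, sourcetype):
    """Ordered (name, compiled regex, FORMAT) for each queue transform named in the
    TRANSFORMS-* keys of the sourcetype's props stanza, in the order listed."""
    ordered = []
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            stanza = transforms[name]
            if stanza.get("DEST_KEY") != "queue":
                continue  # this example only models queue routing
            ordered.append((name, re.compile(stanza["REGEX"]), stanza["FORMAT"]))
    return ordered


def route(raw_event, rules):
    """Apply queue transforms in order; the last one whose REGEX matches sets the
    queue. An event matching none of them stays on the index queue."""
    queue = "indexQueue"
    for _name, regex, fmt in rules:
        if regex.search(raw_event):
            queue = fmt
    return queue


def kept_events(raw_events, sourcetype="sfdc:logfile"):
    """Events that would reach the indexer under PROPS_CONF/TRANSFORMS_CONF."""
    rules = transforms_for(load(PROPS_CONF), load(TRANSFORMS_CONF), sourcetype)
    return [e for e in raw_events if route(e, rules) == "indexQueue"]


if __name__ == "__main__":
    for event in kept_events(SAMPLE_SFDC_EVENTS):
        print("indexed:", event)
```

Two practical caveats: the stanzas must live in `local` on the instance that parses the data, which for a modular-input add-on is the heavy forwarder running it; and if `sfdc_keep_lightning` were listed before `sfdc_drop_all`, the drop rule would match last and everything would be discarded, so the order in `TRANSFORMS-sfdc_filter` is part of the configuration, not cosmetic.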
Hi @Bisho-Fouad, if you're using a wrong password, you get a different message. I suppose that there's something strange in your installation. In general I'd suggest reinstalling the system, but they are the Cluster Manager and Deployment Server, so it isn't possible! Open a case with Splunk Support, it's the best solution! Ciao. Giuseppe
Try something like this

index="dockerlogs-silver" source="*gps-external-processor-prod*" "Handle 500 Server error" OR "Handle 4xx error"
| where traceID IN ([search index="dockerlogs-silver" source="*gps-external-processor-prod*" "00012342231515417786"
| stats count by traceID
| eval search="\"".traceID."\""
| stats values(search) as search
| eval search = mvjoin(search,",")])
Hi community, I have installed the Splunk Add-on for Salesforce on a Heavy Forwarder and have been collecting data from Salesforce Objects and the Event Log. I've noticed that sfdc:logfile is huge and I don't need all the records, but from the UI there is no way to filter the collection. Is there a way we can filter on EVENT_TYPE? I need only events with EVENT_TYPE="LightningPageView". Any help is appreciated. Thank you, Marta
Hi @gcusello 1- Did you try using this admin account? Yes I tried, and that is the account which has the issue. Also it's the only user I have in the system. Any other recommendations?
If you want to see only data that is before the 30th, the following line does not make sense:

| eval timeline2=relative_time(timeline1,"-1w@w1")

The data is correct, but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th. It's purely visual though. The data does not change because of this command, since you are not filtering against the time of the events after the change. Just remove this line and the data should be correct.

Additionally I'd suggest using the same time conversion. Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same query.

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")
| eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
| eval new_timeline=strftime(timeline_date,"%Y-%U")
| where lastmodifiedWeek<=new_timeline
| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
| chart values(count) as count over timeline by Lookup
| fillnull value=0
| tail 4
| reverse

If I misunderstood you and you want the data that comes after the 30th, then you'd additionally have to change the "where" line to the following:

| where lastmodifiedWeek>=new_timeline
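The two hazards in this answer, the one-week shift from `relative_time(..., "-1w@w1")` and mixing `%U` with `%V`, are easy to see with a few dates. The following is an added example in Python (not from the thread) that reproduces the query's week-label arithmetic: `%Y-%U` versus `%Y-%V` versus `%G-%V`, the Monday reconstructed from `"%Y-%U %w"`, and the string comparison behind `where lastmodifiedWeek<=new_timeline`. The dates are chosen for the example; 30-Oct-23 is the one from the posted query.

```python
from datetime import datetime, timedelta


def week_labels(iso_date):
    """Week labels for a YYYY-MM-DD date under the schemes mixed in the query:
    %Y-%U (weeks start on Sunday; days before the first Sunday are week 00),
    %Y-%V (ISO week, 01-53, but paired with the calendar year), and %G-%V
    (ISO week with its ISO year, the pairing %V is designed for)."""
    d = datetime.strptime(iso_date, "%Y-%m-%d")
    return {"U": d.strftime("%Y-%U"), "V": d.strftime("%Y-%V"), "GV": d.strftime("%G-%V")}


def monday_of_week(u_label):
    """Invert the query's strptime(lastmodifiedWeek." 1", "%Y-%U %w"): the Monday
    (weekday 1) of a %U-numbered week, returned as YYYY-MM-DD."""
    return datetime.strptime(u_label + " 1", "%Y-%U %w").strftime("%Y-%m-%d")


def shifted_week_label(u_label, weeks=-1):
    """What relative_time(timeline1, "-1w@w1") does to the displayed date: the
    week's Monday moves back one week. The underlying events are untouched."""
    monday = datetime.strptime(monday_of_week(u_label), "%Y-%m-%d")
    return (monday + timedelta(weeks=weeks)).strftime("%Y-%m-%d")


def passes_filter(record_date, timeline_text, scheme="U"):
    """The query's `where lastmodifiedWeek <= new_timeline`: a *string* comparison
    of week labels. Both sides are built with the same scheme here; the point is
    that the answer differs per scheme near a year boundary."""
    t = datetime.strptime(timeline_text, "%d-%b-%y").strftime("%Y-%m-%d")
    return week_labels(record_date)[scheme] <= week_labels(t)[scheme]


if __name__ == "__main__":
    for day in ("2023-10-30", "2023-01-01"):
        print(day, week_labels(day))
    print("Monday of 2023-44:", monday_of_week("2023-44"))
    print("after -1w@w1:", shifted_week_label("2023-44"))
    for scheme in ("U", "V", "GV"):
        print(scheme, "keeps 2023-01-01 before 30-Oct-23:",
              passes_filter("2023-01-01", "30-Oct-23", scheme))
```

For 30 October 2023 all three labels agree on week 44, which is why the mismatch goes unnoticed most of the year. For 1 January 2023 they do not: `%Y-%U` gives 2023-01, `%Y-%V` gives 2023-52 (ISO week 52, but stamped with the calendar year), and `%G-%V` gives 2022-52. A record from that day is kept by the `<=` filter under `%U` but silently excluded under `%Y-%V`, since the string "2023-52" sorts after "2023-44". Pick one scheme for both sides of the comparison, and if it is ISO weeks, pair `%V` with `%G`.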
Looking at your data, it appears that the rex would give you multi-valued fields, which you can't then do arithmetic on. Please explain what it is you are trying to actually do.