All Posts

OK. Let me stop you right there.
1. It is of course a DN - it has its fields. Why do you want to lose that information?
2. Remember that an LDAP DN can have properly escaped commas or equal signs.
In dashboard classic it was possible to add a heatmap overlay to a tabular chart. Is it possible to add the heatmap data overlay to a tabular chart in Dashboard Studio?
Hi all, Splunk Support solved my issue in a very strange way, which I report for the other people of the Community: I removed the stanza from the default folder, I added a stanza with disabled = 1 in the local folder, and I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file. I didn't understand why the last step was needed, but at least it solved my issue. Ciao. Giuseppe
Hi all, I have to use external LDAP authentication in Splunk Enterprise. I'm mapping roles to AD groups. I don't see empty AD groups (groups without associated users) in the mapping page. Do you think there could be a misconfiguration, or (as I suppose) is it not possible to see them until a user is inserted into them? Thank you for your confirmation. Ciao. Giuseppe
Try something like this

    | makeresults
    | eval dn="cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr"
    | rex field=dn "cn=(?<cn>[^=]+)(?<!,)(?<!o)(?<!u)"
    | rex field=dn max_match=0 "ou=(?<ou>[^=]+)(?<!,)(?<!o|d)(?<!u|c)"
    | rex field=dn max_match=0 "dc=(?<dc>[^=]+)(?<!,)(?<!d)(?<!c)"
Hello, I'm facing an issue when trying to create a user or access the saved search list. For example, when I use the Splunk web interface to create a user, the page remains blank and doesn't display as expected, as shown in the screenshot. Additionally, I attempted to create a user through the CLI using the "splunk add" command, but I received no response, as indicated in the screenshot. Have you encountered this problem before? How can I debug it? I'd like to mention that even when I attempt to view saved searches, the page remains blank and doesn't display them. Thank you
My DN field value is "cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr". I need rex to extract anything after "=" and ending at ",ou="; if it sees "=" it needs to stop two letters before it and at ",". So in this instance:

    cn field as "first_field" value="jsuwus, jkhzdhkjc"
    ou field as "2_field" value="sdsfefv accounts"
    ou field as "3_field" value="ffdsrew users"
    dc field as "4_field" value="hgsywy"
    dc field as "5_field" value="tre"
    dc field as "6_field" value="hyt"
    dc field as "7_field" value="kuhytr"

Thanks in advance
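The rex answer above works for the sample string as written, but only because every comma in it is treated as a separator. As the reply about escaped commas points out, a directory serialises a comma inside a CN as "\," (and an equals sign as "\="), so a field-splitting approach that ignores escapes will cut such a value in the wrong place. The following is an added example, not code from the thread: a small DN parser that honours RFC 4514 escaping and groups the components by attribute type, which is what the question asks for. The escaped form of the question's DN is constructed here; the lenient mode is a heuristic for strings that were produced without escaping.

```python
"""Parse an LDAP DN into its RDN components, honouring RFC 4514 escaping.

Added example (not from the thread). DN_AS_POSTED is the string from the
question; DN_ESCAPED is a constructed variant showing how a directory
actually returns a CN that contains a comma.
"""

HEX = "0123456789abcdefABCDEF"

DN_AS_POSTED = "cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr"
DN_ESCAPED = r"cn=jsuwus\, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr"


def _split_unescaped(s, sep):
    """Split s on sep, skipping any sep that is preceded by a backslash.

    Escape pairs are copied through untouched so _unescape can decode them later.
    """
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Decode RFC 4514 escapes: a two-digit hex pair ("\\2C") or a single escaped character ("\\,")."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn, strict=True):
    """Return [(attribute, value), ...] in the order the RDNs appear in the DN.

    strict=True rejects a component without '=' (the sign of a DN whose commas
    were never escaped). strict=False glues such a fragment back onto the
    previous value with a comma; that is a heuristic, since the parser cannot
    tell a real separator from an unescaped one.
    """
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        if len(_split_unescaped(rdn, "=")) == 1:
            if strict or not pairs:
                raise ValueError(f"RDN without '=': {rdn!r}")
            attr, prev = pairs[-1]
            pairs[-1] = (attr, prev + "," + _unescape(rdn))
            continue
        # A multi-valued RDN ("cn=a+sn=b") yields one pair per attribute.
        for ava in _split_unescaped(rdn, "+"):
            attr, _, raw = ava.partition("=")
            pairs.append((attr.strip().lower(), _unescape(raw)))
    return pairs


def group_by_attr(pairs):
    """Collect values per attribute type, e.g. {'cn': [...], 'ou': [...], 'dc': [...]}."""
    grouped = {}
    for attr, value in pairs:
        grouped.setdefault(attr, []).append(value)
    return grouped


if __name__ == "__main__":
    for attr, values in group_by_attr(parse_dn(DN_ESCAPED)).items():
        print(attr, values)
```

Run as a script it prints cn, ou and dc with the values listed in the question. In Splunk this is the logic a custom search command or an external lookup would implement; the point for the rex approach is that it produces the same answer only as long as no value contains an escaped separator.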
We recently had short metric gaps in the controller UI (SaaS Controller) for several apps and different agents (DB, App and Machine). The log files of all the different agents have a common theme: "Connection back off limitation in effect". "Fatal transport error while connecting to URL" also comes up sometimes as a similar error logged by agents. I did a quick search online and this seems to be an AppD agent specific log file entry. The AppD community also had about 12 entries going back to 2017, all with no clear solution to this error message (summary below). Docs site search returns nothing. I opened an AppD support case and will see what they say, but it is frustrating to see that this is a common thing reported by different agents without a clear cause for it documented anywhere. I wonder why something like this is logged the way it is, which makes me think it's something to do with a limitation on the Controller side of things, when all other community posts and agent logs make it look like it is not Controller related.
Examples of our recent issue (I tried to redact the important bits):

DB Agent v23.2.2

    [Entity-Registration-Scheduler-19] 31 Oct 2023 10:50:25,932 WARN EntityRegistrar - Fail to register [DBSession] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/***/registerServerSatelliteEntity
    at com.singularity.ee.agent.dbagent.task.reporter.EntityRegistrar.registerEntities(EntityRegistrar.java:276) ~[db-agent.jar:Database Agent v23.2.0.0 GA compatible with 4.5.2.0 Build Date 2023-02-22]

Other DB Agent v23.2.2

    [<**DB Collector Name***>-Transient-Event-Scheduler-2] 31 Oct 2023 10:51:22,737 WARN SystemAgentTransientEventChannel - Error sending event data to controller: Connection back off limitation in effect: /controller/instance/***/transient-channel

Different DB agent v23.8.8

    [<**DB Collector Name***>-Scheduler-3] 31 Oct 2023 10:51:52,288 INFO ADBCollector - Collected one-minute data for ***
    [Entity-Registration-Scheduler-2] 31 Oct 2023 10:51:52,850 WARN EntityRegistrar - Fail to register [Query] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/3945944/registerSQLQuery

SIM (Machine) Agent

    **ServerName**==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:56,554 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Connection back off limitation in effect: /controller/instance/***/metrics

SIM Agent v22x

    ***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Fatal transport error while connecting to URL [/controller/instance/***/metrics]: org.apache.http.conn.ConnectTimeoutException: Connect to ***:443 [***/***, ***, ***] failed: connect timed out
    ***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 WARN ManagedMonitorDelegate - Error sending metric data to controller:Fatal transport error while connecting to URL [/controller/instance/***/metrics]
    ***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Fatal transport error while connecting to URL [/controller/instance/***/metrics]

Summary of other AppD community posts with a similar error from agent log files:

2017 Community post
https://community.appdynamics.com/t5/NET-Agent-Installation/Azure-Cloud-Service-No-load-detected-App-agent-status-0/td-p/26538
No solutions in ticket/unresolved

2017 Community post no 2
https://community.appdynamics.com/t5/Dynamic-Languages-Node-JS-Python/Could-not-connect-to-the-controller-invalid-response-from/td-p/28680
Python agent issues. Mentions proxy setup for outbound requests from the agent server, but no clear answer other than bringing the node online on the controller, whatever that means

2017 Community post no 3
https://community.appdynamics.com/t5/NET-Agent-Installation/Failed-to-add-web-app-to-AppDynamics/td-p/23699
No confirmed solution, but the last post suggests using non-SSL settings, which is not a great solution if that is the fix

2017 Community post no 4
https://community.appdynamics.com/t5/NET-Agent-Installation/net-Agent-registering-issue/td-p/29595
Proxy setting highlighted but no ultimate solution

2018 Community post
https://community.appdynamics.com/t5/NET-Agent-Installation/BT-requests-and-survival/td-p/29629
Answers do not address the "Connection back off limitation in effect" issue

2018 Community post no 2
https://community.appdynamics.com/t5/NET-Agent-Installation/After-NET-Agent-upgrade-to-4-3-7-1-we-are-not-seeing-load-for/td-p/34528
Issue shown in one log file extract but not addressed

2018 Community post no 3
https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Unable-to-connect-to-the-controller/td-p/30857
No final solution

2018 Community post no 4
https://community.appdynamics.com/t5/NET-Agent-Installation/Need-help-on-installation-of-agent/td-p/34673
Post never had a resolution

2019 Community post
https://community.appdynamics.com/t5/NET-Agent-Installation/no-metrics-in-controller-after-net-agent-installation-in-linux/td-p/37848
Possible issue with AppDynamicsConfig.json. No clear answer/solution

2019 Community post no 2
https://community.appdynamics.com/t5/NET-Agent-Installation/Net-core-agent-Linux-is-not-connecting-to-the-saas-controller/td-p/37867
No solution

2021 Community post
https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-install-the-NET-Core-Microservices-Agent-for-Windows/ta-p/33191
Answers do not address the "Connection back off limitation in effect" issue

2023 Community post
https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Could-not-connect-to-the-controller-invalid-response-from/m-p/50571#M3319
Suggests ignoring or disabling the errors

Here's hoping there is a solution or better answer to this issue.
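An added example, not part of the post above: a small parser for the agent lines quoted in it that normalises the optional host prefix, the two error signatures and the controller endpoint in each message, then clusters the hits into time windows so the metric gap can be bounded across agents instead of being read one log file at a time. The line regex is written to the shape shown in the post; the sample is the post's own redacted lines, and the 120-second clustering gap is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape seen in the post: optional "host==> " prefix, [thread], timestamp,
# level, logger, " - ", message.
LINE_RE = re.compile(
    r"^(?:(?P<host>\S+)==>\s+)?\[(?P<thread>[^\]]+)\]\s+"
    r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
# Controller path as it appears in the messages; the instance id is redacted in
# most lines, so only the trailing endpoint name is kept.
ENDPOINT_RE = re.compile(r"/controller/instance/[^/\s\]]+/(?P<endpoint>[^\s\]:]+)")
SIGNATURES = {
    "backoff": "Connection back off limitation in effect",
    "transport": "Fatal transport error while connecting to URL",
}

# Constructed sample: the redacted lines quoted in the post, one per line.
SAMPLE_LOG = """\
[Entity-Registration-Scheduler-19] 31 Oct 2023 10:50:25,932 WARN EntityRegistrar - Fail to register [DBSession] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/***/registerServerSatelliteEntity
[<**DB Collector Name***>-Transient-Event-Scheduler-2] 31 Oct 2023 10:51:22,737 WARN SystemAgentTransientEventChannel - Error sending event data to controller: Connection back off limitation in effect: /controller/instance/***/transient-channel
[<**DB Collector Name***>-Scheduler-3] 31 Oct 2023 10:51:52,288 INFO ADBCollector - Collected one-minute data for ***
[Entity-Registration-Scheduler-2] 31 Oct 2023 10:51:52,850 WARN EntityRegistrar - Fail to register [Query] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/3945944/registerSQLQuery
**ServerName**==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:56,554 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Connection back off limitation in effect: /controller/instance/***/metrics
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Fatal transport error while connecting to URL [/controller/instance/***/metrics]: org.apache.http.conn.ConnectTimeoutException: Connect to ***:443 [***/***, ***, ***] failed: connect timed out
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 WARN ManagedMonitorDelegate - Error sending metric data to controller:Fatal transport error while connecting to URL [/controller/instance/***/metrics]
"""


def parse_line(line):
    """Return a dict for one agent log line, or None if it does not match the shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"] or "(no host prefix)"
    rec["time"] = datetime.strptime(rec["ts"], "%d %b %Y %H:%M:%S,%f")
    rec["signature"] = next((k for k, text in SIGNATURES.items() if text in rec["msg"]), None)
    ep = ENDPOINT_RE.search(rec["msg"])
    rec["endpoint"] = ep.group("endpoint") if ep else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def signature_counts(records):
    """Counter of (host, signature) over the lines carrying one of the known errors."""
    return Counter((r["host"], r["signature"]) for r in records if r["signature"])


def endpoint_counts(records):
    """Which controller endpoints the failing calls were aimed at."""
    return Counter(r["endpoint"] for r in records if r["signature"] and r["endpoint"])


def error_windows(records, gap_seconds=120):
    """Cluster signature hits from all agents into windows: consecutive hits
    closer than gap_seconds share a window. Returns [(start, end, count, hosts)]."""
    hits = sorted((r for r in records if r["signature"]), key=lambda r: r["time"])
    windows = []
    for r in hits:
        if windows and (r["time"] - windows[-1]["end"]).total_seconds() <= gap_seconds:
            w = windows[-1]
            w["end"], w["count"] = r["time"], w["count"] + 1
            w["hosts"].add(r["host"])
        else:
            windows.append({"start": r["time"], "end": r["time"], "count": 1, "hosts": {r["host"]}})
    return [(w["start"], w["end"], w["count"], sorted(w["hosts"])) for w in windows]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(signature_counts(recs))
    print(endpoint_counts(recs))
    for start, end, count, hosts in error_windows(recs):
        print(f"{start} .. {end}: {count} hits from {hosts}")
```

On the sample this reports one window from 10:50:25 to 10:51:56 with six hits across three agent sources, with the metrics endpoint the most common, which is the kind of summary worth attaching to a support case so the controller side can be checked against a concrete interval.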
Looking for the facepalm emoji! Thanks @ITWhisperer 
Hi @smanojkumar, let me understand: you need to index WinEventLog events, is that correct? In that case you don't need to monitor an evtx file; there's a dedicated collector. For more info see https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/MonitorWindowseventlogdata and https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-windows.html Ciao. Giuseppe
Hi Splunkers! I would like to know how to define a .evtx file. I defined it this way, but it doesn't work:

    [monitor://C:\Windows\System32\Winevt\Logs\Data Security.evtx]

Thanks!
OK - I have never come across that in SimpleXML; indeed, it doesn't seem to work for me. Whatever the case, it seems like it isn't defined for you in Studio either.
Hi all, I have a forwarder in my cluster and it sends events to the indexers. The events are JSON formatted and I want to drop some events if a specific key has a specific value. For example, consider the following event:

    {"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}

For example, if the binary is equal to X, I want the forwarder to drop the event and not send it to the indexers. I created props.conf and transforms.conf. The content of these files is:

    [json_no_timestamp]
    TRANSFORMS-filter = filterLinux

and

    [filterLinux]
    REGEX = process.process_exec.binary = '/usr/bin/timeout'
    DEST_KEY=queue
    FORMAT=nullQueue

But the events are not dropped. Any help is appreciated.
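An added example, not from the thread, that shows why the stanzas above drop nothing: the REGEX in a transforms.conf stanza is evaluated against the event's raw text (_raw by default), so it has to match the JSON as it arrives on the wire, not a path into it. The events, exec ids, pids and the third binary are constructed; Python's re stands in for Splunk's PCRE engine, which is equivalent for these patterns.

```python
import json
import re

# Constructed sample events in the shape shown in the question (the exec_ids,
# pids and the third binary are made up).
EVENTS = [
    '{"process_exec":{"process":{"exec_id":"aaaa==","pid":1111,"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}',
    '{"process_exec":{"process":{"exec_id":"bbbb==","pid":2222,"cwd":"/","binary":"/usr/bin/timeout","arguments":"5 ls"}}}',
    '{"process_exec":{"process":{"exec_id":"cccc==","pid":3333,"cwd":"/","binary":"/usr/bin/timeout2","arguments":""}}}',
]

# The REGEX value from the question: a dotted path plus a literal. Read as a
# regular expression it must find this exact text inside _raw, and the raw
# JSON never contains a path like "process.process_exec.binary".
REGEX_AS_POSTED = r"process.process_exec.binary = '/usr/bin/timeout'"

# A pattern over the raw JSON text instead: the key, the colon (with optional
# whitespace) and the quoted value. Keeping the closing quote stops
# "/usr/bin/timeout2" from matching as well.
REGEX_RAW_MATCH = r'"binary"\s*:\s*"/usr/bin/timeout"'

TARGET_BINARY = "/usr/bin/timeout"


def routes_to_nullqueue(raw_event, regex):
    """Mimic a transforms stanza with DEST_KEY=queue / FORMAT=nullQueue:
    the event is discarded exactly when REGEX matches its _raw text."""
    return re.search(regex, raw_event) is not None


def filter_events(events, regex):
    """Split events into (kept, dropped) the way the parsing queue would."""
    kept, dropped = [], []
    for raw in events:
        (dropped if routes_to_nullqueue(raw, regex) else kept).append(raw)
    return kept, dropped


def binary_of(raw_event):
    """The field the filter is meant to key on, read from the parsed JSON."""
    return json.loads(raw_event)["process_exec"]["process"]["binary"]


def regex_agrees_with_field(events, regex, target=TARGET_BINARY):
    """True when the regex drops exactly the events whose parsed binary equals
    target: a cheap check to run before shipping a pattern to transforms.conf."""
    return all(routes_to_nullqueue(raw, regex) == (binary_of(raw) == target) for raw in events)


if __name__ == "__main__":
    for name, regex in (("as posted", REGEX_AS_POSTED), ("raw match", REGEX_RAW_MATCH)):
        kept, dropped = filter_events(EVENTS, regex)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}, "
              f"consistent with field = {regex_agrees_with_field(EVENTS, regex)}")
```

With the raw-text pattern, the transforms stanza would keep DEST_KEY = queue and FORMAT = nullQueue and set REGEX to "binary"\s*:\s*"/usr/bin/timeout". Two further things to verify: the props.conf stanza name has to be the sourcetype the events actually arrive with, and TRANSFORMS-based routing runs in the parsing pipeline (an indexer or heavy forwarder); a universal forwarder does not apply it in the default configuration, so the files need to live on the tier that parses this data.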
Hello Community, I am trying to identify the following. What would be the best data source(s) on Windows systems to gain visibility over the Services (which should be different from Processes) and their DLLs, executables, hashes, and paths? The Endpoint Data Model requires fields related to the above: https://docs.splunk.com/Documentation/CIM/5.2.0/User/Endpoint Any help will be much appreciated! Thank you.
Hi, I searched in the dashboard code. "CurDate" is not set anywhere in the code. Looks like "CurDate" is a kind of built-in variable in the Classic XML dashboard. Thanks, Ravikumar
Try putting the field names in single quotes in the where command

    | where isnull('Ticket Number') OR 'Ticket Number'=""
Any solution for this? I would like to do the same
I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty, but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box, and I'm trying to pick up when this isn't entered or is entered incorrectly. My search:

    index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
    | rex field=description "JobId=(?<JobId>.*?)\."
    | rename JobId as "Job ID"
    | rex field=description "User:\s(?<user>.*?)\."
    | rename user as User
    | rex field=description "Commit Description:\s(?<CommitDescription>.*)"
    | rename CommitDescription as "Commit Description"
    | rex field=description "(?<JobDescription>.*).*JobId"
    | rename JobDescription as "Job Description"
    | rex field=description "device-group\s(?<DeviceGroup>.*?)\s"
    | rename DeviceGroup as "Device Group"
    | rex field=description "template\s(?<Template>.*?)\s"
    | rename template as Template
    | rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b"
    | rename TicketNumber as "Ticket Number"
    | transaction "Job ID"
    | table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"

I have tried adding:

    | where isnull("Ticket Number") OR "Ticket Number"=""

I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered, then the field won't exist to search? I'm going round in circles here as I don't really understand what happens if the field extraction rex doesn't find a match.
Hi Experts, I am trying to convert a Splunk classic XML dashboard to Splunk Dashboard Studio. Below is my classic XML dashboard code.

    <fieldset autoRun="True" submitButton="false">
      <input type="text" token="SelectedDay" searchWhenChanged="true">
        <label>Enter Date (MM/DD/YYYY)</label>
        <default>$CurDate$</default>
      </input>
    </fieldset>

The above code got converted to the Splunk Dashboard Studio code shown below. But when the dashboard is displayed, the token SelectedDay is set to "$CurDate$" instead of the current date. Could you please help me with this?

    "inputs": {
      "input_9ejCAUHM": {
        "type": "input.text",
        "options": {
          "token": "SelectedDay",
          "selectFirstSearchResult": true,
          "defaultValue": "$CurDate$"
        },
        "title": "Enter Date (MM/DD/YYYY)"
      }
    },

Thanks, Ravikumar