Events are usually found in reverse chronological order, so having searched an index you just need the first event, e.g. use the head command: | head 1
Many thanks gcusello for the shared document.
Hi @maede_yavari, you can have all the combinations you like: single site or multi site Indexer Cluster, stand alone Search Heads or Search Head Cluster. It depends on your requirements. For more info see https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf but anyway engage a Certified Splunk Architect; my answer could be not sufficient to design your architecture (even if I'm a Certified Splunk Architect)! Ciao. Giuseppe
Hi @Leon88, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
Hi @RSS_STT, please try this regex:
(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)
that you can test at https://regex101.com/r/fndJqR/2 Ciao. Giuseppe
Many thanks for your answer gcusello. If I deploy a multi site cluster architecture, would it be possible to have search head clustering?
Hi @jip31, are you sure that the data is in your datamodel? Test this using pivot. Ciao. Giuseppe
Hello. The Splunkd services are not working after starting/restarting the services; they keep getting stopped. I have tried several times, so could you please help me to sort out this issue? Thanks in advance.
Hi @Leon88, you have to use a regex to extract this field, something like this:
index=your_index | rex "\<ResponseID\>(?<ResponseID>[^\<]*)" | table _time ResponseID
that you can test at https://regex101.com/r/Sj8hDe/1 Ciao. Giuseppe
Hi gcusello, I can see the fields extracted in my datamodel, and even if I use your search below I have no results:
| tstats count from datamodel=TEST where TEST.EventCode=100
I only have results for inherited fields like host, sourcetype, source.
It's not working..
Hi @maede_yavari, a multisite architecture is required only if you need Disaster Recovery; otherwise, you can have a single site Indexer Cluster even if servers are in more than one site, even though a multisite cluster, by setting Search Affinity, permits your SHs to search in the local Indexers instead of in all the Indexers. About Search Heads, a Search Head Cluster gives you knowledge object replication, but you can also have stand alone SHs that access the Indexer Cluster. Anyway, don't use different clusters for different scopes: you will go crazy with log separation and you'll surely have duplication of data, because there are logs that must be used for more than one purpose. Data replication can be configured and anyway gives you more safety in case of a fault. Ciao. Giuseppe
Thanks for your reply. The Splunk Architect recommends a multi site architecture, but in the multi site architecture I need to replicate data between sites to search them with search heads. Also, as far as I know, we cannot cluster search heads together in a multi site architecture, because each site needs its own search head. Actually permission is not my concern; I want to decrease replication load and bandwidth usage by separating indexes.
Hi all, I have a case about monitoring Linux servers. Here is what I am trying to do. I am not sure whether this is possible or not, but I have to do these things if possible because the System Staff wanted them from me.
1- Root SSH access enabled servers --> Need Help
2- When someone changed the sudoers file --> Done.
3- Root password change --> Done.
4- Users who have "0" ID except root --> Need Help
I did some steps but I need help with 2 steps. Any help would be appreciated!
Hi all, is there a way to demote a case to a container using a playbook? Thank you in advance.
Is there a built-in solution in Splunk that does frequency analysis (for example on domain names)? There is a solution by Mark Baggett at https://github.com/MarkBaggett/freq but I had problems using it in Splunk. It can either be run using the python script:
$ python3 freq.py freqtable2018.freq -m splunk.com
(6.0006, 5.0954)
Or using curl:
$ curl http://127.0.0.1:20304/measure/splunk.com
(6.0006, 5.0954)
I want to run it against a field, for example called "query" in my zeek dns logs, calculate the frequency and save it in another field.
Hi @RSS_STT, please try this:
| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);(?<CI_3>[^;\"]*);(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)"
Ciao. Giuseppe
Hello Team, help me with a Splunk query to trigger alerts for: 1- Bruteforce attacks, 2- malicious payloads and 3- zero-day exploits, by creating a Splunk query and creating email alerts for it? Thank you
Hi @mukhan1, ok, perform also the check I hinted at to verify the connection, because telnet is important but it isn't the only check to perform: you could have an open connection but not have correctly configured outputs.conf in your Forwarder! Let me know if you solved it or if I can help you more. Ciao. Giuseppe P.S.: Karma Points are appreciated
Hi @maede_yavari, your architecture makes no sense: you can have a very performant architecture with HA and you want to divide it, why? My hint is to engage a Certified Splunk Architect to design your architecture. You can separate access to data using different indexes in the Cluster, giving different permissions to them. In this way you have a linear infrastructure with one Cluster Master that manages all the Indexers and a Search Head (eventually clustered!) that accesses all the indexes in all the Indexers. Then you can separate access to data by creating different roles to access security indexes or IT Operation indexes. Ciao. Giuseppe