All Posts

Basically, still not a question. If it is a question, what sort of answer are you expecting?
Basically, this is a question: able to see events till 4:00 am and after that not able to see. With the below query, able to check the last events:
| tstats count where index=cat by host, index, source, sourcetype, _time | search host=* | sort _time
@ITWhisperer
Yes, the link is still invalid. Contact https://splunk.my.site.com/customer/
>>> we are facing disk storage warning on license master.
Is it a clustered environment? Is it a single indexer, single SH environment? How critical is the data? Does the license master co-host any other Splunk instance (or is there any other SH/indexer created along with the License Master)?
>>> Can you suggest if we can remove some DB files.
Are these directories huge or small? (If they are small, deleting may not save much disk!)
I am getting the error: "(502) Insufficient Privileges: You do not have View privilege on Course". I am enrolled for the Splunk Power User training and I cannot access my learning path because of the error.
Can you suggest on this: if we remove the 2022 files, will there be any impact on Splunk?
</opt/app/splunk/var/lib/splunk/os/db>ls -lrt
total 644
-rw------- 1 splunk splunk 10 Jan 18 2022 CreationTime
drwx--x--- 2 splunk splunk 4096 Jan 18 2022 GlobalMetaData
drwx--x--- 3 splunk splunk 4096 Jan 18 2022 db_1642559010_1641112260_0
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1645905109_1644968889_4
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1625407961_1565097054_1
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1564424430_1323199008_2
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1645912526_1645346582_5
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1644968878_1642559018_3
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1645931413_1641472459_8
drwx--x--- 3 splunk splunk 4096 Feb 27 2022 db_1646022282_1645905131_11
drwx--x--- 3 splunk splunk 4096 Feb 28 2022 db_1646061049_1646022278_12
drwx--x--- 3 splunk splunk 4096 Mar 31 2022 db_1648760328_1646061038_13
drwx--x--- 3 splunk splunk 4096 May 1 2022 db_1651428760_1648760301_14
drwx--x--- 3 splunk splunk 4096 Jun 1 2022 db_1654064390_1651428766_16
drwx--x--- 3 splunk splunk 4096 Jul 1 2022 db_1656658688_1654064392_17
drwx--x--- 3 splunk splunk 4096 Jul 30 2022 db_1659238089_1656658690_18
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1625407961_1569499319_9
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1625407908_1587017816_6
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1568123891_1361996942_7
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1566397752_1323199008_10
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1659536784_1659238115_19
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1590756532_1590756532_15
drwx--x--- 3 splunk splunk 4096 Sep 12 2022 db_1662507027_1659807171_20
drwx--x--- 3 splunk splunk 4096 Sep 19 2022 db_1663592993_1662507051_21
drwx--x--- 3 splunk splunk 4096 Sep 19 2022 db_1663597969_1663592971_24
drwx--x--- 3 splunk splunk 4096 Sep 19 2022 db_1663600052_1663597937_25
drwx--x--- 3 splunk splunk 4096 Oct 20 2022 db_1666239485_1663600060_26
drwx--x--- 3 splunk splunk 4096 Nov 15 2022 db_1668525038_1666239467_27
drwx--x--- 3 splunk splunk 4096 Nov 15 2022 db_1668525264_1668525013_29
drwx--x--- 3 splunk splunk 4096 Dec 13 2022 db_1660748402_1645073785_31
drwx--x--- 3 splunk splunk 4096 Dec 15 2022 db_1671120985_1668526212_32
Is there a question or are you just reporting this? If it is a question, you should provide more information about what you have tried, and what the actual errors are.
Hi Giuseppe, thank you for your help, it worked.
Thanks for answering. What do you mean by "editing the lookup_edit file"? I am in "Settings - User Interface - Views" but don't see any way to edit any file or where to alter the text you refer to. Where is this file I should edit?
Does anyone know where I can find information on installing and configuring the ESET TA and the app on Linux Splunk Enterprise (Debian) and Windows ESET Administrator? I don't have any information on installing on newer versions compatible with Splunk Enterprise 9.0.5. Despite having configured ESET logs and syslog accordingly, I do not see any logs arriving on my search head.
https://help.eset.com/protect_admin/90/en-US/admin_server_settings_syslog.html
https://splunkbase.splunk.com/app/3931/
https://splunkbase.splunk.com/app/3867/#/details
or https://splunkbase.splunk.com/app/6808
Each time I run a search query and click visualisation, the default is "column chart". How do I set this to default to "line chart" for myself, and how do I set this for other users? Thanks in advance
Hi @splunkreal, to my knowledge different Indexers, not indexes. There's no sense in duplicating logs in two indexes of the same Indexers. But you have to set the same index name because you really set one index in the input stanza. If you want to have a different index name on the second Indexers, you have to override this value on it. Ciao. Giuseppe
Hi @gcusello, great, thanks; however, may it work if we set a different index for the secondary stanza?
Yes, you are right. The second search is useless.
index=nessus Risk=Medium earliest=-9d latest=now | stats values(CVE) as CVE_9d by extracted_Host | eval Status=case(isnull(CVE_9d) AND isnotnull(CVE_now), "New", isnotnull(CVE_9d) AND isnull(CVE_now), "Finished", isnotnull(CVE_9d) AND isnotnull(CVE_now), "Not Changed") | table extracted_Host, Status
My problem is still here. I import vulnerability scan logs into Splunk and get the information about which host has an open CVE and how critical it is. I want the output: if the scanned host is in the old scan from 7 days ago and not in the new scan today, the output should be that the host is "Finished"; if the host is in the old scan and the new scan, I want the output "Unchanged"; if the host is not in the old scan but in the new scan, I want the output "New". I need this information so I can build a dashboard and see which hosts and CVEs are "done", which ones are "still open" and which hosts and CVEs are "New", because I must give the information/ticket to the server admins. Thanks
I was fighting with the query, as it kept on giving me results, but it seems I overlooked the fact that the "off" trigger happened twice and the other only once. Great! Thanks a lot.
CAT to Splunk Logs Failing: host = 161.209.202.108 user = sv_cat port = 22 Start time: 10/24/2023 at 4:21am 
Hi @splunkreal, it should be possible using two _TCP_ROUTING items in the inputs.conf pointing to the two different destinations, obviously in different Indexers. But in this way you pay twice the license because data is indexed twice. For more info see https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input Ciao. Giuseppe
Hi @bambarita, which URL did you use? Please try this: https://splunk.my.site.com/customer/s Ciao. Giuseppe
Hello. As far as I understand, the Splunk data model has two main goals:
1) Data models enable users of Pivot to create compelling reports and dashboards without designing the searches that generate them. So, the Pivot tool lets you report on a specific data set without the Splunk Search Processing Language.
2) It's possible to refer to the CIM data models to normalize different names of data having the same function. In this case, we need to normalize data by using tags, aliases, eventtypes, etc.: Alerts, Application State, Authentication, Certificates, Databases, Data Loss Prevention, Email, Interprocess Messaging, Intrusion Detection, Inventory, Java Virtual Machines, Malware, Network Resolution (DNS), Network Sessions, Network Traffic, Performance, Ticket Management, Updates, Vulnerabilities, Web.
Is it correct? Thanks
Hi @waJesu, yes, at the top right of the Splunk Editor dashboard there's the Import button. Ciao. Giuseppe