The regex looks fine, although it's not necessary to escape underscore (_) characters. The blacklist5 setting is missing "$XmlRegex=" and delimiters around the regex.
I am running a single instance (i.e. everything on one box). I have updated the local props.conf again and seen no change in the indexed data. Here is the current output from btool:

C:\Program Files\Splunk\bin>splunk btool --debug props list aws:s3:csv
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf [aws:s3:csv]
C:\Program Files\Splunk\etc\system\default\props.conf ADD_EXTRA_TIME_FIELDS = True
C:\Program Files\Splunk\etc\system\default\props.conf ANNOTATE_PUNCT = True
C:\Program Files\Splunk\etc\system\default\props.conf AUTO_KV_JSON = true
C:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE =
C:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE_DATE = True
C:\Program Files\Splunk\etc\system\default\props.conf CHARSET = AUTO
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf DATETIME_CONFIG = CURRENT
C:\Program Files\Splunk\etc\system\default\props.conf DEPTH_LIMIT = 1000
C:\Program Files\Splunk\etc\system\default\props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf EVENT_BREAKER = [\r\n]+
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf EVENT_BREAKER_ENABLE = true
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf FIELD_DELIMITER = \t
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf HEADER_FIELD_DELIMITER = \t
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf HEADER_FIELD_LINE_NUMBER = 1
C:\Program Files\Splunk\etc\system\default\props.conf HEADER_MODE =
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf INDEXED_EXTRACTIONS = TSV
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf KV_MODE = multi
C:\Program Files\Splunk\etc\system\default\props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000
C:\Program Files\Splunk\etc\system\default\props.conf LEARN_MODEL = true
C:\Program Files\Splunk\etc\system\default\props.conf LEARN_SOURCETYPE = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf LINE_BREAKER = [\r\n]+
C:\Program Files\Splunk\etc\system\default\props.conf LINE_BREAKER_LOOKBEHIND = 100
C:\Program Files\Splunk\etc\system\default\props.conf MATCH_LIMIT = 100000
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_AGO = 2000
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_HENCE = 2
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_AGO = 3600
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_HENCE = 604800
C:\Program Files\Splunk\etc\system\default\props.conf MAX_EVENTS = 256
C:\Program Files\Splunk\etc\system\default\props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
C:\Program Files\Splunk\etc\system\default\props.conf MUST_BREAK_AFTER =
C:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_AFTER =
C:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_BEFORE =
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION = indexing
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-all = full
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-inner = inner
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-outer = outer
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-raw = none
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-standard = standard
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf SHOULD_LINEMERGE = false
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf TIMESTAMP_FIELDS = timestamp
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf TIME_FORMAT = %s
C:\Program Files\Splunk\etc\system\default\props.conf TRANSFORMS =
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf TRUNCATE = 8388608
C:\Program Files\Splunk\etc\system\default\props.conf detect_trailing_nulls = auto
C:\Program Files\Splunk\etc\system\default\props.conf maxDist = 100
C:\Program Files\Splunk\etc\system\default\props.conf priority =
C:\Program Files\Splunk\etc\system\default\props.conf sourcetype =
C:\Program Files\Splunk\etc\system\default\props.conf termFrequencyWeightedDist = false
C:\Program Files\Splunk\etc\system\default\props.conf unarchive_cmd_start_mode = shell
[monitor:///var/log/suricata/eve.json]
disabled = true
sourcetype = suricata
index = suricata

Currently not seeing any eve.json data coming from the suricata box to the splunk server? We do get other logs like the syslog but no eve.json data? Tried throwing the TA out in the APPs folder on the server; that didn't work. Added index = suricata to the server and it doesn't find it. Any help would be appreciated. Instructions on deploying the app would be nice.
Hi @richgalloway @gcusello, despite multiple tests, I am unable to achieve blacklisting. Please, for the sake of accuracy, address this issue.

blacklist5 = <Data Name='NewProcessName'>(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCM\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw.\_.\_.+\\GytpolClientFW.\_.\_.\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR\.exe)|(C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe)|(C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe|(C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy\.exe)|(C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)|(C:\\Program Files\\AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker\.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk\.exe)<\/Data>

All events matched with the regex: https://regex101.com/r/Xqw7eP/1

Thanks a lot.
So, I found a "fix" or "workaround" that I'm not too happy about, but it seems to solve the issue. Surrounding the "require" with a 5 second "setTimeout" call seems to work fine, as follows:

setTimeout(function() {
    require(['splunkjs/mvc'], function(mvc) {
        ...
    });
}, 5000);

If anyone can shed any light on this "issue", please advise.
I've done exactly as you said, but it's still not working.  What kind of visualization type should I select to get a multi line graph?  I'm running on a clustered environment using SQL Server 2016 and using DBConnect.  My field in the dashboard still says it is waiting for input.  I updated the Indexes.conf files and did the Rolling Restart on the Index Clustering Manager node.
What data is in Splunk that distinguishes an Idemia machine from the others?  Once you know that, you'll know what to search for.
To work with multi-value fields, look to the mv* functions.

| eval match=if(isnotnull(mvfind(DNS_Matched, "(-admin|-mgt|-vip)")),1, 0)

The mvfind function uses a regular expression to search an MV field for certain text. It returns NULL if the value is not found or an index into the field if it is found.
source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty" | rex "WifiCountryDetails\"\:\"(?<WifiCountryDetails>(\w+|\S))\"" | stats count by WifiCountryDetails

Please check the above SPL. I checked it and it's working fine. To troubleshoot further, can you please copy-paste two sample logs, one with a country and one without? (Please remove IP addresses and other important details from the sample logs; just copy-paste lines like these:

{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"","BatPercent":100,"BatTech":"Rechargeable"
{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"india","BatPercent":100,"BatTech":"Rechargeable"
)
I need to search a field called DNS_Matched, that has multi-value fields, for events that have one or more values that meet the criteria of the value ending with -admin, -vip, -mgt, or does not meet any of those three. How can I do that?

Example

DNS_Matched
host1
host1-vip
host1-mgt
host2
host2-admin
host2-mgmt
host2-vip
Please have a look.
Please take the screenshot so that the SPL command is also visible inside the image (zoom out or keep the browser window small, so that a bigger portion can be captured in the image).
After upgrading to 7.2.10, the next step is 8.2.5 then 9.x.
The last answer was given 2 years ago, has the situation changed?
I am aware of this site: https://docs.splunk.com/Documentation/Splunk/7.2.10/Forwarding/Compatibilitybetweenforwardersandindexers

I have several simple Splunk implementations (all functions run on one server). My indexers are a mixture of 6.5 and 6.6. I plan on upgrading to 7.2.10 with the eventual goal of getting to the latest version. First, I'd like to understand which forwarders can communicate with which indexers. The link above relates to 7.0.0 and later. I'm at 6.5/6.6 as stated earlier. Secondly, I know I need to upgrade Splunk to various incremental versions before I get to 9.x. What is the recommended path to upgrading to 9.x? Since I'm on 6.5 or 6.6, I believe my next step is 7.2.10 (is that right?). But what is the path after that? Thanks for the help!
I did exactly the same, but again it's fetching the next field. Please look at the screenshot.
source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty" | rex "WifiCountryDetails\"\:\"(?<WifiCountryDetails>\w+)\"" | stats count by WifiCountryDetails

Working fine, as suggested previously; check the screenshot below. (Please note the rex command closely. I have edited your rex a little bit: I added ("\"\:\"") before the capture group and (\") after it.)
Can someone help me with the Splunk code that would be necessary to search for the Idemia machines? Thank you, Anthony
What error messages do you see? Are the indexes or the disk they're on full? Restarting or re-installing Splunk may help correct some causes of the problem, but not the most likely ones.
For Simple XML dashboards, see https://docs.splunk.com/Documentation/Splunk/9.1.1/Viz/tokens#Access_tokens_to_show_or_hide_user_interface_components . For Dashboard Studio, see https://docs.splunk.com/Documentation/Splunk/9.1.1/DashStudio/setUpDashboard#Conditionally_show_or_hide_panels