All Posts


Thank you for your help here Rich! I replaced the regex with the one you provided and still am not seeing any data at all. Both my regular expression, as well as the one you provided, worked to locate the string "authentication failure" in regex101. This has left me more or less stumped. It's like the Heavy Forwarder is completely ignoring the "set_parse" setting. Perhaps the issue lies with props.conf? I have used props and transforms before, just not sure what the issue is here. What do you think?
Thanks, Grant
I'm trying to find the right regex for Splunk search-time extraction first, via the Splunk GUI.
Where in Splunk are you using this regex?  If it's in transforms.conf then please share the full stanza.
The input is disabled (disabled=true) so nothing will be read from the file.  Set disabled=false and restart the Splunk instance.
I need help with a regex to extract keys and values from raw data; the regex below is working with xml_kv_extraction. While it's working in regex101 it is not working in Splunk with rex. Any suggestions?

<(?<field_header>[^>]+)>(?<field_value>[^<]+)<\/\1>

https://regex101.com/r/IBsMhK/1

e.g. events with <field_title><field_header1>field_value1</field_header1><field_header2>field_value2</field_header2></field_title>

Fields should appear as below:
field_title = <field_header1>field_value1</field_header1><field_header2>field_value2</field_header2>
field_header1=field_value1
field_header2=field_value2

1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:36:22.742479", LAST_UPDATE_DATE="1997-10-10 13:36:22.74", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.388887", LAST_UPDATE_DATE="1997-10-10 13:03:58.388", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.384984", LAST_UPDATE_DATE="1997-10-10 13:03:58.384", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.384947", LAST_UPDATE_DATE="1997-10-10 13:03:58.384", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.378965", LAST_UPDATE_DATE="1997-10-10 13:03:58.378", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.374242", LAST_UPDATE_DATE="1997-10-10 13:03:58.373", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.374235", LAST_UPDATE_DATE="1997-10-10 13:03:58.373", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.325953", LAST_UPDATE_DATE="1997-10-10 13:03:58.325", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"

@priit @PriA @yonmost @jameshgibson @bnikhil0584
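To see what the leaf-element regex from the post above actually captures on the posted events, here is an added example (not code from the post or from Splunk) that runs the same expression in Python, where the named group is spelled (?P<...>) and the back-reference (?P=field_header) instead of \1. It pulls the XML out of DATA_STRING for the two event shapes copied from the post, collects repeated tags such as roleName into a list the way a multivalue field would, and then compares the result against a real XML parse keyed by dotted path, which is the only way to tell the outer keywordp container from the inner keywordp leaf. The helper names and the REQUEST_EVENT/RESPONSE_EVENT constants are assumptions made here for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Python spelling of the posted regex: (?P<name>...) instead of PCRE's (?<name>...),
# and (?P=field_header) in place of the numbered back-reference \1.
LEAF_RE = re.compile(r"<(?P<field_header>[^>]+)>(?P<field_value>[^<]+)</(?P=field_header)>")

# Two raw events copied from the post above (request and response shapes).
REQUEST_EVENT = (
    '1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:36:22.742479", '
    'LAST_UPDATE_DATE="1997-10-10 13:36:22.74", ACTION="externalFactor", STATUS="info", '
    'DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current>'
    '<keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp>'
    '<boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"'
)
RESPONSE_EVENT = (
    '1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.388887", '
    'LAST_UPDATE_DATE="1997-10-10 13:03:58.388", ACTION="externalFactor.RESPONSE", STATUS="info", '
    'DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn>'
    '<roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName>'
    '<pepres>false</pepres><externalFactor>false</externalFactor>'
    '<parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"'
)


def data_string(event):
    """Return the XML document inside DATA_STRING="..." (the value itself contains quotes,
    so take everything after the opening quote and drop only the final one)."""
    start = event.index('DATA_STRING="') + len('DATA_STRING="')
    return event[start:].rstrip().rstrip('"')


def extract_leaf_kv(xml_text):
    """Regex approach: every element whose content contains no '<' becomes tag -> [values].
    Containers (externalFactor, the outer keywordp) never match because their content
    starts with '<'; a tag that repeats (roleName) yields several values."""
    fields = defaultdict(list)
    for m in LEAF_RE.finditer(xml_text):
        fields[m.group("field_header")].append(m.group("field_value"))
    return dict(fields)


def extract_paths(xml_text):
    """Parser approach: the same leaves, keyed by dotted path from the root element."""
    fields = defaultdict(list)
    # bytes input so the encoding declaration in the prolog is honoured
    root = ET.fromstring(xml_text.encode("utf-8"))

    def walk(el, path):
        if len(el) == 0:
            if el.text is not None:
                fields[path].append(el.text)
            return
        for child in el:
            walk(child, path + "." + child.tag)

    walk(root, root.tag)
    return dict(fields)


if __name__ == "__main__":
    for ev in (REQUEST_EVENT, RESPONSE_EVENT):
        xml_text = data_string(ev)
        print("regex :", extract_leaf_kv(xml_text))
        print("parser:", extract_paths(xml_text))
```

The regex result is flat, so the inner keywordp value lands under the key keywordp with no trace of its parent; the parser output keeps externalFactor.keywordp.keywordp. Tags carrying attributes would also defeat the regex, because the captured opening tag text would then include the attribute and no longer equal the closing tag name.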
The regex looks fine, although it's not necessary to escape underscore (_) characters. The blacklist5 setting is missing "$XmlRegex=" and delimiters around the regex.
I am running a single instance (i.e. everything on one box). I have updated the local props.conf again and seen no change in the indexed data. Here is the current output from btool:

C:\Program Files\Splunk\bin>splunk btool --debug props list aws:s3:csv
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf [aws:s3:csv]
C:\Program Files\Splunk\etc\system\default\props.conf ADD_EXTRA_TIME_FIELDS = True
C:\Program Files\Splunk\etc\system\default\props.conf ANNOTATE_PUNCT = True
C:\Program Files\Splunk\etc\system\default\props.conf AUTO_KV_JSON = true
C:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE =
C:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE_DATE = True
C:\Program Files\Splunk\etc\system\default\props.conf CHARSET = AUTO
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf DATETIME_CONFIG = CURRENT
C:\Program Files\Splunk\etc\system\default\props.conf DEPTH_LIMIT = 1000
C:\Program Files\Splunk\etc\system\default\props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf EVENT_BREAKER = [\r\n]+
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf EVENT_BREAKER_ENABLE = true
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf FIELD_DELIMITER = \t
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf HEADER_FIELD_DELIMITER = \t
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf HEADER_FIELD_LINE_NUMBER = 1
C:\Program Files\Splunk\etc\system\default\props.conf HEADER_MODE =
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf INDEXED_EXTRACTIONS = TSV
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf KV_MODE = multi
C:\Program Files\Splunk\etc\system\default\props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000
C:\Program Files\Splunk\etc\system\default\props.conf LEARN_MODEL = true
C:\Program Files\Splunk\etc\system\default\props.conf LEARN_SOURCETYPE = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf LINE_BREAKER = [\r\n]+
C:\Program Files\Splunk\etc\system\default\props.conf LINE_BREAKER_LOOKBEHIND = 100
C:\Program Files\Splunk\etc\system\default\props.conf MATCH_LIMIT = 100000
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_AGO = 2000
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_HENCE = 2
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_AGO = 3600
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_HENCE = 604800
C:\Program Files\Splunk\etc\system\default\props.conf MAX_EVENTS = 256
C:\Program Files\Splunk\etc\system\default\props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
C:\Program Files\Splunk\etc\system\default\props.conf MUST_BREAK_AFTER =
C:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_AFTER =
C:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_BEFORE =
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION = indexing
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-all = full
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-inner = inner
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-outer = outer
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-raw = none
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-standard = standard
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf SHOULD_LINEMERGE = false
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf TIMESTAMP_FIELDS = timestamp
C:\Program Files\Splunk\etc\apps\new_app_for_s3_data\local\props.conf TIME_FORMAT = %s
C:\Program Files\Splunk\etc\system\default\props.conf TRANSFORMS =
C:\Program Files\Splunk\etc\apps\Splunk_TA_aws\default\props.conf TRUNCATE = 8388608
C:\Program Files\Splunk\etc\system\default\props.conf detect_trailing_nulls = auto
C:\Program Files\Splunk\etc\system\default\props.conf maxDist = 100
C:\Program Files\Splunk\etc\system\default\props.conf priority =
C:\Program Files\Splunk\etc\system\default\props.conf sourcetype =
C:\Program Files\Splunk\etc\system\default\props.conf termFrequencyWeightedDist = false
C:\Program Files\Splunk\etc\system\default\props.conf unarchive_cmd_start_mode = shell
[monitor:///var/log/suricata/eve.json]
disabled=true
sourcetype= suricata
index = suricata

Currently not seeing any eve.json data coming from the suricata box to the splunk server? We do get other logs like the syslog but no eve.json data? Tried throwing the TA out in the APPs folder on the server; that didn't work. Added index = suricata to the server and it doesn't find it. Any help would be appreciated. Instructions on deploying the app would be nice.
Hi @richgalloway @gcusello,

Despite multiple tests, I am unable to achieve blacklisting. Please, for the sake of accuracy, address this issue.

blacklist5 = <Data Name='NewProcessName'>(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCM\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw.\_.\_.+\\GytpolClientFW.\_.\_.\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR\.exe)|(C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe)|(C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe|(C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy\.exe)|(C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe)|(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)|(C:\\Program Files\\AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker\.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk\.exe)<\/Data>

All events matched with the regex: https://regex101.com/r/Xqw7eP/1

Thanks a lot.
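A blacklist on process-creation events is a suppression rule: whatever it matches is never indexed, so it is worth checking, before deploying, that it matches exactly the agent binaries intended and nothing else. The following is an added example, not from the post or from Splunk, that builds the blacklist value in the $XmlRegex="..." form the answer above asks for, from a short constructed subset of the poster's paths written with the same escaping (\\ for a backslash, \. for a dot, \( \) for parentheses), and exercises the inner regex in Python against constructed <Data Name='NewProcessName'> fragments. It also shows the one real defect visible in the posted list: get_proxy.exe is written with an unescaped dot, so that entry also matches a file named get_proxyXexe in the same directory. The function names and the sample fragments are assumptions of this example; Python's re and Splunk's PCRE agree on every construct used here.

```python
import re

# Constructed subset of the poster's paths, escaped the same way the post escapes them.
AGENT_PATHS = [
    r"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe",
    r"C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe",
    r"C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe",
    r"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk\.exe",
]

# The get_proxy entry as posted (unescaped dot before exe) and the corrected form.
GET_PROXY_AS_POSTED = [r"C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe"]
GET_PROXY_ESCAPED = [r"C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy\.exe"]


def xml_regex(paths):
    """Inner regex: the NewProcessName element must hold exactly one of the listed paths.
    The surrounding <Data ...> and </Data> pin the alternation to the whole value."""
    return "<Data Name='NewProcessName'>(" + "|".join(paths) + ")</Data>"


def blacklist_line(n, paths):
    """inputs.conf line in the $XmlRegex="..." form (double quotes as the delimiter)."""
    return f'blacklist{n} = $XmlRegex="{xml_regex(paths)}"'


def process_event(new_process_name):
    """Constructed minimal EventData fragment with the NewProcessName element as Splunk
    renders it for a 4688 event with renderXml = true (assumption of this example)."""
    return (
        "<EventData>"
        f"<Data Name='NewProcessName'>{new_process_name}</Data>"
        "<Data Name='SubjectUserName'>user</Data>"
        "</EventData>"
    )


def is_suppressed(event_xml, paths=AGENT_PATHS):
    """True when the blacklist regex would drop this event before indexing."""
    return re.search(xml_regex(paths), event_xml) is not None


if __name__ == "__main__":
    print(blacklist_line(5, AGENT_PATHS))
    for p in (r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
              r"C:\Users\bob\MsSense.exe"):
        print(p, "->", "suppressed" if is_suppressed(process_event(p)) else "indexed")
```

The second check in the usage matters: because every alternative starts with the full install path, a same-named binary dropped into a user-writable directory is still indexed, which is the behaviour a SOC wants from an agent blacklist. The get_proxy case shows why a literal dot must be escaped even when the rest of the path is.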
So, I found a "fix" or "workaround" that I'm not too happy about, but it seems to solve the issue. Surrounding the "require" with a 5 second "setTimeout" call seems to work fine, as follows:

setTimeout(function() {
    require(['splunkjs/mvc'], function(mvc) {
        ...
    });
}, 5000);

If anyone can shed any light on this "issue", please advise.
I've done exactly as you said, but it's still not working.  What kind of visualization type should I select to get a multi line graph?  I'm running on a clustered environment using SQL Server 2016 and using DBConnect.  My field in the dashboard still says it is waiting for input.  I updated the Indexes.conf files and did the Rolling Restart on the Index Clustering Manager node.
What data is in Splunk that distinguishes an Idemia machine from the others?  Once you know that, you'll know what to search for.
To work with multi-value fields, look to the mv* functions.

| eval match=if(isnotnull(mvfind(DNS_Matched, "(-admin|-mgt|-vip)")),1, 0)

The mvfind function uses a regular expression to search an MV field for certain text. It returns NULL if the value is not found or an index into the field if it is found.
source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty" | rex "WifiCountryDetails\"\:\"(?<WifiCountryDetails>(\w+|\S))\"" | stats count by WifiCountryDetails

Please check the above SPL. I checked it and it's working fine. To troubleshoot further, can you please copy-paste two sample logs, one with country and one without country? (Please remove IP addresses and other important details from the sample logs; just copy-paste lines like these.)

{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"","BatPercent":100,"BatTech":"Rechargeable"
{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"india","BatPercent":100,"BatTech":"Rechargeable"
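To see exactly what the posted rex pattern yields for each of the two sample shapes above, here is an added example (not from the post or from Splunk) that runs the same expression in Python on two constructed lines modelled on the samples (closing brace added, named group spelled (?P<...>), and without the SPL quote escaping). It also mimics the tail of the search, since stats count by drops events that carry no value for the by-field, and sets an alternative pattern beside it that captures an empty value as well; that alternative and the helper names are assumptions of this example, not the answerer's suggestion.

```python
import re

# The posted rex pattern, written as Python re: (\w+|\S) needs at least one character
# between the quotes, so an empty value "" cannot match it.
POSTED_RE = re.compile(r'WifiCountryDetails":"(?P<WifiCountryDetails>(\w+|\S))"')

# Alternative assumed here, not from the post: [^"]* also accepts an empty value.
EMPTY_OK_RE = re.compile(r'WifiCountryDetails":"(?P<WifiCountryDetails>[^"]*)"')

# Constructed sample lines modelled on the two in the post (closing brace added).
SAMPLE_LINES = [
    '{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"","BatPercent":100,"BatTech":"Rechargeable"}',
    '{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"india","BatPercent":100,"BatTech":"Rechargeable"}',
]


def extract(pattern, line):
    """What rex would put in the WifiCountryDetails field for one event, or None."""
    m = pattern.search(line)
    return m.group("WifiCountryDetails") if m else None


def count_by(pattern, lines):
    """Mimic '| stats count by WifiCountryDetails': an event with no value for the
    by-field is left out of the result entirely."""
    counts = {}
    for line in lines:
        value = extract(pattern, line)
        if value is None:
            continue
        counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    print("posted pattern :", count_by(POSTED_RE, SAMPLE_LINES))
    print("empty allowed  :", count_by(EMPTY_OK_RE, SAMPLE_LINES))
```

With the posted pattern the empty-country event contributes nothing to the stats table; with the alternative it shows up as a row whose key is the empty string, which is usually what one wants when counting devices that failed to report a country.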
I need to search a field called DNS_Matched, that has multi-value fields, for events that have one or more values that meet the criteria of the value ending with -admin, -vip, -mgt, or does not meet any of those three. How can I do that?

Example:
DNS_Matched
host1
host1-vip
host1-mgt
host2
host2-admin
host2-mgmt
host2-vip
Please have a look.
Please take the screenshot along with the SPL command so it is also visible inside the image (zoom out or keep the browser window small, so a big portion can be captured in the image).
After upgrading to 7.2.10, the next step is 8.2.5 then 9.x.
The last answer was given 2 years ago, has the situation changed?
I am aware of this site: https://docs.splunk.com/Documentation/Splunk/7.2.10/Forwarding/Compatibilitybetweenforwardersandindexers

I have several simple Splunk implementations (all functions run on one server). My indexers are a mixture of 6.5 and 6.6. I plan on upgrading to 7.2.10 with the eventual goal of getting to the latest version.

First, I'd like to understand which forwarders can communicate with which indexers. The link above relates to 7.0.0 and later; I'm at 6.5/6.6 as stated earlier.

Secondly, I know I need to upgrade Splunk to various incremental versions before I get to 9.x. What is the recommended path to upgrading to 9.x? Since I'm on 6.5 or 6.6, I believe my next step is 7.2.10 (is that right?). But what is the path after that?

Thanks for the help!