Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-10-2023
08:56 AM
1 Karma
Looking at it as every 3 hours from 7am to 10pm gets you * 7-21/3 * * *. Change the first asterisk to a number (0-59) if you want the schedule to be once each hour rather than every minute.
10-10-2023
08:53 AM
The blacklist setting supports neither of those. See my earlier reply for the list of supported keywords/fields.
10-10-2023
08:25 AM
Hi @PickleRick @gcusello I was reading this reply and I am currently in need to set up this from your post. ============== Another relatively well working idea is to use Windows Event Forwardi...
See more...
Hi @PickleRick @gcusello I was reading this reply and I am currently in need to set up this from your post. ============== Another relatively well working idea is to use Windows Event Forwarding (easy to set up in a domain environment, can be also confuigured in domainless setup but then it gets complicated but still possible) and pull windows from a central eventlog collector. I use it quite a lot. Be aware of possible performance issues as you scale horizontally too far. =========== Do you have any guide/link which tells this step by step; how to setup WEF on two servers.
10-10-2023
08:23 AM
How to write a cron schedule for
every 3 hours exclude from 10pm to 7 am
Labels
- Labels:
-
using Splunk Enterprise
10-10-2023
08:21 AM
There was some maintenance activity was there
10-10-2023
08:05 AM
Hi @richgalloway , Need a clarification on blacklisting the field which one we need to put under blacklist is it newprocessname or parentprocessname ?? Thanks
10-10-2023
07:57 AM
1 Karma
I need to use the German standard to display number 287.560,5 as a single value visualization instead of the English format that uses a comma to separate thousands and a dot for decimal numbers — 28...
See more...
I need to use the German standard to display number 287.560,5 as a single value visualization instead of the English format that uses a comma to separate thousands and a dot for decimal numbers — 287,560.8. The solution that was described here did not help: Decimal : how to use "," vs "." ? - Splunk Community When I look at the number before it is saved as a report in a dishboard, it does not have any commas. Could anyone help me with this question? At the moment, I just set the "shouldUseThousandSeparators" in json to false to remove the commas altogether. But I eventually want to use the dot for thousands and a comma for decimals for better legibility. Thank you in advance
- Tags:
- dashboard
Labels
- Labels:
-
single value
10-10-2023
07:50 AM
We have distributed Splunk Enterprise setup, we are trying to establish secure TLS communication between UF-> HF-> Indexer. We do have certificates configured for Search heads, Indexers and Heavy Fo...
See more...
We have distributed Splunk Enterprise setup, we are trying to establish secure TLS communication between UF-> HF-> Indexer. We do have certificates configured for Search heads, Indexers and Heavy Forwarders. We have also opened required receiving ports on both Indexer and HF. On the other hand, we have around 200 UF's, can someone please tell me, if we need to generate 200 client certificates or we can use general certificate which we can deploy on all 200 UF's for establishing communication between UF and Indexers
Labels
- Labels:
-
administration
-
configuration
10-10-2023
06:21 AM
can someone help me with this issue where splunk is reading the file, but 'adding' a information that is NOT in the original file.
If you search below
index="acob_controls_summary" sourcety...
See more...
can someone help me with this issue where splunk is reading the file, but 'adding' a information that is NOT in the original file.
If you search below
index="acob_controls_summary" sourcetype=acob:json source="/var/log/acobjson/*100223*rtm*"
|search system=CHE control_id=AU2_A_2_1 compliance_status=100%
You will get two result, and mainly separated by “last_test_date”
one showing "2023-10-02 15:42:30.784049" and other showing
"2023-10-02 14:56:45.047265"
ironically,
attached file is the SAME file (just changed the file name after copied onto my machine), that we are seeing from the splunk,
yet there is only ONE entry which is the second the one "2023-10-02 14:56:45.047265
where does that “2023-10-02 15:42:30.784049” came from?
we have a cluster environment therefore many splunk-server auto creates but why is it making a new 'test date' which actually separates one entry into two, AND give one a good return yet another one with wrong info.
Labels
- Labels:
-
universal forwarder
10-10-2023
06:20 AM
Hi Splunkers! How to assign the pie chart in same vertical if we are having dropdown in one specific pie chart. Having dropdown in one pie chart because of that other pie chart in same row g...
See more...
Hi Splunkers! How to assign the pie chart in same vertical if we are having dropdown in one specific pie chart. Having dropdown in one pie chart because of that other pie chart in same row got misaligned, need to have same height of pie charts in the row Thanks in Advance!
10-10-2023
06:08 AM
Created a fresh Add-on using Splunk add-on builder v4.1.3 and getting check_for_vulnerable_javascript_library_usage failures in AppInspect. Tried this suggestion https://community.splunk.com/t5/Buil...
See more...
Created a fresh Add-on using Splunk add-on builder v4.1.3 and getting check_for_vulnerable_javascript_library_usage failures in AppInspect. Tried this suggestion https://community.splunk.com/t5/Building-for-the-Splunk-Platform/How-to-update-a-Splunk-Add-on-Builder-built-app-or-add-on/m-p/587702 export, delete, import and generated add-on multiple times but still the issue persists. Please suggest a fix for this issue. Thanks.
10-10-2023
06:08 AM
eploy command is pushing an app without the local folder from deployer -> shc Our deployer settings are set to full [shclustering] deployer_push_mode = full
- Tags:
- deployer
Labels
- Labels:
-
configuration
10-10-2023
05:29 AM
1 Karma
I'm not aware of such a document, but you can find the number of concurrent searches using the Monitoring Console (MC). The maximum number of concurrent systems is 6+<numCPUs>. That formula can be ...
See more...
I'm not aware of such a document, but you can find the number of concurrent searches using the Monitoring Console (MC). The maximum number of concurrent systems is 6+<numCPUs>. That formula can be modified using limits.conf settings, but is good for most environments. If you see errors in the MC about searches being skipped because the maximum number of concurrent searches has been reached then you are not under-utilizing your server. Try re-distributing your scheduled searches so fewer are running at the same time. After that, if you still see the error then you are over-using the server and need more CPUs (or fewer searches). If there are times when the server is not running any searches, then you are under-using it at those times. The CPUs need to be available for times when searches run, however. Perhaps you need lower-powered CPUs rather than fewer CPUs.
10-10-2023
05:15 AM
1 Karma
I see a few problems here. 1. The blacklist1 setting is not in the proper format. It must be a list of event IDs or a keyword followed by "=" followed by a regular expression. 2. The regex shown i...
See more...
I see a few problems here. 1. The blacklist1 setting is not in the proper format. It must be a list of event IDs or a keyword followed by "=" followed by a regular expression. 2. The regex shown is trying to match XML, but the sample event is not in XML. 3. The regex is looking for text ("4688", "MsSense.exe", "TaniumCX.exe") that is not in the sample event. Any of these would cause the blacklist to fail. To fix them: 1. Put the blacklist1 setting in an expected format. 2. Examine the log entry as Splunk sees it (_raw) rather than as shown by another program (which may have changed it for display purposes). 3. Ensure the regex matches the sample data.
10-10-2023
04:52 AM
1 Karma
These series colors from the documentation are not the real colors used. Instead, the colors are as follows (taken from $SPLUNK_HOME$/share/splunk/search_mrsparkle/exposed/js/splunk/palettes/ColorCod...
See more...
These series colors from the documentation are not the real colors used. Instead, the colors are as follows (taken from $SPLUNK_HOME$/share/splunk/search_mrsparkle/exposed/js/splunk/palettes/ColorCodes.js): [0x006d9c, 0x4fa484, 0xec9960, 0xaf575a, 0xb6c75a, 0x62b3b2, 0x294e70, 0x738795, 0xedd051, 0xbd9872, 0x5a4575, 0x7ea77b, 0x708794, 0xd7c6b7, 0x339bb2, 0x55672d, 0xe6e1ae, 0x96907f, 0x87bc65, 0xcf7e60, 0x7b5547, 0x77d6d8, 0x4a7f2c, 0xf589ad, 0x6a2c5d, 0xaaabae, 0x9a7438, 0xa4d563, 0x7672a4, 0x184b81, 0x7fb6ce, 0xa7d2c2, 0xf6ccb0, 0xd7abad, 0xdbe3ad, 0xb1d9d9, 0x94a7b8, 0xb9c3ca, 0xf6e8a8, 0xdeccb9, 0xb7acca, 0xb2cab0, 0xa5b2bf, 0xe9ddd4, 0x66c3d0, 0xaab396, 0xf3f0d7, 0xc1bcb3, 0xb6d7a3, 0xe1b2a1, 0xdec4ba, 0xabe6e8, 0x91b282, 0xf8b7ce, 0xcba3c2, 0xcccdce, 0xc3ab89, 0xc7e6a3, 0xada9c8, 0xa4bbe0]
10-10-2023
04:45 AM
1 Karma
This kind of errors typically show problems either on the network level (some firewall in the middle not allowing traffic from the UF to the indexers) or the host firewall on the indexer not allowing...
See more...
This kind of errors typically show problems either on the network level (some firewall in the middle not allowing traffic from the UF to the indexers) or the host firewall on the indexer not allowing the incoming traffic.
10-10-2023
04:43 AM
With Splunk there is no way to delete data from the index other than the normal rolling oldest buckets to frozen. There is the "delete" command but it doesn't actually delete the data from the index...
See more...
With Splunk there is no way to delete data from the index other than the normal rolling oldest buckets to frozen. There is the "delete" command but it doesn't actually delete the data from the index files (since the index files are immutable after creation and may be - as mentioned above - only rolled as a whole) but it marks that data as not searchable. That's one of the reasons why you should test your configurations - especially the input-related elements - in a dev/test environment before deploying it to production.
10-10-2023
04:15 AM
The section of the troubleshooting guide your refer to is wrong in fixing this app's issue with respect to the certificates. That section refers to splunk server side authentication not the app.
10-10-2023
04:14 AM
Hi How to delete only specific data from the specific index(note: not the entire data)in clustered environment
Labels
- Labels:
-
indexer clustering
10-10-2023
04:11 AM
Good morning sorry for ask again for the same theme, im triying to install on Solaris 11.4 splunk in but i can bcs my solaris doestn recognize the comand for the installation
