All Posts
I was able to figure out the issue. I had to uncheck the Enable indexer acknowledgement checkbox; I don't know why that prevented the instance from receiving logs. I'm currently using localhost but will eventually change that to our domain. Thanks
Wait a second. Where did you try to install the add-on builder? On your cloud instance? You shouldn't do that. It's supposed to be installed on your development instance of Splunk Enterprise. There you should build your app. When the custom app is ready, you should submit it for vetting and install it onto your cloud instance. See https://docs.splunk.com/Documentation/AddonBuilder/4.1.3/UserGuide/Installation
Not really. Maintaining anything uses time and effort. Essentially, it costs money. Even if there was a Splunk PowerShell module 10 years ago, since then both the Splunk API and PowerShell have evolved. And since Windows is not really the main operating system of choice for Splunk (yes, you can run Splunk on Windows, but it has some limitations and it's usually better to just go with Linux), there is much more demand for tools for Unix-based admins and devs. Simple as that. On the other hand, you can always run Python on Windows and use the Python Splunk libs.
Not shocking at all. Businesses have to make decisions about where to focus their efforts and money, and it would seem PowerShell did not make the cut. Software on GitHub probably was not official, and the employee who built it may have moved on to other things.
Hi, have you tried the one I shared? If yes, please share your updated dashboard XML. It's working for me; I can see the time on the report.
@vijreddy30 - which role have you assigned to the user? It seems your user doesn't have access to that page. Usually only admin has access to that page. I hope this helps!!! Kindly upvote if it does!!!
Hi Team, I created a test user, assigned the viewer role, logged in with the test credentials and selected the manage app settings operation. It displayed the Splunk 404 Forbidden Error window; clicking the "click here" option shown in the window, logging in again with the credentials and clicking manage settings then works. How do I overcome the 404 Forbidden Error? Please help me. Regards, Vijay .K
Hi, we want to get data in from Perception Point. We haven't seen any add-on for it. We thought about spinning up a VM with a UF, but we would prefer to get data in via an add-on, even if we have to create one ourselves. The add-on builder, however, is failing to install in our Splunk Cloud instance.
Ok. We're getting somewhere. Your appender should be sending the events to the listening component on localhost.
1. Do you have a UF or a Splunk Enterprise instance on the same host?
2. Does it have an input defined on port 8088?
3. Isn't your network traffic firewalled?
4. Does your HTTP input have TLS enabled or disabled? (Your appender configuration will expect plain unencrypted HTTP.)
Hello, just checking in to see whether the issue was resolved or you have any further questions?
Hello @Albert_Cyber, you have used the right way: Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the save button at the very bottom (I have seen a customer who had a similar issue and all it needed was to click on the "Save" button at the very end). If the issue is still not resolved, can you please provide the information / screenshots below:
- Search results showing the field is available
- Notable configuration (AR) screenshot
- Event Attributes screenshot
Thank you very much for this suggestion.
Generally speaking:
1) Alerts are created for monitoring a threshold and getting an email notification (or other tasks like incident creation, etc.).
2) Reports are created for daily/weekly/monthly report generation (generally on a large dataset) and emailing the reports.
3) Dashboards are created for viewing/checking/showcasing the current status of a search query/system.
So generally you will not require an email notification from a dashboard. Hope you got it. Thanks. As you are a new member, let me tell you that karma points / upvotes are appreciated by everybody. Thanks.
Hi, if unnecessary fields are displayed from the token, then please check whether you've unset token 'nf' when 'sf' is present, and vice versa: if 'nf' is present, then unset the 'sf' fields.
Hi @jerome ... troubleshooting this requires mooore details from you.
1. From the UF, are you able to receive other logs at the indexer?
2. Were these Java logs showing up at the indexer previously, or did it never work after you configured it?
3. Is it a prod or test system?
4. Your inputs.conf from the UF configuration, please.
The most common way to handle this is to use append instead. The following example uses eventstats. Note that field names are case-sensitive, so the subsearch's Username field is used throughout, and the MAC coming out of the subsearch is left as a plain value so that eventstats can match it against the mac extracted from the main search:
index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=mvindex(stuff,4)
| eval mac=substr(mac,1,17)
| eval denyListAction=mvindex(stuff,3)
| eval denyListAction=replace(denyListAction,":","")
| eval reason=mvindex(stuff,5,6)
| dedup mac,denyListAction,reason
| append [ search index=main host=thestor Username="*adgunn*"
    | dedup Client_Mac
    | eval Client_Mac=replace(Client_Mac,"-",":")
    | rename Client_Mac AS mac
    | fields mac Username ]
| eventstats values(Username) as Username by mac
| where isnotnull(Username)
| table _time,mac,denyListAction,reason,Username
I created the index via Splunk and have a log4j-spring.xml file where I have the necessary configurations for Splunk, see below. I'm using log4j as the logging mechanism in my application.
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Appenders>
    <Console name="console" target="SYSTEM_OUT">
      <PatternLayout pattern="%style{%d{ISO8601}} %highlight{%-5level }[%style{%t}{bright,blue}] %style{%C{10}}{bright,yellow}: %msg%n%throwable" />
    </Console>
    <SplunkHttp name="splunkhttp" url="http://localhost:8088" token="*******" host="localhost" index="gam_event_pro_dev" type="raw" source="gameventpro" sourcetype="log4j" messageFormat="text" disableCertificateValidation="true">
      <PatternLayout pattern="%m" />
    </SplunkHttp>
  </Appenders>
  <Loggers>
    <!-- LOG everything at INFO level -->
    <Root level="info">
      <AppenderRef ref="console" />
      <AppenderRef ref="splunkhttp" />
    </Root>
  </Loggers>
</Configuration>
I have admin access to our Splunk account, so permission should not be an issue.
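An added example, not code from any post in this thread: a small Python probe that sends one test event to HEC the same way the SplunkHttp appender above does (raw endpoint, metadata as query parameters), so the questions about localhost:8088, TLS and indexer acknowledgement can be answered from a shell before touching the application. The endpoint, token and channel values are placeholders; the reply-code meanings follow the standard HEC JSON replies.

```python
"""HEC probe mirroring the SplunkHttp appender config (added example; placeholder endpoint/token)."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
import uuid

# HEC JSON reply codes that matter in this thread
HEC_CODES = {0: "Success", 4: "Invalid token", 7: "Incorrect index",
             10: "Data channel is missing (indexer acknowledgement is enabled on the token)",
             14: "ACK is disabled"}

def build_request(hec_url, token, index, sourcetype, message, raw=True, ack_channel=None):
    """Return (url, headers, body). raw=True mirrors type="raw" in the appender: metadata goes in
    the query string and the body is the bare message. With indexer acknowledgement enabled, HEC
    insists on an X-Splunk-Request-Channel header; the appender sends none, hence the first post."""
    base = hec_url.rstrip("/") + "/services/collector/"
    headers = {"Authorization": "Splunk " + token}
    if ack_channel:
        headers["X-Splunk-Request-Channel"] = ack_channel
    if raw:
        query = urllib.parse.urlencode({"index": index, "sourcetype": sourcetype})
        return base + "raw?" + query, headers, message.encode()
    headers["Content-Type"] = "application/json"
    body = json.dumps({"event": message, "index": index, "sourcetype": sourcetype})
    return base + "event", headers, body.encode()

def diagnose(status, body):
    """Turn an HEC reply (HTTP status plus JSON text) into one line a person can act on."""
    try:
        code = json.loads(body).get("code")
    except ValueError:
        return f"HTTP {status}: non-JSON reply, port 8088 may not be an HEC input"
    return f"HTTP {status}: " + HEC_CODES.get(code, f"HEC code {code}")

def probe(hec_url, token, index, sourcetype, verify_tls=True, ack_channel=None):
    """POST one test event and return the diagnosis string (needs a reachable HEC)."""
    url, headers, body = build_request(hec_url, token, index, sourcetype,
                                       "hec probe " + str(uuid.uuid4()), ack_channel=ack_channel)
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as disableCertificateValidation="true"
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
            return diagnose(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx replies still carry an HEC code
        return diagnose(err.code, err.read().decode())
    except urllib.error.URLError as err:  # refused, firewalled, or http vs https mismatch
        return f"no HEC reply from {url}: {err.reason}"

if __name__ == "__main__":
    print(probe("http://localhost:8088", "REPLACE-WITH-HEC-TOKEN", "gam_event_pro_dev", "log4j"))
```

A "Data channel is missing" reply with the appender's settings is the signature of the indexer-acknowledgement problem from the first post; a URLError with an https-only input is the TLS mismatch from question 4.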