All Posts

Hi. Actually I am trying to search data, even the archived data, but as you can see in the screenshot below I only get the last 3 months, because I think the data older than 3 months was archived. Could you explain to me how to retrieve data older than 3 months in my case? Regards
Hi, is there any app on Splunkbase to analyze the logs in my Splunk ES so I can stop unwanted log ingestion? Thanks
Hi, can anyone please figure out, from this list of apps, which of these apps from the web logs are not required for investigation / not needed for ingesting into Splunk, to save on license cost? ssl windows-remote-management web-browsing sap ms-office365-base google-base soap new-relic okta ms-onedrive-base windows-push-notifications dns-over-tls crowdstrike dns-over-https outlook-web-online ms-store paloalto-updates websocket apple-push-notifications gmail-base yahoo-web-analytics whatsapp-web naver-line hotmail http-proxy adobe-creative-cloud-base telegram-base ocsp pan-db-cloud windows-azure-base github-base apple-update deepl-base slack-base egnyte-base teamviewer-base google-meet facebook-chat concur-base google-docs-base qlikview paloalto-wildfire-cloud successfactors reddit-base bananatag google-analytics as2 cisco-spark-base viber-base jabber google-chat taobao appdynamics icloud-mail cloudinary-base zoom-base imgur-base webdav splashtop-remote zscaler-internet-access google-drive-web ms-onedrive-business liveperson discord salesforce-base tokbox quora-base paloalto-dns-security giphy-base vimeo-base giphy-downloading notion-base webex-base openai-base paloalto-cloud-identity zendesk-base paloalto-logging-service dailymotion paloalto-prisma-sdwan-control paloalto-shared-services cloudflare-warp sharepoint-online facebook-video Thanks
@anissabnk so do you have ONE of each libelle per event? If so, then how do you define response time: is it the TIME of the event, so BT time is OUT time - IN time, and is there only a SINGLE one of each libelle per flux? Try something like this:

index="bloc1rg" AND libelle IN (IN_PREC, OUT_PREC, IN_BT, OUT_BT, IN_RANG, OUT_RANG) earliest=-1mon@mon latest=-1d@d
| stats max(eval(if(libelle="IN_PREC", _time, null()))) as IN_PREC_TIME
        max(eval(if(libelle="OUT_PREC", _time, null()))) as OUT_PREC_TIME
        max(eval(if(libelle="IN_BT", _time, null()))) as IN_BT_TIME
        max(eval(if(libelle="OUT_BT", _time, null()))) as OUT_BT_TIME
        max(eval(if(libelle="IN_RANG", _time, null()))) as IN_RANG_TIME
        max(eval(if(libelle="OUT_RANG", _time, null()))) as OUT_RANG_TIME
        by id_flux
| eval response=(OUT_PREC_TIME-IN_PREC_TIME) + (OUT_BT_TIME-IN_BT_TIME) + (OUT_RANG_TIME-IN_RANG_TIME)
| fields - *_TIME

So you are collecting all the event times for each of the event types by flux id and then just calculating the response time at the end.
Use a change stanza in the input, e.g.

<input type="text" token="pre_domain">
  ...
  <change>
    <eval token="actual_domain">replace($pre_domain$,"\\[\\.\\]",".")</eval>
  </change>
</input>
Have you tried any of the eval JSON functions (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/JSONFunctions), such as json_extract or json_array_to_mv?
@juakashi - Please check the following things: Ensure you have the latest version of the Add-on. Ensure you put the certificate as described and in the described path. Ensure the certificate file permissions are proper: chmod 600 for public cert files and 400 for private key files. Ensure the environment paths are set properly as described in the video. I hope this helps!! Kindly upvote if it does!!!
I'm thinking of running a script (.BAT file) with an action in the report schedule. However, when I specify a batch file for the script and run it, the script is repeatedly executed the same number of times as the number of search results. I want to set the script execution within the report schedule to once, regardless of the search results. What settings should I make? (e.g. Advanced Edit properties)
Sorry, one last question. Do you suggest we shift to an HF or use the indexer?
Yep, the props.conf on the UF is very, very limited. SEDCMD in props.conf is only for the HF or indexer, etc.
"did you create this on the HF, right?" Hehe, no, that's why I started asking about the HF. So the UF cannot take these SEDCMD configs, right?
>>> 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/ ---> created ..... You created this on the HF, right? >>> 2. I just copied all lines with SEDCMD and cleared # and just hoping the config should work. After updating the props.conf on the HF, did you restart the Splunk service on the HF?
Sorry for the trouble. As I named myself... 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/ ---> created 2. I just copied all lines with SEDCMD and cleared # and am just hoping the config should work. All these changes were made yesterday.
SEDCMD is a big topic and your one-line reply is not helping me/us. Maybe you should provide more details and ask precise questions. Upvotes/karma points are appreciated by all. Thanks.
All commands with SEDCMD
That page gives a very good list of Splunk commands... which step are you stuck on exactly?
Sir, if I can say frankly, all I'm trying to do is here: Configure the Splunk Add-on for Windows - Splunk Documentation. Unfortunately there isn't any information about forwarders there.
Yes, an HF requires a license. For a heavy forwarder (HF), you should set up one of the following options: 1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities, and the HF will consume no license as long as it does not index data. 2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.) Answer from: https://community.splunk.com/t5/Getting-Data-In/Do-we-need-a-license-for-Heavy-forwarder/m-p/210451
Hello comrade inventsekar, thank you for your help. Do I need another kind of licensing to use an HF?
Hi @BoldKnowsNothin ... the UF still supports only very limited props.conf tasks. https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Propsconf On this document, just do a Ctrl-F and search for "universal"; you will get around 8 matches. Only these settings are supported. >>> Also how do I upgrade to HF? Generally you don't want to upgrade a UF to an HF. You need to install a new/fresh HF separately on a system: you download the Splunk Enterprise package and install it, and then enable it as a heavy forwarder. Let us know if you have doubts. Thanks.