All Posts

Ok. That's interesting because the SplunkUniversalForwarder app is an app which indeed, as @gcusello pointed out, comes with your UF installation but it typically does not contain the local directory. As far as I remember the configurations you make with CLI splunk commands (like splunk add monitor) land in the etc/system/local directory so they should not be there either. While technically you can make changes to the default apps you shouldn't do so because in case of upgrade you'll overwrite the changes in apps that come with the installation package with your own versions again, which might be undesirable. So you should not touch the default apps. So I'd try to see where those settings came from - either someone configured them manually (which is the "least bad" case here because on upgrade the "default" directory should get overwritten but "local" should stay untouched) or your DS is serving this app (in which case you might want to check where it is being pushed to). Anyway, if it's been done manually, you can always just use your favourite configuration automation software (ansible?) to remove the file from your UFs. Or you can just deploy an app with a higher precedence which will override the settings from the problematic config. See https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles
Did you ever get an answer to this?
Things don't happen by themselves usually. You must have done something as root so that the resulting files ended up being owned by root.
One additional remark about time manipulation - don't render it to a string unless you are absolutely sure you won't be doing anything else with it. And even better - don't render the _value_ to a string - leave the value in an epoch timestamp but use fieldformat command to only display it rendered to a string.
Perfect @chris_barrett .  Thanks for the response.
Don't know about the provider but the database is updated only on Splunk upgrades. You can do manual updates but they will be overwritten when you upgrade your Splunk installation unless you set a custom path to the database file.
There is more than one way to do it but they all boil down to the same thing - categorize your data into two sets and then count them.

<your_initial_search> | eval account=if(account=="verified","verified","unverified") | stats count by account
Is it possible to modify the value of a token obtained from a dashboard input prior to it being used in a panel? In my scenario, a domain value is input to have various searches executed on it. Sometimes the domain is provided to the users in a "sanitized" format to avoid clicking on links. The "." is replaced with "[.]". I want to give the users the option of inputting domains in either format, sanitized or not, and having the token value rewritten to remove the square brackets, something akin to | replace "[.]" WITH "." IN $domain$ The dashboard was created in the Classic format. I have been unable to figure out how I might modify the dashboard source to eval or modify the value into the consistent formatting. One of the things I tried was to add an <eval> tag in the source to evaluate the token into a new token value and leverage a replace command to modify it in the process but got a message stating "Invalid child="eval" is not allowed in node="dashboard"" So if an <eval> tag is the solution I am not sure where to put it. Does anyone have insight on how I might achieve this token modification cleanly?
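Added example (not from the post above or from Splunk's own documentation): a minimal Classic (Simple XML) form showing where a token-rewriting <eval> can legally live. It sits inside the input's <change> handler rather than directly under <dashboard>/<form>, which is why the poster's placement was rejected. The form reads the raw input into one token and derives a second, normalised token that the panel search uses, so a defanged value like example[.]com and a plain example.com both end up as example.com. The index, field names and the quoting of $value$ inside the eval expression are assumptions for the sake of the example.

```xml
<form>
  <label>Domain lookup (added example)</label>
  <fieldset submitButton="false">
    <!-- The raw user input lands in domain_raw; panels never use it directly. -->
    <input type="text" token="domain_raw" searchWhenChanged="true">
      <label>Domain (plain or defanged, e.g. example[.]com)</label>
      <change>
        <!-- Derive the normalised token every time the input changes.
             replace() takes a regular expression, so the literal "[.]" is
             written as \[\.\]. $value$ is the input's current value; it is
             quoted here on the assumption that the handler substitutes the
             token text into the expression before eval runs. -->
        <eval token="domain">replace("$value$", "\[\.\]", ".")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Only the normalised token reaches the search. -->
      <title>Events for $domain$</title>
      <table>
        <search>
          <query>index=proxy dest_host="$domain$" | stats count by src_ip dest_host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Keeping the raw and normalised values in separate tokens means the panel depends on $domain$ alone and will not run with a stale or un-rewritten value; adding further rewrites (for example hxxp:// to http://) is a matter of chaining another replace() in the same eval.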
More words please. You showed two summarizing searches which do not seem to share any fields so it's unclear how you would like to join them. Especially that you wrote about matching events.
After creating the /opt/splunk/etc/apps/search/README directory, I ran "cat > alert_actions.conf.spec" within the README directory.
Hello, I've been tasked with having the results of a playbook show up as a note in a different phase. Any instruction or ideas welcome. Thanks so much.
Hi all, I searched my issue on community. There are lots of threads but I couldn't find my issue. As I know I can not see 2 event IDs' fields (both of them) in the same search because the fields are different. I want to see 2 different event IDs' fields in the same search. My issue is a bit complicated. For this reason I will explain with basic fields and I will change them later.

First search:
index=wineventlog EventID=1 process_name=chrome.exe | stats count by Image process_name process_path CommandLine

Second search:
index=wineventlog EventID=3 DestinationHostname=google.com | stats count by Image SourceIP DestinationIP DestinationHostname

I want to join these 2 searches in the same search and I want to see 2 different event IDs' fields in the same search. I found the join command but I couldn't figure out how to use it. Any help would be appreciated!
Hello Rich, "Furthermore, Splunk recently changed geo-ip providers and no longer ships with a MaxMind database." What company is now the Splunk geo-ip DB provider, in 2023, since Splunk no longer ships with a MaxMind database as you mentioned? Also, what is the new DB file name, what directory is it located in, and does the new iplocation DB get updated after the initial SE installation, or not? Best regards, Dennis
Getting the same warning.  I'll submit a support ticket.
Seeing this same issue doing an instance replacement with 9.0.4 or 9.0.5.  Was there ever a solution?
Have the following data in the logfile:

{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC5"}
{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC6","account":"verified"}
{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC7","account":"unverified"}
{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC8","account":"verified"}
{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC9"}

Need a report like the following so that I get the count of "verified" where it is explicitly mentioned, otherwise it should show under "unverified":

Type        Count
Verified    2
Unverified  3

How can we achieve this? Will appreciate your inputs!
Hi @sathishkumar.R, Can you share any insight on what you did or what happened for the issue to be resolved?
Similar has happened to me for my last 2 upgrades (9.0.5 and 9.1.0.2). In both cases after the upgrade, some conf files end up with root:root ownership. Before the upgrade they were splunk:splunk. Offending files (plus 1 .pyc file and migration.log in var/log/splunk):

etc/system/local/eventtypes.conf
etc/system/local/web-features.conf
etc/system/local/authorize.conf

Primary concern are the conf files. The upgrade is by .tgz file run as splunk:splunk. The initial start is run by root because it needs root permissions to create the systemd boot-start file. Is this just going to keep happening since I need to run "splunk enable boot-start . . . " as root? It's not a big deal to run chown to fix everything, but it is a manual step which is sometimes forgotten.
Data models don't hold data past its retention period.  To do that, use a summary index.
That worked! thanks!