Hi @bosseres, usually logs are indexed as they are. Then you can display them aggregated as you like or detailed for each event. Could you better describe your requirement? Ciao. Giuseppe
Hello everyone! Does anybody know whether it is possible to aggregate (bind) auditd events (I mean logs from audit/audit.log) into one by Record ID (Event ID)? I want to do it at the parsing stage, so that the events arrive in my index already aggregated into one.
Hello, we are investigating whether we can install the Splunk OpenTelemetry Collector for Kubernetes with helm to collect and ingest our logs into Splunk Cloud. We would like to split the system log from the other logs into two different indexes. Reading the documentation I saw that it is possible to indicate the index as an annotation on the namespaces or pods, but in the values.yaml of the helm chart the index field is required, and it seems to be usable for only one index. In summary, we want to use two different indexes, setting one as default and the other via namespace annotations. Could you kindly show me a configuration for our problem?
Hi @BoldKnowsNothin, what do you mean with "reduce space"? Aliases are applied at search time, meaning there isn't any additional disk usage. About license usage, the number of aliases or data elaborations doesn't consume any additional license: license is only the volume of daily indexed logs. Ciao. Giuseppe
Hi @AMAN0113, please check these pages: https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/limitfieldfiltering https://community.splunk.com/t5/Splunk-Search/How-to-restrict-search-access-to-certain-hosts-or-fields-on-a/m-p/192290
The following should do what you want: | eval pwdExpire = if(type="staff", strftime(relative_time(_time, "+90d"),"%F %T"), strftime(relative_time(_time, "+180d"),"%F %T") ) You may need to adjust the time format (I've used %F %T) to suit your requirements.
Hi @BoldKnowsNothin ... ya, I got it. Please note that the field names will not occupy a lot of space. Let's say you have a CSV file with three fields field1,field2,field3longName
data1,data2,data3 and then you have ten thousand data/records in that CSV file. Now, field3 is named "field3longName"... even if you use an alias, the indexer will store it only once. But for license usage... you can analyze these 3 fields and if you don't want, let's say, field2, then you can totally ignore field2 while onboarding the data. This will save a lot of license. Hope you understood, thanks.
Hi @inventsekar, this is a production Splunk and we have a cluster of indexers and a cluster of search heads. I think the number of UFs is not important in this problem. Thanks
Is it possible to have the true and false parts of an if statement contain eval statements? | eval pwdExpire=if(type="staff", | eval relative_time(_time, "+90day") , | eval relative_time(_time, "+180day") ) Desired result is: if type="staff", calculate pwdExpiry as _time + 90 days, else calculate pwdExpiry as _time + 180 days. I will then format pwdExpiry and display it in a table.
Hello inventsekar, Sir, all this is only to reduce our license usage; currently we are afraid to exclude logs, and are looking for something else to reduce. Many thanks,
Hi, I want to restrict access to different teams based on hosts but don't want to do it by creating multiple indexes for this. The data would be present in one index and teams would be given access to this index, however they should be able to see only the data they own. Is there a way host-based restriction can be achieved?
>>> But does this field alias reduce space? Do you mean, after doing data onboarding (so the fields are indexed properly), if you apply the field alias, will it reduce the index size? As per my understanding it won't reduce the index size (even if it reduces, it will only reduce a very negligible amount).
I am using ITSI's KPI-based search for text log monitoring. If the text logs match the search criteria, the flow is to send an alert via email. I would like to quote the contents of the text logs that matched the detection criteria in the body of the email. Is it possible to implement such requirements with Splunk ITSI? If so, I would like to know the detailed content of the implementation. If not, I would like to know the reason why.
Hi All, is there a way to retrieve a specific alert without using the short ID in the incident review page? I was thinking of using the "rule_id" field or "event_hash" of the alert, but wasn't able to pull the specific alert. Please suggest any alternate method other than using the short ID. Thanks.
We are currently using a regex pattern to match events against our raw data, and it works perfectly when we use the search app. The pattern we are using is: C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe* However, when we try to use this regex pattern in a lookup table, the events are not being matched. This seems to be because of the wildcard in the pattern. Despite defining the field name in the lookup definition (e.g., WILDCARD(process)), it still doesn't match the events. I'm wondering if Splunk lookup supports wildcards within strings, or does it only support them at the beginning and end of strings? Any insights or guidance on this matter would be greatly appreciated. Regards VK
Hi @lionkesler ... maybe you should give us some more details please. Provide us the full SPL search query please. Were the macros working previously, or did you only recently find this issue?