All Posts
Hello @gcusello, I've already added it to the stanza but it is still failing.
Hi @ucorral, use INDEXED_EXTRACTIONS = csv. You could try to manually upload your file using the GUI, which guides you to the best sourcetype definition. Ciao. Giuseppe
Hello guys! I have spent a month trying to forward my logs from iMacs using the UF with the following format:

Resources,line,data,process
2023-09-30T06:35:02,"Scanned disks....... "
2023-09-30T06:35:02,User: ......
2023-09-30T06:35:02,...........
2023-09-30T06:35:02,............
2023-09-30T06:35:02,Time of completion: ..........

but when the log gets into Splunk it only shows the first row:

Resources,line,data,process

and the rest of the log reaches Splunk 6 hours later. I've added the following rule in props.conf but it is still failing. Path: /Applications/SplunkForwarder/etc/system/local/props.conf

[name_of_my_sourcetype]
CHARSET=UTF-8
TIME_FORMAT=%Y-%m-%dT%H:%M:%S,
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TZ=America/Mexico_City
disabled=false

Every change I make I always restart the Splunk forwarder using ./splunk restart. I have no access to the Splunk server (SSH) but if needed I could try to make some configurations, but I do not know where.
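What the INDEXED_EXTRACTIONS = csv advice above amounts to, written out as a complete stanza. This is an added example, not from the original post: the sourcetype name, the header column names, the file path and the TZ come from the post, everything else is an assumption. Two points a practitioner would check first: a universal forwarder only applies timestamp and line-breaking settings locally for structured data (INDEXED_EXTRACTIONS), otherwise those settings have to live on the indexer; and the 6-hour delay is exactly the UTC offset of America/Mexico_City, which is what you see when the timestamp is parsed without the TZ being applied.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf on the forwarder
# (here /Applications/SplunkForwarder/etc/system/local/props.conf).
# The inputs.conf monitor stanza must reference this sourcetype by name.
[name_of_my_sourcetype]
# Parse the file as CSV on the forwarder itself; the indexer will not re-parse it.
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_QUOTE = "
# First line of the file is the header: Resources,line,data,process
HEADER_FIELD_LINE_NUMBER = 1
# The first column ("Resources") carries the event timestamp.
TIMESTAMP_FIELDS = Resources
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
# Applied at parse time on the forwarder, so the UTC-6 offset is honoured.
TZ = America/Mexico_City
CHARSET = UTF-8
# Do not set LINE_BREAKER or SHOULD_LINEMERGE here: the CSV extractor owns
# event boundaries, one data row per event.
```

After the change, restart the forwarder and confirm with a search that each data row arrives as its own event with _time equal to the Resources value and that the header line itself is not indexed as an event.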
Hi @felipesodre, when your bucket completely exceeds the retention time (also the earliest event in the bucket) or the bucket reaches the maxSize, it can be discarded or moved offline to a different folder. As described at https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Indexesconf , it depends on the parameter coldToFrozenScript, which specifies a script to run when data is to leave the Splunk index system, in other words, what happens to the bucket after the retention period. If, using a script, you move your Cold Bucket offline, you can reuse them by copying them into the Thawed path. Otherwise you can discard them and the entire bucket is deleted. You can find more details in this document https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setaretirementandarchivingpolicy  Ciao. Giuseppe
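A coldToFrozenScript of the kind the answer above describes, as an added example (not code from the original post and not Splunk's own coldToFrozenExample.py). Splunk invokes the script with the bucket directory as its last argument and deletes nothing itself; a non-zero exit leaves the bucket in cold and Splunk retries later, so the script raises rather than papering over problems. ARCHIVE_DIR and the bucket in demo() are assumptions.

```python
#!/usr/bin/env python3
"""Move a bucket that is leaving the cold tier into an archive directory.

Wire it up in indexes.conf, per index:
    coldToFrozenScript = "$SPLUNK_HOME/bin/python3.7" "/opt/splunk/bin/archive_bucket.py"
"""
import os
import shutil
import sys
import tempfile

ARCHIVE_DIR = "/opt/splunk_frozen"   # assumption: writable only by the splunkd user


def archive_bucket(bucket_path, archive_dir):
    """Move one bucket to <archive_dir>/<index>/<bucket> and return the destination.

    Any failure raises, so the wrapper below exits non-zero and Splunk keeps the
    bucket instead of treating it as frozen.
    """
    bucket_path = os.path.abspath(bucket_path)
    if not os.path.isdir(bucket_path):
        raise FileNotFoundError(bucket_path)
    bucket = os.path.basename(bucket_path)
    # Bucket directories are named db_<latest>_<earliest>_<id> or rb_... (replicated).
    if not (bucket.startswith("db_") or bucket.startswith("rb_")):
        raise ValueError("not a bucket directory: %s" % bucket_path)
    # Path is .../<index>/colddb/<bucket>; keep the index name in the archive layout
    # so the bucket can be thawed back into the right index later.
    index = os.path.basename(os.path.dirname(os.path.dirname(bucket_path)))
    dest_dir = os.path.join(archive_dir, index)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, bucket)
    if os.path.exists(dest):
        raise FileExistsError("refusing to overwrite %s" % dest)
    shutil.move(bucket_path, dest)
    return dest


def demo():
    """Constructed bucket layout (not real Splunk data) for a stand-alone run."""
    root = tempfile.mkdtemp()
    bucket = os.path.join(root, "splunk_db", "main", "colddb",
                          "db_1696032000_1695945600_7")
    os.makedirs(os.path.join(bucket, "rawdata"))
    with open(os.path.join(bucket, "rawdata", "journal.gz"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real journal")
    archive = os.path.join(root, "frozen")
    dest = archive_bucket(bucket, archive)
    try:                                   # a non-bucket directory must be refused
        archive_bucket(root, archive)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "moved": (not os.path.exists(bucket)) and os.path.isdir(dest),
        "dest_rel": os.path.relpath(dest, archive).replace(os.sep, "/"),
        "rejects_non_bucket": rejected,
    }


if __name__ == "__main__":
    try:
        print(archive_bucket(sys.argv[-1], ARCHIVE_DIR))
    except Exception as exc:
        print("archive failed: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

The script runs as the splunkd user, so the archive directory should be owned by that user and not world-writable; anyone who can write there can feed altered buckets back through the thawed path. To restore, copy the archived bucket into the index's thaweddb directory and let Splunk rebuild it, as the linked retirement-policy document describes.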
Hi @PavelP, I believe that the Splunk app menu configuration page is indecent, for this purpose I made a request on Splunk Ideas that please vote for the idea https://ideas.splunk.com/ideas/EID-I-72 .  In any case, the only way to do it could be a Python script, but there would always be the problem of rights: do all users have the right to modify the menu of an app? For these reasons, I am sorry, but I believe that your request cannot be satisfied. Ciao. Giuseppe
I want to allow users to change/switch the nav bar by clicking a button on the setup page. What is the easiest way to create a setup page (html + js) that changes the app's navigation menu bar (nav/default.xml)? From:

<nav>
  <view name="summary"/>
  <collection label="NEW">
    <view name="summary_new"/>
  </collection>
</nav>

to:

<nav>
  <view name="summary_new"/>
  <collection label="OLD">
    <view name="summary"/>
  </collection>
</nav>

Currently the user must use the UI to create a custom navigation setting (by creating local/data/ui/nav/default.xml).
@TNV20 - If you are using Splunklib (Splunk-SDK-Python) then you could do it with Option. https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.2/searchcommands.html

from splunklib.searchcommands.decorators import Option

file1 = Option(
    doc='''
    **Syntax:** **file1=***<file1>*
    **Description:** Name of the first file''',
    require=True)

And you can use it like:

| compare file1="file1.csv" file2="file2.csv"

I hope this helps!!!
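The Option snippet above carried through to a working command, as an added example (not code from the original answer or from the Splunk SDK). It is a generating command `compare` that takes file1, file2 and a join key as options, reports rows that differ between two lookup CSVs, and, because the file names come from whoever runs the search, refuses anything that is not a plain file name inside the app's lookups directory. The commands.conf stanza it needs ([compare] with filename = compare.py and chunked = true), the lookups directory and the sample data are assumptions; the compare logic is kept separate from the splunklib wrapper so it can be exercised outside Splunk.

```python
#!/usr/bin/env python3
"""| compare file1="hosts_old.csv" file2="hosts_new.csv" key="host" """
import csv
import os
import sys
import tempfile

try:
    from splunklib.searchcommands import (Configuration, GeneratingCommand,
                                          Option, dispatch)
    HAVE_SPLUNKLIB = True
except ImportError:            # outside Splunk, e.g. running demo() below
    HAVE_SPLUNKLIB = False


def safe_lookup_path(name, base_dir):
    """Accept only a plain file name that resolves inside base_dir.

    Search-time arguments are attacker-influenced input: without this check a
    user could pass ../../../etc/passwd or an absolute path to the command.
    """
    if not name or name != os.path.basename(name) or name.startswith("."):
        raise ValueError("invalid lookup name: %r" % name)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise ValueError("lookup escapes %s: %r" % (base, name))
    return path


def _load(path, key):
    with open(path, newline="") as fh:
        return {row[key]: row for row in csv.DictReader(fh)}


def compare_csv(path1, path2, key):
    """Rows keyed by `key`; identical rows are not reported."""
    rows1, rows2 = _load(path1, key), _load(path2, key)
    out = []
    for k in sorted(set(rows1) | set(rows2)):
        a, b = rows1.get(k), rows2.get(k)
        if a is None:
            out.append({key: k, "status": "only_in_file2"})
        elif b is None:
            out.append({key: k, "status": "only_in_file1"})
        elif a != b:
            out.append({key: k, "status": "changed"})
    return out


if HAVE_SPLUNKLIB:
    @Configuration()
    class CompareCommand(GeneratingCommand):
        file1 = Option(doc="**Syntax:** file1=<name> **Description:** first lookup CSV",
                       require=True)
        file2 = Option(doc="**Syntax:** file2=<name> **Description:** second lookup CSV",
                       require=True)
        key = Option(doc="**Syntax:** key=<field> **Description:** column to join on",
                     require=True)

        def generate(self):
            # assumption: lookups live in the search app; splunkd sets SPLUNK_HOME
            lookups = os.path.join(os.environ["SPLUNK_HOME"],
                                   "etc", "apps", "search", "lookups")
            p1 = safe_lookup_path(self.file1, lookups)
            p2 = safe_lookup_path(self.file2, lookups)
            for row in compare_csv(p1, p2, self.key):
                yield row


# Constructed sample lookups for a stand-alone run (not real data).
FILE1 = "host,owner\nweb01,alice\ndb01,bob\nold01,carol\n"
FILE2 = "host,owner\nweb01,alice\ndb01,dave\nnew01,erin\n"


def demo():
    lookups = tempfile.mkdtemp()
    for name, body in (("a.csv", FILE1), ("b.csv", FILE2)):
        with open(os.path.join(lookups, name), "w") as fh:
            fh.write(body)
    diff = compare_csv(safe_lookup_path("a.csv", lookups),
                       safe_lookup_path("b.csv", lookups), "host")
    try:
        safe_lookup_path("../a.csv", lookups)
        escaped = True
    except ValueError:
        escaped = False
    return diff, escaped


if __name__ == "__main__":
    if HAVE_SPLUNKLIB:
        dispatch(CompareCommand, sys.argv, sys.stdin, sys.stdout, __name__)
    else:
        print(demo())
```

With the search `| compare file1="a.csv" file2="b.csv" key="host"` the command emits one event per differing host with a status field; the check in safe_lookup_path is the part worth keeping even if the comparison logic is replaced.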
Hi @Praz_123, it isn't so easy to create a dashboard, because you must use JavaScript. I created a dashboard similar to your requirement, but to select and modify only one row, not the whole table. And anyway my dashboard isn't as easy to use as Lookup Editor. Ciao. Giuseppe
Hi @Splunk235, yes, you can test your regex and it runs. Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
This query extracts all keys in the JSON after the Properties.Activity column. In the results the first column is Properties.Activity and all the rest are extracted from the JSON. Is it possible to get the table data in the below-mentioned columns? If so, can you help to complete it only for these 4 columns: "ActivityType, ClientId, Source, Properties.Activity"
Hi @splunkguy, follow these steps:
1. Make a copy of the Apps to migrate from the old SH to the SHC.
2. Install and configure the SH Cluster.
3. Copy the above Apps to the SHC Deployer, in $SPLUNK_HOME/etc/shcluster.
4. Deploy them using the command:
   splunk apply shcluster-bundle -target URI:management_port -auth username:password
You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges  Ciao. Giuseppe
Response from support / development (last week), now testing: worked and looks good so far.

Temporary workaround (sendemail.py):

Do you have a test instance to check the one parameter? We got an update from the developer team to check the below parameter. Open the file SPLUNK_HOME/etc/apps/search/bin/sendemail.py and you would find (approx. line number 1571):

clear_password = cli_common.decrypt(encrypted_password, setEnv=True)

The setEnv flag needs to be modified from True to False, restart Splunk, and then check if the problem is resolved. Note: try with your test instance. As the setEnv flag needs to be modified from True to False, this will be considered a temporary workaround for this issue. In the next release, version 9.1.2, it will be fixed completely.

Icon: additionally, the "loading" icon getting stuck issue will also be fixed in version 9.1.2.

Regards, AP
@wskinner @isoutamo
How do I migrate Dashboards and alerts from older standalone search head to new standalone search
Wow, that's very useful information. Thanks for explaining @yuanliu. It's working perfectly!!!
Hi all, I'm trying to develop a custom Python script and I want to pass parameters from Search to my script. Could I do it? For example, my script name is compare (already registered on the search head), and it needs 2 parameters to work, like:  | makeresults a=1 | compare file1.csv file2.csv (file1.csv, file2.csv are the parameters). Thanks so much.
I'm also a beginner. Please speak to me like I know very little, because that's where I'm at. But I think it's an error with either the certificate/the certificate chain or in decrypting it.
I'm in General Settings. I enabled SSL (HTTPS) in Splunk Web. I restarted Splunk. It reads "Unable to connect". "Warning: Potential Security Risk Ahead" because it is a self-signed certificate. I pressed the Go Back button (Recommended) when I should have pressed Advanced and Continue. Now all I get is a window that reads "Unable to Connect". The "Warning: Potential Security Risk Ahead" window is no longer available. I can't press Advanced and Continue. What do I do? I can't access Splunk. "The connection was reset", it says.
So, is it safe to assume that if no new data is ingested into this index the data should be gone by tomorrow (the same time I changed the config)? Thanks again
Probably because there are also events (at least one) in that bucket that are younger.
I am so confused as to why there are still buckets with data in which the endEpochTime is older than the "Searchable Retention". Thanks again