Hi @SplunkySplunk, the issue is that sometimes, having special chars (such as a dot) in the field names, the eval command fails; use rename and it will work:
| rename ContextData.UserAgent AS ContextData_UserAgent
| eval UserAgent = if(like(ContextData_UserAgent, "%ios%"), "ios", "android")
Ciao.
Giuseppe
Hello, I'm trying to count events by a field called "UserAgent". If I'm searching for the events without any calculated field, I'm getting results from different UserAgents, but once I'm using eval, I don't get the expected results. For example: I've tried this eval and I'm getting only "android". Also, I'm searching for "ios" only, with
"ContextData.UserAgent"=*ios*
as part of my query:
| eval UserAgent = if("ContextData.UserAgent"="*ios*","ios","android")
What am I doing wrong?
Hello All! Trying to set up CAC Based Auth for SPLUNK 9.1.1 on Windows Server 2022 for the first time. I have successfully setup LDAP and am able to sign into Splunk using an AD username/password without any issues. When I add in the requiredClientCert, enableCertBasedAuth and certBasedUserAuthMethod stanzas, and attempt to access the Splunk GUI, all users are immediately greeted with an 'Unauthorized' message. I've been fighting this for about a week now, and Splunk support hasn't been able to help me pin this down yet. Any assistance would be greatly appreciated. I've ensured TLS 1.2 registry keys exist in SCHANNEL to Enable TLS 1.2.

Corresponding logs from splunkd.log for the logon attempt are:

09-29-2023 09:02:43.191 -0400 INFO AuthenticationProviderLDAP [12404 TcpChannelThread] - Could not find user=" \x84\x07\xd8\xb6\x05" with strategy="123_LDAP"
09-29-2023 09:02:43.192 -0400 ERROR HTTPAuthManager [12404 TcpChannelThread] - SSO failed - User does not exist: \x84\x07\xd8\xb6\x05
09-29-2023 09:02:43.192 -0400 ERROR UiAuth [12404 TcpChannelThread] - user= \x84\x07\xd8\xb6\x05 action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" clientip=<ip>
09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - SAN OtherName not found for configured OIDs in client certificate
09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - CertBasedUserAuth: error fetching username from client certificate

authentication.conf:

[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[authentication]
authSettings = 123_LDAP
authType = LDAP

[123_LDAP]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=<Account>,OU=Service Accounts,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL
bindDNpassword = <removed>
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=SPLUNK Groups,OU=Groups,DC=<command>,DC=NAVY,DC=MIL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = DC.<Command>.NAVY.MIL
nestedGroups = 1
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayName
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL
userNameAttribute = userprincipalname

[roleMap_LDAP]
admin = SPLUNK AUDITOR
can_delete = SPLUNK AUDITOR
network = SPLUNK NETWORK
user = SPLUNK AUDITOR;SPLUNK USERS

web.conf:

[settings]
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_key.pem
serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem
sslPassword = <removed>
requireClientCert = true
sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem
enableCertBasedUserAuth=true
SSOMode=permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod=PIV

server.conf:

[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem
serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem
sslPassword = <removed>
cliVerifyServerName = true
sslVersions = tls1.2
sslVerifyServerCert = true

[general]
serverName = SPKVSPLUNK2
pass4SymmKey = <removed>
trustedIP = 127.0.0.1
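An added example, not from this post or from Splunk's code: the last two log lines say no SAN otherName matched the configured OIDs, and this pure-Python DER walker lists the otherName type-id OIDs a client certificate's SubjectAltName actually contains, so they can be compared with the OIDs the PIV username lookup is configured for. It assumes the Microsoft UPN OID is one of the expected OIDs, and the SAN value is constructed inline rather than read from a real certificate.

```python
# Added example (not from the post): minimal DER walker listing the otherName entries
# in a client cert's SubjectAltName, so the type-id OIDs present can be compared with
# those a PIV/CAC username lookup expects. Sample SAN is constructed; UPN OID assumed.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN otherName type-id (assumed to be expected)
UPN_OID_DER = bytes.fromhex("060a2b060104018237140203")  # the same OID, DER encoded

def _tlv(tag: int, body: bytes) -> bytes:  # DER TLV, short-form length (enough for the sample)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos), accepting short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:  # DER OID content octets -> dotted form (base-128 arcs)
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def san_other_names(san_der: bytes) -> list:
    """Walk SubjectAltName GeneralNames; return (type-id OID, text) for each otherName."""
    tag, names, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SubjectAltName extension value must be a SEQUENCE"
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:  # otherName is [0]; rfc822Name [1], dNSName [2], etc. are skipped
            continue
        _, oid_body, nxt = _read_tlv(body, 0)  # type-id OBJECT IDENTIFIER
        _, explicit, _ = _read_tlv(body, nxt)  # value is [0] EXPLICIT ...
        _, text, _ = _read_tlv(explicit, 0)  # ... wrapping a UTF8String for a UPN
        found.append((_decode_oid(oid_body), text.decode("utf-8", "replace")))
    return found

def upn_from_san(san_der: bytes, expected_oids=(UPN_OID,)):
    """First otherName value whose type-id is in expected_oids, else None (the failing case)."""
    return next((v for o, v in san_other_names(san_der) if o in expected_oids), None)

def sample_san() -> bytes:
    """Constructed SAN: an rfc822Name plus a UPN otherName, as on a typical PIV auth cert."""
    upn = _tlv(0xA0, UPN_OID_DER + _tlv(0xA0, _tlv(0x0C, b"1234567890@mil")))
    return _tlv(0x30, _tlv(0x81, b"jane.doe@example.mil") + upn)
```

To inspect a real certificate, pass the raw DER value of its SubjectAltName (2.5.29.17) extension instead of sample_san(); an empty list from san_other_names means the certificate carries no otherName at all.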
Given that a sourcetype is just a stanza name in a props.conf file, I think you need either the configs/conf-props endpoint or the properties/props endpoint.
You don't say if this is a Trial account or not, but Splunk Cloud trial accounts do not have access to the REST API. Timeout errors typically come from firewalls or other network devices that drop connection attempts.
New link to doc: https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/ConfigureaforwardertouseaSOCKSproxy
Hi, I've been hunting through the REST API Documentation, as well as searching online, for the correct endpoint/curl request for maintaining sourcetypes, but haven't found anything. It is a trivial task using the UI, but my use case is that I want to spin up a Splunk instance using a script, as part of an automated test process, so UI input won't meet the requirement. Can anyone point me in the right direction?
Hi, we upgraded the Splunk DB Connect app to version 3.14.1, and the drivers as well: ojdbc11.jar v.21.11 (Innovation Release) along with orai18n.jar. While trying to add a new input we noticed that for some connections we got the error "cannot get schemas". However, we are able to add inputs and the connections are working. The versions of the databases are Oracle 19.19 and 12.1.0.2. We downgraded the version of the driver to ojdbc11.jar v.19.20 (Long Term Release) along with the respective orai18n.jar, but we still "cannot get schemas". All the permissions have been given to the user. In the _internal index we encounter this error message: "Unable to get schemas metadata java.sql.SQLException: Non supported character set (add orai18n.jar in your classpath): EE8ISO8859P2", but the orai18n.jar is already there. Any kind of help or idea would be appreciated. Thank you in advance!
The login used to download the software doesn't matter. What matters is that the software *runs* as the right non-root user (typically 'splunk'). The license is already installed on your system and doesn't change with software versions. Be advised that upgrading from 7.2 to 9.x is not a one-step process. You will need to install 8.1.x first. Please read the Release Notes for the versions being skipped as well as https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/AboutupgradingREADTHISFIRST
Hi @Navanitha, yes, you are using an input to take these syslogs, but you have to parse them, and you can parse your logs using the correct Add-On. The Add-On must be installed on the Search Head and on the Heavy Forwarder where you enabled the input. Ciao. Giuseppe
Hi @AL3Z, if you don't have any recognized field, this means that you have a parsing problem. At first you have to check if you installed the correct Add-On and if you associated the correct sourcetype with your data flow. Then you have to analyze your data, see the sourcetype associated with these events and see what the issue is. Ciao. Giuseppe
Hi, I guess I have the same issue. But with your suggestion, Splunk will not start with systemd, for example. So, IMHO, there should be other ways.
Hi there, I want to send an email to users who have over 20 login fail events (4625). I have a search, and there is no problem with the search, but I couldn't figure out how to send emails to the specific users who have 4625 login fail events. I know the trigger action "send email", but I couldn't figure out how to send to specific users. I don't want to send an email to a group; I need to send an email to the specific users who have 4625 events. Any help would be appreciated!
Thanks, I can see the values of some fields in my index as null. What does it mean, is the data ingesting or not?
I am collecting these logs using Splunk UDP inputs and not through the add-on. However, I did install this add-on on our SH to make the data CIM compatible.
Hi @Navanitha, are you using the correct Cisco ASA Add-On (https://splunkbase.splunk.com/app/1620)? Ciao. Giuseppe
Hi @AL3Z, at first you have to analyze your data and see if you correctly parsed it, in other words, if you're using the correct Add-On. At this point you shouldn't have NULL values in fields. Ciao. Giuseppe
They are coming from the same sourcetype; sorry, the timestamp shown in the first set of sample events is the Splunk timestamp followed by the broken events. The second set of samples is the complete event with timestamp; I removed the Splunk timestamp. Sharing the events below along with the Splunk timestamp:
9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.1x.9x.x8/x0 to inside:x0.2xx.x8.x1/4xx17 duration 0:00:00 bytes 0 Failover primary closed
9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1xx.x5.x0.x4/0 gaddr 1x.xx6.1xx.x6/0 laddr 1x.xx6.1x.x6/0 type 3 code 1
Try something like this:
<input type="checkbox" token="checkbox" id="checkABC">
  <label></label>
  <choice value="All">All</choice>
  <choice value="AA">AA</choice>
  <choice value="BB">BB</choice>
  <choice value="CC">CC</choice>
  <change>
    <condition match="match($checkbox$,&quot;All&quot;)">
      <unset token="A"></unset>
      <unset token="B"></unset>
      <unset token="C"></unset>
      <set token="form.checkbox">All</set>
    </condition>
    <condition>
      <eval token="A">if(match($checkbox$,"AA"),"A",null())</eval>
      <eval token="B">if(match($checkbox$,"BB"),"B",null())</eval>
      <eval token="C">if(match($checkbox$,"CC"),"C",null())</eval>
    </condition>
  </change>
  <default>AA,BB,CC</default>
  <initialValue>AA,BB,CC</initialValue>
  <delimiter>,</delimiter>
</input>
Once All has been checked, you can't set anything else until All is unchecked. By setting the default to all options, when All is unchecked, all the options are checked. Obviously, you can use a different default if you prefer.