Hi @Navanitha, are you using the correct Cisco ASA Add-On (https://splunkbase.splunk.com/app/1620)? Ciao. Giuseppe
Hi @AL3Z, first you have to analyze your data and see if you correctly parsed it, in other words, if you're using the correct Add-On. At that point you shouldn't have NULL values in fields. Ciao. Giuseppe
They are coming from the same source type. Sorry, the timestamp shown in the first set of sample events is the Splunk timestamp followed by the broken events. The second set of samples is the complete event with its timestamp; I removed the Splunk timestamp. Sharing the events below along with the Splunk timestamp.

9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.1x.9x.x8/x0 to inside:x0.2xx.x8.x1/4xx17 duration 0:00:00 bytes 0 Failover primary closed
9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1xx.x5.x0.x4/0 gaddr 1x.xx6.1xx.x6/0 laddr 1x.xx6.1x.x6/0 type 3 code 1
Try something like this:

<input type="checkbox" token="checkbox" id="checkABC">
  <label></label>
  <choice value="All">All</choice>
  <choice value="AA">AA</choice>
  <choice value="BB">BB</choice>
  <choice value="CC">CC</choice>
  <change>
    <condition match="match($checkbox$,&quot;All&quot;)">
      <unset token="A"></unset>
      <unset token="B"></unset>
      <unset token="C"></unset>
      <set token="form.checkbox">All</set>
    </condition>
    <condition>
      <eval token="A">if(match($checkbox$,"AA"),"A",null())</eval>
      <eval token="B">if(match($checkbox$,"BB"),"B",null())</eval>
      <eval token="C">if(match($checkbox$,"CC"),"C",null())</eval>
    </condition>
  </change>
  <default>AA,BB,CC</default>
  <initialValue>AA,BB,CC</initialValue>
  <delimiter>,</delimiter>
</input>

Once All has been checked, you can't set anything else until All is unchecked. By setting the default to all options, when All is unchecked, all the options are checked. Obviously, you can use a different default if you prefer.
Hi Splunk Experts, the timewrap command is using the d (24 hr) format, but I'm wondering whether it is possible to make it a "Today" format. Ex: if the current time is 10 AM, then it's displaying a timechart of 12 AM to 10 AM (12, 14, 16, 18, 20, 22, 00, 02, 04, 06, 08, 10), but I'm looking for 00 AM to 22 (00, 02, 04, 06, 08, 10, 12, 14, 16, 18, 20, 22). Any advice would be much appreciated.

index="_internal" error | timechart span=10m count as Counts | timewrap d series=exact time_format="%Y-%m-%d"
Hello, I was trying to look for indexed null values and will decide to ingest after knowing them.
Hi @AL3Z, could you better describe what you would do? If you already indexed a log, you cannot remove an event or a part of it. If you want to exclude some null values from a search, you can do it in the search. So what's your requirement? Ciao. Giuseppe
Hi @BoldKnowsNothin, did you try field aliases (https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Addaliasestofields)? Ciao. Giuseppe
Hi @AL3Z, if you don't have results from the control search and you have all the other logs, you solved your issue. Ciao. Giuseppe
Hi @Navanitha, publish the solution when you solve it, for the other people of the Community. Ciao. Giuseppe P.S.: Karma Points are appreciated
Hi @AL3Z, modify the regex in Search and see if the new regex matches all the events to filter. Ciao. Giuseppe
Hi @Navanitha, I see that the TIME_FORMAT is different; are these logs coming from the same source? Maybe you have to apply different sourcetypes and different timestamp formatting. Ciao. Giuseppe
Some of the event logs in Splunk are getting truncated at the beginning. I tried some props to break before the date, and line breaking at a new line, but nothing seems to be working.

Truncated events:

9/29/23 5:40:46.000 AM entFacing:1x.1xx.1xx.2xx/4565 to inside:1x.9x.x4x.x4x/43 duration 0:00:00 bytes 0
9/29/23 5:40:36.000 AM 53 (1x.x8.2xx.2xx/34)
9/29/23 5:37:21.000 AM bytes 1275

Well-parsed events:

2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.x7.9x.1x/xx to inside:1x.2xx.6x.x1/xx17 duration 0:00:00 bytes 0 Failover primary closed
2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1x0.x5.0.1x/0 gaddr 1x.2x6.1xx6.x6/0 laddr 1x.xx6.1xx.x6/0 type 3 code 1

My props:

TZ = UTC
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=32
Hello comrades, I'm just curious: is there any way to shorten frequent words? For example, in <Data Name='IpAddress'>::ffff:10.95.81.99</Data>, IpAddress to ipaddr or something like IPa. Many thanks,
Hi @gcusello, I'm trying to blacklist the below paths:

C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe
C:\Program Files\WindowsPowerShell\Modules\gytpol\Client\fw4_6_2\GytpolClientFW4_6_2.exe

Can we use something like .* in place of the version, so that if it gets a new version it is also blacklisted?

(Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*\.exe)

Thanks
I tried installing the add-on on the HF but no luck. I am working with Splunk support on this and they figured that the KV store for the Checkpoint add-on is not loading as the regex is not matching our events. They are working on giving me a regex; I will try it out once I have it.
Hello, I was trying to explore all the null values in my index, but it is not working as expected. Do we need any changes in the search?

index=vpn earliest=-7d | fieldsummary | where match(values, "^\[{\"value\":\"null\",\"count\":\d+\}\]$")

Thanks
Hi @gcusello, yes, I've modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server. When I try this in the search head it is not giving any results. Do we need to modify the SPL?

index=winsec host=xxx | regex "(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)"

Thanks
Hi there, I've run into an issue where I can sort of guess why I'm having problems, though I have no clear idea regarding how to solve it.

In our distributed environment we have a "lookup app" in our deployer, TA_lookups/lookups/lookupfile.csv. Recently a coworker added a few new lookup files and made additions to the file in question. This is where the problem manifests: logging onto the deployer and checking that the correct files are present in /opt/splunk/etc/shcluster/apps/TA_lookups/lookups/lookupfile.csv, everything looks great. Applying the bundle worked without any complaints/errors. All the new csv files show up in the cluster and are accessible from the GUI; however, this one file, the "lookupfile.csv", is not updated.

So I can sort of guess that it may have something to do with the file being in use or something, though I am stumped as to how I should go about solving this. I've tried making some additional changes to the file, checked for any weird line breaking or something, and nothing. I can see from the CLI that this one file has not been modified since the initial deployment, so the deployer applies the bundle, there are no complaints on either end that I can find, it just skips this one pre-existing csv file completely and, as far as I can see, silently.

What do I do here? Is there a way to "force" the push? Is the only way to solve this to just manually remove the app from the SH cluster and push again? All suggestions are welcome. Best regards
Hi @AL3Z, I suppose that you modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server, is that correct? To be more sure, check whether the regex you used is correct in the search dashboard. Ciao. Giuseppe