What do you mean by "exclude" here? You want to blacklist them on input or exclude them from search results? And why would you need a single regex to match two different patterns? You put this post in the "deployment architecture" section when it has nothing to do with architecture and tagged it with "deployment server", which again has nothing to do with it. So what is it about?
Ok. So your whole environment is not supported anymore, so if it works, it works, but if it doesn't, no one will officially help you. Having said that, any relatively modern (7.0+) forwarder should work. If you use 9.x forwarders you'll have to disable the configtracker input because you don't have a corresponding index on 8.x indexers, and the events would generate warnings and possibly go to your last-resort index if you have one configured.
Hi All,
Can anyone please share a regex for the events below to exclude (text in red).
1. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Wind...
Apologies for the delay in reporting back on this issue. We raised a support ticket for this and were told there was a fix applied that should have resolved the problem. We can confirm that we are again able to download the appdynamics npm dependency (23.7) from the CDN as expected.
npm install appdynamics
Thanks!
Jeff
You just search for events which have your file(s) as the source field value. If they stopped being ingested at some point, your blacklisting works. Unless of course you have some additional config overwriting the source field, but then it's up to you to find those events; we don't know your setup.
Yes, it has to do with a bad log format in Squid, and no one updated the docs. I solved it via the Squid docs and process of elimination. I can't seem to get the ssl::sni to work at all, but this is all of the options without ssl::sni.
logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%ui" user="%un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st bytes_out=%<st
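As an added example (not code from the post above, Squid or the Splunk add-on), a Python parser for access.log lines written in the splunk_recommended_squid logformat quoted above, plus a per-client count of proxy-denied requests of the kind a Splunk search over these fields would produce; the sample lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample access.log lines in the splunk_recommended_squid format
# quoted above (not real traffic). Each line is an epoch timestamp followed by
# key=value pairs; "quoted" and [bracketed] values may contain spaces.
SAMPLE_LINES: List[str] = [
    '1700000000.123 logformat=splunk_recommended_squid duration=45 src_ip=10.0.0.5 '
    'src_port=51234 dest_ip=93.184.216.34 dest_port=443 user_ident="-" user="-" '
    'local_time=[14/Nov/2023:22:13:20 +0000] http_method=CONNECT '
    'request_method_from_client=CONNECT request_method_to_server=CONNECT '
    'url="example.com:443" http_referrer="-" http_user_agent="Mozilla/5.0 (X11; Linux x86_64)" '
    'status=200 vendor_action=TCP_TUNNEL dest_status=HIER_DIRECT total_time_milliseconds=45 '
    'http_content_type="-" bytes=5120 bytes_in=1024 bytes_out=4096',
    '1700000001.456 logformat=splunk_recommended_squid duration=2 src_ip=10.0.0.9 '
    'src_port=40001 dest_ip=- dest_port=0 user_ident="-" user="alice" '
    'local_time=[14/Nov/2023:22:13:21 +0000] http_method=GET '
    'request_method_from_client=GET request_method_to_server=- '
    'url="http://blocked.example/?q=a=b" http_referrer="-" http_user_agent="curl/8.4.0" '
    'status=403 vendor_action=TCP_DENIED dest_status=HIER_NONE total_time_milliseconds=2 '
    'http_content_type="text/html" bytes=3000 bytes_in=300 bytes_out=2700',
]

# One key=value token: the value is "quoted", [bracketed] or bare non-space text.
# Scanning left to right means an '=' inside a quoted URL or user agent is
# never mistaken for the start of a new key.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|\[([^\]]*)\]|(\S*))')


def parse_squid_line(line: str) -> Dict[str, str]:
    """Split one access.log line into a field dict keyed as in the logformat."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = {"timestamp": timestamp}
    for match in _KV.finditer(rest):
        key, quoted, bracketed, bare = match.groups()
        fields[key] = quoted if quoted is not None else (
            bracketed if bracketed is not None else bare)
    return fields


def denied_requests_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count proxy-denied requests (vendor_action TCP_DENIED*) per src_ip."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_squid_line(line)
        if fields.get("vendor_action", "").startswith("TCP_DENIED"):
            counts[fields.get("src_ip", "-")] += 1
    return dict(counts)
```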
Hi Everyone, I've recently applied a blacklist file path regex to one of the apps' inputs.conf in the serverclass on the host in DS. How can I determine whether it's working or not?
Not sure if you are still looking into this, but I ran into a similar issue and aggregate several searches into Assets. Either the CMDB is missing items or some other agent has additional information for an asset. Very basic instructions:
1. Create a search that returns the info you want.
2. https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Formatassetoridentitylist for the table in the search. You may have to rename some fields to match.
3. Save As - Report
4. Schedule it.
5. Title and description.
6. Settings - Lookups - Lookup definitions
7. Create new definition.
8. Dest App = SA-IdentityManagement
9. Name it.
10. File-based
11. Lookup file = name of the outputlookup csv you had in the search. If it's not in the list, manually re-run the saved search.
12. Open the Enterprise Security app.
13. Configure - Data Enrichment - Asset & Identity
14. New Configuration
15. Choose source -- will be the lookup name.
16. Save.
You are correct in letting Asset and Identity Management manage the merge. You can set the rank of all of the sources on that page as well.
How and where did you create the index? It must be on the indexers and (optionally) on the search heads. If the index was added by editing indexes.conf then the Splunk instances must be restarted. Ensure the inputs.conf files use the *exact* same index name that was created. Also, be sure to use the right index name when searching for data. Check splunkd.log to see if the indexers are reporting errors writing to the new index.
Hi, we have created a new index on our platform but it doesn't collect any data. The inputs.conf stanzas are well configured with the new index name, but our index is empty. So I'm trying to list the checks to do in order to make our index work. Thanks.
Hi @gebr, as 8.0.x is no longer supported by Splunk as per the support policy from https://www.splunk.com/en_us/legal/splunk-software-support-policy.html#core I would suggest upgrading your infra to the latest version of Splunk, e.g. 9.0.x. If you are not able to upgrade for some time, maybe I would suggest going for the 8.0.1 Splunk UF or the same version as the HF/Indexer; you can download older versions from https://www.splunk.com/en_us/download/previous-releases-universal-forwarder.html