Hi Team, we have 4 search heads in a cluster. One search head is getting a KV store port issue asking us to change the port; the remaining 3 SHs are working fine. We are unable to restart Splunk on that particular SH. If I check the SH cluster status, only 3 servers are showing now. Splunk installed version: 9.0.4.1. For error visibility, please find the attached. Regards, Siva.
Thank you, let me know the outcome of this if possible for you.
Hi @gcusello, I am only trying to exclude the selected part of the events. How can we troubleshoot Splunk locally using btool?
@PickleRick, hello. When I apply this blacklist regex, I can still see the logs. Can we use btool to troubleshoot this issue?
blacklist8 = "$XmlRegex=#Data Name='ParentProcessName'>C:\\Program Files\\(AzureConnectedMachineAgent\\GCArcService\\GC\\(gc_service|gc_worker)\.exe|Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe|Rapid7\\Insight Agent\\components\\insight_agent\\3\.2\.5\.31\\ir_agent\.exe)#" renderXml=true
Thanks
Fantastic! It worked. Thanks for the solution.
Try without the greedy match at the beginning:
| rex max_match=0 field=_raw "\"(?<URL>((http|https):\/\/(\S+|\d+\.\d+\.\d+\.\d+\S+)))\""
index=mssql sourcetype=SQL_Query (source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM OR (source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete)) | eval query_source=if(source="Esigns", "query2", "query1") | stats count(eval(query_source="query1")) as count1 count(eval(query_source="query2")) as count2 | eval diff=count1-count2
I'm afraid it still gives a single-value output like this:
URL
http://127.0.0.1:8080
https://facebook.com
Try this:
| rex max_match=0 field=_raw ".*\"(?<URL>((http|https):\/\/(\S+|\d+\.\d+\.\d+\.\d+\S+)))\""
How do we capture multiple URLs in a single event?
Log1: type=EXECVE msg=audit(1695798790.101:25214323): argc=17 a1="http://127.0.0.1:8080" a2="http://10.0.2.20" a3="https://google.com/data/involvement/" a4=cat
Log2: type=EXECVE msg=audit(1695798790.100:25214323):  a2="https://facebook.com" a3="-o" a4="http://127.0.0.1/index.html" a5="-kis" a6="-x" a7="http://10.0.0.10:8080"
Currently I'm using the regex below, which captures only one URL:
| rex field=_raw ".*\"(?<URL>((http|https):\/\/(\S+|\d+\.\d+\.\d+\.\d+\S+)))\""
I need all the URLs in the output.
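The two replies in this thread differ only in the leading `.*`, and that is the whole problem: a greedy `.*` before the opening quote swallows the event up to the last quoted URL, so even with `max_match=0` the scan resumes at the end of the event and only one URL is ever returned. The following added example (not from the thread or from Splunk) reproduces both behaviours with Python's `re`, using the same URL sub-pattern as the `rex` above; it assumes that Python's regex engine backtracks like Splunk's PCRE for this pattern, which it does, and uses the two audit lines from the question as sample input.

```python
import re

# The two EXECVE audit lines from the question above, used as sample input.
LOG1 = ('type=EXECVE msg=audit(1695798790.101:25214323): argc=17 '
        'a1="http://127.0.0.1:8080" a2="http://10.0.2.20" '
        'a3="https://google.com/data/involvement/" a4=cat')
LOG2 = ('type=EXECVE msg=audit(1695798790.100:25214323): '
        'a2="https://facebook.com" a3="-o" a4="http://127.0.0.1/index.html" '
        'a5="-kis" a6="-x" a7="http://10.0.0.10:8080"')

# Same URL sub-pattern as the rex in the thread (Python syntax: slashes need no escaping).
URL_PART = r'(?P<URL>(http|https)://(\S+|\d+\.\d+\.\d+\.\d+\S+))'

# Pattern as originally posted: a greedy .* before the opening quote.
GREEDY = re.compile(r'.*"' + URL_PART + r'"')
# Pattern from the later reply: the same thing without the leading .*
ANCHORED = re.compile(r'"' + URL_PART + r'"')


def extract_urls(event: str, pattern: re.Pattern) -> list:
    """Return every URL the pattern finds, scanning the event repeatedly
    (the equivalent of rex max_match=0)."""
    return [m.group('URL') for m in pattern.finditer(event)]


if __name__ == '__main__':
    for name, line in (('Log1', LOG1), ('Log2', LOG2)):
        print(name, 'greedy  :', extract_urls(line, GREEDY))
        print(name, 'anchored:', extract_urls(line, ANCHORED))
```

With `GREEDY`, each line yields exactly one URL (the last one in the event); with `ANCHORED`, the scan restarts right after each closing quote and all three URLs per line come back, which is what the multi-value `URL` field should contain when the extraction is used to review what a process was told to fetch.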
Hello, I have had this problem since last week and this error occurs. I searched in several communities but I didn't find any solution. I'm using Ubuntu 64-bit. I checked both interfaces that connect to my forwarder; both of them had this problem and error. Please help us if anyone has a solution.
If you are looking to find which values are not the maximum, you could do this example:
| makeresults
| eval _raw="FieldA FieldB
host1 26
host2 29
host3 29"
| multikv forceheader=1
| table FieldA FieldB
| eventstats dc(FieldB) as counts min(FieldB) as minFieldB max(FieldB) as maxFieldB
| eval result=if(counts>1 AND FieldB<maxFieldB, FieldA, null())
| stats list(eval(if(isnotnull(result), FieldA, null()))) as Hosts list(eval(if(isnotnull(result), FieldB, null()))) as Values
to get a list of the hosts and their values that are not the maximum.
Hi, we have just upgraded to 9.1.1 and our HEC seems to have stopped working. Calling it from a simple PowerShell script worked the day before, and running it now throws this error:
Unable to connect to the remote server No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:8088
So, I headed over to the forwarder where it should be listening, and the tokens do still exist in the inputs.conf in "/opt/splunkforwarder/etc/apps/splunk_httpinput/local". However, issuing the list command gives us the following:
$SPLUNK_HOME/bin/splunk http-event-collector list -uri https://localhost:8089
Token Not Found
The HEC is enabled in the global settings, but we are also not seeing anything listening on port 8088. Splunk Enterprise on a Linux build.
If host1's 26 is not equal to the 29 values of host2 and host3, then what logic do you apply to host2, as its 29 is not equal to the value of host1's 26. So effectively none of them are equal to all of the others - how do you know which one is the master value to compare against?
Hello, it looks like when we enable or disable an app from the deployment server (via the GUI, for instance), app.conf in deployment-apps is edited, pushed to the forwarders, and then edited again? Thanks.
https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/IS-DCRecords.html maybe this helps? I am not really familiar with eStreamer in detail. What I understood from a Splunk perspective is that rec_type is the main identifier for the firewall events. The TA also uses it to break the events. In the Python script you are able to filter out rec_types and fields, based on rec_types. David
To be more precise, this not only concerns foreign letters, but simply all characters not part of the standard ASCII character set. You will see that after applying the upgrade all dashboard .XML files will have a current modified date.
Hi, I am trying to write a query which compares all field values for a particular field and fetches the results, with their details, if they are not the same. Below is my input:
FieldA    FieldB
host1     26
host2     29
host3     29
I want to compare all field values from FieldB, and if they are not the same then I want to fetch that count with its FieldA value. E.g. here 26 is not equal to the other two field values, so that FieldB value with its FieldA value has to be displayed. I tried with an if condition:
| eventstats list(fieldB) as counts | eval value1=mvindex(counts,-2) | eval value2=mvindex(counts,-1) | eval value3=mvindex(counts,0) | eval value=if(('value1'=='value2') AND ('value2'=='value3'),"0","1")
Also with the query below:
| stats dc(metric_value) as count | eval value=if(count>1,"0","1")
But with the above two, I am not able to pull the host name where that value is not the same. Note: FieldB is dynamic. Help me with this!
Hi @karthi2809, please find the order of knowledge objects at search time. You will find the same information in Intro to Knowledge Objects.
Hi, there is a bug in the Splunk Enterprise installer for 9.1.1 on Windows. During the upgrade (coming from 8.2.8) it processes the dashboard XML files, obviously looking for statements to change during the upgrade. There seems to be an erroneous conversion of UTF-8 files when the upgrade process saves them again on Windows, and all special characters like äÄöÖüÜ got eliminated and replaced by special characters across all dashboards by the upgrade. We had to manually check all dashboards after the upgrade. Be warned. Regards