Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
09-21-2023
07:39 AM
2.3.3 From here: https://splunkbase.splunk.com/app/5222
09-21-2023
07:32 AM
Can you please add which version of the addon you're running?
09-21-2023
07:23 AM
thank you @richgalloway for the reply attached is an example of my search
09-21-2023
07:20 AM
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this. Context I have 2 apps 1) mainapp with savedsearches, macros, dashboards, etc. 2)...
See more...
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this. Context I have 2 apps 1) mainapp with savedsearches, macros, dashboards, etc. 2) mainapp_TA, containing most of the *.config files (props, transforms, etc.) Based on the GUI Settings > pages, all ... * savedsearches are all set to owner=nobody * macros are set to owner= No Owner * Sharing is set to App for everything Issue One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine. However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine. Note: I tried setting owner to another user in our environment, and the the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it. When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings > Searches, Reports, and Alerts page and it works every time. I cannot figure out WHY this savedsearch is special and requires me to be the owner. I have to be missing something but not sure where to look now. Any help is greatly appreciated. Regards, Greg
09-21-2023
07:14 AM
@bowesmana It looks like you are very knowledgeable in Splunk, and possibly spent quite a bit of time on your replies, and I really appreciate your help. No wonder you have earned so many badges! I ...
See more...
@bowesmana It looks like you are very knowledgeable in Splunk, and possibly spent quite a bit of time on your replies, and I really appreciate your help. No wonder you have earned so many badges! I tried what you suggested, and probably due to my inexperience, it comes back with no results every time. I can run a query, that does not use dropdowns, that works how I'd like it but I am trying to simplify things for my maintenance teammates that do not have Splunk knowledge so that they just select items from dropdowns. If you can spare a little more time I would truly appreciate it. An example of the results I am looking for are shown below (the EventLocation is pulled from a message).
09-21-2023
07:10 AM
The regular expression shown could be good, but we can't tell without seeing a sample event (not just a file path).
09-21-2023
07:03 AM
The inputlookup command reads from a single lookup. There is no provision for reading multiple files at once (via wildcards, for instance). Go to https://ideas.splunk.com to make a case for this en...
See more...
The inputlookup command reads from a single lookup. There is no provision for reading multiple files at once (via wildcards, for instance). Go to https://ideas.splunk.com to make a case for this enhancement to inputlookup.
09-21-2023
07:01 AM
Hello I am trying to get filename (name.exe) from a full path (dir + filename) from windows folders, ex: C:\dir1\dir2\filename.ext using code as below: index = os_sysmon NOT Image="*...
See more...
Hello I am trying to get filename (name.exe) from a full path (dir + filename) from windows folders, ex: C:\dir1\dir2\filename.ext using code as below: index = os_sysmon NOT Image="*Sysmon*" EventCode=1
| rex field=Image "Executable=(?P<Executable>[^\\\]+)$"
| table Image Executable Problem: Executable always empty Can you please advise? best regards Altin
- Tags:
- rex
Labels
- Labels:
-
rex
09-21-2023
06:46 AM
Hello I am trying to test the functionality of sending an email that will be sent because of an alert. For that, first I tried to send an email using the sendemail command. I used the free subscript...
See more...
Hello I am trying to test the functionality of sending an email that will be sent because of an alert. For that, first I tried to send an email using the sendemail command. I used the free subscription of Brevo to get an accessible SMTP server to send an email. Then I tried configuring the email settings in my Splunk Enterprise. Below are the SS of my email settings For the password, I am using the MasterKey provided in the Brevo for my SMPT For the rest of the settings, I kept them as the default I am trying to send the data to a dummy email in Mailinator. Below is my searched SPL with the error. It is giving me an error for the email set as Send Email as user(Splunk) which I kept as default. I tried using my personal Gmail ID as well but got the same error for that ID. Can anyone please help me on how to debug or resolve this issue.
Labels
09-21-2023
06:41 AM
https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setupmultipleindexes You don't have to add your app to the indexers but you must define your index on the indexers. A stand alone insta...
See more...
https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setupmultipleindexes You don't have to add your app to the indexers but you must define your index on the indexers. A stand alone instance can define via GUI management, however if you have an indexing cluster you must use the CLI to edit an indexes.conf file which is pushed in the CM bundle to the IDX tier.
09-21-2023
06:39 AM
2 Karma
Fill in the empty values using the mvmap function. | makeresults
| eval _raw="{\"name\": \"my name\", \"values\": [{\"rank\": 1, \"value\": \"\"}, {\"rank\": 2, \"value\": \"a\"}, {\"rank\": 3, \"va...
See more...
Fill in the empty values using the mvmap function. | makeresults
| eval _raw="{\"name\": \"my name\", \"values\": [{\"rank\": 1, \"value\": \"\"}, {\"rank\": 2, \"value\": \"a\"}, {\"rank\": 3, \"value\": \"b\"}, {\"rank\": 4, \"value\": \"c\"}]}"
| spath
| rename values{}.rank as rank
| rename values{}.value as value
| eval value=mvmap(value,if(value="", "[empty]", value))
| table name, rank, value
09-21-2023
06:37 AM
@dural_yyz Thanks for the insight, I've declared the index in my app's indexes.conf which is installed on the HF which essentially is being populated by scripted input. But is there a way around w...
See more...
@dural_yyz Thanks for the insight, I've declared the index in my app's indexes.conf which is installed on the HF which essentially is being populated by scripted input. But is there a way around where I don't have to install my app on the indexers? And also can you please provide the reference where it mentions that I have to install my app in Indexer?
09-21-2023
06:35 AM
It appears that the field action has text values and you are trying to apply a volume limit where statement. You could create a new field of 'tmp' if action IN (value1 value2), "1","0"). At that po...
See more...
It appears that the field action has text values and you are trying to apply a volume limit where statement. You could create a new field of 'tmp' if action IN (value1 value2), "1","0"). At that point you can stats count or sum the new field and apply your where statement based upon your own needs. Just a thought.
09-21-2023
06:33 AM
That exam is in its beta period. Exam results will not be returned until Splunk has enough results to assess the exam itself. It could be months until we learn how we did.
09-21-2023
06:33 AM
1 Karma
Hi @yasit, it isn't correct: if you are trying to send logs to a not existing index, you have a message (someting like this: "unconfigured/disabled/deleted index=wineventlog with source="source::Win...
See more...
Hi @yasit, it isn't correct: if you are trying to send logs to a not existing index, you have a message (someting like this: "unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:System"), but the index isn't automatically created. Ciao. Giuseppe
09-21-2023
06:33 AM
1 Karma
Hello! I am trying to get the streamfwd app to capture traffic on an interface located on my virtual machine. Does this app not recognize link layer virtualization? This is the error I am receiving ...
See more...
Hello! I am trying to get the streamfwd app to capture traffic on an interface located on my virtual machine. Does this app not recognize link layer virtualization? This is the error I am receiving and currently can't find a workaround... "(SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <lo0>: 253" I was also receiving the same error when I changed my streamfwd.conf to capture on a different network interface. Even tried putting the interface into promiscuous mode. Any help/troubleshooting on this would be appreciated! Fysa, I am using a 64bit CentOS8.
- Tags:
- streamfwd
Labels
- Labels:
-
universal forwarder
09-21-2023
06:30 AM
Agreed - you need to have the index defined on the indexers. Since the HF cooks the data when it comes across you need to have matching configuration at the receiving side. Failure to do this will ...
See more...
Agreed - you need to have the index defined on the indexers. Since the HF cooks the data when it comes across you need to have matching configuration at the receiving side. Failure to do this will mean your data will route to the last chance index. On the indexer check btool config for indexes.conf [default] lastChanceIndex = <index name>
* An index that receives events that are otherwise not associated
with a valid index.
* If you do not specify a valid index with this setting, such events are
dropped entirely.
* Routes the following kinds of events to the specified index:
* events with a non-existent index specified at an input layer, like an
invalid "index" setting in inputs.conf
* events with a non-existent index computed at index-time, like an invalid
_MetaData:Index value set from a "FORMAT" setting in transforms.conf
* You must set 'lastChanceIndex' to an existing, enabled index.
Splunk software cannot start otherwise.
* If set to "default", then the default index specified by the
'defaultDatabase' setting is used as a last chance index.
* Default: empty string
09-21-2023
06:29 AM
thanks @gcusello what seems to be the issue? my understanding was that by default if Splunk receives data for an index that doesn't exist, it will attempt to create the index dynamically.
09-21-2023
06:23 AM
1 Karma
Hi @yasit, you have two choices: install the app also on Indexers (I don't hint), manually create the index on the Indexer. usually this is described in the instructions, which is the app? Cia...
See more...
Hi @yasit, you have two choices: install the app also on Indexers (I don't hint), manually create the index on the Indexer. usually this is described in the instructions, which is the app? Ciao. Giuseppe
