Hi @nill, you can download the Universal Forwarder installation package at https://www.splunk.com/en_us/download/universal-forwarder.html; the instructions for installation are at https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Linux Ciao. Giuseppe
Try something like this:
| rex max_match=0 "\s+\S+\s+\S+\s+\S+\s+\S+\s+(?<file>OU_\S+)"
In future, please paste the text of your event into a code block (</>), much like I have done with the SPL above. This prevents the text from being reformatted and losing spaces, new lines, etc.
How do I split the above table into one line per entry? I also want a threshold: if the current Block size exceeds 85% of Max Block size, I want to trigger an alert.
Hello, can anyone help me extract the file name below, which is OU_....., from the raw data below?
12:04:19.85 14/09/2023 directory="E:\data\Test" ECHO is off.
 Volume in drive E is Data
 Volume Serial Number is 7808-CA1B
 Directory of E:\data\Test
13/09/2023 13:22 <DIR> XXX\xxxx .
13/09/2023 13:22 <DIR> xxx\xxx ..
12/09/2023 09:31 95 xxx\xxx dir_details.bat
13/09/2023 13:41 171 xxx\xxx dir_details_copy.bat
07/09/2023 13:26 0 xxx\xxx edsadsad.txt
07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkdl.zip
07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkewew.zip
07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkewewdsads.zip
6 File(s) 332 bytes
2 Dir(s) 20718067712 bytes free
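The rex suggested in the answer above counts four whitespace-separated tokens (date, time, size, owner) before the OU_ name. The following added example, which is not part of either post, reproduces that `rex max_match=0` behaviour in Python over a constructed copy of the `dir` event from the question, and contrasts it with a line-anchored parser that reads each entry's fields. It also constructs a variant of the event without the owner column (as `dir` prints it without `/q`) to show that the positional regex then silently skips a file while the field parser still returns all three. The event text, the `ENTRY_RE` pattern and the helper names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample event modelled on the dir-output event quoted in the question
# (the xxx\xxx owner column and the file names are the placeholder values from the post).
SAMPLE_EVENT = r"""12:04:19.85 14/09/2023 directory="E:\data\Test" ECHO is off.
 Volume in drive E is Data
 Volume Serial Number is 7808-CA1B
 Directory of E:\data\Test
13/09/2023 13:22 <DIR> XXX\xxxx .
13/09/2023 13:22 <DIR> xxx\xxx ..
12/09/2023 09:31 95 xxx\xxx dir_details.bat
13/09/2023 13:41 171 xxx\xxx dir_details_copy.bat
07/09/2023 13:26 0 xxx\xxx edsadsad.txt
07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkdl.zip
07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkewew.zip
07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkewewdsads.zip
6 File(s) 332 bytes
2 Dir(s) 20718067712 bytes free
"""

# The rex from the answer. Splunk's (?<name>...) named group is (?P<name>...) in Python.
# \s also matches newlines, so the four tokens before the OU_ name may straddle lines.
POSITIONAL_RE = re.compile(r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<file>OU_\S+)")


def rex_max_match_0(event: str) -> List[str]:
    """Equivalent of `| rex max_match=0 ...`: every captured `file` value, in order."""
    return POSITIONAL_RE.findall(event)


# Line-anchored alternative (an assumption of this example, not from the post): parse each
# `dir` entry into fields. The owner column is optional, so the pattern works with or without it.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})[ \t]+(?P<time>\d{2}:\d{2})[ \t]+"
    r"(?P<size><DIR>|\d+)[ \t]+(?:(?P<owner>\S+)[ \t]+)?(?P<name>\S+)[ \t]*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class DirEntry:
    date: str
    time: str
    size: Optional[int]    # None for <DIR> entries
    owner: Optional[str]   # None when dir was run without /q
    name: str


def parse_dir_entries(event: str) -> List[DirEntry]:
    """One DirEntry per directory-listing line; header and summary lines are ignored."""
    entries = []
    for m in ENTRY_RE.finditer(event):
        size = None if m["size"] == "<DIR>" else int(m["size"])
        entries.append(DirEntry(m["date"], m["time"], size, m["owner"], m["name"]))
    return entries


def ou_files(event: str) -> List[str]:
    """Names of regular files starting with OU_, taken from the parsed entries."""
    return [e.name for e in parse_dir_entries(event)
            if e.size is not None and e.name.startswith("OU_")]


def without_owner_column(event: str) -> str:
    """Constructed variant of the event as `dir` prints it without /q (owner column removed)."""
    return re.sub(
        r"(?m)^(\d{2}/\d{2}/\d{4}[ \t]+\d{2}:\d{2}[ \t]+(?:<DIR>|\d+))[ \t]+\S+[ \t]+",
        r"\1 ",
        event,
    )


if __name__ == "__main__":
    print("rex, with owner column:   ", rex_max_match_0(SAMPLE_EVENT))
    print("parser, with owner column:", ou_files(SAMPLE_EVENT))
    variant = without_owner_column(SAMPLE_EVENT)
    print("rex, no owner column:     ", rex_max_match_0(variant))
    print("parser, no owner column:  ", ou_files(variant))
```

With the owner column present both approaches return all three OU_ names. Without it, the positional regex still finds matches because its `\s+` runs cross line boundaries, but each match consumes the preceding file name as one of the four tokens, so the second OU_ file is skipped and the count is wrong with no error. Anchoring the extraction to the fields of a line is what keeps an alert built on such a count trustworthy.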
@gcusello I have selected the last 7 days but it's showing only 2 with the query below:
index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔",""), EBNCStatus="ebnc event balanced successfully", Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day
I got the following errors in my Splunk error logs:
Failed to find Event Log with channel name=Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5
Hi @love0sxy, how did you configure the deploymentclient.conf file in your UFs? If this file is in a custom Add-On deployed using the Deployment Server, you can modify the file in the app to deploy, and the new addressing is deployed to all the UFs. If instead you configured it using the CLI command and the deploymentclient.conf file is in $SPLUNK_HOME/etc/system/local, there isn't any automatic way to change the DS addressing. In this case, you could deploy an add-on containing this file using the old DS and run a remote script that deletes the old deploymentclient.conf file and restarts Splunk. Ciao. Giuseppe
Hello guys, I want to change my universal forwarder to a new deployment server; how do I do this using the current deployment server? I am currently pushing the app for the universal forwarder, but can't change deployment_server.
Hi @aditsss, as I said, if you use a fixed (for all events) value for EBNCStatus, you'll always have only one value in this field, so when you dedup on this field you'll always get one value! Try deleting the dedup row and see what happens. You could try to dedup on the EBNCStatus field and another field (e.g. day), something like this:
index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval
True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
EBNCStatus="ebnc event balanced successfully",
Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day
Ciao. Giuseppe
@gcusello Currently, when I do the dedup and select the last 7 days, it's showing only one event. I want it to show that message 7 times when I select the last 7 days, and 30 times when I select the last 30 days. Can you help me with this?
Hi, here is a link to an old post about your replication issue: https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-What-are-my/m-p/194594 There are some more if you need them. Can you describe your SHC environment so we can better understand your issue (OS, versions, size, apps, lookups, etc.)? r. Ismo
Hi, it depends on how you have configured your environment. If you are using FQDNs in every configuration, then it shouldn't need any changes after you have updated your DNS. But if you are using IPs, then you must change those to the correct ones, or, the preferred way, switch to FQDNs. Depending on your configuration there could be some IPs which have been detected automatically, but this depends on your configuration (mainly in a distributed environment with indexer clusters). r. Ismo
Hi all, we have a newly built Splunk Enterprise setup situated in a temporary location, and we are looking to perform a data center migration from the temporary location to the permanent location. We want to know whether Splunk Enterprise installed on the component servers is impacted in any way by the change of IP addresses that comes with the DC migration.
Hi @trashyroadz @richgalloway, thank you for your inputs. I think I got confused between the search bundle and the deployer bundle. So I think I need to check the bundle in /opt/splunk/var/run/searchpeers on the search head. I guess I can also whitelist/blacklist the items that need to be sent to the indexers in distsearch.conf on the search head (captain). Please correct me if that is wrong. There is another issue we are facing, because of which I thought both were related and I started checking the deployer bundle. When we execute a bundle push command from the deployer, it always takes more than 30 minutes to complete, and sometimes we don't get a success message or an error message. There are many apps, and I don't think increasing maxBundleSize will help reduce the time taken for the bundle push. Can you please advise on this as well?
Hi @aditsss, sorry, but if you use a fixed (for all events) value for EBNCStatus, you'll always have only one value in this field, so when you dedup on this field you'll always get one value! Could you describe your requirement in more detail? Ciao. Giuseppe