All Posts
@gcusello I tried the query below:

index=abc sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

and I get the error below:

Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")'.
Hi! We're having a similar issue as well, with splunk-winevtlog and splunk-perfmon being the culprits, but Signature P4 is not KERNELBASE but the Splunk process itself. It only affects Server 2019. Bursts of AppCrash show up every 5 minutes or so. We've tried versions 9.0.6 and 9.1.1. We opened a support case, turned on DEBUG logging and sent them diags, etc. (the works). What we've found was that clearing the WER folder of AppCrash files, C:\ProgramData\Microsoft\Windows\WER (Settings > Storage > Free Space > Windows Error Report - check Delete Files), would cease the issue on that single server, at least until the issue gets triggered again. Did you get your issue fixed with release version 9.0.6 @PeterBoard? Thanks
I need to join the file_name field between the subsearch and the main search. Your example is like what I did, but I get an error message like I said in my example. I have also tested putting a rex field just before the stats command; I get no error but also no results, even if a common event exists between the main search and the subsearch:

| rex field=NewProcessName "(?<file_name>\w+\w+\.exe)"
| stats values(file_name) as file_name....
Hi @Manish_Sharma, if you're speaking of servers using the universal forwarder, you can use a search like the following:

index=_internal | stats count BY host

and check the list against the ones managed by the DS. If you're speaking of other hosts without the universal forwarder, it's a longer search:

index=* | stats count BY host

Ciao. Giuseppe
Hi @aditsss, if you don't want the last row with some empty fields, you have to remove the empty lines. You can do it knowing the name of the first column (which I don't know) and adding a rule (if the column is called "column1"):

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

Ciao. Giuseppe
Hi @love0sxy, if you want to manage deploymentclient.conf via the Deployment Server, you have to follow the procedure I described in my previous answer, because files in the $SPLUNK_HOME/etc/system/local folder aren't manageable by the DS; for this reason the changes aren't effective. Ciao. Giuseppe
Hi, can anyone please advise whether there is any quick way to find the list of servers not managed by the deployment server but transmitting data to Splunk, on the deployment server or the SH itself. Thanks
I found a solution by editing the inputs.conf file as follows.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index = sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
@gcusello where do I need to put this EBNCStatus=*? Below is my query:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day
We use an asset file correctly configured on ES, but we noticed that the enrichment based on "asset_lookup_by_cidr" is not working correctly because the lookup is not sorted by CIDR class. For example, in the following sample the sorting is based on "lexicographic" order instead of the real CIDR class logic:

1.2.30.0/26
1.2.30.128/25
1.2.31.0/24
1.2.32.0/24
1.2.33.0/25
1.2.33.128/25

We tried to solve the problem by creating a saved search that automatically performs the right sort, but soon after the execution the lookup "asset_lookup_by_cidr" is replaced with the "lexicographic" order. My saved search:

| inputlookup asset_lookup_by_cidr
| eval ip=replace(ip,"\s+","")
| eval sorted=case(match(ip,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{2}"),substr(ip,-2),match(ip,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1}"),substr(ip,-1),1=1,"0")
| sort limit=0 - sorted
| fields - sorted
| outputlookup asset_lookup_by_cidr

Is there a quick solution to this problem? Because it is a big problem for notables based on IP addresses.
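Why the row order of a CIDR lookup matters, and what the post's saved search is trying to achieve, is easier to see outside Splunk. The following is an added example, not code from the post or from Splunk ES: it takes a constructed set of lookup rows (the six prefixes from the post plus a /16 supernet and an overlapping /24, added here to make the overlap visible), sorts them the way the saved search does (longest prefix first) and additionally breaks ties by numeric network address, and then resolves an IP against each ordering under the first-match semantics the post implies. Whether ES's `asset_lookup_by_cidr` actually returns the first matching row in file order is an assumption of this example.

```python
import csv
import io
import ipaddress

# Constructed sample rows for asset_lookup_by_cidr (not data from the original post).
# The six prefixes come from the post; the /16 and the overlapping /24 are added
# here to show what happens when prefixes nest.
SAMPLE_ROWS = [
    {"ip": "1.2.30.0/26", "asset": "subnet-a"},
    {"ip": "1.2.30.128/25", "asset": "subnet-b"},
    {"ip": "1.2.31.0/24", "asset": "subnet-c"},
    {"ip": "1.2.32.0/24", "asset": "subnet-d"},
    {"ip": "1.2.33.0/25", "asset": "subnet-e"},
    {"ip": "1.2.33.128/25", "asset": "subnet-f"},
    {"ip": "1.2.0.0/16", "asset": "site-wide"},   # least specific supernet
    {"ip": "1.2.30.0/24", "asset": "subnet-g"},   # overlaps subnet-a and subnet-b
]

# The ordering the post complains about: plain string comparison of the "ip" column.
LEXICOGRAPHIC_ROWS = sorted(SAMPLE_ROWS, key=lambda row: row["ip"])


def sort_by_specificity(rows):
    """Longest prefix first (most specific match wins), ties broken by numeric
    network address. This generalises the post's substr(ip,-2) trick, which
    only orders by prefix length and compares it as a string."""
    def key(row):
        net = ipaddress.ip_network(row["ip"].strip(), strict=False)
        return (-net.prefixlen, int(net.network_address))
    return sorted(rows, key=key)


def first_match(ip, rows):
    """Return the asset of the first row whose CIDR contains ip, or None.
    Mirrors a lookup that stops at the first matching row in file order
    (assumed behaviour, see lead-in)."""
    addr = ipaddress.ip_address(ip)
    for row in rows:
        if addr in ipaddress.ip_network(row["ip"].strip(), strict=False):
            return row["asset"]
    return None


def render_csv(rows):
    """Serialise rows in the given order, as outputlookup would write them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "asset"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print("lexicographic order resolves 1.2.30.5 to:", first_match("1.2.30.5", LEXICOGRAPHIC_ROWS))
    ordered = sort_by_specificity(SAMPLE_ROWS)
    print("specificity order resolves 1.2.30.5 to:", first_match("1.2.30.5", ordered))
    print(render_csv(ordered))
```

With string ordering the /16 supernet sorts to the top ("1.2.0.0/16" starts with "1.2.0", which compares lower than "1.2.3"), so a first-match lookup tags every host in the site with the least specific asset. Sorting by prefix length descending fixes that; the numeric tie-break keeps equal-length prefixes in a stable, readable order and avoids the "/9 sorts after /10" string problem the post works around with two match() cases.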
How to create top 10 DB queries in AppD dashboards and reports.
I'm trying to verify the presence of Splunk on all the machines in our environment by creating a shell script and find out the systems without Splunk.
Hi all, is there a way to disable the audience restriction verification on the SAML response? Because in our case, based on the SiteMinder configuration, it is the only way to resolve it. Thank you!
Hi, Esteemed Legend! Thanks. I know that manually changing the file /etc/system/local/deploymentclient.conf on the UF and restarting splunkd.exe can change the deployment server, but when I use the deployment server to push a deploymentclient.conf with a new path to the UF, it is not effective.
Make sure the path, type, and reg fields are not null.  The stats command will not return results for null groupBy fields.
@gcusello This query is not working for me:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day
What are you trying to accomplish? What do you mean by "validate Splunk"?
Hi @SplunkSN, ok, but the logs you're using for the alert come from two different hosts, one active and one passive. So, if I understood correctly, you want to use only host1 if host1 is the active one, and host2 if that is the active one. One question: can you have logs from both host1 and host2? If yes, are they different? If they are the same, you could dedup results using the duplicated fields that you have in your alert, or you could group results so the host value isn't relevant. Could you share your alert search? Ciao. Giuseppe. Check if the host field in the results of your alarm is only the active host; in this case you can
Depending on what you mean by "cross", the search command may do the job.

index=toto event_id=4688
| eval file_name=replace(NewProcessName, "^.*\\\\([^\\\\]+)$","\\1")
| search [| inputlookup test where software=pm | table pm | rename pm as file_name | format]
| stats values(file_name) as file_name.....
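The mechanics of the answer above (strip the directory from NewProcessName, then keep only the 4688 events whose file name appears in a lookup) can be checked against constructed sample data outside Splunk. This is an added example, not code from the thread: the events, the lookup rows (using the post's `software`/`pm` column names) and the host names are all made up here, the regex is the same basename pattern as in the replace() call, and the case-insensitive comparison mirrors the case-insensitive value matching of the search command (an assumption of this example; adjust if your lookup is defined as case-sensitive).

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security process-creation events (not from the thread).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "event_id": 4688, "NewProcessName": r"C:\Tools\PsExec64.exe"},
    {"host": "ws02", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws02", "event_id": 4592, "NewProcessName": r"C:\Tools\PsExec64.exe"},  # not 4688
    {"host": "ws03", "event_id": 4688, "NewProcessName": "notepad.exe"},             # no directory
]

# Constructed stand-in for the "test" lookup from the answer: only rows with
# software=pm feed the subsearch, and the pm column becomes file_name.
SAMPLE_LOOKUP = [
    {"software": "pm", "pm": "PsExec64.exe"},
    {"software": "pm", "pm": "powershell.exe"},
    {"software": "other", "pm": "cmd.exe"},
]

# Same pattern as the replace() in the answer: everything after the last backslash.
BASENAME_RE = re.compile(r"^.*\\([^\\]+)$")


def file_name_of(path):
    """Basename of a Windows path. Like replace(), leave the value untouched when
    the pattern does not match (a bare file name with no directory)."""
    m = BASENAME_RE.match(path)
    return m.group(1) if m else path


def watch_list(lookup, software="pm"):
    """Equivalent of: | inputlookup test where software=pm | table pm"""
    return {row["pm"].lower() for row in lookup if row["software"] == software}


def find_watched_processes(events, lookup):
    """Equivalent of the 4688 search joined to the lookup via the subsearch,
    followed by stats values(file_name) by host."""
    watched = watch_list(lookup)
    by_host = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 4688:
            continue
        name = file_name_of(ev["NewProcessName"])
        if name.lower() in watched:
            by_host[ev["host"]].add(name)
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    for host, names in find_watched_processes(SAMPLE_EVENTS, SAMPLE_LOOKUP).items():
        print(host, names)
```

The point the thread keeps circling is that the join only works if both sides produce exactly the same field value: the lookup holds bare file names, so the event side must be reduced to a bare file name before the comparison. Events whose NewProcessName already lacks a directory (ws03 here) must not be dropped by the extraction, which is why a non-matching pattern returns the original value rather than nothing.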
Hi @gcusello, thank you for the reply. Both the hosts are on the same Splunk server. We don't have any parameter in the logs which identifies the currently active site, so we are using host naming (e.g., HostSite1, HostSite2). How would we automate enabling/disabling of alerts based on the host name?