All Posts

Hi, it depends on how you have configured your environment. If you are using FQDNs in every configuration, then it shouldn't need any changes after you have updated your DNS. But if you are using IPs, then you must change those to the correct ones, or, the preferred way, use FQDNs. Depending on your configuration there could be some IPs which have been detected automatically, but this depends on your configuration (mainly in distributed environments with indexer clusters). r. Ismo
If needed you could add "|fillnull value=0" at the end.
Hi all, We have a newly built setup for Splunk Enterprise situated in the temporary location, and we are looking to perform the data center migration from the temporary location to the permanent location. We want to know whether Splunk Enterprise installed on the component servers has any impact from the change of IP address with the DC migration.
Hi @trashyroadz @richgalloway Thank you for your inputs. I think I got confused between the search bundle and the deployer bundle. So, I think I need to check the bundle in /opt/splunk/var/run/searchpeers on the search head. I guess I can also whitelist/blacklist the items that need to be sent to the indexer in the distsearch.conf of the search head (captain). Please correct me if this is wrong. There is another issue that we are facing, because of which I thought both were related and I started checking the deployer bundle. When we execute a bundle push command from the deployer, it always takes more than 30 mins to complete and sometimes we don't get the success message/error message. There are many apps and I don't think increasing maxBundleSize will help in reducing the time taken for the bundle push. Can you please suggest on this as well?
Hi @aditsss, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @aditsss, sorry, but if you use a fixed (for all events) value for EBNCStatus, you'll always have only one value in this field, so when you dedup on this field, you'll always have one value! Could you better describe your requirement? Ciao. Giuseppe
Hello, I have installed Sysmon and I am trying to send it with a UniversalForwarder on that machine to my Splunk indexer and search head... I have tried to add

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0

[WinEventLog://"Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"]
disabled = 0

[WinEventLog://Applications and Services Logs/Microsoft/Windows/Sysmon/Operational]
disabled = 0

to the inputs.conf, but none of those versions worked... I have also restarted the UniversalForwarder, and the indexer / search head has the Sysmon app installed. What am I doing wrong?! PS.: Sysmon is running and I see the logged data in the Event Viewer of that machine...
| rex mode=sed field=mac "s/(..):(..):(..):(..):(..):(..)/\1-\2-\3-\4-\5-\6/g"
Hi Team, I have the below query:

index="abc" sourcetype=$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully"
| dedup EBNCStatus
| table EBNCStatus True

I am deduping my EBNC status, so when I select the date filter as yesterday it shows one count, but when I select 7 days from the date filter it still shows one count. I want it to show a count of 7 when I select 7. Can someone help me with this?
Hello gcusello, Thanks for your inputs. However, like I said, the use case is I'm looking for the IP that is causing the maximum number of http errors (400s, 500s); let's say I'm trying to find a single IP that is causing over 100 http errors. I think in the query we will have to use eval & case functions too. Please let me know if you need further clarifications on the above. Moh.
Hi, this worked for me, in file ...etc\system\local\web_feature.conf:

[feature:dashboards_csp]
enable_dashboards_redirection_restriction = false
Hi @mohsplunking, if you need the total count of errors, the solution from @bowesmana is perfect. Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Thanks for your response. The goal is to list the IPs that are causing the maximum http errors, let's say where errors are >100.
Hello, I have this simple input that stopped working after renaming the sourcetype, from Linux server -> indexers:

[monitor:///opt/splunk_connect_for_kafka/kafka_2.13-3.5.1/logs/connect.log]
disabled = false
index = _internal
sourcetype = kafka_connect_log

I restarted the universal forwarder many times, but it is not helping. Any other troubleshooting steps?
Hi @Jana42855, the first step is to know the data to search, otherwise it's very difficult! Anyway, you could start by running a search like the following:

index=<your_index> (src=* OR dest_ip=* OR dest_port=*)

In this way you have all the events containing these fields. Then you can analyze them and identify the index and sourcetype to use. Remember that you can see only the indexes you are enabled for; in other words, if you don't have grants to access an index you don't see it. Ciao. Giuseppe
I added:

| xyseries CT,foo,countE

to my query. I think it's ok.
Hi,   Try this please : <dashboard version="1.1" theme="dark" script="launcher:nopopup.js">
Hi, are there any plans to make this add-on compatible with Splunk Cloud?
Hi guys, I'm trying to figure out what the prerequisites are to validate Splunk, like the running service name / application name in Control Panel / and registry path.
You are not doing what I suggested in my first response. Remove the key_field=_key. You are explicitly telling it to update the SAME row in the KV store.