All Posts
@ankitarath2011 , Apologies for the delay, as I have been out of the office. The issue you are reporting is very different than what is discussed on the current post, and needs a new thread. Could you rephrase your full question in a new post, and tag me in it? I tried to start a new one for you that we could continue on, but I'm not certain of the full context of your issue and question. Regarding increasing maxBundleSize, it is normally a better practice to manage bundle sizes using the [replicationWhitelist] or [replicationBlacklist] stanzas in distsearch.conf. Raising bundle size limits or raising bundle replication timeouts can cause bundles to take longer to reach your indexers. By default, Search Heads use knowledge bundles to send nearly the entire contents of all of their apps to the indexers. If an app contains large binaries that do not need to be shared with the indexers, reduce the size of the bundle by whitelisting or blacklisting particular files or types of files. See: Splunk Documentation: Limit the knowledge bundle size. Also as an aside, in the event this might be helpful, Admins Little Helper for Splunk can be used to view bundle contents (and computed/expected contents). I will be out this coming week also but will check periodically for your new post. I will not respond on this thread. Thank you,
I would write a script that converts the CSV into K=V format and run it as a scripted input.
Hi, Hello, thank you for your answer. I want to determine the active use of the old SMBv1 protocol. Because as you may know, SMBv1 is not secure at all. So we want to analyze all the servers in the AD with event ID 3000 and sort them according to the number of events corresponding to event code 3000 that occurred on each of them. Thanks for the reply. I want to determine who is actively using the old protocol SMBv1. Because as you may know, SMBv1 is not secure at all. So we want to scan all servers in AD with event ID 3000, and sort them by the number of events matching event code 3000 that occur on each of them. Regards
Hi all, I have CSV files (they are exports from the Garmin R10 launch monitor session data via the Garmin Golf app) that contain 2 header lines: the first header line contains the field names and the second header line contains the unit of measurement (or blank if not applicable). For example:

Date,Player,Club Name,Club Type,Club Speed,Attack Angle,...
,,,,[mph],[deg],...
09/10/23 10:00:45 AM,Johan,7 Iron,7 Iron,70.30108663634557,-7.360383987426758,...

Now, I would like to index the data in one of 2 ways:
1. Add the unit of measurement to the value, so that it would become "70.30108663634557mph" for the Club Speed field.
2. Add an additional column that contains the unit of measurement: add column "Club Speed UOM" with value mph for every line indexed from the CSV file, and do this for every column that contains a valid unit of measurement.
For me, option 2 would be the preferred option. A third option would be to skip the unit of measurement line altogether, but I would rather not use this option. I would appreciate any help that points me in the right direction to solve this challenge. Thanks in advance.
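The scripted-input approach suggested in the reply above (convert the CSV to key=value and let Splunk read the script's output), worked through for the two-header-line Garmin layout from this post. This is an added example, not code from the thread or from Garmin or Splunk; the sample rows are constructed to mirror the layout described, the `[mph]`-style bracket convention for the units row is assumed, and field names with spaces are rewritten with underscores (so "Club Speed UOM" becomes `Club_Speed_UOM`) because Splunk's automatic KV extraction does not handle keys containing spaces.

```python
"""
Added example (not from the Splunk Community thread): a scripted input that turns a
CSV with two header rows (field names, then units) into one key=value event per row.
Assumptions: the units row uses "[mph]"-style brackets and is blank for unitless
columns; the sample CSV below is constructed for the demo.
"""
import csv
import io
import re
import sys

# Constructed sample mirroring the Garmin export layout described in the post.
SAMPLE_CSV = """Date,Player,Club Name,Club Type,Club Speed,Attack Angle
,,,,[mph],[deg]
09/10/23 10:00:45 AM,Johan,7 Iron,7 Iron,70.30108663634557,-7.360383987426758
09/10/23 10:01:02 AM,Johan,Driver,Driver,95.2,2.5
"""

UNIT_RE = re.compile(r"^\[(.+)\]$")


def parse_units(cells):
    """Map column index -> unit name for cells like "[mph]"; blank cells are skipped."""
    units = {}
    for i, cell in enumerate(cells):
        m = UNIT_RE.match(cell.strip())
        if m:
            units[i] = m.group(1)
    return units


def kv_quote(value):
    """Quote values containing whitespace or '=' so KV extraction keeps them intact."""
    value = str(value).replace('"', '\\"')
    return f'"{value}"' if re.search(r"[\s=]", value) or value == "" else value


def csv_to_kv(text, mode="uom_field"):
    """
    Return one key=value line per data row.
    mode="uom_field": add <Field>_UOM=<unit> next to each value that has a unit (option 2)
    mode="suffix":    append the unit directly to the value, e.g. 70.3mph (option 1)
    """
    rows = list(csv.reader(io.StringIO(text)))
    if len(rows) < 2:
        return []
    header, unit_row, data = rows[0], rows[1], rows[2:]
    units = parse_units(unit_row)
    events = []
    for row in data:
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        pairs = []
        for i, name in enumerate(header):
            value = row[i] if i < len(row) else ""
            unit = units.get(i)
            if unit and mode == "suffix":
                value = f"{value}{unit}"
            key = name.strip().replace(" ", "_")
            pairs.append(f"{key}={kv_quote(value)}")
            if unit and mode == "uom_field":
                pairs.append(f"{key}_UOM={unit}")
        events.append(" ".join(pairs))
    return events


if __name__ == "__main__":
    # As a scripted input, pass the CSV path as the script argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    for line in csv_to_kv(text):
        print(line)
```

Each printed line is one event, so the script can be wired up as a scripted input and the fields arrive already extracted; switching `mode` to `"suffix"` gives the first option from the post instead.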
Hi @michael_vi, for monitoring forwarders, no configuration is required from the forwarder side. In the Monitoring Console: MC > Settings > Forwarder monitoring setup > Forwarder monitoring > Enable, and save. After some time, MC > Forwarders > Forwarders: Deployment shows the forwarders list and their health. P.S: the deployment server cannot monitor forwarder health.
Hi, I didn't find detailed info on how to connect Universal Forwarders to the Monitoring Console. In our organization there is no deployment server, but we do want to monitor Splunk UF/HF with the Monitoring Console, so the info can be seen on MC > Forwarders > Forwarders: Deployment. What are the steps on the UF side to configure this? Thanks
Hi @darphboubou, you have to do two actions:
1. exactly identify and list in a document what you need to display: e.g. stats for users, a table displaying a list of fields (e.g. timestamp, user, host, ip, etc.)
2. create some searches to execute your requirements.
The most difficult action is the first (usually a job in Splunk requires 70% of target technology knowledge and 30% of Splunk knowledge). About Splunk knowledge, I suggest following the Splunk Search Tutorial ( http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial ), which teaches you how to search in Splunk. So, please, describe your use cases. Ciao. Giuseppe
Hi, We wonder how to monitor SMBv1 access in a domain. We have already enabled the event code 3000 log in the Windows log. Now we want to know who uses SMBv1 to access every host. To start we use this request:

index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"

But now we want to display in a table / stats, for each host, each computer / user that accesses it. Could you help us please?
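The per-host, per-client breakdown asked for in this post and in the follow-up above, worked through as an added example (not code from the thread, from Splunk or from Microsoft): it takes event 3000 records from the SMBServer/Audit log, counts them per server and lists the distinct clients seen, then sorts servers by event count. In SPL this is the `stats count ... by host | sort - count` step on the search quoted above; here it is written in Python over constructed records so it can be run offline. The event dicts are constructed, and the "Client Address:" line assumed in the message body is an assumption about the audit event's text, not something taken from the post.

```python
"""
Added example (not from the Splunk Community thread): aggregate SMB1 access audit
events (Microsoft-Windows-SMBServer/Audit, EventCode 3000) per server and per client.
The records below are constructed; the "Client Address:" field in the message body
is assumed, not taken from the post.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: each dict stands for one indexed Windows event.
SAMPLE_EVENTS = [
    {"host": "fileserver01", "EventCode": 3000,
     "Message": "SMB1 access\n\nClient Address: 10.1.2.3\n\nGuidance: ..."},
    {"host": "fileserver01", "EventCode": 3000,
     "Message": "SMB1 access\n\nClient Address: 10.1.2.9\n\nGuidance: ..."},
    {"host": "fileserver01", "EventCode": 3000,
     "Message": "SMB1 access\n\nClient Address: 10.1.2.3\n\nGuidance: ..."},
    {"host": "dc01", "EventCode": 3000,
     "Message": "SMB1 access\n\nClient Address: 10.1.2.3\n\nGuidance: ..."},
    {"host": "dc01", "EventCode": 1001,  # unrelated event, must be ignored
     "Message": "Something else"},
]

CLIENT_RE = re.compile(r"Client Address:\s*(\S+)")


def extract_client(message):
    """Pull the client address out of the event text; None if it is absent."""
    m = CLIENT_RE.search(message or "")
    return m.group(1) if m else None


def smb1_usage_by_host(events):
    """
    Return [(host, event_count, [distinct clients...]), ...] sorted by event count
    descending, then by host name, considering only EventCode 3000 records.
    Equivalent to: ... EventCode=3000 | stats count values(client) by host | sort - count
    """
    counts = Counter()
    clients = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != 3000:
            continue
        host = ev["host"]
        counts[host] += 1
        client = extract_client(ev.get("Message"))
        if client:
            clients[host].add(client)
    return sorted(
        ((host, n, sorted(clients[host])) for host, n in counts.items()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    for host, n, client_list in smb1_usage_by_host(SAMPLE_EVENTS):
        print(f"{host}\t{n}\t{','.join(client_list)}")
```

The filter on `EventCode` matters: the same audit channel can carry other event IDs, and counting those would inflate the ranking of a server that is not actually serving SMB1 clients.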
I'm having the same issue as the owner of the post. I tried your index=_internal host=___ ; I typed in my agent1, agent2 and agent3 along with controller each time, and data popped up for each of the 4 of them. But when I type in the command Index=”main” host=* | table host | dedup host it does not show anything at all? Can you help me troubleshoot this?
I am learning Splunk for the first time in my course. I had this task of setting up 4 VMs through VMware Workstation, 1 being the controller, a CentOS GUI, and the other 3 being agents, CentOS CLI. I went through the configuration of the VMs; they all ping each other fine. I SSH'd Splunk onto the 4 VMs using MobaXterm. After creating the 9997 port on the controller and saving the port, I configured each agent to have their agent IP address forward to the port of my controller. After going through my lab, at the last part I had to type in an input Index=”main” host=* | table host | dedup host ; this had no results. I was told if nothing popped up I would have to troubleshoot by rebooting my VM and my host system, but that didn't fix it. Would love some insights.
Just because you installed two components doesn't mean they know how to talk to each other.
1. What version of Splunk did you install? (Splunk Free or Splunk Enterprise with a proper commercial or trial license)
2. Did you configure the UF on/after installation in any way?
I believe it's the https://docs.splunk.com/Documentation/DBX/3.14.1/DeployDBX/Prerequisites#Configure_Java_Runtime_Environment_.28JRE.29_for_Splunk_DB_Connect step. (True, the docs could say how to do it without the GUI; it might be worth posting a docs feedback - bottom of the webpage)
Hi @Cranie, if in your events you have one of the two fields RunID or ControllingRunID, you can use the solution from @yuanliu, even if you could simplify your token search:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
| eval RunID = coalesce(RunID, ControllingRunID)
| stats values(RunID) as RunID

If instead you could have both fields in the same event, you should use a more structured search. In the token:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
| rename RunID AS token
| fields token
| append [
    | inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
    | rename ControllingRunID AS token
    | fields token ]
| dedup token
| fields token

and in the search:

<your_search> (ControllingRunID="$token$" OR RunID="$token$")

Ciao. Giuseppe
Hi @Aus01, the usual issues in these situations are the following:
did you enable Receiving on the Splunk Enterprise VM [ Settings > Forwarding and Receiving > Receiving ]?
did you configure your Universal Forwarder to send logs to the Splunk Enterprise VM?
did you disable the local firewall on both machines?
Ciao. Giuseppe
Splunk does not have an IP version check per se. But you can hack ipmask to your advantage. ipmask only works with IPv4. So, if you are confident that your query returns legitimate IP addresses, you can tell IPv4 from IPv6.

| dbxquery query="select IP from tableCompany"
| eval IP = if(isnull(ipmask("255.255.255.255", IP)), IP . "/128", IP . "/32")

Here is a snippet to help you observe how ipmask works in this context:

| makeresults
| eval ip = mvappend("10.11.12.13", "::")
| mvexpand ip
| eval hostmask4 = ipmask("255.255.255.255", ip)

Netmask 255.255.255.255 also serves as an IPv4 validator. IPv6 can be validated using regex, but if your database is trustworthy, you can save this trouble.
I know this is an old one, but my searches brought me here and it might bring someone else here. After going through installing new Java versions and all the JAVA_HOME settings, I used my EDR tool and noticed this file was being called:

/opt/splunk/etc/apps/splunk_app_db_connect/linux_x86_64/bin/customized.java.path

It had a reference to the older Java version and not the new one. I updated the path in there. So for anyone who finds this and has problems starting up the taskserver after updating Java: search for the "customized.java.path" file in the DB Connect app folders.
Hello, The CSV file is derived from dbxquery, so I need to figure out how to append /128 for IPv6 and /32 for IPv4. Does Splunk have a function to check if an IP is IPv4 or IPv6?

| dbxquery query="select IP from tableCompany"
| eval IP = if ( isIPv4(IP), IP=IP . "/32", IP=IP . "/128")

Thank you so much
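The version check asked about here, and answered above with the ipmask trick, worked through as an added example (not code from the thread or from Splunk): it classifies each address returned by the query as IPv4 or IPv6 and appends /32 or /128, the same output the `| eval IP = if(isnull(ipmask(...)), ...)` step produces. It goes one step further than the SPL version: an entry that is not a valid address of either family is flagged as invalid instead of being treated as IPv6, which is the caveat the answer above makes ("if you are confident that your query returns legitimate IP addresses"). The sample rows are constructed and the `IP_cidr` / `IP_version` field names are assumptions.

```python
"""
Added example (not from the Splunk Community thread): classify addresses from a
query result as IPv4 or IPv6 and append the host-route prefix length (/32 or /128).
Invalid strings yield None instead of being assumed to be IPv6. The sample rows
and the IP_cidr / IP_version field names are constructed for this demo.
"""
import ipaddress


def ip_version(text):
    """Return 4, 6, or None when the string is not a valid IP address of either family."""
    try:
        return ipaddress.ip_address(text.strip()).version
    except (ValueError, AttributeError):
        return None


def with_host_prefix(text):
    """Append /32 for IPv4 and /128 for IPv6; return None for anything else."""
    version = ip_version(text)
    if version == 4:
        return f"{text.strip()}/32"
    if version == 6:
        return f"{text.strip()}/128"
    return None


def annotate_rows(rows):
    """
    Equivalent of the '| eval IP = ...' step over a list of {'IP': ...} dicts such as
    dbxquery would return: adds IP_cidr and IP_version to each row without modifying
    the input. Rows whose IP is invalid get None in both fields so they can be reviewed.
    """
    out = []
    for row in rows:
        annotated = dict(row)
        annotated["IP_cidr"] = with_host_prefix(row.get("IP", ""))
        annotated["IP_version"] = ip_version(row.get("IP", ""))
        out.append(annotated)
    return out


# Constructed sample: two valid IPv4/IPv6 entries plus two malformed ones.
SAMPLE_ROWS = [
    {"IP": "10.11.12.13"},
    {"IP": "::"},
    {"IP": "2001:db8::1"},
    {"IP": "10.11.12"},     # too few octets: ipmask would return null and the SPL would call it IPv6
    {"IP": "256.1.1.1"},    # octet out of range
]

if __name__ == "__main__":
    for row in annotate_rows(SAMPLE_ROWS):
        print(f"{row['IP']:>14}  version={row['IP_version']}  cidr={row['IP_cidr']}")
```

The two malformed rows illustrate the difference from the `ipmask` approach: there, anything `ipmask` rejects falls into the "/128" branch, so a dirty column would silently produce IPv6-looking values; here they surface as `None` and can be filtered or reported before the data is used.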
I have installed the Splunk forwarder on a Windows 10 VM and have Splunk installed on a Debian VM. I have restarted the Splunk forwarder on the Win10 VM, but when I log into Splunk Enterprise on the Debian VM and go into Search & Reporting > Data Summary there is no listing of the Win10 VM in either the hosts or source list. Does anyone have any idea what I could be doing wrong or any suggestions of things I could try?
Thank you. 
The add-on requires Python, so it must be installed on a HF. This is per the docs at https://www.cisco.com/c/en/us/td/docs/security/firepower/70/api/eNcore/eNcore_Operations_Guide_v08.html#_Toc76556476 Consider standing up a separate HF for eStreamer inputs.