My organization is a Splunk Cloud subscriber, and I am working on installing the Cisco Secure eStreamer Client Add-On. Currently, on-prem, we have one Heavy Forwarder (enterprise server) and two UFs forwarding events to our cloud indexer. I am wondering what the best practice is for installing the eStreamer Client Add-On. Does the eStreamer Client Add-On have to be installed on the HF, or can it go on the UF? I previously installed it on the HF, but it caused errors with I/O latency (there are many millions of events coming from the Cisco FMC). I'm wondering if there is any way to distribute the load - I know the UF is better for handling many events. Any help would be greatly appreciated.
Please be a little bit more verbose about what you want to achieve. Especially what is the relationship between the fields in those two csv files and the resulting search.
1. I'd check the TA for Windows for eventtypes. There might be one already defined covering your event codes, and your search would be more concise. 2. What do you mean by "does not work"?
OK. So far you're showing us that your HF receives Syn packets from UF (at least that's what I assume because the IPs are filtered out). We don't see if the HF responds to them. The second log - shows the HF having problems with pushing the events downstream (you're showing the output side logs, not inputs). There is more to this than meets the eye.
Does this mean that installation of AppDynamicsAgent via cocoapods will be unavailable for version 2022.5.0 soon?
Unfortunately, End of Maintenance and Support for version 2022.5.0 ended on June 23, 2023.
Hi Shaiju, thank you for your answer. Does this mean that support for version 2022.5.0 will not actually end until this issue is fixed? According to https://docs.appdynamics.com/appd/23.x/latest/en/product-and-release-announcements/maintenance-support-for-software-versions , support for version 2022.5.0 ended on June 23, 2023.
I have a UF that's configured to forward to a healthy intermediate HF (9997). The UF is producing "forcibly closed" errors, but the HF is healthy and is accepting TCP 9997 from other UFs. What could be the reason for this? Troubleshooting attempts made: 1. Confirming with the network team that rules are in place. 2. TCP dump from the destination (HF): packets received. 3. Telnet from the UF to the destination (9997): telnet completes. Any other things I missed? (Attached: tcpdump from the HF; HF's splunkd.log)
Is there a way to send a notification automatically to an analyst's email address when they are assigned as the owner of a notable event? I have seen the email response action, but that only triggers when the notable event is created. I have seen the ticketing system apps, and that function is not what I am looking for. If this is not an option currently, please think about implementing it as a base feature of ES.
Do you have an example of the REST call you used to create the HEC?
This is currently being investigated to evaluate the Alamofire incompatibility for versions succeeding 2022.5.0. We recommend continuing to use version 2022.5.0 to solve the problem.
Hello, thanks for the feedback. I will be more specific next time. I wasn't aware of the dc (distinct count) option in search. In the example you provided, how would I alert when the dc has a count of over 5? Thank you
I had the same issue after a recent Splunk upgrade: the token height was working, then it suddenly didn't. I found that it no longer liked the default condition being blank:

<set token="table1TableHeightCSS"></set>
<set token="table1TableAlertCSS"></set>

so I set the default to '1' and it worked for me:

<set token="table1TableHeightCSS">1</set>
<set token="table1TableAlertCSS">1</set>
Hello, I need help with increasing the default height of a Dashboard label. I can't figure out how this can be done. Currently, when loading the Dashboard, the label and description look like this: [screenshot]. I can manually increase the height to look like this: [screenshot]. But I need it to be defaulted at this height: [screenshot]. If it's not possible, is there a way to add a static text box below the label? Here's the source for the label I currently have:

<label>SiteOne Automated Health Check Clone</label>
<description>test Infrastructure - +13
Press 1 for the Batch Processing Team
Press 2 for the Security Team
Press 3 for the Network Team
Press 4 for the VOIP Team
Press 5 for the Monitoring Team
Press 6 for the Citrix Team
Press 7 for the Server Team</description>
<row>
<panel>

Thanks for any help on this one, Tom
Use the strptime function to convert the current format into epoch form, then use strftime to convert that into the required format. The two functions can be used in a single eval:

| eval timefield=strftime(strptime(timefield, "%d/%m/%y"), "%Y-%m-%d")
Hi @Bastiaan, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @dhiraj, you have to use the eval command with the strftime and strptime functions, like this:

| eval new_date=strftime(strptime(date,"%d/%m/%y"),"%Y-%m-%d")

Ciao. Giuseppe
Hello, I tested your suggestion and it worked, but my CSV file does not have /128. Can you answer the following questions? I appreciate your help.
1. a) Should I add /128 to all IPv6 addresses in my CSV file to get this to work?
   b) If yes, does it mean I need to put in an extra layer to check which one is IPv6 or IPv4 and then append /128?
2. Will OUTPUTNEW work just fine as a regular lookup?
3. a) If I update the CSV file (with new fields), will the lookup definition still work?
   b) Is there a way to automate updates to the lookup definition? I plan on creating an automatic update of the CSV, but it looks like the definition is tied to specific fields.
4. Note that if I use /120, it could return multiple results like the following:
expected ip | test mask 2 | test mask 4 | test mask 6
2001:db8:3333:4444:5555:6666::2101
Have you tried: Business Transaction Discovery Sessions (appdynamics.com)?
Hi, I have dozens of HTML Dashboards (I know it's deprecated...) running on iPads in our production. The Dashboards are used for user input of data our machines can't deliver themselves (like why the produced unit was bad instead of only that it was bad). Basically there are a few big buttons to choose from, to select an error reason for example. If a button is pressed, a Splunk search is executed with a collect command and the selected data is written into a summary index. This works most of the time, but not always. I assume in 10-20% of searches, the search could not be finished because of a network connection error. This also happens sometimes when logging in to Splunk: an error "no network connection" occurs. Our network guys didn't find any issues on their side. And the other interesting part is, it only happens on iPads/iOS. On Windows machines it never happens! Has anybody come across the same issue or something similar? Thanks!