All Posts

Hi, my env is like UF -> HF -> IDX Cluster. I have many errors on my HF saying it can't receive the data. Some are like: "ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=xxxx:xxxx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload." and some are like "ERROR TcpInputProc - Encountered Streaming S2S error = Received reference to unknown channel_code=1 for data received from src=xxx:xxx". Any help?
Hi Team, how do I write a search query for CPU & memory utilization? Please help on this. Thanks.
@stevediaz - This message tells you that either the macro does not exist, or the macro is not permitted to execute in the search and in the App it is currently being used in. Any Splunk Admin can go and find the macro and its permissions from Splunk UI > Advanced search > Macros in the settings. I hope this helps!!! Kindly upvote if it helps!!!
Hi, we have Splunk Website Monitoring 2.6 on Splunk Enterprise version 7.2.6. All of a sudden I observed that my website monitoring summary page is blank and no URLs are being monitored. Kindly please help.
OK. But on which component did you put this props.conf file? On the UF? Then it's not the proper place for it. UF does not do parsing (except for indexed extractions but it's not the case I suppose) and DATETIME_CONFIG is a setting regarding parsing stage. So put it onto your indexer(s) or intermediate HF(s) if you have them. Also - did you configure DATETIME_CONFIG for the proper sourcetype?
OK. So firstly, you need to make sure you get your logging configured consistently across your whole environment (unless you really want it to be set differently on some servers). Then you need to ingest the files properly. There is an add-on for IIS logs - https://splunkbase.splunk.com/app/3185 Install it, configure inputs as described in the docs (also verify that your IIS logging is configured properly according to the docs), then check if all the files are getting indexed properly.  
Hi team, please let me know how I can get CPU and memory usage by index and API.
@sarit_s6 - Kindly provide sample raw data and tell how you would like to see the events being broken, so we can help.  
@jabezds - Are you getting the full exception trace? Is the error originating from any Python file you have or from a third-party App?  
Data: {"Field1":"xxx","message1":"{0}","message2":"xxx","message3":{"TEXT":"xxxx: xxx\r\n.xxxxx: {\"xxxxx\":{\"@CDI\":\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \",\"@RETURN\":\"xxxx-xxxxxxxxxx-xx-xxxxx\",\"@message4\":\"xxxxxx:xxx\",\"message5\":{\"message6............   I want to extract the new field highlighted above but am not getting any result. This is what I tried: | rex field=_raw "RETURN\\\"\:\\\"(?<Field2>[^\\]+)"
@Chase - Did you try the below search? index="myindex1" OSPath="C:\\Users\\Snyder\\*" | timechart count   I hope this helps!! Kindly upvote if it does!!!
Are you sure your value 3 and value 4 do not contain, for example, white space?  I cannot help but notice that you did not quote "value 3" and "value 4".  If the search is illustrative, it should be something like index=test_01 EventCode=4670 NOT ("Field 1" = value1 OR "Field 1" = value2) NOT (Process_Name = "value 3" OR Process_Name = "value 4")
@danielbb - This automatic lookup could be present in any App. You can try to find where it is by going to Splunk UI > Lookups > Automatic lookups, selecting All App and Any Owner, filtering for HTTP_STATUS, and trying to find which App contains this lookup. You should be able to fix it from there as well. I hope this helps!!!
You can use   \b(?<event_name>[^|]+)\|(?<task_id>\d+) (?<event_id>\d+)   You know you don't have to use a delimiter to extract fields. You can select regex instead. This is one way to do it: Alternatively, you can use the selector. (Most of the time, Splunk will come up with a good regex.)
Seems like it is a browser issue. This error is from Chrome, and I changed to Edge and no errors seen.
Just as a follow-up: with .csv I definitely get an error. I get the error: Non-result: ERROR The lookup table 'not_really_my_lookup_name.csv' requires a .csv or KV store lookup definition.. Without .csv I get the same error but *also*: Non-result: ERROR The lookup table 'not_really_my_lookup_name' is invalid..
I basically have a long playbook consisting of sub-playbooks. I have 5 artifacts in a container I am using, where 4 will be dropped via 4 different decision actions and posted to a Confluent topic. The final artifact will make it through to the end of the playbook and also be posted in a Confluent topic. When I run each artifact individually, they work perfectly. However, when I try to run "all artifacts (5 in the container)" to simulate the artifacts coming in at the same time, they are each posted 5 times in the Confluent topic, totaling 25 instead of just 5. I have two hunches as to where the problem might be; one where the phantom.decision() is evaluating to True, despite only one artifact matching that criterion and just posting all 5 instead of 1 artifact. The other is that there is no "end" after my Post actions, so each artifact is being posted to Confluent, but then also continuing to the next Playbook against my intentions. I have no idea what is causing this and haven't found much in terms of documentation for my issue. I just find it annoying that they will work perfectly fine individually but the opposite when called together. This might be how it is designed to be, or probably that I'm doing something simply incorrectly, but any help regarding this would be greatly appreciated!
Are you looking for this one... https://splunkbase.splunk.com/app/3283 Or check the other two apps... https://splunkbase.splunk.com/apps?keyword=HL7
Thanks
Where can I find the HL7 add-on for Splunk? We created a solution around this for the healthcare field. We now have an official go-ahead for a POC with Splunk in Asia. We need the HL7 add-on. Can you please help us? Thanks, Sanjay