All Posts

Hi @Blessy.Helen Mathew, Since this got no reply from the community, you can try contacting AppD Support. How do I submit a Support ticket? An FAQ 
Hi @Hemnaath, here you can find the latest version (7.0.0): https://docs.splunk.com/Documentation/AddOns/released/AWS/Releasenotes but there isn't any previous version. Anyway, it's a Splunk Supported App, so you can open a ticket to Splunk Support. Ciao. Giuseppe
Hi @aditsss, you have to put the checkmark in place of True, not the following double quotes:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"✔","")
| eval phrase="ReadFileImpl - ebnc event balanced successfully"
| table phrase keyword

Probably it isn't correctly visualized on this page. Ciao. Giuseppe
Hi @karthikm, ok for the input phase, but you need an Add-On for the parsing phase, so you must have an Add-On; otherwise, you have to manually create all the parsing rules. Anyway, the approach is the one I described: you have to override the index value. In addition, I suggest analyzing the Splunk Add-On for Amazon Web Services (AWS) at https://splunkbase.splunk.com/app/1876 because maybe it could help you. Ciao. Giuseppe
Hi @Anu, if you don't have the NAME field, the main search will never have results. Anyway, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @yr, as @PickleRick says, you have only one sourcetype: WinEventLog (or XmlWinEventLog if you're ingesting them as XML). It was changed: before, you had wineventlog:Security. You can distinguish logs based on source. Ciao. Giuseppe
That worked! Thanks a lot
Hi @sekhar463, let me understand: you have to perform a join to extract the status field from the second search, using Node=hostname as keys, is that correct? If this is your requirement, appendcols isn't the solution; you could use "join" but I don't like it because there's the limit of 50,000 results in the second search and because it's very slow. You should correlate events using stats, something like this:

(index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows) OR (index=ivz_em_solarwinds source="solwarwinds_query://Test_unmanaged_Nodes_Data")
| eval hostname=coalesce(hostname,Node)
| stats latest(_time) AS _time values(status) AS status BY hostname
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age<3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| lookup 0010_Solarwinds_Nodes_Export Caption AS hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group, Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group, NodeID AS SW2_NodeID, Enriched_SW AS Enriched_SW2, Environment AS CMDB2_Environment
| eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group)
| table _time, hostname, sourceIp, Status, LastActiveTime, Age, SW2_NodeID, Assign_To_Support_Group, CMDB2_Support_Group, CMDB2_Environment
| where Status="DOWN" AND NOT isnull(SW2_NodeID) AND CMDB2_Environment="Production"
| sort 0 hostname

Please see the approach; if some field is missing, add it to the stats command. Ciao. Giuseppe
Events from EventLog are ingested with the WinEventLog (or XmlWinEventLog if you're ingesting them as XML) sourcetype. There should be no other sourcetypes. The events are distinguishable by source (not sourcetype).
I solved it using the "first" function
Hi @Dayalss, I confirm what @richgalloway said: there isn't any tool or Add-On to directly ingest Excel files; the only way is passing through a CSV conversion performed outside of Splunk before ingestion. You can do this with a script (e.g. in Python) like the ones described in these pages: https://www.google.com/search?q=script+to+convert+an+excel+file+in+csv Ciao. Giuseppe
I've just come here to post the same issue and verified on a fresh install that this is not just an issue with our instance. I have been doing some experimentation and the issue lies in the iframe that the SVG is placed into. There is a CSS attribute called "color-scheme" that has two values: light and dark. Having either of those set forces the background colour of the iframe to be either white, or dark mode. The SVG itself isn't broken; the transparency is just showing the underlying background colour. I removed that attribute in the CSS editor and all is well now. I would have no idea how to override that for now though.
I have tried with the appendcols command but I am not getting the column from the subsearch:

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows
| dedup hostname
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age<3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| lookup 0010_Solarwinds_Nodes_Export Caption AS hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group, Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group, NodeID AS SW2_NodeID, Enriched_SW AS Enriched_SW2, Environment AS CMDB2_Environment
| eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group)
| table _time, hostname, Status, sourceIp, LastActiveTime, Age, SW2_NodeID, Assign_To_Support_Group, CMDB2_Support_Group, CMDB2_Environment
| appendcols [search index=ivz_em_solarwinds source="solwarwinds_query://Solarwinds_PROD_unmanaged_Nodes_Data" | table Node Account Status From Until | dedup Node]
Thank you, will give that a shot
I only get sourcetype wineventlog, but when I add Security or Application or System, then it does not return anything. I have disabled=0 in all inputs.conf stanzas. Thank you for your help
Is there a way to view license usage from the Splunk search head? I'm on Splunk 9.0.3. I've attempted to forward license_usage.log to the Splunk indexer and directly to the Splunk search head from the manager node. The file seems to be forwarded; however, the contents are replaced with a message stating the information is only viewable from the manager node. Another possibility is that license_usage.log is generated by default on both the indexer and search head, so it only looks as though the log is being forwarded. Due to the way our Splunk deployment is distributed, I need to have the web interface disabled on the manager node, so simply logging into the manager node web interface is not an option. To reiterate the question above, is there a way to view licensing information (either through search or the monitoring console) from the Splunk search head?
@hanks @richgalloway this help
Thanks @ITWhisperer 
It depends on the type of Excel file. A .xls file is binary and so will not be ingested by Splunk. The UF's splunkd.log file should confirm this. Newer Excel files are .xlsx, which is XML format. That can be ingested by Splunk, but may be of limited utility if you can't interpret the XML. There are also .xlsm files, which contain macros, but I'm not sure how they're stored. Again, the UF should log a message when it's unable to monitor/ingest a file.
No changes need to be made to the data. Just configure the HF as described earlier. There is an app you must download from your Splunk Cloud search head. Go to the "Universal Forwarder" app and click the green download button. Install the downloaded app on the HFs. Despite the name, the app can be used on either UFs or HFs.