All Posts
This is a fantastic case study of how Splunk handles major breaker tokens. Splunk is representing the field jobName as containing "(W6)", truncating the remainder of the value. I don't believe it is terminating because of the ") " in the value. After examining how other fields are extracted in this sample, I am convinced that it terminates the string exactly because the ")" closes the opening "(". I'm sure this is described in some linguistic documents but I don't know how to find them. So here's a series of tests to observe.

The simplest case:

| makeresults
| eval _raw = "no_separator=abcdef, quote1 = \"abc\"def, quote2 = 'abc'def, bracket1=(abc)def, bracket2=[abc]def, bracket3 = {abc}def, white_space=abc def"
| extract kvdelim="=" pairdelim=,

Here, I'm explicitly prescribing kvdelim and pairdelim to avoid additional weirdness.

bracket1      (abc)
bracket2      [abc]
bracket3      {abc}
no_separator  abcdef
quote1        abc
quote2        'abc'
white_space   abc

The second one is perhaps trivial except I added a trailing comma after the whitespace entry:

| makeresults
| eval _raw = "quote1a = abc\"def\", quote2a = abc'def', bracket1a=abc(def), bracket2a=abc[def], bracket3a = abc{def}, white_space1=abc def,"
| extract kvdelim="=" pairdelim=,

bracket1a     abc(def)
bracket2a     abc[def]
bracket3a     abc{def}
quote1a       abc"def"
quote2a       abc'def'
white_space1  abc def

By adding a trailing comma, white_space1 now includes the part after the white space. Among these, white space behaviors are the most intriguing.

So, the following is dedicated to its weirdness:

| makeresults
| eval _raw = "white_space2=abc def, white_space3 =abc def, white_space4= abc def, white_space5 = abc def, white_space6 = abc def, white_space7 = abc def,"
| extract kvdelim="=" pairdelim=,

white_space2  abc def
white_space3  abc def
white_space5  abc def
white_space6  abc
white_space7  abc def

Here, you see some dynamics between white space(s) before and after "="; white space(s) before and after the first consequential non-space string also have some dynamics. White space dynamics also affect other brackets. Double quote is perhaps the best protection of intention:

| makeresults
| eval _raw = "quote1b=\"abc\" def, quote1c =\"abc\" def, quote1d= \"abc\" def, quote1e = \"abc\" def, quote1f = \"abc\" def, quote1g = \"abc\" def,"
| extract kvdelim="=" pairdelim=,

quote1b  abc
quote1c  abc
quote1e  abc
quote1f  abc
quote1g  abc

The takeaway from all these is that developers need to express their intention by properly quoting values and, like @PickleRick suggests, judiciously using white spaces. Unprotected strings are subject to wild guesses by Splunk - or any other language. To jog Mark's memory: Pierre had launched an initiative to encourage/beg developers to standardize logging practice so logs are more Splunk-friendly. (I would qualify this as "machine-friendly", not just for Splunk.) Any treatment after logs are written - such as the workaround @livehybrid proposes - is bound to be broken again when careless developers make random decisions. Your best bet is to carry on the torch and give developers a good whip.
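As an added example (not part of the post above, and not Splunk's own code), a writer/reader pair for the logging convention this post argues for: quote any value that contains whitespace, delimiters, quotes or brackets on the way out, and parse strictly on the way back in. The reader is a deliberately strict reference parser, not a model of Splunk's extract command, and the sample values are constructed.

```python
import re

# Any of these inside a bare value makes a key=value line ambiguous: whitespace,
# delimiters, quotes and brackets (the post shows a reader closing a value at
# the matching ")" / "]" / "}"). Such values are quoted on the way out.
_NEEDS_QUOTING = re.compile(r'[\s,="\'()\[\]{}\\]')

# One pair: key "=" then a double-quoted string with backslash escapes, or a
# bare run containing neither comma nor quote; terminated by "," or end of line.
_PAIR = re.compile(
    r'\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^,"]*?))\s*(?:,|$)'
)

def quote_value(value: str) -> str:
    """Leave parser-safe values bare; otherwise double-quote and escape them."""
    if value and not _NEEDS_QUOTING.search(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def format_kv(fields: dict) -> str:
    """Render a dict as 'k=v, k=v' so the writer's intent survives any reader."""
    return ", ".join(f"{k}={quote_value(v)}" for k, v in fields.items())

def parse_kv(line: str) -> dict:
    """Read a line written by format_kv; reject anything the grammar cannot
    explain instead of guessing where a value ends."""
    out, pos, line = {}, 0, line.strip()
    while pos < len(line):
        m = _PAIR.match(line, pos)
        if m is None:
            raise ValueError(f"unparseable input at offset {pos}: {line[pos:]!r}")
        if m.group("quoted") is not None:
            out[m.group("key")] = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        else:
            out[m.group("key")] = m.group("bare")
        pos = m.end()
    return out

def roundtrip(fields: dict) -> bool:
    """True when parse_kv(format_kv(fields)) gives back exactly what was written."""
    return parse_kv(format_kv(fields)) == fields

# Constructed sample: the "(W6)" prefix from the thread plus values that defeat
# bare parsing (embedded quote, brackets, whitespace, backslashes).
SAMPLE = {"jobName": "(W6) nightly export", "quote1a": 'abc"def',
          "bracket1": "(abc)def", "path": "C:\\tmp\\x"}
```

Fed the post's own unquoted test string, the strict reader keeps `bracket1=(abc)def` whole and rejects `quote1b="abc" def` outright, which is the difference between a reader that guesses and one that insists on the writer quoting properly.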
If you remove the read permission for that user role from the app permission, that user will no longer be able to select that app.
Need to provide user upload lookup only on one particular app permission. Hi, I need to assign permission to a particular role/user so that they can upload their CSV lookup files to only that particular app, not to any other apps. Can anyone help me with it?
Hi @kiran_panchavat, in my case I don't use INDEXED_EXTRACTIONS = JSON, which I believe helps to automatically handle and ignore square brackets [] based on the detection of the JSON format. Since I'm using transforms.conf to assign a sourcetype, every time the file is ingested, the indexer treats the [ character as a separate event. Do you know if there's any way to ignore the square brackets if I do not use INDEXED_EXTRACTIONS = JSON? Additionally, I've noticed another issue: whenever the JSON file gets overwritten with new content, whether it contains previously indexed data or new data, my script pulls it again and the indexer re-indexes the file, resulting in duplicate entries in the index.
You should raise a support ticket if you are a paid customer; otherwise create an idea for this in ideas.splunk.com. The community is not an official Splunk support forum and they don't take and create cases from questions which are asked here.
There's a small mistake in @gcusello's formula. src_interface and src_int should be coalesced (also a small spelling error), not renamed.

(index=network "arp-inspection" OR "packets received") OR (index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*")
| eval NetworkDeviceName=coalesce(NetworkDeviceName, Network_Device), src_int = coalesce(src_int, src_interface)
| rename mnemonic AS Port_Status
| stats earliest(device_time) AS device_time values(User_Name) AS User_Name values(src_ip) AS src_ip values(src_mac) AS src_mac values(message_text) AS message_text values(Location) AS Location values(Port_Status) AS Port_Status BY "NetworkDeviceName", "src_int"
| table device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status
SIX years later and this is still the behavior. Why is this even allowed to persist? The DESIGN of your software practically means the only foolproof way to deploy ssl is to use the password "password" because splunk *just might not* feel like re-hashing anything.  Do YOU think it's worth your time to fix this for the love of the hundreds of millions of dollars you've earned? @splunk You owe me and my partner some hair. 
This seems to be some fancy modern top-like program. And I suppose it shows separate threads of a single splunkd process. Notice that the memory usage is identical for all those entries.
I can also confirm that UF is working in my environment on several macOS 15.4 machines, both Intel and M3. But the initial versions of those were lower than 9.4 and were then updated.
It's exactly this way what you need to do. In your case this must all be done with props and transforms instead of defining it in inputs.conf. Clone the sourcetype to send it to the HF and filter it like you need, and send the original to the local indexers. You can check the next links:
- https://community.splunk.com/t5/Getting-Data-In/How-can-I-use-CLONE-SOURCETYPE-to-send-a-cloned-modified-event/m-p/317487
- https://www.tekstream.com/blog/routing-pii-data-to-multiple-indexes/
Those explain this with samples.
You must add all needed fields in the stats command if you want those to be present after its execution. Use values(a) as a values(b) as b like is already used there. Here is one old post which explains how you should replace different joins in SPL: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948
This seems to work but does not return any of the fields from the index=cisco_ise. These are the fields in reference to the data:

index=network: src_interface, Network_Device, message_text
index=cisco_ise: src_int, NetworkDeviceName, User_Name, Location, src_ip, src_mac

Thank you.
Example?  Screenshot?
For multiple sourcetypes, linecount is 2, while clearly, it should be 1. Has anybody encountered this case?
Hi @Nicolas2203

Soo...if you want to redact your logs sent to one place but not redact them sent to the other, then I think you would have to use CLONE_SOURCETYPE and then apply some redaction and routing of this new sourcetype as required.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @gpalau

Please could you confirm the permissions that you have on the installation?

ls -ltr /Applications/SplunkForwarder

Are you intending to run Splunk as your own user? According to the docs (https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#:~:text=for%20this%20platform.-,Mac%20operating%20systems,-The%20table%20lists) Mac OS 15.4 Sequoia is not yet supported *however* I am running this myself on an M1 Silicon Mac running 15.4 without issue, so it should work, but consider that it might not be officially supported.

For reference, on my installation the permissions are as follows:

ls -l /Applications/ | grep SplunkForwarder
>> drwxr-xr-x@ 17 MyUsername wheel 544 17 Apr 17:07 SplunkForwarder

ls -l /Applications/SplunkForwarder
drwxr-xr-x 27 MyUsername wheel 864 20 Feb 19:41 bin
-r--r--r-- 1 MyUsername wheel 57 20 Feb 16:30 copyright.txt
drwxr-xr-x 32 MyUsername wheel 1024 17 Apr 17:07 etc
-rw-r--r--@ 1 root wheel 0 17 Apr 17:06 Icon?
drwxr-xr-x 3 MyUsername wheel 96 20 Feb 19:23 include
drwxr-xr-x 32 MyUsername wheel 1024 17 Apr 17:06 lib
-r--r--r-- 1 MyUsername wheel 59708 20 Feb 16:30 license-eula.txt
drwxr-xr-x 5 MyUsername wheel 160 17 Apr 17:07 openssl
-r--r--r-- 1 MyUsername wheel 522 20 Feb 18:01 README-splunk.txt
drwxr-xr-x 4 MyUsername wheel 128 20 Feb 19:23 share
-r--r--r-- 1 MyUsername wheel 53332 20 Feb 19:41 splunkforwarder-9.4.1-e3bdab203ac8-darwin-universal2-manifest
drwxr-xr-x 3 MyUsername wheel 96 20 Feb 19:24 swidtag
-rw-r--r-- 1 MyUsername wheel 0 20 Feb 19:23 uf
drwx--x--- 7 MyUsername wheel 224 17 Apr 17:07 var

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@gpalau

You're running macOS 15.4 (Sequoia), which is not officially listed as supported yet. The permission errors you're encountering when running Splunk Universal Forwarder 9.4.1 on macOS 15.4 are likely due to incorrect ownership or permissions for the Splunk Forwarder directories, or the process not being run with sufficient privileges.

If the permissions issue persists, you can try resetting the permissions for the entire Splunk Forwarder directory:

sudo chown -R $(whoami) /Applications/SplunkForwarder
sudo chmod -R 755 /Applications/SplunkForwarder

macOS supports the below:
I went ahead and re-installed the Splunk Forwarder manually, and on the last step of the .pkg install it reads:

Click the "Splunk" icon on the Desktop to start and connect to Splunk.
To start Splunk manually, open a Terminal window and run the command:
$ /Applications/Splunk/bin/splunk start
Documentation: http://docs.splunk.com/Documentation/Splunk

However the installation path is /Applications/Splunk Forwarder/bin. Then you have to manually run a command line to approve the license?
Hi @MrGlass, Splunk isn't a database, so the join command must be used only when there isn't any other solution and when you have little data; instead use stats, something like this:

(index=network "arp-inspection" OR "packets received") OR (index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*")
| eval NetworkDeviceName=coalesce(NetworkDeviceName, Network_Device)
| rename mnemonic AS Port_Status
| rename src_interface AS "src_int"
| stats earliest(device_time) AS device_time values(User_Name) AS User_Name values(src_ip) AS src_ip values(src_mac) AS src_mac values(message_text) AS message_text values(Location) AS Location values(Port_Status) AS Port_Status BY "NetworkDeviceName", "src_int"
| table device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status

Ciao.
Giuseppe
I installed Splunk Forwarder 9.4.1 on macOS 15.4 and on first run I get a bunch of permission errors:

Warning: cannot create "/Applications/SplunkForwarder/var/log/splunk
Warning: cannot create "/Applications/SplunkForwarder/var/log/introspection"
Warning: cannot create "/Applications/SplunkForwarder/var/log/watchdog"
Warning: cannot create "/Applications/SplunkForwarder/var/log/client_events"
This appears to be your first time running this version of Splunk.
Could not open log file "/Applications/SplunkForwarder/var/log/splunk/first_install.log" for writing (2).

However these folders have the right permissions. A bit lost as to what to do here.