All Posts

Did you ever get an answer for this? I'm having the same problem: my universal forwarder sends it to my indexer to a specific index, but the TA_cisco_ios doesn't seem to do the transform to correct the hostname for me. I'm not clear on what specific change on the TA props.conf or transforms.conf to make to read the specific index.
Hi,
I am trying to form a custom link to the episode/event in the email alert triggered from Splunk ITSI. However, when I open the link to that event or episode directly it always opens the alert and episode link, and you then have to search again for the events and check the details. Is there a way to get a link to the episode directly that a person can open without searching from the list of events?
The link to a specific episode, e.g. https://splunkcloud.com/en-US/app/itsi/itsi_event_management?tab=layout_1&emid=1sdfdff-3cd3-11f0-b7a7-44561c0a81024&earliest=%40d&latest=now&tabid=all-events, when opened in a separate window does not open that specific episode. (The above URL is modified so as not to share the exact URL for the episode.)
Thanks for the response! @livehybrid @richgalloway - yes, the documentation does mention that numerics will be sorted as numbers. I am confused because I thought that by putting quotes around the numbers, they would automatically get appended as strings to the fruit field and not as numbers. So is it right to conclude that even though I added double quotes for numbers while appending them, by default Splunk does not take them as strings? Is explicit type conversion required as an additional step?
Hi @sswigart
Please can you confirm if you can see the _internal events for the hosts which are monitoring those files?
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
I have a requirement to monitor log files created by Trellix on my Windows 11 and 2019 hosts. The log files are located under C:\ProgramData\McAfee\Endpoint Security\Logs\ and are:
AccessProtection_Activity.log
ExploitPrevention_Activity.log
OnDemandScan_Activity.log
SelfProtection_Activity.log
My stanza in inputs.conf is configured as:

[monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log]
disabled = 0
index = winlogs
sourcetype = WinEventLog:HIPS
# start_from, current_only, checkpointInterval and renderXml are settings for
# [WinEventLog://] stanzas; a [monitor://] file input ignores them.
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

Same format for each log. For some reason Splunk is not ingesting the log data.
Hi @cboillot
In that case, you could use props/transforms like this on the first HF/Indexer that the data hits:

# props.conf
[your_sourcetype]
TRANSFORMS-host = ise_host_extraction

# transforms.conf
[ise_host_extraction]
# https://regex101.com/r/7VrxpN/1
REGEX = ^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
I am trying to invoke the threadPrint operation on the MBean java.lang:type=Runtime. I think the UI is telling me that it takes a String array as input, but I can't figure out how to specify an array. I have tried many combinations:
Blank
Empty double quotes
Empty single quotes
Double-quoted values
Single-quoted values
Curly braces
Square braces
A single character
Multiple characters
A few give an immediate syntax error, like quotes aren't allowed. Most give something like this:
failed with error = Unsupported type = [Ljava.lang.String;, value = l
I think it's trying to tell me that my input is not a String array. How do I specify an array?
thanks
Hello PickleRick,
I now know what you mean, the demo link using "| makeresults" fails. Lucky for me the HTML I use seems OK, and I do get the display of the table and the data in the HTML code/file, thanks for the tip. @eholz1
Yes, it is possible exactly the way @livehybrid described. But you still have to manually log in to CM and validate the bundle and push it, so it doesn't save you much work (and makes the process... less obvious).
Be aware though that allowing unescaped, unsanitized HTML code from a potentially unknown source to be displayed is not always the best idea.
I know it has been a while, but did you ever find a solution? I have just encountered this same problem.
@livehybrid Thank you for the quick response. Let me give this a shot; I will keep you posted here on how it goes.
Hi @vikasg
It's possible to do this by setting the repositoryLocation value in deploymentclient.conf, however in terms of supportability and recommendations... well... I'm not sure you'll get much positive encouragement to do this as it's not really recommended. This approach may also break the UI editing capability for managing clients because the UI is not built to manage this setting.

repositoryLocation = $SPLUNK_HOME/etc/apps
* The location where content installs when downloaded from a deployment server.
* For the Splunk platform instance on the deployment client to recognize an app or configuration content, install the app or content in the default location: $SPLUNK_HOME/etc/apps.
* NOTE: Apps and configuration content for deployment can be in other locations on the deployment server. Set both 'repositoryLocation' and 'serverRepositoryLocationPolicy' explicitly to ensure that the content installs on the deployment client in the correct location, which is $SPLUNK_HOME/etc/apps.
* The deployment client uses the following 'serverRepositoryLocationPolicy' to determine the value of 'repositoryLocation'.

Check out the https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Deploymentclientconf docs for more info.
Hello Experts,
I have never done this and wonder if there is a best way to achieve the below. I want to use DS to push initial configurations from DS to CM and then use CM as a proxy for the IDX cluster. I tried the below:
1) added CM as a client, and for the serverclass I have added 'stateOnClient = noop' to each of the app entries just to make sure those applications do not work locally on the CM
2) after the above step the confs land on the CM under /opt/splunk/etc/apps, however I want them to land in /opt/splunk/etc/master-apps
The question is: can DS put the directories in a different location than the default, that is /opt/splunk/etc/apps?
No, I am not using proxy however when I set the Time Format, Time_prefix and MAX_TIMESTAMP_LOOKAHEAD it started working. Thanks for your help.
@livehybrid Thank you for your quick response. It is a custom method. But does HEC not help? Or any apps?
Hello There  Ultra Champ,   Thanks for quick response. I will take a look at the process. Thanks again, @eholz1
Thanks. The server name is not in the source path, but it is in the log right after the date:
Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 (...)
I tried to use extract field from the event view, but that didn't work.
Hi @cboillot
Does the host value have the correct source name, or does this show the syslog server too? Does the syslog server write the files to a folder structure that contains the source hostname that you need within it? e.g. /var/log/syslog/<deviceName>/blah.log? If so you would be able to use the host_segment value https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf#:~:text=host_regex%27.%0A*%20No%20default.-,host_segment%20%3D%20%3Cinteger%3E,-*%20If%20set%20to to specify the host as the source of the log. AFAIK, ise_servername ultimately comes from the 'host' field. If you cannot use host_segment then another option is to use a REGEX props/transform to extract this from the raw event (assuming it is present there). If the other option isn't possible and you'd like some further help writing this, then please provide a sample event.
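Before shipping either approach from the two replies above (host_segment in inputs.conf, or the REGEX/FORMAT/DEST_KEY transform in props/transforms), it is worth checking offline what host value each would actually produce. The following is an added example, not code from the thread or from Splunk: it mimics both mechanisms in plain Python so the regex can be tried against sample lines before it is deployed. The event lines are constructed to mirror the one-line sample quoted in the thread ("Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 ..."); the path /var/log/syslog/ise01/ise.log and host_segment value 4 are assumptions for illustration.

```python
import re

# Constructed sample events modelled on the sample quoted in the thread:
# syslog timestamp first, then the ISE node name as the 4th token. Not real data.
SAMPLE_EVENTS = [
    "Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 CISE_Passed_Authentications ...",
    "Jul 28 00:12:09.000001 SDNWISEP0078 0018346908 CISE_Failed_Attempts ...",
    "malformed line",  # too few tokens: the transform must leave host untouched
]

# Same REGEX / FORMAT as the transforms.conf stanza in the reply above;
# group 1 is the 4th whitespace-delimited token.
HOST_REGEX = re.compile(r"^\S+\s+\S+\s+\S+\s+(\S+)")
HOST_FORMAT = "host::$1"   # FORMAT = host::$1 with DEST_KEY = MetaData:Host


def apply_host_transform(raw, regex=HOST_REGEX, fmt=HOST_FORMAT):
    """Mimic an index-time transform whose DEST_KEY is MetaData:Host.

    Returns the host value that would be written, or None when the REGEX does
    not match (Splunk then keeps whatever host the input already assigned).
    """
    m = regex.match(raw)
    if not m:
        return None
    # Splunk substitutes $1, $2, ... in FORMAT with the capture groups.
    formatted = fmt
    for i, group in enumerate(m.groups(), start=1):
        formatted = formatted.replace(f"${i}", group)
    key, _, value = formatted.partition("::")
    if key != "host":
        raise ValueError(f"FORMAT must produce host::<value>, got {formatted!r}")
    return value


def host_from_segment(source, host_segment):
    """Mimic inputs.conf host_segment = <integer>.

    Segments are counted 1-based over the non-empty parts of the monitored
    path, so /var/log/syslog/<device>/blah.log needs host_segment = 4.
    """
    segments = [s for s in source.split("/") if s]
    if host_segment < 1 or host_segment > len(segments):
        return None
    return segments[host_segment - 1]


def resolve_host(source, raw, host_segment=None):
    """Order of preference suggested in the reply: use host_segment when the
    syslog server writes one directory per device, otherwise fall back to
    extracting the host from the raw event."""
    if host_segment is not None:
        host = host_from_segment(source, host_segment)
        if host:
            return host
    return apply_host_transform(raw)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(repr(line[:40]), "->", apply_host_transform(line))
    print(host_from_segment("/var/log/syslog/ise01/ise.log", 4))
```

The transform only takes effect on the first full Splunk instance (heavy forwarder or indexer) that parses the data; a universal forwarder does not apply props/transforms, which is why the reply says to put it on "the first HF/Indexer that the data hits". If the syslog server prepends its own header to each line, the token positions shift and the 4th token is no longer the device name, so run the regex against a few real lines from each source before relying on it.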
Hi @eholz1
This is possible with some custom JS with a classic dashboard, but not yet possible with Dashboard Studio. Rather than me pasting the whole process here, check out https://community.splunk.com/t5/Dashboards-Visualizations/Render-HTML-code-from-search-result-in-Splunk-dashboard/m-p/221935 which gives an example of how to achieve this.