I have devices using a specific v4 address range and a specific v6 address range. I'd like to get the percent of devices using the v6 range so we can track the progress of the conversion. I'm new to Splunk so I'm not sure how to proceed. 
Hi @markturner14

The easiest way is from the Monitoring Console: click Settings -> Forwarder Monitoring Setup, then click "Rebuild Forwarder assets...". This will rebuild the lookup table based on the time period you select.

Alternatively you can use a search (within the splunk_monitoring_console app) or the lookup editor to manually delete entries, although a rebuild is generally advised instead, unless you have so many forwarders that the search would take a long time to run.

| inputlookup dmc_forwarder_assets where NOT hostname IN ("host1ToRemove","host2ToRemove") | outputlookup dmc_forwarder_assets

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
That causes Splunk to rebuild the whole forwarders database from scratch, which might be a bit resource-intensive. If someone is brave enough and knows what they're doing, one can try to manually filter out entries from the dmc_forwarder_assets lookup. But be warned - you might break things and need to rebuild the database anyway.
I have updated my response (I couldn't remember if the default was to format with "OR" or not!)
Hi @ITWhisperer,

Thank you for your help. With your suggestion, I also included a format command to format the output with "OR", which is now working.

index=* [| inputlookup hostList.csv | eval string="host=".host."*" | table string | format]

Once again, thank you for the help @ITWhisperer.
In the CMC, go to Forwarders->Forwarder monitoring setup and click the "Rebuild forwarder assets" button.
Hi All, I'm looking to remove missing forwarders, where the servers have been permanently removed, reported by CMC. I cannot see any way of doing this. Is this something that I have to raise a support case for?

Many thanks
Mark
Don't you have some search-time field defined overriding the original one? What does the search log say (especially the LISPY part) when you search for a specific sourcetype?
Hi @livehybrid  I'll assess again with the SQS-s3 Connector, and I'll need to ingest both historic data as well as ongoing data stream. By the initial observations I think I'll need to use multiple SQS-s3 Connectors or would need to use Lambda to process those into single SQS-s3 Connector. Please let me know if there's any other alternative to this assumption. Thanks!
Hi Guys, I'm trying to run a playbook and send an email using the SMTP services but not able to do it. When I tested send email from the SOAR CLI it was working but from the console it's not happening. Can anyone tell me how to send emails from SOAR using "Passwordless" method? Unable to find the instructions or SOP on Splunk.   I've tested the connectivity over port 25 towards the SMTP server, and it's working.
Hi all, I want to extract fields from a custom log format. Here's my transforms.conf:

REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(.*)
FORMAT = name::$1 version::$2 message::$3
DEST_KEY = _meta

This regex is supposed to extract the following from a log like:

Jul 27 14:10:05 1.2.3.4 1 2025-07-27T14:09:05Z QQQ123-G12-W4-AB iLO6 - - - iLO time update failed. Unable to contact NTP server.

Expected extracted fields:

name = QQQ123-G12-W4-AB
version = iLO6
message = iLO time update failed. Unable to contact NTP server.

The regex works correctly when tested independently, and all three groups are matched. However, in Splunk, only the first two fields (name and version) are extracted correctly. The message field only includes the first word: iLO. It seems Splunk is stopping at the first space for the message field, despite the regex using (.*) at the end.

Any idea what could be causing this behavior? Is there a setting or context where Splunk treats fields as single-token values by default? Any advice would be appreciated!
Unfortunately No! And after weeks yet I don't know what the problem is!
Almost bizarre that there is no repo available for a product pretending to be a business product.
Question is whether you don't blacklist them (to be honest, I don't remember how whitelist/blacklist interact - which one prevails). And about the thruput issue - it shouldn't drop events selectively - it would throttle output, which in turn would throttle input, so you would have a (possibly huge) lag ingesting events from this UF, but it shouldn't just drop events. Dropping events could occur in an extreme case if you lagged so much that Windows rotated the underlying event log so that the UF couldn't read the events from a saved checkpoint. But that's relatively unlikely and you'd notice that because this UF would have been significantly delayed already.
@n_hoh Can you share your inputs.conf and event flow (like UF->HF->Idx)?
@PrewinThomas I need to be capturing all event IDs associated with cert services; however, for testing purposes I was looking specifically for 4876, 4877. And yes, the CA server is running the universal forwarder. Unsure how to check if Splunk is dropping high-volume events, so if you could point me in the right direction for that I will check on that; however, looking at the event logs on the CA server, I would not say these events are particularly high-volume: <100 in the past week across all the events for cert services.
@PickleRick the events are in the Security eventlog, which, other than the event IDs related to cert services (e.g. 4876, 4877, 4885, 4886, 4887, 4888, 4889), can be seen in Splunk. All these event IDs are whitelisted for the WinEventLog Security channel in the inputs.conf.
If I understand correctly, the events you're interested in are not in the Security eventlog but in another one (Certification Services\Operational?). Since you've probably not created an input for this eventlog, you're not pulling events from it. You have to create an inputs.conf stanza for that particular eventlog if you want it to be pulled from the server.
@n_hoh Which event IDs are you looking for (4886, 4887, 4888, 4889, 4885)? Assuming your CA server is running UF, does Splunk drop high-volume events due to bandwidth throttling? If yes, try setting the throughput in limits.conf:

[thruput]
maxKBps = 0

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi All, I've been tasked with setting up logging for Windows Certification Services and getting this into Splunk. I have enabled the logging for Certification Services and can see the events for this in the Windows Security log. In Splunk I can see the Windows Security logs for the CA server; however, the Certification Services events are missing. I've confirmed in the inputs.conf that the event IDs I'm looking for are whitelisted. Does anyone have any other suggestions on what can be checked?