All Posts

As the title suggests, I have multiple Universal Forwarders sharing the same instance GUID, due to a mistake by the owners of the servers: they were just copying the .conf files from server to server. So my question is, what is the impact of this? I think missing logs from these machines is one impact, as every 10-20 seconds the IP and hostname change, but the instance GUID and instance name remain the same. And of course the obvious question: how do I fix this? Solving it from a higher level of the system is preferred, like using the deployment server (which I can SSH into), since I have limited access to the servers and would probably have to TeamViewer into them or write a guide for their owners. I read that the GUID is now in the `$SPLUNK_HOME/etc/instance.cfg` file, and there is probably a GUID there which would be the same across the servers. Can I just delete the GUID line and restart the splunk service, and the deployment server would give it a new one? Can I delete the record from the deployment server UI so that it generates a new one and automatically updates the instance.cfg file of the forwarder? I read the docs (instance.cfg.conf - Splunk Documentation) and they say not to edit the file, so I am a bit confused. I also saw that the docs mention that server.conf also has the GUID value, so do I have to do anything in the server.conf file?
Very cool. Thank you, Will. I will give it a shot for sure!
Oh, unless you can make very strong assumptions about your data, you're in for a treat. 1. You will replace any escaped single quotes which might be in the original data (and no, a single-backslash negative lookbehind will not cut it). 2. You will not replace any unescaped double quotes from the original data (and again, finding them and properly escaping them is not easy in the general case; see point 1). Long story short: don't manipulate structured data with regexes!
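The two failure modes described in this reply, as an added example that is not part of the original post or of any Splunk code: three constructed single-quoted records (an escaped single quote inside a string, an escaped backslash right before a closing quote, and unescaped double quotes inside a string) are run through a plain quote swap, a regex with a single-backslash negative lookbehind, and a real parser (ast.literal_eval followed by json.dumps). The sample inputs and the helper names are assumptions made for illustration.

```python
import ast
import json
import re

# Constructed inputs (not from the thread): Python-literal style records
# that someone wants to turn into JSON by "fixing the quotes".
CASES = {
    # text: {'user': 'o\'brien'}  -> an escaped single quote inside a string
    "escaped_single": r"{'user': 'o\'brien'}",
    # text: {'path': 'C:\\temp\\'} -> an escaped backslash right before the closing quote
    "trailing_backslash": r"{'path': 'C:\\temp\\'}",
    # text: {'cmd': 'echo "hi"'}  -> unescaped double quotes inside a string
    "inner_double": "{'cmd': 'echo \"hi\"'}",
}


def naive_convert(text):
    """Replace every single quote with a double quote (point 1: silently
    rewrites escaped quotes, so the decoded value differs from the original)."""
    return text.replace("'", '"')


def lookbehind_convert(text):
    """Replace single quotes unless a backslash precedes them. An escaped
    backslash before the closing quote defeats the lookbehind (point 1 again),
    and inner double quotes are still not escaped (point 2)."""
    return re.sub(r"(?<!\\)'", '"', text)


def parser_convert(text):
    """The correct route: parse with a real parser, then serialise as JSON."""
    return json.dumps(ast.literal_eval(text))


def truth(text):
    """What the record actually meant, decoded by a real parser."""
    return ast.literal_eval(text)


def load_or_none(converter, text):
    """Run a converter and decode its output, or return None if the output
    is not valid JSON."""
    try:
        return json.loads(converter(text))
    except (ValueError, SyntaxError):
        return None


def compare(converter):
    """Return {case: 'ok' | 'corrupted' | 'unparseable'} for each input.
    'corrupted' means the output decoded fine but the value changed."""
    out = {}
    for name, text in CASES.items():
        got = load_or_none(converter, text)
        if got is None:
            out[name] = "unparseable"
        elif got != truth(text):
            out[name] = "corrupted"
        else:
            out[name] = "ok"
    return out


if __name__ == "__main__":
    for conv in (naive_convert, lookbehind_convert, parser_convert):
        print(conv.__name__, compare(conv))
```

The "corrupted" outcome is the one to watch for in a security context: the naive swap turns `o\'brien` into `o"brien`, which decodes without error, so nothing downstream notices that the value changed.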
Hi @epw0rrell

Try the following:

index=* <<Your Other Search Criteria>>
| lookup your_lookup_table user AS user OUTPUT src AS lookup_src
| where isnotnull(lookup_src) AND src != lookup_src
| table user src

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Here is a working example using makeresults too:

| makeresults
| eval _raw="EventType=\"Device\" Event=\"InstallProfileConfirmed\" User=\"sysadmin\" EnrollmentUser=\"hasubram\" DeviceFriendlyName=\"blabla MacBook Air macOS 15.3.2 Q6LW\" EventSource=\"Device\" EventModule=\"Devices\" EventCategory=\"Command\" EventData=\"Profile=Apple macOS Apple Intelligence Restrictions\" Event Timestamp: Mar 28 09:29:40"
| append [| makeresults
    | eval _raw="EventType=\"Device\" Event=\"DeviceOperatingSystemChanged\" User=\"sysadmin\" EnrollmentUser=\"hasubram\" DeviceFriendlyName=\"blabla MacBook Air macOS 15.3.2 Q6LW\" EventSource=\"Device\" EventModule=\"Devices\" EventCategory=\"Assignment\" EventData=\"Device=75639\" Event Timestamp: Mar 28 09:29:29"]
| kv
| rex field=_raw "Event Timestamp: (?<EventTime>.+)$"
| eval _time=strptime(EventTime, "%b %d %H:%M:%S")
| search DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW"
| eval {Event}_time=_time
| stats latest(*_time) as *_time values(Event) as events by DeviceFriendlyName
| where MATCH(events, "DeviceOperatingSystemChanged") AND MATCH(events, "InstallProfileConfirmed") AND DeviceOperatingSystemChanged_time < InstallProfileConfirmed_time

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @Blueochotona

Have a look at the following; does this achieve what you're looking for?

index=*** <<Search Parameters>> NOT DeviceFriendlyName IN (*15.3.0*,*15.3.1*) ( (EventType="Device" Event="DeviceOperatingSystemChanged") OR (EventType="Device" Event="InstallProfileConfirmed") )
| eval {Event}_time=_time
| stats latest(*_time) as *_time values(Event) as events by DeviceFriendlyName
| where MATCH(events, "DeviceOperatingSystemChanged") AND MATCH(events, "InstallProfileConfirmed") AND DeviceOperatingSystemChanged_time < InstallProfileConfirmed_time

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hello, I have a lookup table with fields user and src. I want to table results [user src] where the src within my search != the src listed within the lookup table. So first I need to search for matching user rows, then I need to compare the src of the search with the src value in the lookup file. If the src is different, I want to table the new src value from the search. Can someone help me with this?  Thanks so very much.
This is the splunkd file.
I solved the issue by unchecking the inputs in the app, since they are disabled by default, and by making sure of the API permissions in SentinelOne. In my case, I just created a new service user in SentinelOne and used the API token generated for that service user. The user has access scoped to the site.
You are correct. I had prepared and found steps for fixing indexers, but they seemed fine. The configuration for manager_uri and the like is largely based on IP (which is another topic on its own), and the IP did not change. So endpoints should be able to reach the "modified" server (but may expect a different response). I have to dig into indexer_discovery (and the like). I did not prepare for it. According to my documentation it is not configured.
How do I check splunkd errors in the UI?
@Karthikeya

HTTP 404: This status code means the requested resource (in this case, likely a Splunk REST API endpoint) could not be found. This could happen if the app is trying to interact with an endpoint that doesn't exist or is misconfigured.

Action Forbidden: This implies that even if the endpoint exists, the user or process attempting the action lacks the necessary permissions to complete it, or the action itself is restricted.

If your API credentials (Client Token, Client Secret, Access Token, Hostname) are wrong or don't have the required permissions, it might return a 403/404 error.

Did you restart the HF after installing the add-on?
Check splunkd.log for any Akamai-related errors.
Validate the Akamai credentials and endpoint format.
The two raw results are as follows:

(1) EventType="Device" Event="InstallProfileConfirmed" User="sysadmin" EnrollmentUser="hasubram" DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW" EventSource="Device" EventModule="Devices" EventCategory="Command" EventData="Profile=Apple macOS Apple Intelligence Restrictions" Event Timestamp: Mar 28 09:29:40

(2) EventType="Device" Event="DeviceOperatingSystemChanged" User="sysadmin" EnrollmentUser="hasubram" DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW" EventSource="Device" EventModule="Devices" EventCategory="Assignment" EventData="Device=75639" Event Timestamp: Mar 28 09:29:29

I am hoping to build a search that identifies (1)'s DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW", which is a key shared between the two results, as long as (2) happens before (1) chronologically. I am already using the following to exclude certain results too:

Index=*** <<Search Parameters>> NOT DeviceFriendlyName IN (*15.3.0*,*15.3.1*)

Thank you
Hi all, I am trying to pull Akamai logs into Splunk. Hence I installed this app on the HF - https://splunkbase.splunk.com/app/4310 - and in data inputs filled in all the required fields (as provided by Akamai). When I try to save it, the following error comes up: "Encountered the following error while trying to save: HTTP 404 -- Action forbidden." What is the meaning of this error? Is it an issue on the Akamai end or the Splunk end? We have recently enabled our HF and this error is showing; is this issue related to that? Please help me get rid of this issue and the error.
I'm pretty sure the SHs were in "Settings -> General Setup" (listed as remote instances), as I wanted to apply the config to make the name change apply to the apps' lookups (splunk_ apps). At that time I was still thinking the unreachable status was a timing/communication thing. So to verify my point, I checked the shcluster-status (CLI) on the SH, just to discover that the SHC had failed (it was not able to query the state). That's when I chickened out and reverted the configuration. I will add this to my checklist. In reflection, I messed up. I failed to take evidence of the situation (e.g. screenshots and error messages), focusing on restoring the service.
The logic is that searches only execute when all tokens in that particular search have been defined. Tokens effectively have three states (it is really only two, but for the purposes of this explanation we'll go with three). The token is either set to a value (non-empty), or is empty (these first two are really one state), or the token is unset (or set to null(), which equates to the same thing). The depends attribute on the panel (or row) identifies which tokens need to be set (non-null). For completeness, the rejects attribute identifies which tokens need to be unset (or null). By setting the relevant token to nothing, the token can satisfy the depends attribute, and when used in the search it does not add any additional SPL. By unsetting the relevant token (or setting it to null()), the depends attribute is not satisfied (so the panel/row is hidden), and the search stops executing (because it is waiting for the token to be set). The strftime() is used in the done handler to set tokens so that you can visually see when the search is complete, i.e. to give you confidence that the search is or is not running. You don't need them if you are happy with your searches only executing when they are supposed to.
Ah yes, good spot @goji. By editing the config file directly you are bypassing the built-in validation that stops you saving it via the UI. At this point the Verify=true in the Python code has no effect because it is using http anyway. Thanks for letting me know.
Hi @BRFZ

useACK=false is the default value in outputs.conf for whether or not to use indexer acknowledgment. Essentially, with this set to true the forwarder keeps the event until the indexer has acknowledged that it has fully processed the event (typically that it is written to disk). For more info check out https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Outputsconf#:~:text=Distributed%20Deployment%20manual.-,useACK%20%3D%20%3Cboolean%3E,-*%20Whether%20or%20not

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will