Where can I find the icons that I can use for a splunk architecture diagram?
1. Golden shovel for you. You're responding to a 13-year-old post.
2. A <p> tag contains a paragraph of text. Line breaks are not rendered and spaces can (depending on CSS settings) be squished together. Either split your text into multiple paragraphs (separate <p> tags), break the text with <br> line breaks, or indeed use a preformatted block.
Thank you so much! It helped me a lot with an SPL problem breaking lines. But in my dashboard it wasn't working (I'm using HTML / CSS to customize it). I was sending the result to a token to be loaded in a <p> tag. Changing the <p> tag to <pre>, the result was loaded as I wished.
I am experiencing the exact same problem. Version: 9.2.4 Build: c103a21bb11d
This IF is NOT a heavy forwarder. It is only a light forwarder and does not do any indexing. I added "force_local_processing=true" to my props.conf and I am finally making progress!!

Now the logs that originate from the IF are tagged with the IntermediateForwarder, GUIDe, Project_ID and debug1 fields. This is exactly as expected now that force_local_processing is forcing it to actually use the props and transforms. (It also has debug1=debugonIF.)

Oddly, the logs that the IF is forwarding are still NOT tagged with the IntermediateForwarder and debug1 tags that I expect them to have. The logs do have the GUIDe and Project_ID tags, since that is configured on the UF clients.

These are my latest configs.

== props.conf ==
[default]
TRANSFORMS-setCustomMetadata=setCustomMetadata
force_local_processing=true

[host:: <IFhostname>]
TRANSFORMS-setCustomMetadata=setThisHostMetadata

== transforms.conf ==
[setCustomMetadata]
INGEST_EVAL = IntermediateForwarder:=COALESCE(IntermediateForwarder," <IFhostname>"), debug1:=COALESCE(debug1,"testdebug")

[setThisHostMetadata]
INGEST_EVAL = = IntermediateForwarder:=COALESCE(IntermediateForwarder," <IFhostname>"), GUIDe:=COALESCE(GUIDe,"123456"), Project_ID:=COALESCE(ProjectID,"54321"), debug1:=COALESCE(debug1,"debugonIF")
Hi Will, I have given this under throttle conditions:  
Hi @livehybrid , I had checked the throttle checkbox and enabled Suppress triggering for 30 minutes time to not trigger another incident.
Hi @livehybrid , I am getting all the 3 alerts all at the same time. Not sure where the alert is going wrong?
Hi @avi123  Do you get the 3 alerts all at the same time, or 7 mins apart? Regarding the "Suppress results" under the Throttle checkbox, what did you put into this textbox? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
Hi @MichaelM1  Just to check - is your IF a UF or HF? If it's a UF, the transforms might not apply without force_local_processing=true. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
Hi All, I have a Splunk alert that has this search query:

index="dcn_b2b_use_case_analytics" sourcetype=lime_process_monitoring
| where BCD_AU_UP_01=0 OR BDC_BA_01=0
| dedup host
| eval failed_processes=mvappend( if(BCD_AU_UP_01=0, "BCD_AU_UP_01", NULL), if(BDC_BA_01=0, "BDC_BA_01", NULL) )
| eval failed_process_list=mvjoin(failed_processes, ", ")
| eval metricLabel="Labware - Services has been stopped in Server--Test Incident--Please Ignore"
| eval metricValue_part1="Hello Application Support team, The below service has been stopped in the server, Service name: "
| eval metricValue_part2=failed_process_list
| eval metricValue_part3=" Server name: "
| eval metricValue_part4=host
| eval metricValue_part5=" Please take the required action to resume the service. Thank you. Regards, Background Service Check Automation Bot"
| eval metricValue=metricValue_part1 + metricValue_part2 + metricValue_part3 + metricValue_part4 + metricValue_part5
| eval querypattern="default"
| eval assignmentgroup="SmartTech Team"
| eval business_service="SmartTech Business Service"
| eval serviceoffering="SmartTech service offering"
| eval Interface="CAB"
| eval urgency=3
| eval impact=3

(Please note: here process status = 0 is a failed process and = 1 is a successful process.)

ALERT CONFIG:
Alert type: Scheduled
Cron Expression: */7 * * * *
Expires: 24 hours
Trigger: Once
Throttle (was checked in checkbox)
Suppress triggering for 30 minutes
When triggered - Alert Action - PTIX SNOWALERT (trigger incident in SNOW)

This should trigger only one incident containing the Service names and the Server name, but I am not sure why this alert is triggering three different tickets. Please help me correct the alert to trigger a single ticket whenever the alert is enabled.
This app has been archived https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/SimpleXML_Examples_app_end_of_life_FAQ  
Hi Will, many thanks for your support. I tried your code directly and got this view (Screenshot 2025-03-24 145511.jpg). Not the same as your screenshot. And it is not clear to me where the dlt is considered, as a duration of the state.
@livehybrid This is definitely an intermediate forwarder that I want to set up. And it is forwarding logs from many UFs that I have pointing to it. The UFs are tagging their logs just fine from the UF configs that they have. It is just that the IF itself is not tagging its own logs.

@PickleRick This intermediate forwarder is only receiving data from UFs and I don't have any HF in my architecture.

@livehybrid I don't think that the transforms are working at all. This is my current config for props and transforms, and I have simplified it as you and @isoutamo suggested.

== props.conf ==
[default]
TRANSFORMS-setCustomMetadata=setCustomMetadata

[host::macdev]
TRANSFORMS-setCustomMetadata=setThisHostMetadata

== transforms.conf ==
[setCustomMetadata]
INGEST_EVAL = IntermediateForwarder:=COALESCE(IntermediateForwarder," <IFhostname>"), debug1:=COALESCE(debug1,"testdebug")

[setThisHostMetadata]
INGEST_EVAL = = IntermediateForwarder:=COALESCE(IntermediateForwarder," <IFhostname>"), GUIDe:=COALESCE(GUIDe,"123456"), ProjectID:=COALESCE(ProjectID,"54321"), debug1:=COALESCE(debug1,"debugonIF")

I get this warning in the splunkd.log that could be related:

WARN TcpOutputProc [19444 parsing]  - Pipeline data does not have indexKey. [_path]  =  e:\program files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe\n[_stmid]blah\n[Metadata:Source] = source::WinEventLog\n[MetaData:Host]  =  host::<IFhostname>\n[MetaData:Sourcetype] = sourcetype::WinEvtLog\n[_done] = _done\n[_conf] = source::WinEventLog:host::< IFhostname>:WinEventLog|\n

With this config I would expect that the logs forwarded through from the UFs should get the debug1 field, but they do not. I don't know why it does not seem to be doing anything at all.

Thank you for all your help btw.
Hello @Stanley_F , I would suggest filing a support case, as it looks like an issue with the app.
Hi @livehybrid and @isoutamo  Below is the complete conf data. The requirement is: from the same log file, "traffic|session|firewall|deny|accept" related events should get indexed in "index=nw_fortigate" sourcetype=fortigate, and other events should get indexed in "index=os_linux" sourcetype=os. Kindly let me know whether I need to make any corrections in the conf and change the order in the transforms as well.

inputs.conf
[monitor:///TUC-RST50/OOB/TUC-RST50M*.log]
disabled = false

props.conf
[source::.../TUC-*/OOB/TUC-*(50M)*.log]
TRANSFORMS-routing = route_fortigate_traffic, route_nix_messages

transforms.conf
[route_fortigate_traffic]
DEST_KEY = _MetaData:Index
REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b
FORMAT = nw_fortigate

[route_nix_messages]
DEST_KEY = _MetaData:Index
REGEX = .*
FORMAT = os_linux
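As an added illustration of the ordering question raised in the post above (example configuration, not from this thread and not from the poster's files): transforms listed in one TRANSFORMS- setting run in the order given, and when two of them write the same DEST_KEY the last match wins, so with the posted order the catch-all route_nix_messages (REGEX = .*) runs last and sends every event to os_linux. Putting the catch-all first and the specific match second gives the requested split; the sourcetype is handled the same way with a second pair of transforms. The source:: stanza below is simplified to match the monitored path in inputs.conf, because the literal "(50M)" in the posted stanza does not occur in that path, and the stanza and index names are otherwise taken from the post.

```ini
# props.conf (added example): catch-all routes first, specific matches last,
# because the last transform that sets a given DEST_KEY wins.
[source::.../TUC-*/OOB/TUC-*.log]
TRANSFORMS-routing = route_nix_messages, set_os_sourcetype, route_fortigate_traffic, set_fortigate_sourcetype

# transforms.conf (added example)

# Default destination for every event from this source.
[route_nix_messages]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = os_linux

[set_os_sourcetype]
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::os

# Overrides for firewall-style events; these run after the defaults above.
[route_fortigate_traffic]
REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b
DEST_KEY = _MetaData:Index
FORMAT = nw_fortigate

[set_fortigate_sourcetype]
REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate
```

Index-time routing like this only takes effect on the first full Splunk instance (indexer or heavy forwarder) that parses the data, so these files belong there rather than on a universal forwarder.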
The documentation is about the same regardless of whether it's Windows or Linux (the only minute difference is the CA trust store definition if you use the OS store). The question is what you need. There are two layers here.
1. Configuration of connection encryption (which should be enabled by default) and the server's identity verification.
2. Configuration of forwarder authentication to your receiver with TLS.
You should first make sure that the first point is properly configured. Then you can go on to configuring the second one. People often try to do both things at the same time and get confused by different settings and different results.
Page not found for the link.
The "Details" tab on Splunkbase has a link to GitHub where you have a description of the app and its usage.
@PickleRick  Thanks for the reply and for spending time replying. Can I get any documentation regarding this MAPS+ visualisation, for code patterns and commands to load for MAPS+?