On the deployer right and push it to SHs? And where can I configure this?
@Karthikeya If a Heavy Forwarder (HF) is not available, install it on the search head.
Thanks, I changed the config, then the problem was resolved. Best regards
We have deployment server which receives data from UF. We have cluster manager and deployer and SHs. Where to install and configure this add-on? in DS or Deployer or SHs? Please confirm I am confused. We don't have HF at the moment. Normally where we need to configure data inputs?
Hi All, In SPL2 Ingest Pipeline I want to assemble a regular expression and then use that in a rex command, but I am having trouble. For example, this simple test where I specify the regex as a text string on the rex command works: But this version doesn't: Any idea what I am doing wrong? Thanks
The search command cannot search for '*'. The '=' character also is a challenge. You can, however, use regex to filter on these and other "special" characters.
| eval msxxxt="*Action=GexxxxdledxxxxReport Duration=853*" | regex "=" | rex "Duration=(?<Duration>\d+)" | timechart span=1h avg(Duration) AS avg_response by msxxxt
Hello isoutamo; Thank you for the links; a lot of useful info. I am not an expert in the area of PKI certificates etc. I have a basic understanding only. The term leaf certificate was new to me. Ptrsnk
Hi, I am new to Ingest Processor and have had some success, but am having an issue with the rex command, so I have created a very simple example copied from the manual here https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples#2._Regular_expressions_with_character_classes But I am getting this error: Any ideas why? Thanks
Hi @whar_garbl I think what you have done with "CHECK_METHOD" in props.conf should work.
[source::<yoursource>]
CHECK_METHOD = modtime
However, you may also need to set the crcSalt in inputs.conf
[monitor://<path>]
crcSalt = <SOURCE>
Here are a few other useful links which might also help!
https://community.splunk.com/t5/Getting-Data-In/Ingesting-file-data/td-p/81645
https://community.splunk.com/t5/Knowledge-Management/Modtime-is-newer-than-stored-will-reread-file-with-9-x-x/td-p/677930 << Beware of this possible bug
Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
Further to my last message - this is a great blog post on getting started with UCC so well worth checking out https://www.splunk.com/en_us/blog/customers/managing-splunk-add-ons-with-ucc-framework.html Let us know how you get on and if you have any further questions Will
Hi @dolj If there isn't already a Splunkbase app for the API you want to work with, then you may be best using the Splunk Universal Configuration Console (UCC) framework to build yourself a custom app. This has had much more development recently than Add-on Builder and is easier to manage moving forwards. Here is a sample app which might give some insight on how it works; this is taken from a .conf talk I did on creating a simple API app in 2023. https://github.com/livehybrid/conf23-dev1091b/ Also have a look at the UCC docs (https://splunk.github.io/addonfactory-ucc-generator/) for more information and to get started. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
Hi @Namdev Please could you confirm which user the Splunk Forwarder is running as? Is it splunkfwd, splunk or something else? Please could you show a screenshot of the permissions on your /opt/log files in question. Did you run anything like this against the directory to give splunk access?
setfacl -R -m u:splunkfwd:r-x /opt/log
Are there any logs in splunkd.log relating to these files? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
Hi @DaveyJones  Please could you provide the search you ended up using so I can look into this further for you? Thanks Will
Hi @cbyrd Given that the 400 error is coming from the Google API, I'd start off by checking for config issues on the Google side.
Check API Permissions: Ensure that the Google Workspace service account you're using has the necessary permissions to access user data. The service account should have the "Directory API" enabled and the appropriate scopes granted, such as https://www.googleapis.com/auth/admin.directory.user.readonly.
Verify API Scopes: Double-check that the OAuth 2.0 scopes configured for the service account include the necessary permissions. You might need to add or adjust scopes in the Google Cloud Console.
Customer ID: Ensure that the customer parameter in the API request is correct. It should be the unique ID of your Google Workspace account. You can find this ID in the Admin console under Account settings.
View Type: The viewType parameter can be either admin_view or domain_public. Make sure that the view type you are using is appropriate for your use case and that the account has the necessary permissions to access the data with that view type.
API Quotas and Limits: Check if you are hitting any API quotas or limits. Google APIs have usage limits, and exceeding them can result in errors.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
It looks like the certificate is good for either client or server authentication.
Thanks for the explanations. I have made an updated version where there is no need for special characters. Also cleaned up the code some.
Found out why: Release v5.1.0 · splunk/contentctl · GitHub. The latest release gives an error instead of a warning for a bad DataSource. Since it was just released, the latest version of Splunk ESCU was simply built with an older version and had a pile of non-blocking warnings.
I haven't used the Slack alert action, so I can only give general hints. Usually alert actions write some log of what happened into the _internal index; you should try to find something there which is related to it.
We are using the Splunk Add-On for GWS Version 3.0.3 for Splunk Cloud and receiving this error when attempting to pull in the (user) identities portion. I have tried both 'admin_view' and 'domain_public' in the Inputs config with the same error. All other functions are working fine. I need to bring in this sourcetype "gws_users_identity" to populate our identities lookup. Has anyone else encountered this? Maybe you found a "fix"?
ERROR pid=<redacted> tid=MainThread file=log.py:log_exception:351 | exc_l="User Identity Error" Exception raised while ingesting data for users: <HttpError 400 when requesting https[:]//admin.googleapis.com/admin/directory/v1/users?customer=<redacted>&orderBy=email&maxResults=500&viewType=domain_public&alt=json returned "Bad Request". Details: "[{'message': 'Bad Request', 'domain': 'global', 'reason': 'badRequest'}]">. Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_user_identity.py", line 139, in stream_events service.users()
@marnall After replacing the package, the files mentioned in the error message are deleted. So as expected, no mentions of the older package version appear in our code after the older version is deleted & replaced. We're not sure why we're still facing this issue, and I'm wondering if this issue can be attributed to AppInspect in some way?