All Posts

Hi @dbloms, glad to hear. Happy Splunking! P.S.: Karma Points are appreciated by me and the other contributors.
Hi Team, I have been getting a skipped search notification in my CMC overview under Health for quite some time. It is a scheduled report:
Search name: ESS - Notable Events
Cron: every 5 mins (1-59/5 * * * *)
Timerange: earliest - 48d@d ; latest - +0s (now)
Message: The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached
Search query:
`notable` | search NOT `suppression` | eval timeDiff_type=case(_time>=relative_time(now(), "-24h@h"),"current", 1=1, "historical") | expandtoken rule_title | table _time,event_id,security_domain,urgency,rule_name,rule_title,src,dest,src_user,user,dvc,status,status_group,owner,timeDiff_type,governance,control | outputlookup es_notable_events | stats count
It is writing the output to an output lookup and takes around 8 mins of runtime when checked under job management. Can someone help me understand where the issue lies and what is making this search in particular skip? The percentage skipped is around 50% and the status is critical.
We are building an iOS app that uses URLSession for making network requests in our app. But AppDynamics does not collect any traffic built with async/await. For the traffic that uses the traditional way (completion handler), AppD still collects properly. AppDynamics
Yes, you are right. The admin password was changed; now it starts without problems. Many thanks to you, you saved my day!
In my local environment I am using the EST time zone only.
Hi @amanthri,
Disabling the KO is the safest option. In your savedsearches.conf:
[<name_of_your_saved_search>]
disabled = 1
You can place it in the local directory, /local/savedsearches.conf; it will effectively override the default. This works for the other KOs too.
Hi @bigchungusfan55, please do the following checks to find and fix the issue:
1. Check and confirm that the KV store collection exists.
2. Check where the KV Store lookup is defined.
3. Check the permissions for the lookup.
4. Check the lookup definition and collection configuration.
The error indicates the automation can't authenticate against 127.0.0.1:8089. Accept the license and try with the below:
docker run -d \
  --name splunk \
  -e SPLUNK_START_ARGS="--accept-license" \
  -e SPLUNK_PASSWORD="yourpassword" \
  splunk/splunk:latest
Hi @Sahansral
Have you set any local user-prefs.conf changes? Please could you run the following:
$SPLUNK_HOME/bin/splunk cmd btool user-prefs list --debug
In the [general] stanza do you have a "lang" setting? There is no default so it could be missing, but if it's there it should be a valid lang value (e.g. "de-DE", not "de"):
lang = <string>
* Specifies the per-user language preference for non-web UI operations, where multiple tags are separated by commas.
* If unset, English "en-US" is used when required.
* Only tags used in the "Accept-Language" HTTP header are allowed, such as "en-US" or "fr-FR".
* Fuzzy matching is supported, where "en" will match "en-US".
* Optional quality settings are supported, such as "en-US,en;q=0.8,fr;q=0.6"
* No default.
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Thanks livehybrid, the first option worked perfectly. I only wanted the field to be sanitized at search time, and the first option does that. Cheers.
@Raja_Selvaraj
DATETIME_CONFIG = CURRENT should work normally. But I have observed a few times with a monitor input that Splunk still scans the event content or file metadata (modtime) to determine _time, even if DATETIME_CONFIG = CURRENT is set. Are you using a monitor input? Alternatively, you can apply the modification at search time, e.g.:
BASE_SEARCH | eval _time = now()
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
Hello Community,
when we try to open a link to a Splunk URL without a language setting, e.g. via the "Show results" link in an email alert like https://our-splunk-address/app/some-app/alert?s=some-alert, the request gets redirected automatically to something like https://our-splunk-address/de/app/some-app/alert?s=some-alert, which does not work. The URL should be https://our-splunk-address/de-DE/app/some-app/alert?s=some-alert (see Configure user language and locale | Splunk Docs). This incorrect redirect only happens in our production environment and only if the language setting of the browser is set to German. English works fine (redirect is .../en-GB/...). We tested different browsers (Edge, Firefox) with the same results. Our test environment uses the same browsers, redirects correctly, and we can't fathom any configuration differences between our test and production that could explain this behaviour. Did you experience a similar phenomenon, or can you give me a hint where I can look for further clues?
Regards, Jens
Hi @Raja_Selvaraj
Can you confirm which server(s) you have put the DATETIME_CONFIG = CURRENT on and what type of instance this is (Universal Forwarder / Heavy Forwarder / Indexer)? This needs to be on the first full deployment (HF/Indexer) that the data hits, as this is where it is parsed.
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @Splunkie
Do you want this to affect the raw data (e.g. when it is indexed), or do you want the original string to exist in the data but also have a field which has it without the suffix?
You could do the following at search time:
| rex field=Username_Field mode=sed "s/ sophos_event_input$//"
(See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex)
Alternatively you could use a REPLACE function:
| eval cleaned_Username=REPLACE(Username_Field," sophos_event_input","")
You could also make this an automatic calculated field so that you don't need to include it in your SPL:
If you want this to be replaced in the _raw event at index time, then you need to deploy a props.conf file within a custom app to your HF or Indexers (whichever the data lands on first) with something like this:
# props.conf
# [yourSourcetype]
SEDCMD-removeSophosSuffix = "s/ sophos_event_input//g"
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @Splunkie,
do you want to do this at index time (recording the modified events) or at search time (only in visualization)?
If at search time, you can use a regex in your searches like the following:
| rex mode=sed "s/sophos_event_input/ /g"
If at index time, you should put this in props.conf:
[<your_sourcetype>]
SEDCMD = "s/sophos_event_input/ /g"
This conf file must be located on the first full Splunk instance the data passes through, in other words on the first Heavy Forwarder (if present) or otherwise on the Indexers.
Ciao.
Giuseppe
I am trying to remove a field which has a suffix of sophos_event_input after the username. Example:
Username_Field
Joe-Smith, Adams sophos_event_input
Jane-Doe, Smith sophos_event_input
I would like to change the Username field to only contain the user's name. Example:
Username_Field
Joe-Smith, Adams
Jane-Doe, Smith
Basically I want to get rid of the sophos_event_input suffix. How will I go about this?
Your "table" must come with a sequence or the whole problem is unsolvable. The sequence may come in the form of a _time field, or a special field such as sequence_number, or in the form of the sheer order of the table. The whole point is, you can use the transaction command to get what you need if your table
- has a _time field, and
- is in reverse time order.
| transaction "change #" "user ID" startswith="Mod_type=OLD" endswith="Mod_type=NEW"
If, for any reason, your "table" doesn't come with a _time field, you can always make sure it is in reverse time order and make up a _time field. You can also use stats to do the same. The bottom line is: join is seldom the answer.
Here is a data emulation for you to play with and compare with real data:
| makeresults format=csv data="Mod_type, user ID,Email,change #,Active
NEW,123,Me@hotmail.com,152,Yes
OLD,123,Me@hotmail.com,152,No"
| eval _time = now()
Yeah, I did not set it up in the default folder, so it should be the same as that condition. Additionally, this is a distributed indexer (3 instances).
@livehybrid
Thanks for the response. Yes, some servers have custom certificates, and on those servers we are having the issue. If I try changing to the default local certificate, then it works:
root@test02:/opt/splunk/bin# ./splunk cmd openssl verify -verbose -x509_strict -CAfile /opt/splunk/etc/auth/cacert.pem.default /opt/splunk/etc/auth/server.pem_old
/opt/splunk/etc/auth/server.pem_old: OK
root@test02:/opt/splunk/bin# ./splunk cmd openssl verify -verbose -x509_strict -CAfile /opt/splunk/etc/auth/cacert.pem /opt/splunk/etc/auth/server.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
./splunk cmd btool server list --debug kvstore
/opt/splunk/etc/system/default/server.conf [kvstore]
/opt/splunk/etc/system/default/server.conf clientConnectionPoolSize = 500
/opt/splunk/etc/system/default/server.conf clientConnectionTimeout = 10
/opt/splunk/etc/system/default/server.conf clientSocketTimeout = 300
/opt/splunk/etc/system/default/server.conf dbCursorOperationTimeout = 300
/opt/splunk/etc/system/default/server.conf dbPath = $SPLUNK_DB/kvstore
/opt/splunk/etc/system/default/server.conf defaultKVStoreType = local
/opt/splunk/etc/system/default/server.conf delayShutdownOnBackupRestoreInProgress = false
/opt/splunk/etc/system/default/server.conf disabled = false
/opt/splunk/etc/system/default/server.conf initAttempts = 300
/opt/splunk/etc/system/default/server.conf initialSyncMaxFetcherRestarts = 0
/opt/splunk/etc/system/default/server.conf kvstoreUpgradeCheckInterval = 5
/opt/splunk/etc/system/default/server.conf kvstoreUpgradeOnStartupDelay = 60
/opt/splunk/etc/system/default/server.conf kvstoreUpgradeOnStartupEnabled = true
/opt/splunk/etc/system/default/server.conf kvstoreUpgradeOnStartupRetries = 2
/opt/splunk/etc/system/default/server.conf minSnapshotHistoryWindow = 5
/opt/splunk/etc/system/default/server.conf oplogSize = 1000
/opt/splunk/etc/system/default/server.conf percRAMForCache = 15
/opt/splunk/etc/system/default/server.conf port = 8191
/opt/splunk/etc/system/default/server.conf replicaset = splunkrs
/opt/splunk/etc/system/default/server.conf replicationWriteTimeout = 1800
/opt/splunk/etc/system/default/server.conf shutdownTimeout = 100
/opt/splunk/etc/system/default/server.conf sslVerifyServerCert = false
/opt/splunk/etc/system/default/server.conf sslVerifyServerName = false
/opt/splunk/etc/system/default/server.conf storageEngine = wiredTiger
/opt/splunk/etc/system/default/server.conf storageEngineMigration = false
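As an added illustration of the chain check in the post above (example script, not from the thread or from Splunk): it builds two throwaway root CAs and a server certificate issued by the first, then runs `openssl verify` against each CA file to reproduce the OK versus "unable to get local issuer certificate" contrast. The names rootA, rootB and kvstore-server are constructed; it assumes `openssl` is on PATH and omits -x509_strict so it also runs on older OpenSSL builds that add no key identifier extensions.

```shell
#!/bin/sh
# Added example (not from the thread): show why `openssl verify -CAfile` says OK
# for one CA file and "unable to get local issuer certificate" for another.
# Assumes `openssl` is on PATH; all names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA: $1 = CA name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a server certificate: $1 = issuing CA name, $2 = server name
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Verify a certificate against a CA file; prints OK or FAIL and returns 0
# either way, so callers can compare the result instead of aborting on failure.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Show openssl's own diagnostic (the "error 20" line seen in the post) for a
# failing chain, without aborting under set -e.
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

make_ca rootA                          # plays the CA that actually issued the server cert
make_ca rootB                          # an unrelated CA, like a cacert.pem that does not match
make_server_cert rootA kvstore-server

echo "issuing CA:   $(verify_chain "$WORK/rootA.pem" "$WORK/kvstore-server.pem")"
echo "unrelated CA: $(verify_chain "$WORK/rootB.pem" "$WORK/kvstore-server.pem")"
verify_reason "$WORK/rootB.pem" "$WORK/kvstore-server.pem"
```

The failing case is the same error 20 the post shows: the CA file handed to -CAfile simply is not the issuer of the certificate, so the fix is to point the kvstore/server TLS settings at the CA bundle that actually signed server.pem.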