All Posts

Hi colleagues, hope everyone is doing well! I need some advice. I have a server that writes logs to /var/log/test_log.json. On the Splunk side, I opened a port via "Data Input -> TCP". The logs in test_log.json are written line by line. Example:
{"timestamp":"2025/02/27 00:00:15","description":"Event 1"}
{"timestamp":"2025/02/27 00:00:16","description":"Event 2"}
{"timestamp":"2025/02/27 00:00:17","description":"Event 3"}
Could anyone suggest if they have a ready-made rsyslog configuration file for correctly reading this log file? The file is continuously updated with new logs, each on a new line. I want rsyslog to read the file and send each newly appearing line as a separate log. Has anyone encountered this before and could help with a ready-made rsyslog configuration? Thank you!
Hi @kjehth93  In order to specify which hosts this goes to, you probably need to look at your Deployment Server configuration - are you already using this to deploy an app with the inputs.conf in? Place the app in /opt/splunk/etc/deployment-apps/<yourAppName>. Go to https://yourSplunkInstance/en-US/manager/system/deploymentserver. On the "Server Class" tab select "New Server Class", and give it a name. Then proceed to add your App, and then head to add Clients. When adding clients you can use wildcards along with IPs and/or hostnames in an allow/deny approach to target the hosts you'd like to deploy this inputs.conf to. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Ryan, Thank you for the quick reply. It looks like there is no way, via an API, to pull the Dashboard's share URL. I am pursuing a possible solution with an SQL query to the appD database and see what that can provide.
I would like to run PowerShell scripts and commands out to my endpoints via the Universal Forwarder, but based on the script or command I would like to specify which endpoint it goes to/which it collects an output from. I have attempted this with the following entry in the local inputs.conf, but it still ran on all the endpoints.
[powershell://find_version]
script = [powershell command here]
host = [XXX]
index = [index here]
schedule = [cron here]
disabled = 0
I'm having a similar issue with the Egnyte Collaborate TA - https://splunkbase.splunk.com/app/5653. When trying to use the add-on, I keep getting the following error: "01-22-2025 16:45:55.409 +0000 ERROR PersistentScript [1693337 PersistentScriptIo] - From {/opt/splunk/bin/python3.9 /opt/splunk/etc/apps/TA-egnyte-connect/bin/TA_egnyte_connect_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA-egnyte-connect#configs/conf-ta_egnyte_connect_settings, user=proxy." The issue is I'm running Splunk Cloud and don't have the ability to modify local conf files. Any ideas on how to get this resolved for Splunk Cloud customers? Cheers.
Hello, Newb here trying to get up to speed... I need to create dashboards that will allow me to perform the audit events listed in the JSIG:
1. Authentication events:
    (1) Logons (Success/Failure)
    (2) Logoffs (Success)
2. Security Relevant File and Objects events:
    (1) Create (Success/Failure)
    (2) Access (Success/Failure)
    (3) Delete (Success/Failure)
    (4) Modify (Success/Failure)
    (5) Permission Modification (Success/Failure)
    (6) Ownership Modification (Success/Failure)
3. Export/Writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
4. Import/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
5. User and Group Management events:
    (1) User add, delete, modify, disable, lock (Success/Failure)
    (2) Group/Role add, delete, modify (Success/Failure)
6. Use of Privileged/Special Rights events:
    (1) Security or audit policy changes (Success/Failure)
    (2) Configuration changes (Success/Failure)
7. Admin or root-level access (Success/Failure)
8. Privilege/Role escalation (Success/Failure)
9. Audit and security relevant log data accesses (Success/Failure)
10. System reboot, restart and shutdown (Success/Failure)
11. Print to a device (Success/Failure)
12. Print to a file (e.g., pdf format) (Success/Failure)
13. Application (e.g., Adobe, Firefox, MS Office Suite) initialization
Are there templated Splunk search commands for these? And if so, could you point me to them? Many thanks!
I don't have admin rights in Splunk. Is there an easy way to enforce this in the search query?
Issues have been resolved. I did the props.conf and transforms.conf on the search heads alone, and it didn't work. I also put both props.conf and transforms.conf on the heavy forwarder, and then it works. Thank you for your help!!!
Hi @FAnalyst  The answers provided so far look to either look at forwarders sending data to your Splunk indexers, or look at allowlist configurations in serverclasses, however I believe you are looking for the host and IP of deployment clients when they connect? If that is the case then try the below search:
| tstats latest(_time) as lastPhoneHome WHERE index=_dsphonehome earliest=-24h latest=now by data.clientId
| append [| tstats latest(_time) as lastRestart where index=_dsclient earliest=0 latest=now by data.name, data.build, data.clientId, data.splunkVersion data.package, data.hostname]
| stats latest(*) AS * by data.clientId
| eval lastPhoneHomeFriendly=strftime(lastPhoneHome,"%d/%m/%Y %H:%M:%S")
This was tested on Splunk 9.3 but I believe should work from <9.2. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @shabamichae , yes, you can do it. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hello, I got the same question that was also asked in 2017 (the solution is outdated and doesn't work anymore): "With a SaaS controller, how can I get a clear report of how many licenses are consumed by application? I don't need the speed dials that tell me how many licenses are consumed in total. What I need is the license count per actual application that I have created in AppDynamics. We need this to figure out what is the cost per application." Has it been implemented, or is there a way in 2024 to get this?
@FAnalyst  Try this:
index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | dedup sourceHost | table sourceHost fwdType
@FAnalyst  You should be able to get a list of whitelisted servers using the following query.
| rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname
You can put it in a lookup file or just use the rest query itself and compare it against deployment/server/clients to know which clients are configured in serverclass.conf but not sending phonehome. Something like this:
| rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname | eval state="configured"
| append [| rest /services/deployment/server/clients | table title | rename title as hostname | eval state="phonehome" ]
| stats values(state) as state by hostname
| where mvcount(state)=1 AND state="configured"
Thanks
@FAnalyst  Use the below search to get an exportable list of deployment clients.
| rest splunk_server=local /services/deployment/server/clients | table hostname utsname | sort utsname
Another way to find forwarders is to search the internal index for incoming TCP connections.
index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | dedup sourceHost | table sourceHost fwdType
To see all hosts that send data, not just forwarders, count the hosts found in all indexes.
| tstats count where index=* host=* by host
Thank you for your answer. I tried the search you shared; it does not show the IP address of the hosts, and also the number does not match the number showing in the forwarder management dashboard.
You can search using the following searches:
| tstats values(splunk_server) as Host, values(clientip) as IP from _internal where index=_internal sourcetype=splunkd by host
or
index=_internal sourcetype=splunkd | stats values(clientip) as IP by host
Enjoy,
@att35 If you find the provided solution satisfactory, please proceed with accepting it.
I see there is a forwarder management dashboard in the monitoring console where you can check if the host is reporting or not. I want the search that is used, as the table contains the host name and the IP address; also there is no option for export in that dashboard. There is another similar dashboard in the monitoring console named forwarder_deployment, but it does not show the IP address, only the host name. Can you help with that?