All Posts
Hi, I am new to Ingest Processor and have had some success, but I am having an issue with the rex command, so I have created a very simple example copied from the manual here: https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples#2._Regular_expressions_with_character_classes But I am getting this error: Any ideas why? Thanks
Hi @whar_garbl
I think what you have done with "CHECK_METHOD" in props.conf should work.
  [source::<yoursource>]
  CHECK_METHOD = modtime
However, you may also need to set the crcSalt in inputs.conf:
  [monitor://<path>]
  crcSalt = <SOURCE>
Here are a few other useful links which might also help!
https://community.splunk.com/t5/Getting-Data-In/Ingesting-file-data/td-p/81645
https://community.splunk.com/t5/Knowledge-Management/Modtime-is-newer-than-stored-will-reread-file-with-9-x-x/td-p/677930 << Beware of this possible bug
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Further to my last message: this is a great blog post on getting started with UCC, so well worth checking out: https://www.splunk.com/en_us/blog/customers/managing-splunk-add-ons-with-ucc-framework.html
Let us know how you get on and if you have any further questions.
Will
Hi @dolj
If there isn't already a Splunkbase app for the API you want to work with, then you may be best using the Splunk Universal Configuration Console (UCC) framework to build yourself a custom app. This has had much more development recently than Add-on Builder and is easier to manage moving forwards.
Here is a sample app which might give some insight on how it works; this is taken from a Conf talk I did on creating a simple API app in 2023: https://github.com/livehybrid/conf23-dev1091b/
Also have a look at the UCC docs (https://splunk.github.io/addonfactory-ucc-generator/) for more information and to get started.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @Namdev
Please could you confirm which user the Splunk Forwarder is running as? Is it splunkfwd, splunk or something else?
Please could you show a screenshot of the permissions on your /opt/log files in question.
Did you run anything like this against the directory to give splunk access?
  setfacl -R -m u:splunkfwd:r-x /opt/log
Are there any logs in splunkd.log relating to these files?
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @DaveyJones
Please could you provide the search you ended up using so I can look into this further for you?
Thanks
Will
Hi @cbyrd
Given that the 400 error is coming from the Google API, I'd start off by checking for config issues on the Google side.
Check API Permissions: Ensure that the Google Workspace service account you're using has the necessary permissions to access user data. The service account should have the "Directory API" enabled and the appropriate scopes granted, such as https://www.googleapis.com/auth/admin.directory.user.readonly.
Verify API Scopes: Double-check that the OAuth 2.0 scopes configured for the service account include the necessary permissions. You might need to add or adjust scopes in the Google Cloud Console.
Customer ID: Ensure that the customer parameter in the API request is correct. It should be the unique ID of your Google Workspace account. You can find this ID in the Admin console under Account settings.
View Type: The viewType parameter can be either admin_view or domain_public. Make sure that the view type you are using is appropriate for your use case and that the account has the necessary permissions to access the data with that view type.
API Quotas and Limits: Check if you are hitting any API quotas or limits. Google APIs have usage limits, and exceeding them can result in errors.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
It looks like the certificate is good for either client or server authentication.
Thanks for the explanations. I have made an updated version where there is no need for special characters. Also cleaned up the code some.
Found out why: Release v5.1.0 · splunk/contentctl · GitHub. The latest release gives an error instead of a warning for a bad DataSource. Since it was just released, the latest version of Splunk ESCU was simply built with an older version and had a pile of non-blocking warnings.
I haven't used the Slack alert action, so I can only give general hints. Usually alert actions write some log of what happened into the _internal index; you should try to find something there which is related to it.
We are using the Splunk Add-On for GWS Version 3.0.3 for Splunk Cloud and receiving this error when attempting to pull in the (user) identities portion. I have tried both 'admin_view' and 'domain_public' in the Inputs config with the same error. All other functions are working fine. I need to bring in this sourcetype "gws_users_identity" to populate our identities lookup. Has anyone else encountered this? Maybe you found a "fix"?

  ERROR pid=<redacted> tid=MainThread file=log.py:log_exception:351 | exc_l="User Identity Error" Exception raised while ingesting data for users: <HttpError 400 when requesting https[:]//admin.googleapis.com/admin/directory/v1/users?customer=<redacted>&orderBy=email&maxResults=500&viewType=domain_public&alt=json returned "Bad Request". Details: "[{'message': 'Bad Request', 'domain': 'global', 'reason': 'badRequest'}]">.
  Traceback (most recent call last):
    File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_user_identity.py", line 139, in stream_events
      service.users()
@marnall After replacing the package, the files mentioned in the error message are deleted. So as expected, no mentions of the older package version appear in our code after the older version is deleted & replaced. We're not sure why we're still facing this issue, and I'm wondering if this issue can be attributed to AppInspect in some way?
It's the calling shell that does the file expansion first, so disabling globbing inside the function (which runs in a subshell) will not work.
Here's an example that hopefully demonstrates this more clearly ...
  $ mkdir empty
  $ mv test.func empty/.test.func
  $ cd empty
  $ ls                  # no files
  $ ls -a               # globbing ignores hidden files
  .  ..  .test.func
  $ . .test.func
  $ test * 2 3          # no files so no globbing and * works
  opt=x**x#x file=* stansa=2 search=3
  $ touch newfile
  $ ls
  newfile
  $ test * 2 3
  opt=x**x#x file=newfile stansa=2 search=3
  $ test \* 2 3
  opt=x**x#x file=* stansa=2 search=3
  $ set -f
  $ test * 2 3
  opt=x**x#x file=* stansa=2 search=3
  $
Agree that using the -a switch may be a cleaner way to represent all files though.
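The same point as a reproducible script rather than a transcript. This is an added example, not code from the thread; the function names first_arg and demo are mine. It shows that an unquoted * is expanded by the shell that runs the command line, so a set -f inside the called function (or inside any subshell) comes too late, and that only the caller can prevent the expansion, either by quoting the argument or by running set -f itself before the call.

```shell
#!/bin/sh
# Added example, not from the thread. Shows where glob expansion of an
# unquoted * happens and which side can prevent it. Function names
# (first_arg, demo) are my own.

# Prints its first argument exactly as received. The set -f here is too
# late: the caller's shell has already expanded the word before the call.
first_arg() {
  set -f
  printf '%s\n' "$1"
}

# Calls first_arg once from a fresh directory holding one file, "newfile",
# passing the star the way $1 says: unquoted, quoted, or unquoted after the
# caller itself ran set -f. Runs in a subshell so set -f does not leak out.
demo() {
  dir=$(mktemp -d) || return 1
  touch "$dir/newfile"
  (
    cd "$dir" || exit 1
    case $1 in
      unquoted) first_arg * ;;          # shell expands * to newfile first
      quoted)   first_arg '*' ;;        # quoting keeps the literal star
      noglob)   set -f; first_arg * ;;  # caller disabled globbing: literal star
      *)        echo "unknown mode $1" >&2; exit 2 ;;
    esac
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Stand-alone run: prints one line per calling convention.
for mode in unquoted quoted noglob; do
  printf '%-9s -> ' "$mode"
  demo "$mode"
done
```

Running it prints `unquoted -> newfile`, `quoted -> *` and `noglob -> *`. The -a switch mentioned in the post sidesteps the problem entirely, since no star is ever passed on the command line.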
Sorry to be a bother, but what if there is a special char like = involved? I can't add the equal sign into my search query.
  | eval msxxxt="*Action=GexxxxdledxxxxReport Duration=853*"
  | rex "Duration (?<Duration>\d+)"
  | timechart span=1h avg(Duration) AS avg_response by msxxxt
Thanks again for your help
What is the best practice to have a Splunk heavy forwarder call out to a third-party API and pull logs into Splunk? Most of the solutions I use have apps on Splunkbase, but this one does not. Do I have to build a custom add-on using something like the Add-on Builder?
I took a look at our existing servercert .pem file in vi. It did not contain the private key; it did include the root and intermediate certs.
I copied the contents of our private key .pem file to the location you suggested (main cert / private key / intermediate cert / root cert). I saved the new .pem file with a new name and put it in a new location under /opt/splunk/etc/auth/newssl and updated the inputs.conf file (below) at system/local.
  disabled = false
  connection_host = ip
  index = main
  [tcp:514]
  disabled = false
  connection_host = ip
  index = main
  [udp://514]
  index = main
  sourcetype = syslog
  disabled = no
  [tcp-ssl:6514]
  sourcetype = syslog
  index = syslog
  disabled = 0
  [sslConfig]
  sslPassword = $7$pZd1k8bLJzFgGDno3jU7PQ4lAIFBoUbdhOAaFDZojyT1H6DGb5RdRA==
  serverCert = /opt/splunk/etc/auth/newssl/prcertkey.pem
  requireClientCert = false
However, when testing the connection with openssl, I get the same behavior: a tcp connection is made, but no certificate activity. I get a CONNECTED(00000148) message which hasn't led me to anything specific. I'm still missing something.
peter
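A quick check of the combined PEM file before pointing Splunk at it, as an added example that is not from the thread. The function name check_server_pem is mine; it assumes openssl is on PATH and that the file follows the order described above (server certificate first, then its private key, then intermediate and root certificates). It fails on the two states the post describes: a file that contains certificates but no private key, and a private key that does not belong to the first certificate. An optional second argument is the key passphrase.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-checks a combined PEM bundle
# laid out the way the post describes for Splunk's serverCert:
#   server certificate, then its private key, then intermediate/root certs.
# Assumptions: openssl on PATH; the function name check_server_pem is mine.
#
# usage: check_server_pem <bundle.pem> [key passphrase]
check_server_pem() {
  pem=$1
  pass=${2:-}
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

  # 1. The first PEM block must be a certificate: the first certificate in
  #    the file is the one presented as the server certificate.
  first=$(grep -m1 -- '^-----BEGIN ' "$pem")
  case $first in
    *CERTIFICATE*) ;;
    *) echo "first block is '$first'; the server certificate must come first" >&2
       return 1 ;;
  esac

  # 2. There must be a private key block at all. A bundle with only
  #    certificates (the poster's original file) cannot complete a handshake.
  if ! grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$pem"; then
    echo "no private key in $pem; append it after the server certificate" >&2
    return 1
  fi

  # 3. The key must belong to the first certificate: compare public keys.
  #    openssl skips PEM blocks of other types, so both commands can read
  #    the combined file directly.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || {
    echo "cannot parse the first certificate" >&2; return 1; }
  key_pub=$(openssl pkey -in "$pem" -pubout -passin "pass:$pass" 2>/dev/null) || {
    echo "cannot load the private key (wrong passphrase?)" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the first certificate" >&2
    return 1
  fi

  ncert=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$pem")
  echo "ok: $ncert certificate(s), private key matches the server certificate"
}

# Stand-alone use: check_server_pem /opt/splunk/etc/auth/newssl/prcertkey.pem [passphrase]
if [ $# -ge 1 ]; then
  check_server_pem "$@"
fi
```

Run it as `sh check_pem.sh /opt/splunk/etc/auth/newssl/prcertkey.pem 'passphrase'`. Two further things worth checking in this setup: inputs.conf reads its TLS settings from an [SSL] stanza, not [sslConfig] (that stanza name belongs to server.conf), so serverCert, sslPassword and requireClientCert as written above are not applied to [tcp-ssl:6514]; and once they are, `openssl s_client -connect <host>:6514 -showcerts </dev/null` should print the certificate chain rather than stopping at CONNECTED.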
Thank you for the edit. I got it to work after adding a : after usage, as without it nothing was generating. Thank you for your assistance.
  index="main" source="C:\\Admin\StorageLogs\storage_usage.log"
  | rex "usage: (?<usage>[^%]+)% used"
  | where usage >= 75
Hello Ismo, I am able to create an alert, but it does not send the alerts to Slack. I did check that the Slack Alert Setup has an updated "Slack App OAuth Token". Are there any steps I am missing? (By the way, if I chose email instead of Slack the alerts go through)
It is highly reliant on what your servers are like, but here is a Google search that might help you to install Java on various systems for Splunk: https://www.google.com/search?q=site%3Asplunk.com+install+java