I have a file I'm monitoring that changes several times a day. It is likely that sometimes the file contents will be the same as a previous iteration, but not guaranteed (the file name does not change). The file is in text format and is a few dozen lines long. I want to process the file every time the modtime changes, even if the content is 100% the same, and I want to create a single event with the contents each time.

props.conf:
[my_sourcetype]
DATETIME_CONFIG = current
BREAK_ONLY_AFTER = nevereverbreak
[source::/path/to/file-to-be-read]
CHECK_METHOD = modtime
sourcetype = my_sourcetype

inputs.conf:
[monitor:///path/to/file-to-be-read]
disabled = 0
sourcetype = my_sourcetype
crcSalt = some_random_value_to_try_to_make_it_always_read

If I update file-to-be-read manually by adding new lines to the end, it gets read in immediately and I get an event just like I want. But when the automated process creates the file (with an updated modtime), Splunk seems not to be interested in it. Perms are correct and splunkd.log reflects that the modtime is different and it's re-reading the file... but it doesn't create a new event. I'm sure I'm missing something obvious, but I'd appreciate any advice. Cheers.
@coreyCLI, thank you for this. Adding "flex-basis" resolved the issue for me.
@kiran_panchavat in the Akamai docs, it is stated that the Akamai Splunk Connector requires Java 8 (JRE 1.8) or above. But here you have given JDK. Is it fine to install JDK instead of JRE? Is it the same?
@kiran_panchavat thank you. In the EC2 instance, in which path do I need to run all these commands?
Hi @livehybrid, thanks for your response. Below are sample log file names:
server.log.20250303.1
server.log.20250303.10
server.log.20250303.11
server.log.20250303.12
server.log.20250303.13
server.log.20250303.14
server.log.20250303.15
Are you using the API to dispatch and retrieve the results of a search? If so, does the search take roughly the same amount of time on its own?
Hello, I'll ask around, but I imagine looking at Splunk/AppDynamics pages on LinkedIn should show you open jobs. https://www.splunk.com/en_us/careers.html  
That is odd. I don't know how AppInspect works internally so I could not say for sure it is an issue with AppInspect. Are you able to find any mention of these files with text searches? It is indeed very strange that it would complain about these files after they are deleted and replaced.
Excellent. Always good to give it a restart to refresh everything.
I recommend checking the internal logs for the forwarder. They may contain error messages that indicate why /opt/log/ is not logging. You can use various keywords:
index=_internal host=<forwardername> log_level=ERROR /opt/log/
That worked, thank you!
Try something like this:
| eval resp_bytes=if(resp_bytes=0, "0B", if(resp_bytes<1000000, round(resp_bytes/1024,2) . "KB", if(resp_bytes>=1000000, round(resp_bytes/1024/1024,2) . "MB", null())))
Thanks, but those links don't help that much. I also tried to replicate the CI/CD workflow (security_content/.github/workflows/build.yml at develop · splunk/security_content · GitHub) locally by doing:
pip install contentctl
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
contentctl build --enrichments
Without any success.
Hello, I am trying to write a search query for responding byte sizes that is a catch-all. Currently I have:
index=index 8.8.8.8 | stats sum(resp_bytes) as resp_bytes | eval resp_bytes=if(resp_bytes=0, "0B",if(resp_bytes<1000000,resp_bytes/1024 . "KB",if(resp_bytes>1000000,resp_bytes/1024/1024 . "MB", null)))
I have tested this and it works, but now I am trying to add in a "round" to the 2nd decimal spot, and I'm not sure where it would go.
Hello team, in my distributed Splunk lab created on VMware client virtual machines, I am facing the below issues. The distributed environment consists of the below components with Splunk free licences:
- 4 Indexers (part of an Indexer Cluster)
- 1 Cluster Manager (for managing the indexer cluster)
- 2 Universal Forwarders (UFs) sending data
- 1 DS/LM/MC (Deployment Server + License Manager + Monitoring Console combined on one server)
- 1 Search Head (for searching and dashboards)
I am facing an issue enabling Splunk monitoring for the /opt/log directory. I have checked that /var/log can be monitored successfully, whereas the Splunk forwarder fails to monitor the /opt/log directory. I have checked permission issues and other things, but no luck.
Hi @narenpg
You need to use FIELD_NAMES in your props to set the field names in this case, e.g. FIELD_NAMES=name,count,count_perc,region for this test CSV:
"name","count","count%","region"
"John Smith","245","12.3%","North"
"Mary Johnson","189","9.5%","South"
"James Williams","167","8.4%","East"
"Sarah Davis","156","7.8%","West"
"Michael Brown","143","7.2%","North"
"Jennifer Wilson","134","6.7%","South"
"Robert Taylor","128","6.4%","East"
"Elizabeth Anderson","112","5.6%","West"
"David Martinez","98","4.9%","North"
"Susan Thompson","87","4.4%","South"
Please let me know how you get on, and consider adding karma to this or any other answer if it has helped. Regards, Will
@User3 Refer to the Splunk Security Content documentation for troubleshooting common errors. This can provide insights into resolving specific validation errors: Troubleshooting common errors - Splunk Documentation; [BUG] - Build Failing Everytime · Issue #2894 · splunk/security_content
@Karthikeya Please have a look: https://www.youtube.com/watch?v=njniDvVqWik https://www.youtube.com/watch?v=YY_Qk8EqzQw
@Karthikeya To install Java on your Splunk instances running in AWS, follow these steps based on your instance's OS:

For Amazon Linux / RHEL / CentOS
Update the package manager:
sudo yum update -y
Install OpenJDK (recommended) or Oracle JDK. For OpenJDK 11 (recommended for Splunk):
sudo yum install -y java-11-openjdk
If you need Java 8:
sudo yum install -y java-1.8.0-openjdk
Verify installation:
java -version

For Ubuntu/Debian
Update the package manager:
sudo apt update && sudo apt upgrade -y
Install OpenJDK (recommended) or Oracle JDK. For OpenJDK 11 (recommended for Splunk):
sudo apt install -y openjdk-11-jdk
If you need Java 8:
sudo apt install -y openjdk-8-jdk
Verify installation:
java -version

For Amazon Linux 2023
Amazon Linux 2023 uses dnf instead of yum:
sudo dnf install -y java-11-amazon-corretto

Setting JAVA_HOME (if required)
Find the Java installation path:
sudo update-alternatives --config java
or
readlink -f $(which java)
Add the JAVA_HOME path to /etc/environment:
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' | sudo tee -a /etc/environment
source /etc/environment
@Karthikeya  Please check this https://stackoverflow.com/questions/77418759/how-do-i-install-java-in-an-ec2-instance