@livehybrid this instance of Splunk Cloud was created yesterday. So all the events are new and from my test. My search is set to last 7 days by default. But none of the events have the data. If you see the raw event details in my second screenshot, it shows the format "json" but not the raw data. Am I looking in the right place?
So jumping into this search question https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845 the search I am using is:

| rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 | table title, disabled, action.hangout_chat_alert, action.email

I came across the question of whether there is any documentation on what the 1, 0 or blank means on some of the fields. I have this alert that only has a HangoutChat alert set up. When I run the query above it shows title, disabled=0, action.hangout_chat_alert=0 and action.email=0. I'm confused as to why email and hangout are returning the value 0; shouldn't it be like this: disabled=0 returns all alerts that are active and 1 is alerts that are actually disabled, so title, disabled=0, action.hangout_chat_alert=0 and action.email=blank? My understanding of 1, 0 and blank is that 1 is enabled, 0 is disabled and blank means it was not set up with that action. Now on the original post you can see Mr @woodcock explaining that alert.track=1 means it's an alert and 0 means it's a report. With all the other ones I don't believe it works the same. Is there documentation that has this topic covered? And how does my alert above end up with action.email=0 even though I clearly have not set that action with my alert, only HangoutChat as the action?

ALL APPS:
| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Search app only:
| rest /servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule
Thank you. I discovered the options with the custom property before. But as I understand it, it is a static mapping. I can add a custom property not to the dimension but to a particular value of this dimension. Am I right?

Let's suppose I have 3 databases with azure_resource_id like:
/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPRTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE1
/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPRTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE2
/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPRTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE3

To use a custom property I need to choose the particular value /SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPRTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE1 in the Metric Metadata and add a new custom property DBNAME=THE_NAME_OF_DATABASE1. The same I need to do for the second and the third database. After that I can use the custom property DBNAME in the chart only for these three databases. But I need the ability to make a correlation between any /SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPRTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE_N and THE_NAME_OF_DATABASE_N without N additions of custom properties. Please could you answer this?
Hi @swlf

Whilst it's showing as 0 bytes, it does show that there are 11 events in your index? Try doing a search for all time on that index (since there are only 11 events) to confirm if this is/isn't the data you are expecting. It could be that the 0 Bytes shown is just a rounding error given the small number of events!

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
I'm not seeing any Karpenter logs show up. We're using a very basic deployment of the Splunk OTel Chart. Any advice on what's needed to get Karpenter logs to show up?
You can set a custom property such as 'the_name_of_the_database' and map it to a current dimension's name/value pair. You can do this in settings -> metric metadata. In your case, you would likely key off of "DatabaseResourceId=/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPRTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE" and then set a custom property of "the_name_of_the_database=THE_NAME_OF_THE_DATABASE". To get started, search for 'DatabaseResourceId' in the metric metadata. Metric Metadata: https://docs.splunk.com/observability/en/metrics-and-metadata/metrics-finder-metadata-catalog.html You may also want to leverage the SignalFlow promote() function (depending on what you want to do with that custom property). You can filter/search without using promote() but if you want to display the_name_of_the_database on a chart, you'll likely need to use promote(). https://dev.splunk.com/observability/docs/signalflow/methods/promote_stream_method/    
Hi @Cievo - please can you reference the documentation relating to "enableSplunkdSidechannel"? This isn't something that I am familiar with.

@kiran_panchavat The information on "you must download the ACS Open API 3.0 specification" is incorrect in relation to this? This does not relate to the question and is not a requirement for using ACS?

@stevensk Whilst I'm not able to give the answer you might want, I do not believe it's possible to see a per-source breakdown for data received from HEC. I have tried this in the past and it led nowhere, however hopefully someone here might be able to shine more light on it.

You can see metrics in
index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector
which will give info at per-HEC-token level - however there aren't logs which combine a metric for HEC token and source.

The only other way to approach this would be to improve segregation with your HEC tokens so that you can maybe search specific indexes/sourcetypes/sources for data you know comes from a specific HEC token, OR add a custom field into the HEC payload which you can then use to determine the metrics you need (this is what I ended up doing!)

Good luck

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
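As an added example (not from this thread and not Splunk's own code), here is the "custom field in the HEC payload" approach from the reply above in runnable form, built around the same kind of POST as the curl test elsewhere in this thread. A small client stamps each event with a fields.sender value, and a local stand-in receiver models the one thing that matters for the exchange, the Authorization: Splunk <token> check. The token, host names and port are constructed; the two response bodies imitate HEC's documented "Success" and "Invalid token" replies, and the stand-in does nothing else that real HEC does.

```python
"""
Added example: HEC client that tags each event with the real sender,
plus a local stand-in receiver so the exchange runs offline.
Token, hosts and port are constructed; only the auth check is modelled.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_TOKEN = "00000000-0000-0000-0000-000000000001"  # constructed, not a real token
RECEIVED = []  # events the stand-in receiver accepted


class FakeHEC(BaseHTTPRequestHandler):
    """Stand-in for /services/collector: checks the Authorization header,
    then stores the event. Real HEC also validates the target index and
    sourcetype; this models authentication only."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        auth = self.headers.get("Authorization", "")
        if auth != f"Splunk {VALID_TOKEN}":
            # Same shape as HEC's documented 403 reply for a bad token.
            self._reply(403, {"text": "Invalid token", "code": 4})
            return
        RECEIVED.append(json.loads(body))
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the receiver quiet
        pass


def start_receiver():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeHEC)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def hec_event(event, sender, sourcetype="event"):
    """Build a HEC JSON payload. `fields` become indexed fields at ingest,
    so `sender` stays searchable even though HEC metrics only know the
    token and, on Cloud, the load balancer IP."""
    return {"sourcetype": sourcetype, "host": sender, "event": event,
            "fields": {"sender": sender}}


def send(url, token, payload):
    """POST one event with the HEC auth header; return (status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a JSON body
        return e.code, json.loads(e.read())


def demo():
    """Run a good and a bad token against the stand-in; return both results."""
    srv = start_receiver()
    url = f"http://127.0.0.1:{srv.server_port}/services/collector"
    ok = send(url, VALID_TOKEN, hec_event("Test message", "web-01.example"))
    bad = send(url, "not-the-token", hec_event("Test message", "web-01.example"))
    srv.shutdown()
    return ok, bad, list(RECEIVED)


if __name__ == "__main__":
    print(demo())
```

Once such events are indexed, a search on the custom field (for example index=<your index> sender=web-01.example | stats count by sender) gives the per-sender view that _introspection cannot. Two caveats: `fields` is only honoured on the JSON event endpoint, not on /services/collector/raw, and a sender that lies about its own name is not caught by this, so keep tokens per sender group as the reply above suggests.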
Hi! This is my first time using Splunk and I am on the free trial version. I set up an HEC token and ran a test on Windows with this command:

curl -k https://prd-p-n38b3.splunkcloud.com:8088/services/collector -H "Authorization: Splunk 78c2aexx-xxxx-xxxxx-xxxx-xxxxx869e53" -d "{\"sourcetype\": \"event\", \"event\": \"Test message\"}"

While the events are being generated, I see 0 bytes. What am I doing wrong? I also see the events in the HEC logs but no data.
@stevensk

Before using the ACS API, you must download the ACS Open API 3.0 specification, which includes the parameters, codes, and other data you need to work with the ACS API. You must also create an authentication token in Splunk Cloud Platform for use with ACS endpoint requests. For details on how to set up the ACS API, see
https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ACSusage#Set_up_the_ACS_API
https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ManageHECtokens#View_existing_HEC_tokens_2
@stevensk  To monitor which sources or devices are using specific HEC tokens in Splunk Cloud, you can leverage the Admin Config Service (ACS) API. Here's a high-level overview of how you can achieve this: https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ManageHECtokens 
Hi, thanks for the info. This is Splunk Cloud so we cannot edit any conf files, nor is there an option in the Web UI when creating HEC tokens to enable this.

The following search seems to give all errors for devices trying to connect with a HEC token, but I do not seem to see successful sources, only failed:
index=_internal sourcetype=splunkd component=HttpInputDataHandler

Also the source_IP values, since it is Splunk Cloud, are the Splunk Cloud load balancer IPs. We were told this in a case with Splunk.
@stevensk

You could get the configured HEC tokens/inputs from a HEC node, e.g.
| rest splunk_server=<your hec node> /services/data/inputs/http
Of course you should have added that node as a search peer of your SH, or just run the above against your HEC node(s) with curl. That query shows the allowed indexes and forced indexes for those tokens.

Another way to check which tokens are used is the _introspection index, with the query below:
index=_introspection host=YOUR_HEC_HOST sourcetype=http_event_collector_metrics data.token_name=* | rename data.* as * | table host, component, token_name, num_*

If there are 0 num_of_requests or num_of_events for a longer time span then I guess you can disable those tokens for a few days and then remove them.
I am pushing the configs from the cluster master to two indexers. No HF. The change in transforms still did not work. I am using the Splunk_TA_mcafee-wg. Is it possible that a configuration is taking precedence over my changes? I have tried making a local folder in the app and adding the props and transforms there. No luck.
Hello @stevensk

To be able to see the source IP of HEC forwarders you need to enable logging in the HEC's inputs.conf file:
[http]
enableSplunkdSidechannel = true

And then run a search to see the logs containing a specific token:
index=_internal sourcetype=splunkd "token="

To filter by source IP you can run for example this search:
index=_internal sourcetype=splunkd "token=" | rex "sourceIp=(?<source_ip>\d+\.\d+\.\d+\.\d+)" | stats count by source_ip

I hope this will help you. Have a nice day,
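Added example, not part of either reply above: the two token-usage checks from this thread done offline in Python over constructed data, so the logic is visible end to end. The first part rolls up _introspection http_event_collector_metrics records by token and flags tokens with zero requests in the window (the "disable for a few days, then remove" candidates from the earlier reply), and separately tokens where every request errored, which is either a broken sender or someone probing with a revoked token. The second part is the Python equivalent of the rex above, counting by token and source IP. The record field names follow the searches in this thread; the splunkd line layout with token= and sourceIp= is an assumption matching the rex, and as noted earlier in the thread, on Splunk Cloud those IPs are the load balancer addresses, so the second check is only useful on-prem.

```python
"""
Added example: HEC token audit over constructed _introspection records
and constructed splunkd lines. Field names follow the thread's searches;
the sourceIp=/token= line layout is assumed from the rex in the post.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed _introspection records, shaped like `data.token_name` and the
# `num_*` fields the thread's query tables after `rename data.* as *`.
INTROSPECTION_SAMPLE = [
    {"host": "hec-01", "data": {"token_name": "syslog_fw", "num_of_requests": 120, "num_of_events": 4800, "num_of_errors": 0}},
    {"host": "hec-01", "data": {"token_name": "syslog_fw", "num_of_requests": 98, "num_of_events": 3900, "num_of_errors": 2}},
    {"host": "hec-01", "data": {"token_name": "legacy_app", "num_of_requests": 0, "num_of_events": 0, "num_of_errors": 0}},
    {"host": "hec-02", "data": {"token_name": "legacy_app", "num_of_requests": 0, "num_of_events": 0, "num_of_errors": 0}},
    {"host": "hec-02", "data": {"token_name": "k8s_otel", "num_of_requests": 7, "num_of_events": 7, "num_of_errors": 7}},
]

# Constructed splunkd lines. The token=... sourceIp=... layout is an
# assumption taken from the rex in the post, not copied from a real log.
SPLUNKD_SAMPLE = """\
02-21-2025 10:00:01.000 +0000 INFO  HttpInputDataHandler - token=syslog_fw sourceIp=10.1.1.5 request accepted
02-21-2025 10:00:02.000 +0000 INFO  HttpInputDataHandler - token=syslog_fw sourceIp=10.1.1.5 request accepted
02-21-2025 10:00:03.000 +0000 INFO  HttpInputDataHandler - token=k8s_otel sourceIp=10.2.0.9 request accepted
02-21-2025 10:00:04.000 +0000 WARN  HttpInputDataHandler - Failed processing http input, token=k8s_otel sourceIp=10.2.0.9 reply=6
02-21-2025 10:00:05.000 +0000 INFO  Metrics - group=thruput name=index_thruput instantaneous_kbps=1.2
"""

# Same idea as the post's rex, with the token captured alongside the IP.
LINE_RE = re.compile(r"token=(?P<token>\S+).*?sourceIp=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def rollup_tokens(records):
    """Sum every num_* counter per token across all HEC hosts in the window,
    the SPL equivalent being `stats sum(num_*) by token_name`."""
    totals = defaultdict(Counter)
    for rec in records:
        d = rec["data"]
        for key, value in d.items():
            if key.startswith("num_"):
                totals[d["token_name"]][key] += value
    return {token: dict(c) for token, c in totals.items()}


def unused_tokens(records):
    """Tokens that received no requests anywhere: disable first, delete later."""
    return sorted(t for t, c in rollup_tokens(records).items()
                  if c.get("num_of_requests", 0) == 0)


def error_only_tokens(records):
    """Tokens whose every request errored: a misconfigured sender, or a
    revoked/mistyped token being retried by something you should find."""
    return sorted(t for t, c in rollup_tokens(records).items()
                  if c.get("num_of_requests", 0) > 0
                  and c.get("num_of_errors", 0) >= c["num_of_requests"])


def count_by_source_ip(log_text):
    """Equivalent of the post's rex + `stats count by source_ip`, keyed by
    (token, ip) so one IP using several tokens stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m["token"], m["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print(json.dumps(rollup_tokens(INTROSPECTION_SAMPLE), indent=1))
    print("unused:", unused_tokens(INTROSPECTION_SAMPLE))
    print("error-only:", error_only_tokens(INTROSPECTION_SAMPLE))
    print(count_by_source_ip(SPLUNKD_SAMPLE))
```

Run the rollup over a window long enough to cover batch senders (weekly jobs are the usual false positive for "unused") before disabling anything, and treat an error-only token with a non-zero request count as something to investigate rather than just clean up.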
@gcusello I see. As for your comment "if instead you need to exclude both the holidays and the one following days, you have to implement a mix between the two solutions", it's a no. It's simpler than that. Just need to add one following day to the lookup table date, for muting. Tried my query but it doesn't seem like the results are correct. Or how would you go about it?
We want to be able to monitor what sources/devices are using what HEC tokens. I know we can use _introspection to retrieve metrics on a HEC token to see if it is being used, but need to know "what" is sending to/using a HEC token. What sources (IP or host) are sending to a HEC token. We are using Splunk Cloud.
Create another dashboard or panel which displays the event as you would like it and modify the drilldown on the original panel(s) to link to the new dashboard or make the new panel visible in the current dashboard.
Check the ulimits settings to make they meet or exceed Splunk's recommendations. Verify THP is disabled. If both of the above pass then open a case with Splunk Support.
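Added example, not from the reply above: a Linux preflight for the two checks it names, written here rather than taken from Splunk. The thresholds are the commonly cited Splunk Enterprise guidance (open files 64000, user processes 16000, data segment unlimited or at least 1 GiB); treat them as assumptions and confirm them against the docs for your version. Parsing is kept separate from the live sysfs and rlimit reads so the logic can be exercised on constructed input.

```python
"""
Added example: ulimit and transparent huge page preflight for a Splunk host.
Thresholds are assumed from commonly cited Splunk guidance; verify them.
"""
import resource


def thp_selected(sysfs_text):
    """Return the bracketed choice from
    /sys/kernel/mm/transparent_hugepage/enabled, e.g.
    'always [madvise] never' -> 'madvise'. None if the text is malformed."""
    for word in sysfs_text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    return None


def thp_disabled(sysfs_text):
    """Splunk wants THP off, which on this sysfs file means '[never]'."""
    return thp_selected(sysfs_text) == "never"


# rlimit name -> (resource constant, minimum acceptable soft limit).
# Minimums are the assumed guidance values described in the lead-in.
LIMITS = {
    "nofile": (resource.RLIMIT_NOFILE, 64000),
    "nproc": (resource.RLIMIT_NPROC, 16000),
    "data": (resource.RLIMIT_DATA, 1 << 30),
}


def failing_limits(current):
    """current: {name: soft_limit}. Return the names below the minimum;
    an unlimited value (RLIM_INFINITY) always passes, missing names are skipped."""
    bad = []
    for name, (_, minimum) in LIMITS.items():
        value = current.get(name)
        if value is None:
            continue
        if value != resource.RLIM_INFINITY and value < minimum:
            bad.append(name)
    return bad


def read_live_limits():
    """Soft limits of the current process, i.e. what splunkd would inherit
    if started from this shell; check the splunk user's limits, not root's."""
    return {name: resource.getrlimit(const)[0] for name, (const, _) in LIMITS.items()}


def read_thp():
    with open("/sys/kernel/mm/transparent_hugepage/enabled") as f:
        return f.read()


if __name__ == "__main__":
    print("ulimits below guidance:", failing_limits(read_live_limits()) or "none")
    try:
        print("THP disabled:", thp_disabled(read_thp()))
    except OSError:
        print("THP: sysfs entry not present on this host")
```

Run it as the user that starts splunkd, since limits set in limits.conf or a systemd unit only apply to that account; a clean result from root says nothing about the service.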
Well, I expected it to authenticate the account when there is a token present. When Splunk knows that the account exists (It has authenticated before AND it has a token), why is that not sufficient for authentication?
We ended up creating local (splunk) accounts for authenticating with token. Sorry for the late response.