All Posts

I am looking to extract this section of an event and have it as a field that I am able to manipulate. I am unfamiliar with regex and I am getting the wrong results.

Events:

<28>1 2025-02-19T15:14:00.968210+00:00 aleoweul0169x falcon-sensor-bpf 1152 - - CrowdStrike(4): SSLSocket Disconnected from Cloud.
<30>1 2025-02-19T15:14:16.104202+00:00 aleoweul0169x falcon-sensor-bpf 1152 - - CrowdStrike(4): SSLSocket connected successfully to ts01-lanner-lion.cloudsink.net:443

I am looking to have a field called Disconnect based on "SSLSocket Disconnected from Cloud".
I want to extract a value from the following field while indexing the data, and use it to map the event to an index.

vs_name=v-jupiter-prd-cbc-us.sony-443-ipv6

I want to extract everything after v- and up to sony, i.e. jupiter-prd-cbc-us.sony, as fqdn, so that this fqdn can be checked against a lookup to map it to the correct index. Please help me with the props and transforms to extract fqdn correctly.
The reason I want to revert is because of this known issue:

2024-12-03 PSAAS-20901 supervisord failing to start on warm standby instance
https://docs.splunk.com/Documentation/SOARonprem/6.3.1/ReleaseNotes/KnownIssues

When SOAR needs to be restarted on our warm standby it fails to start because supervisord can't start. The only workaround I've been able to find is disabling the warm standby so it's a primary, then restarting SOAR, after which I set the server as the warm standby again.
Thanks for the reply. I understand that the error is due to there being no results, but that is exactly what I require: that it does not throw an error when there are no results, since when saving my correlation search it always throws an error and never completes a search. Is there any way to avoid this?
Thank you for your reply. I need a completely different data source for the Table depending on the dropdown selection. If the value selected in the dropdown is equal to "caddy", set the Table dataSource to "ds_EHYzbg0g"; if the value is "nginx", set the Table dataSource to "ds_8xyubP1c":

"ds_EHYzbg0g": {
    "type": "ds.search",
    "options": {
        "query": "host=\"$select_hosts$\" program=\"$select_program$\" priority=\"$select_log_leel$\" | fields host,program,sourceip"
    },
    "name": "logs_program_caddy"
}
Hi @livehybrid,

I've come to find out that monitoring the search itself is all I was able to find in the logs. I cannot seem to find a trace of an API sync or an API pull. I'm sure it exists, but I can't find anything in the _internal index related to it. Looking in there was also what was suggested by our technical representative.

I'll mark "monitor the sync" as the solution as an alternative.

Thanks!
Hi @gcusello! Also interesting: the alerts in the index seem good, but the loading of the events in the Events dashboard never ends.
Hi @kemeris

Is the program you want to filter by in the data source? Or do you need to load a completely different data source depending on the dropdown selection? Assuming you want to apply a filter to the search based on the dropdown value, you would do something like this:

index=yourData platform=$platform$

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hi Giuseppe! Thank you for your answer. I double checked, but my alerts are already global. I think there is another problem. Thanks, A
Hi @Andras, in the Alert Manager App you can see only alerts shared at Global level, so you have to change the permissions on your alerts from App level to Global level. Ciao. Giuseppe
Hello Everyone! I installed Splunk and Alert Manager Enterprise in VirtualBox for learning purposes (4 CPU / 8 GB RAM). I configured AME via the documentation. Health Check is green. I can send test alerts, and they appear in the ame_default index.

However, the alerts don't appear in the Events. It hangs forever. I have some broken pipe errors, but they also appear in another working environment. Thank you for your help. A
Was able to get it working this way.

index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR!=INFO _raw=*
| eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector")
| search error_msg=*
| dedup connName
| table host connName error_msg ERROR
@Ciccius You need to configure a Data Input similarly to how you would set up File Monitor, Performance Monitors etc. Splunk would need to know what to read, from where to read and how frequently to read, where to index, and the source/sourcetype setup etc. These you would need to configure in inputs.conf, either through Splunk Web or the CLI. Refer to the documentation:

Get data from APIs and other remote data interfaces through scripted inputs - Splunk Documentation

Also read the Writing Reliable Scripts documentation, as most of the time scripted inputs have a wrapper script as well, and maintain their own last-indexed data, recovery, parallel execution etc.:
https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup

Once you have completely tested and made your scripted input robust for your scenario, you may be able to build an Add-on using Splunk Add-on Builder, or move towards creating your own Modular Input for Splunk:
https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/
I have a drop-down named "Program" and a Table with the static dataSource "ds_EHYzbg0g". How do I define the dataSource for the Table dynamically based on the value from the drop-down "Program"?

{
    "options": {
        "items": [
            { "label": "All", "value": "*" }
        ],
        "defaultValue": "*",
        "token": "select_program"
    },
    "dataSources": { "primary": "ds_8xyubP1c" },
    "title": "Program",
    "type": "input.dropdown"
}

{
    "type": "splunk.table",
    "options": {
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByTheme)"
        },
        "columnFormat": {
            "_raw": {
                "data": "> table | seriesByName(\"_raw\") | formatByType(_rawColumnFormatEditorConfig)"
            }
        },
        "count": 50
    },
    "dataSources": { "primary": "ds_EHYzbg0g" },
    "context": {
        "_rawColumnFormatEditorConfig": {
            "string": { "unitPosition": "after" }
        }
    },
    "showProgressBar": true,
    "containerOptions": {},
    "showLastUpdated": false
}
Hi all, I have configured a new script in 'Data inputs' to feed my index with data from a REST API. The script is written in Python 3; it does a simple request to the endpoint, gathers the data, does some small manipulation of it, and writes it to stdout with the print() function. The script is placed in the 'bin' folder of my app, and using the web UI I configured it without any issue to run every hour. I tested it by running it manually from the command line and the output is what I expected. In splunkd.log I have the trace that Splunk ran it, as follows:

02-19-2025 10:49:00.001 +0100 INFO ExecProcessor [3193396 ExecProcessor] - setting reschedule_ms=86399999, for command=/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/adsmart_summary/bin/getCampaignData.py

... and nothing more is logged, neither errors nor anything else. But in the index I chose in the web UI there is no data coming from the script. Where can I start checking what is going on? Thanks!
Hey, we have come across the same requirement to duplicate the Grafana dashboard in Splunk for observability. Currently we have our k8s dashboard in Grafana, but now somehow we need to replicate it in Splunk Observability Cloud. How can this be done? Thanks

#splunkcloud #grafana
Hi @narenpg, probably you're using a base search in your dashboard; in this case, CSV export is disabled. To export in CSV, you have to open the panel in Search and then export the results in CSV. Ciao. Giuseppe
@shashank9

1. Then, when I tried to only grep for 9997 (netstat -tulnp | grep 9997) I did not see any output.
--> It means the indexers are NOT listening for incoming data. This could mean:
- The HF is not configured to listen on port 9997.
- Network issues are preventing the HF from binding to port 9997.

Verify that outputs.conf on the HF is correctly configured. Ensure there are no typos in the IP addresses or port numbers.
--> Your outputs.conf looks correct:

[tcpout:errorGroup]
server=indexr_1_ip_addr:9997

[tcpout:successGroup]
server=indexer_2_ip_addr:9997

On the HF, in the file /opt/splunk/var/log/splunk/test.log I changed the user and group to ec2-user.
--> The file permissions for /opt/splunk/var/log/splunk/test.log seem correct. However, ensure that the Splunk process has the necessary permissions to read the file. You can check the Splunk user running the HF and adjust permissions accordingly.

Check the splunkd.log on the heavy forwarder:

tail -n 100 /opt/splunk/var/log/splunk/splunkd.log | grep -i "ERROR"
tail -n 100 /opt/splunk/var/log/splunk/splunkd.log | grep -i "WARN"

Verify that the Splunk process is running on the HF:

ps -ef | grep splunkd

Finally, I would recommend you add this to the heavy forwarder:

cd /opt/splunk/etc/system/local
vi inputs.conf

[splunktcp://9997]
disabled = 0

Restart Splunk.
It is not complete JSON when it arrives. It's raw data from which I have removed unwanted lines in the master props.conf with SEDCMD, and then I set KV_MODE on the SH.
Hi @Praz_123

Try the following SPL query, which you can then export / save the results of.

| tstats count where index=_dsappevent data.serverClassName=100_IngestAction_AutoGenerated data.action=Install by data.clientId, data.serverClassName
| rename data.* as *
| table serverClassName clientId
| append [
    tstats count where index=_dsclient by data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId data.instanceName data.ip data.mgmt data.name data.package data.packageType data.splunkVersion data.utsname datetime
    | dedup data.clientId sortby -datetime
    | rename data.* as *
]
| stats values(*) AS * by clientId
| table serverClassName clientId hostname

Replace "100_IngestAction_AutoGenerated" with your chosen serverclass.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will