All Posts

Sorry, it was my typo here. In my transforms.conf it is "\,\s+aduit\.admin". Thank you for catching that.
Hi @gcusello, there are many host names, more than 80, in the mentioned search results.
Hi @jtran9373, you have put "adudit" in your regex, not "audit". Is this typo in Splunk too or just on here? This might explain your issue. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
We were told the following - Confluent Vendor has provided the Telemetry URL to configure in the Splunk's Open Telemetry collector to push the metrics from Confluent to Splunk.  Is this the right Integration between Confluent and Splunk, meaning via the Open Telemetry Collector (OTEL)?
feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info
feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf:

sourcetype = rsa:syslog

My props.conf (I would like to change the sourcetype to "admin" or "system" depending on the raw event):

[rsa:syslog]
TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

My transforms.conf:

[change_admin_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.admin
FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.system
FORMAT = sourcetype::rsa:system

But it doesn't work. Thank you for your help.
That's what I thought.  Thank you for confirming.
Changing the name made it work. I had the same class names in the transforms that had different regex. I appreciate the assistance. 
Thanks Will, I've already configured the allow list, although you made a valid point and there's a high chance that I've not listed all possible IPs, something I need to look at. I had another look at the firewall logs and found a field called vendor_action=server-rst. I would imagine this means the connection was reset by the server, although I'm not entirely sure why.
I presume you are trying to install Splunk Enterprise on a Windows machine? Have you considered setting up a WSL (Windows Subsystem for Linux) virtual machine and installing Splunk there? This might be easier than wrangling your anti-virus software!
Hi @tomapatan, you mentioned that there are no blocks on your internal firewall. Are there multiple egress IPs that your connection can connect out on? Are all possible egress IPs allow-listed in Splunk Cloud for Mgmt port / API access to the SHs? If you haven't already, you can configure the allow list via:

Splunk Web - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Admin/ConfigureIPAllowList
ACS API - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ConfigureIPAllowList
ACS CLI - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ACSCLI

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
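As an added example (not part of Will's answer, the thread, or Splunk's documentation), the question "are all possible egress IPs allow-listed?" can be answered mechanically before touching the ACS API: take the subnets currently in the Splunk Cloud allow list and every public address a client can actually leave the network from (office NAT pools, VPN exits, cloud NAT gateways), and report the ones no subnet covers as host entries to add. The subnets and addresses below are constructed placeholders from the documentation ranges, not real infrastructure.

```python
import ipaddress

# Constructed sample values for this example; replace with the subnets shown in your
# Splunk Cloud IP allow list and the public IPs your clients egress from.
CONFIGURED_ALLOWLIST = [
    "203.0.113.0/28",    # office NAT pool (placeholder)
    "198.51.100.7/32",   # primary VPN exit (placeholder)
]
OBSERVED_EGRESS_IPS = [
    "203.0.113.5",       # office
    "198.51.100.7",      # primary VPN exit
    "198.51.100.23",     # secondary VPN exit, missing from the list above
    "2001:db8::10",      # IPv6 egress, never covered by an IPv4-only allow list
]


def uncovered_egress_ips(egress_ips, allowlist):
    """Return the egress IPs that no allow-listed subnet covers, in input order."""
    networks = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    missing = []
    for ip in egress_ips:
        addr = ipaddress.ip_address(ip)
        # 'addr in net' is simply False (not an error) when address families differ,
        # so an IPv6 egress shows up as a gap against an IPv4-only list.
        if not any(addr in net for net in networks):
            missing.append(str(addr))
    return missing


def subnets_to_add(ips):
    """Turn the gaps into host routes (/32 or /128) so the allow list stays tight:
    adding whole ranges 'to be safe' widens who can reach the management port."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    result = []
    for version in (4, 6):  # collapse_addresses refuses mixed families, so split them
        same = [n for n in nets if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


if __name__ == "__main__":
    gaps = uncovered_egress_ips(OBSERVED_EGRESS_IPS, CONFIGURED_ALLOWLIST)
    if gaps:
        print("egress IPs not covered by the allow list:", gaps)
        print("host entries to add:", subnets_to_add(gaps))
    else:
        print("every observed egress IP is allow-listed")
```

A TCP reset during the TLS handshake on 8089, as in the curl output in the original question, is consistent with the source address simply not being on the list, so running this against the real egress set is a cheaper first step than packet captures. Collect the egress addresses from each network path a client uses rather than guessing, since a NAT pool or secondary VPN exit is exactly the case this check is meant to catch.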
Hi @TheEggi98, that is very odd! I also see the same issue you are getting (Splunk returning 25920). I would suggest filing a support case (https://www.splunk.com/en_us/about-splunk/contact-us.html#customer-support) and raising this so that a bug can be raised internally. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @vikashperiwal, there isn't any GUI bulk command to do this; the fastest way is to work on the metadata.local file. Ciao. Giuseppe
Hi fellow Splunkers, recently I deployed WinPrintMon inputs to our print server to check driver versions and found out that Splunk falsely calculates the modulus. Tested in Enterprise 9.3.2 and 9.4.0. In the calculated version I found that the revision of a driver differs from Print Management on that print server directly. I calculate the revision like this: version % pow(2,16). In my case the calculation translates to 17171305019303231 % 65536. Splunk calculates 25920, which isn't correct; it is 25919.
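As an added example (not from the post or from Splunk), the Python below reproduces both results and shows where the difference comes from. It assumes two things: that the WinPrintMon version field is the 64-bit packed Windows driver version (four 16-bit parts, major.minor.build.revision), and that eval arithmetic in Splunk runs in IEEE 754 double precision, which represents integers exactly only up to 2**53. 17171305019303231 is above that limit and odd, so it is rounded to the nearest even double, 17171305019303232, before the modulus is taken; 25920 is the remainder of the rounded value, 25919 of the true one. The last function computes the same remainder using only integers below 2**53, i.e. arithmetic that stays exact in double precision.

```python
# Value quoted in the post (a packed Windows driver version, by assumption).
VERSION = 17171305019303231


def unpack_version(v: int):
    """Exact decode with Python integers: (major, minor, build, revision).
    Assumes the usual Windows driver packing, high 16 bits first."""
    return ((v >> 48) & 0xFFFF, (v >> 32) & 0xFFFF, (v >> 16) & 0xFFFF, v & 0xFFFF)


def revision_exact(v: int) -> int:
    """Integer arithmetic, no rounding."""
    return v % 2**16


def revision_as_double(v: int) -> int:
    """Mimic double-precision arithmetic: the integer is rounded to the nearest
    representable double (ties to even) before the modulus is taken."""
    return int(float(v)) % 2**16


def is_exact_in_double(v: int) -> bool:
    """Integers with |v| > 2**53 cannot all be represented exactly as doubles."""
    return abs(v) <= 2**53


def revision_from_decimal_string(s: str) -> int:
    """v mod 2**16 using only integers below 2**53.
    10**15 = 2**15 * 5**15, so 10**15 mod 2**16 == 32768. Splitting the decimal
    string as v = high*10**15 + low gives
        v mod 2**16 == (low + 32768 * (high mod 2)) mod 2**16,
    and every intermediate value here is below 2**53, hence exact as a double."""
    s = s.strip()
    low = int(s[-15:])             # at most 15 digits, < 10**15 < 2**53
    high = int(s[:-15] or "0")     # leading digits; only their parity matters
    return (low + 32768 * (high % 2)) % 65536


if __name__ == "__main__":
    print("decoded:", unpack_version(VERSION))
    print("exact revision:", revision_exact(VERSION))
    print("double-precision revision:", revision_as_double(VERSION))
    print("nearest double:", float(VERSION), "exact?", is_exact_in_double(VERSION))
    print("from decimal string:", revision_from_decimal_string(str(VERSION)))
```

The same split-and-combine arithmetic can be written in eval with substr(), tonumber() and % on the raw string value of the field (untested here); the important part is to never let the full 17-digit number pass through a floating-point operation, because the rounding happens on the way in, not in the modulus itself.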
Hi @siemsplunk, could you try that command again but use current_member_uri instead? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @Roy_9, see if this old answer can help you: https://community.splunk.com/t5/Splunk-Enterprise/Splunk-on-ARM-Achitecture/m-p/512005 If you don't find it in the download section, open a ticket with Splunk Support. Ciao. Giuseppe
Hello, I am looking to download the Forwarder package for Windows ARM for Surface 7 laptops and am not finding the link. Please help me with it. Thanks
Hi, I'm trying to make an API request from my local machine to our Splunk Cloud instance, without much success. Checked the firewall logs and I can't see any blocked/denied traffic. Using:

- curl 7.29.0
- nss-3.90

Error received:

* Host myDomain.splunkcloud.com:8089 was resolved.
* IPv6: (none)
* IPv4: xx.xx.xx.xxx
* Trying xx.xx.xx.xxx:8089...
* Connected to myDomain.splunkcloud.com (xx.xx.xx.xxx) port 8089
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* Recv failure: Connection was reset
* schannel: failed to receive handshake, SSL/TLS connection failed
* closing connection #0
curl: (35) Recv failure: Connection was reset
Hi, I have a case where I want to restrict users from the edit option and from cloning the dashboard. Currently we have 200+ dashboards with read-write permission and we can't exclude them from the current role. What I did now: I created a new role, say "restricted", and the plan is to keep everything as it is and enable the dashboards with the new role. Issue: we have 200+ dashboards, so doing this manually is not feasible. Is there a way I can revoke the write access (current role) in one shot and assign the dashboards to the new role, which will restrict users?
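As an added example (not from the thread or from Splunk), here is the "work on the metadata file" approach from Giuseppe's reply to @vikashperiwal above, applied to the bulk change asked for in this question. Splunk stores object permissions per app in metadata/local.meta as stanzas like [views/<dashboard>] with an access line of the form "access = read : [ roles ], write : [ roles ]"; the script rewrites every [views/...] stanza so that write is limited to the roles you name, keeps the existing read list, and adds an explicit access line where a dashboard had none. The local.meta content below is constructed for the example; the dashboard and role names are placeholders, and the function returns the new text plus a change log so you can review before writing anything back.

```python
import re

# Constructed sample of $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta (placeholder
# dashboards and roles, not from the thread).
SAMPLE_LOCAL_META = """\
[views/sales_overview]
access = read : [ * ], write : [ admin, power ]
export = system
owner = admin

[views/soc_triage]
owner = analyst1
export = none

[savedsearches/weekly_report]
access = read : [ * ], write : [ admin, power ]

[views/exec_kpis]
access = read : [ user, power ], write : [ power ]
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
ACCESS_RE = re.compile(
    r"^access\s*=\s*read\s*:\s*\[(?P<read>[^\]]*)\]\s*,\s*write\s*:\s*\[(?P<write>[^\]]*)\]\s*$"
)


def _roles(text):
    return [r.strip() for r in text.split(",") if r.strip()]


def _split_stanzas(text):
    """Return [(stanza_name_or_None, [body lines])] preserving order and blank lines."""
    stanzas, name, body = [], None, []
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanzas.append((name, body))
            name, body = m.group("name"), []
        else:
            body.append(line)
    stanzas.append((name, body))
    return stanzas


def restrict_view_writes(meta_text, write_roles, default_read=("*",)):
    """Limit write on every [views/...] stanza to write_roles; read is preserved.
    Stanzas without an access line get one (read from default_read) so they no
    longer inherit a wider ACL from default.meta. Other object types are untouched.
    Returns (new_text, {view: (old_write_roles, new_write_roles)})."""
    keep = ", ".join(write_roles)
    out, changes = [], {}
    for name, body in _split_stanzas(meta_text):
        if name is not None:
            out.append(f"[{name}]")
        if name is None or not name.startswith("views/"):
            out.extend(body)
            continue
        new_body, found = [], False
        for line in body:
            m = ACCESS_RE.match(line)
            if m:
                found = True
                changes[name] = (_roles(m.group("write")), list(write_roles))
                line = f"access = read : [ {m.group('read').strip()} ], write : [ {keep} ]"
            new_body.append(line)
        if not found:
            changes[name] = ([], list(write_roles))
            new_body.insert(0, f"access = read : [ {', '.join(default_read)} ], write : [ {keep} ]")
        out.extend(new_body)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    new_text, log = restrict_view_writes(SAMPLE_LOCAL_META, ["admin"])
    for view, (old, new) in log.items():
        print(f"{view}: write {old or '(inherited)'} -> {new}")
    print(new_text)
```

Run it against a copy of the real local.meta, diff the output, and only then replace the file; Splunk reads metadata from disk, so restart or reload the app for the change to take effect, and remember that a bare [views] stanza (app-wide default) is deliberately left alone here. Giving the new "restricted" role read only and keeping write with admin is the least-privilege end state the question describes; users who can still write a dashboard can also change the searches it runs, which is why trimming the write list matters more than hiding the Edit button.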
When I run

./splunk add shcluster-member -new_member_uri https://<CAPTAIN_IP>:8089

I get

Failed to proxy call to member https://<CAPTAIN_IP>:8089. ERROR: Node splsearch02 is already part of cluster id=2A5DDFE0-B873-4201-8B68-D2ACB4873DA7. A node cannot be part of two clusters. If you want to re-purpose this node, run 'splunk clean all' to clean this instance and then add to the cluster.
Hi @Singh10, why are you using _TCP_ROUTING? Did you configure the sample value in outputs.conf? Ciao. Giuseppe