All Posts

"rsa:syslog" is the sourcetype, and I want to change it to another sourcetype. I will try with SOURCE_KEY = _raw. Thank you for your help.
Hi @Raja_Selvaraj, if you know the names of the hosts you can follow my solution. Ciao. Giuseppe
Do you know if this is still possible?
Hi @alexeysharkov, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @ak9092 , did you find any solution for this?
Hello all, I'm fresh out of the womb with Splunk... so please bear with me. I am attempting to install Splunk Enterprise 9.4.0 to do some Splunk training on Coursera, and came across an error. I just got over not being able to find SplunkD.exe in the .bin folder by creating an exception in my antivirus. Now, I cannot seem to get past the next error (below). I searched the Splunk site and Googled it, to no avail. Please help, I have a pending job interview and want to talk somewhat intelligently about Splunk. Any help will be greatly appreciated. New guy! law.dennis@infosecagency.com
| spath path=properties | mvexpand properties | spath input=properties -- this works fine for me. Thank you!!
@ITWhisperer @gcusello My vendor is perfect: he wrote select to_char(systimestamp,'YYYY-MM-DD"T"HH24:MM:SS:FFTZH:TZM') now_time from blabla and used it to save the log XML, instead of to_char(systimestamp,'YYYY-MM-DD"T"HH24:MI:SS:FFTZH:TZM') now_time, so the date is incorrect. I am going to rewrite it. SORRY
Again, this event appears to be in the right bucket. Please provide evidence that you have events in the wrong buckets; otherwise, this seems to be a non-problem.
Ok, I found only one XML event. I searched for it: index=hcg_app_damu_prod sourcetype=damu_log_dbz_out earliest=-1d | spath | search (log.referenceId=HKBRZA0000389094 AND log.agrementNumber=4303291972) and then I built a timechart. So the event with _time=2025-02-26T14:02:59.970+05:00 goes to the bucket at 2025-02-26 14:00:00. I'm sure my events are spread over 5 minute buckets. I have no idea why it goes to hour buckets.
@Lavanya1612 Changing the Task Server port to 1025 should not be an issue in itself, as it is above the privileged port range (<1024) and is less likely to face permission issues. Ensure that port 1025 is not being used by another service and that firewall rules allow communication on this port. Since this worked in the lower environment, there is a good chance it could work in production. However, production environments often have different security policies, firewall rules, and resource loads, which could affect stability. Incompatibility with OpenJDK might lead to failures in JDBC connections, scheduler issues, or unstable behavior of the DB Connect app. If DB Connect fails, any dashboards, alerts, or scheduled searches that rely on database inputs might be impacted. If cost is the main concern, consider using OpenJDK but be prepared with a rollback plan.
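The "is port 1025 already taken, and is it privileged?" part of the answer above can be checked on the host before touching DB Connect. The script below is an added example, not code from this thread or from Splunk: it attempts a real TCP bind on the candidate port (a failed bind is exactly the failure the task server would hit), flags the privileged range, and, in demo_conflict(), constructs a conflicting loopback listener to show the check catching it. It cannot see firewall rules; that part still has to be verified separately.

```python
import socket
from contextlib import closing

PRIVILEGED_MAX = 1023  # ports 0-1023 need root/administrator to bind on most systems


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if a TCP listener could be bound to host:port right now.

    A failed bind (EADDRINUSE from another service, EACCES on a privileged
    port) is the same error the task server would get, so report False.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        try:
            s.bind((host, port))
            s.listen(1)
        except OSError:
            return False
    return True


def check_task_server_port(port: int) -> dict:
    """Summarise what matters before pointing the task server at `port`."""
    return {
        "port": port,
        "privileged": port <= PRIVILEGED_MAX,
        "free": port_is_free(port),
    }


def demo_conflict() -> dict:
    """Constructed scenario: hold a loopback port, check it, release it, check again."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as other:
        other.bind(("127.0.0.1", 0))  # the OS picks a currently unused port
        other.listen(1)
        port = other.getsockname()[1]
        while_held = port_is_free(port)
    after_release = port_is_free(port)
    return {"port": port, "free_while_held": while_held, "free_after_release": after_release}


if __name__ == "__main__":
    print(check_task_server_port(1025))
    print(demo_conflict())
```

Run it on the production host as the same account that runs Splunk, since bind permissions and any per-user port restrictions apply to that account, not to whoever is doing the troubleshooting.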
Hi, We encountered a "DBX Server Error: Cannot communicate with the task server." To resolve this, I changed the Task Server port, and the error was fixed. We successfully tested this in the lower environment, as it uses OpenJDK. In production, Oracle JDK (paid version) was installed during setup. To reduce costs for the client, we attempted to switch to OpenJDK, but we encountered the same "DBX Server Error: Cannot communicate with the task server." As a result, we reverted the changes. Given that the documentation states OpenJDK is not compatible and that only JDK/JRE 17 or higher is supported (tested with JDK 17.0.12), would changing the Task Server port to 1025 and switching to OpenJDK potentially cause any issues in production?
Are you saying that this event 13:02:59 is not counted? Or it is counted in the 13:00:00 - 13:04:59 bin? You haven't shown an event which is in the wrong time bucket yet!
Hi @gowthammahes, I am facing the same warning messages in Splunk. Do I need to ignore this message, or is any workaround available?
@harishsplunk7 Query for 90 days: | tstats latest(_time) as lastTime where index=* by index, sourcetype | eval age=now()-lastTime | where age > 7776000 | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | table index, sourcetype, lastTime
@harishsplunk7 Try this; you can change the age value to 7776000 (90 days).
@ITWhisperer Hello, I think all messages are counted by count, but the spreading is incorrect. I expected the count spread over every 5 min (span=5m), but it is spread every hour. I see the time in the row like this. I have a search with another sourcetype; the _time format is the same, and a similar timechart is OK, spreading with span=5 min works OK. Dontknoooooww
Hi @mayurr98, try using $rn|s$ which puts quotes around the token output. Does that work?
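The vendor's to_char() with HH24:MM instead of HH24:MI (the "SORRY" post above) and the timechart whose 5 minute spans look hourly (the two posts about the 14:02:59 event) are one bug seen from two sides: in Oracle MM is the month and MI is the minute, so every stamp written in February carries ":02:" where the minutes should be. The following is an added example, not code from any post here or from Splunk: it reproduces the effect in Python, whose %m (month) versus %M (minute) is the same trap, then floors each stamp to epoch-aligned span boundaries, which is where timechart puts sub-day bins. The ten event times and the +05:00 offset are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: ten events, one every 7 minutes, in a +05:00 zone like the poster's.
TZ = timezone(timedelta(hours=5))
TRUE_TIMES = [datetime(2025, 2, 26, 14, 0, 0, tzinfo=TZ) + timedelta(minutes=7 * i)
              for i in range(10)]


def iso_offset(ts: datetime) -> str:
    """Render the UTC offset as +HH:MM so datetime.fromisoformat() accepts it."""
    secs = int(ts.utcoffset().total_seconds())
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    return f"{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def render_stamps(times, minutes_as_month: bool = False):
    """Format times the way the vendor's to_char() did.

    Oracle's MM is the month and MI the minute; Python's %m and %M are the
    same pair, so "%H:%m:%S" reproduces the HH24:MM:SS mistake: the minute
    field silently becomes the month (02 for February).
    """
    fmt = "%Y-%m-%dT%H:%m:%S" if minutes_as_month else "%Y-%m-%dT%H:%M:%S"
    return [t.strftime(fmt) + iso_offset(t) for t in times]


def bucket_counts(stamps, span_seconds: int):
    """Count stamps per span, flooring to epoch-aligned boundaries like bin/timechart."""
    counts = {}
    for raw in stamps:
        ts = datetime.fromisoformat(raw)
        epoch = int(ts.timestamp())
        start = datetime.fromtimestamp(epoch - epoch % span_seconds, tz=ts.tzinfo)
        key = start.isoformat()
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    good = render_stamps(TRUE_TIMES)
    bad = render_stamps(TRUE_TIMES, minutes_as_month=True)
    print("correct stamps, span=5m  :", bucket_counts(good, 300))
    print("MM-for-MI stamps, span=5m:", bucket_counts(bad, 300))
    print("correct stamps, span=1h  :", bucket_counts(good, 3600))
```

With the correct stamps the ten events land in ten different 5 minute bins; with the MM-for-MI stamps every event in an hour collapses into that hour's first bin, so a span=5m timechart is indistinguishable from span=1h. The individual event the poster checked (14:02:59 in the 14:00 bucket) is in the right bin under both spans, which is why inspecting one event could not reveal the problem.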
Hi @Karthikeya  did you try the btool commands I posted? What did you get back from them? Thanks
Hi @JJMonster, unfortunately it's not possible to download this from Splunkbase because the developers have not uploaded it there. Instead they require you to log in to the Symantec site to access the apps. This could be for a number of reasons, such as licensing agreements etc. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will