All Posts

Instead of making the positions for the lines fixed, I want to include lower and upper bounds for the average height and length based on a fourth, fifth, sixth and seventh column. Therefore I want to use tokens to set these values based on the outcome of the search. For example, what I have now is the following, including three columns:

| table ResultHL HeightAvg LengthAvg

What I want is the following:

| table ResultHL HeightAvg LengthAvg LowLength UppLength LowHeight UppHeight

where LowLength, UppLength, LowHeight and UppHeight are indicated by IV, III, II and I, respectively, in the last figure. The yellow lines should be based upon the result of the search and put into tokens. Many thanks in advance! Happy Splunking!
Hi @moriteza, are you facing this issue after updating the deployment server to 9.2 and above? If yes, follow these steps. There is a known issue in Splunk 9.2.x: deployment clients will not show in the Forwarder Management app. You need to add the following config in the deployment server's outputs.conf and restart the deployment server:

[indexAndForward]
index = true
selectiveIndexing = true

Full link to the issue: https://help.splunk.com/en/splunk-enterprise/administer/manage-and-update-deployment-servers/9.2/configure-the-deployment-system/upgrade-pre-9.2-deployment-servers#ariaid-title1
Hi, thank you for the replies. To clarify, in which path should I place the add-on file? It comes as .tgz; to where should I extract it? @livehybrid @kiran_panchavat
Hi, thank you for the reply. To clarify, in which path should I place the add-on file? It comes as .tgz; to where should I extract it?
Hi @nopera, please can you confirm if you have downloaded and installed the Splunk Add-on for Microsoft Exchange app from Splunkbase on your forwarder? Ensure that the folder listed in monitor:// exists on your filesystem and that the Splunk service can read the files. Are you able to see other logs (such as _internal logs) on your Splunk instance from the forwarder with this config on? Are there any error logs in $SPLUNK_HOME/var/log/splunk/splunkd.log regarding these inputs/monitor configs?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@nopera The props.conf configuration is specific to the sourcetype MSExchange:2013:MessageTracking. Please ensure that the corresponding add-on is installed on your heavy forwarder to enable proper parsing of the data.

[MSExchange:2013:MessageTracking]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2013msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
TRANSFORMS-comments = ignore-comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src=coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
TIME_PREFIX = ^\d\d
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %y-%m-%dT%H:%M:%S.%QZ
@nopera You have to install this add-on https://splunkbase.splunk.com/app/3225 and match the exact sourcetype for the parsing. Example:

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
This is a new installation. So, no, no Windows Security events onboarded in the past. Thank you.
I appreciate the help, but this is not what I'm looking to do. I want to create the new fields so they could be used for searching. I already have a field using the mvzip command. Thanks again.
@tsocyberoperati  Has this forwarder ever successfully onboarded Windows Security events into Splunk in the past?    
Hi, could you help me retrieve message-tracking logs from our on-premises Exchange server? I added the following lines to inputs.conf, but the data still isn't being parsed. I guess something is missing or incorrect. I'm also unsure how to set up the Exchange add-on and haven't found clear documentation. Any guidance would be greatly appreciated.

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\]
disabled = false
sourcetype = exchange_messagetracking
index = exchange
host_segment = 4

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.log]
disabled = false
sourcetype = exchange_messagetracking
index = exchange
Hello All, we have a Splunk Universal Forwarder 9.4.0 (then 9.4.3) installed on a Windows 2022 box to which we don't have direct access. We have deployed some apps and the forwarder manages to send us its splunkd.log and some other monitor inputs, but we are not able to get the WinEvents (Application/System/Security) using the specific stanzas. The host is more hardened than usual, but the Admins managed to configure what they believe are the EventLog permissions, to no avail. Something like this never happened to us. We tried updating the agent version and configuring the installation both with LOCAL System permissions and Virtual Account permissions, but still no success. We don't see any relevant internal info regarding some problem with permissions or EventLog access.

- Is there any event we should look for in the Windows logs or UF logs to understand this problem?
- Is there anything we can activate in the UF to get more info about this limitation?

Thank you
I have a field called key. key has multivalues that are also dynamic. I have another field called values, that is also multivalued and dynamic. The values in "values" line up with the values in "key". Example:

key             values
AdditionalInfo  user has removed device with id alpha_numeric_field" in area "alpha_numeric_field" for user "alpha_numeric_field".
DeviceID        alpha_numeric_field
DeviceType      mobile_device
OS              Windows

Thanks in advance and I hope this makes sense. I want to create a new field using the values from the field "key" and have the values be the values from "values". The outcome would be:

AdditionalInfo  user has removed device with id alpha_numeric_field" in area "alpha_numeric_field" for user "alpha_numeric_field".
DeviceID        alpha_numeric_field
DeviceType      mobile_device
OS              Windows
Hello folks, thanks for all of the feedback!! When I tried the offered suggestion, I got results that included Started and Success, but I still didn't get results from Blocked.

index=security action IN ("Blocked", "Started", "Success")

Splunk for Unix and Linux add-on will not load. I get an error stating the system it is trying to load does not run on either of the OS's. It makes sense that I don't have the proper Add-on loaded, but I am unable to figure out which it is. I appreciate all of your help, folks. I am trying to learn this tool and am in training. This is not a job-related query. I do not want to waste your time. Thanks again!
Hello @EdgarF, The link you have shared ends up in 404. I assume that's because Splunk might have intended to release it earlier, but it seems to have been pushed back. Currently, there's no option such as custom button. However, you can work with icons as custom buttons and use drilldown links for interaction if it satisfies your use case. Thanks, Tejas. 
I want to show the hyperlink in the error message instead of showing the actual link. How to achieve it? I'm using the Splunk UCC framework in the configuration page.
Hey @moriteza, I've seen this happen generally when there's a large deployment and the DS is unable to handle the load. I've come across one of the apps that we have developed which is quite fast and easy to manage the deployment clients - https://splunkbase.splunk.com/app/7731. Please give it a try and let us know the feedback. Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!! 
Hello @Nawab, You might want to raise this as a new feature on ideas.splunk.com  Thanks, Tejas. 
Hey @AsmaF2025, Try using another name for the time token instead of global_time. And use the new name as a token to be passed to the other dashboard. I believe there's a conflict since both of the dashboards have global_time present as a token already. Let us know if it works or not and we can troubleshoot further. Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated.