All Posts

@gcusello @kiran_panchavat thanks for your help but unfortunately, I can't share any files, sorry. I am in an air-gapped environment. I have already run splunk btool inputs list --debug | grep index, but I will try without using "grep index" and see if I can find anything weird. I haven't checked props.conf but I will check it now. As far as I know, I haven't made any change in the props.conf.
Have you checked splunkbase for an add-on for the product you are using?
What specifically do you plan to do to harden the server?  Once we know that, we can tell what effect it will have.
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.436109+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_from value=sender@company.com size= smtputf8= qid=44pnhtdtkf-1 tls= routes= notroutes=tls_fallback host=host123.company.com ip=10.10.10.10
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.438453+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=1 value=recipient.two@DifferentCompany.net orcpt=recipient.two@DifferentCompany.NET verified= routes= notroutes=RightFax,default_inbound,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.440714+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=2 value=recipient.one@company.com orcpt=recipient.one@company.com verified= routes=default_inbound notroutes=RightFax,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446326+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data from=sender@company.com suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446383+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt=recipient.two@DifferentCompany.net suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446405+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt=recipient.one@company.com suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446639+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt_routes= rcpt_notroutes=RightFax,journal data_routes= data_notroutes=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.450566+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=headers hfrom=sender@company.com routes= notroutes=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455141+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint lint=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455182+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint mime=1 score=0 threshold=100 duration=0.000
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455201+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint warn=0
Thanks a lot!
Hello, below is a sample for a single message from a Proofpoint log. It looks simple, but I am struggling to write a query to pull sender (env_from value), recipient(s) (env_rcpt values) and IP address. As far as I understand, X and S have the same values for a given single message in the logs and will change from message to message. Any help will be greatly appreciated.
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.436109+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_from value=sender@company.com size= smtputf8= qid=44pnhtdtkf-1 tls= routes= notroutes=tls_fallback host=host123.company.com ip=10.10.10.10
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.438453+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=1 value=recipient.two@DifferentCompany.net orcpt=recipient.two@DifferentCompany.NET verified= routes= notroutes=RightFax,default_inbound,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.440714+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=2 value=recipient.one@company.com orcpt=recipient.one@company.com verified= routes=default_inbound notroutes=RightFax,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446326+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data from=sender@company.com suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446383+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt=recipient.two@DifferentCompany.net suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446405+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt=recipient.one@company.com suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446639+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt_routes= rcpt_notroutes=RightFax,journal data_routes= data_notroutes=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.450566+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=headers hfrom=sender@company.com routes= notroutes=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455141+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint lint=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455182+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint mime=1 score=0 threshold=100 duration=0.000
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455201+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint warn=0
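The extraction the question asks for, written as an added Python example that is not part of the original post or of any Proofpoint or Splunk tooling: each line is split into its key=value pairs, the pairs are grouped by the message id (the x= field, falling back to s=), and the env_from value, the env_rcpt values and the ip from the env_from line are collected per message. The four sample lines are a constructed excerpt of the log above, and the function names are this example's own.

```python
import re

# Constructed sample: four lines copied from the log in the question above
# (one env_from line, two env_rcpt lines, and one unrelated session line).
SAMPLE_LOG = """\
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.436109+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_from value=sender@company.com size= smtputf8= qid=44pnhtdtkf-1 tls= routes= notroutes=tls_fallback host=host123.company.com ip=10.10.10.10
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.438453+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=1 value=recipient.two@DifferentCompany.net orcpt=recipient.two@DifferentCompany.NET verified= routes= notroutes=RightFax,default_inbound,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.440714+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=2 value=recipient.one@company.com orcpt=recipient.one@company.com verified= routes=default_inbound notroutes=RightFax,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446326+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data from=sender@company.com suborg=
"""

# Everything up to "]: " is syslog/process header; then a level word, then key=value pairs.
HEADER_RE = re.compile(r"^.*?\]: (?P<level>\S+) (?P<rest>.*)$")
# Values contain no whitespace in this format (assumption); empty values such as "size=" are kept as "".
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict, or None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["level"] = m.group("level")
    return fields


def summarize_messages(text):
    """Group lines by message id and pull sender, recipients and client IP per message."""
    messages = {}
    for line in text.splitlines():
        f = parse_line(line)
        if f is None or "s" not in f:
            continue
        msg_id = f.get("x") or f["s"]  # x= is per message; s= is the session it belongs to
        rec = messages.setdefault(
            msg_id, {"message": msg_id, "sender": None, "recipients": [], "ip": None}
        )
        if f.get("mod") == "mail" and f.get("cmd") == "env_from":
            rec["sender"] = f.get("value") or None
            rec["ip"] = f.get("ip") or None
        elif f.get("mod") == "mail" and f.get("cmd") == "env_rcpt":
            rec["recipients"].append(f.get("value"))
    return list(messages.values())


if __name__ == "__main__":
    for row in summarize_messages(SAMPLE_LOG):
        print(row["message"], row["sender"], "->", ", ".join(row["recipients"]), "from", row["ip"])
```

The same shape carries over to a search: once the key=value pairs are extracted as fields (Splunk's automatic key=value extraction or a rex), the per-message view is a stats grouped by the x field, taking the value field from env_from lines as the sender, the values of value from env_rcpt lines as the recipients, and ip from the env_from line.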
Thank you Rick for the information!
I finally fixed this; I had to check to make sure the sample folder was in the correct parent folder "destinations". I then went and copied all the sample files over to the splunk/etc/apps/destinations/samples folder (pulled from the Splunkbase website), then copied the eventgen.conf file over to the correct "local" folder in the "Destinations" folder and restarted Splunk, pulled up index="main" and it populated data. Hope this helps. It took me a while to get this right.
@sankaraniyan1  Check this https://docs.splunk.com/observability/en/gdi/monitors-messaging/apache-kafka.html 
@jkamdar Can you send the inputs.conf and props.conf files? Also, please use the btool command to check if there are any duplicate inputs.conf configurations. To check for duplicate inputs.conf configurations using the btool command, you can run the following:
/opt/splunk/bin/splunk btool inputs list --debug
This command will display the full path to each inputs.conf file that Splunk is reading from, making it easier to identify any duplicates.
Hi @jkamdar, it's really difficult to debug your issue without accessing your conf files and your data! Could you share your inputs.conf and props.conf? Ciao. Giuseppe
@gcusello I tried btool commands on my rsyslog server: splunk btool inputs list and splunk btool inputs list --debug | grep index, and the files I found are configured properly. Not sure where to look next.
How can I gather application data streamed via Kafka to Splunk Observability?
Continuing to get this error on Palo Alto Networks application v. 8.1.3:
TypeError: mvc.createService is not a function at eval (eval at _runScript (dashboard_1.1.js), <anonymous>:40:21)
I removed the dashboards.js file and am still experiencing it. Any ideas?
Yes, I wanted to be able to upload a conf file from the search head into the Deployment Server, which would result in it being pulled by UFs, but as you said it's not possible through the REST API and the GUI. Can you provide any references on how to safely use credentials using Splunk encryption so I don't leave credentials unprotected?
Not seeing the fields will stop your filter from working, but why is the question.
Hi @smanojkumar Sorry, I got my wires crossed. It doesn't look like this is possible with XML Dashboards; however, you can probably achieve this design much more easily with a Dashboard Studio dashboard. Is there anything preventing you from switching to a Dashboard Studio dashboard for this? Thanks Will
Thanks for the detailed response. To clarify, this is meant as an audit trail for a few users with very limited technical expertise, and I agree with your sentiments. I'm doing this as an exploratory exercise, although I'm leaning towards this being a maintenance nightmare and am exploring other solutions for providing data. I'll play around with the JSON string and/or lookups as in your examples. Thanks!
Hello M2024X_Ray, Did you get an answer from Splunk staff about the Windows Server 2025 compatibility by any chance?
Hi. A little late but you should try to go to Settings/User interface/Views, find your dashboard and click on its name. It will open the XML version of it with the header. version="2" tells that is a... See more...
Hi. A little late but you should try to go to Settings/User interface/Views, find your dashboard and click on its name. It will open the XML version of it with the header. version="2" tells that is a Dashboard Studio version. Try to add your call to script there : <dashboard script="App_Name:script_name.js" version="2" theme="dark">