Hi @kiran_panchavat, can you please guide me on where to add your stanza? Indexers or search heads?
We have an environment where Splunk UF sends logs to HF, and mostly the UFs get stuck even when the HF and indexers are up; we need to restart the UFs to get them sending logs again. Why are the UFs stuck even if the indexer or HF is not available? CPU and RAM utilization is normal on the server.
So should I give the following stanza in Deployer or cluster manager?
@splunklearner Yes, KV_MODE is for search-time field extractions.

KV_MODE = [none|auto|auto_escaped|multi|multi:<multikv.conf_stanza_name>|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
  * none - Disables field extraction for the host, source, or source type.
  * auto_escaped - Extracts fields/value pairs separated by equal signs and honors \" and \\ as escaped sequences within quoted values. For example: field="value with \"nested\" quotes"
  * multi - Invokes the 'multikv' search command, which extracts fields from table-formatted events.
  * multi:<multikv.conf_stanza_name> - Invokes a custom multikv.conf configuration to extract fields from a specific type of table-formatted event. Use this option in situations where the default behavior of the 'multikv' search command is not meeting your needs.
  * xml - Automatically extracts fields from XML data.
  * json - Automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more custom field extractions are not overridden by automatic field/value extraction for a particular host, source, or source type. You can also use 'none' to increase search performance by disabling extraction for common but nonessential fields.
* The 'xml' and 'json' modes do not extract any fields when used on data that isn't of the correct format (JSON or XML).
* If you set 'KV_MODE = json' for a source type, do not also set 'INDEXED_EXTRACTIONS = JSON' for the same source type. This causes the Splunk software to extract the JSON fields twice: once at index time and again at search time.
* When KV_MODE is set to 'auto' or 'auto_escaped', automatic JSON field extraction can take place alongside other automatic field/value extractions. To disable JSON field extraction when 'KV_MODE' is set to 'auto' or 'auto_escaped', add 'AUTO_KV_JSON = false' to the stanza.
* Default: auto
I don't have access to the UI. I need to do it from the backend only. Where can I put this props.conf? In the cluster master or the deployer? Is it an index-time extraction or a search-time one?
Hi @kiran_panchavat, thanks for the answer. But I read that KV_MODE = json needs to be given for search-time extraction, i.e. on the search heads... But you are saying to give this on the indexers or heavy forwarders... Will it help? Please clarify.
Hi @splunklearner

To have this processed at ingest time you can do a simple INGEST_EVAL on your indexers.

== props.conf ==
[yourStanzaName]
TRANSFORMS = stripNonJSON

== transforms.conf ==
[stripNonJSON]
INGEST_EVAL = _raw:=replace(_raw, ".*- ({.*})", "\1")

Please let me know how you get on and consider upvoting/karma this answer if it has helped.

Regards
Will
Did you go through the above response and have follow-up questions?
@AShwin1119 Did you go through the response, and do you have any further questions?
The question seems not to provide all the information (or at least I am unable to understand). Would you please elaborate more?
@splunklearner I have a standalone server, so you can try these settings on your heavy forwarder or indexers.
@splunklearner I tried this using your sample data; please have a look.

[syslogtest]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
category=Custom
pulldown_type=true
SEDCMD-removeheader=s/^[^\{]*//g
KV_MODE=json
AUTO_KV_JSON=true
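The two answers above strip the syslog header in different ways: the SEDCMD rule deletes everything before the first "{", while the INGEST_EVAL rule keeps only the "{...}" capture group after the "- " separator. Both rewrite _raw at index time, so they are worth dry-running against real samples before being pushed to indexers. The Python script below is an added example, not code from any poster in this thread; it re-implements both rules with equivalent regular expressions, applies them to the event from the question (JSON body abbreviated to a few of its fields) and to a constructed event that carries no JSON at all, and checks whether what is left parses as JSON. The no-JSON event is an assumption made here to show the failure mode: the SEDCMD rule blanks such an event, whereas the replace() rule leaves it untouched.

```python
import json
import re
from typing import Callable, Optional

# Event from the question in this thread, with the JSON body abbreviated to a few of its fields.
SAMPLE_EVENT = (
    "Nov 9 17:34:28 128.160.82.28 [local0.warning] <132>1 2024-11-09T17:34:28.436542Z "
    "AviVantage v-epswafhic2-wdc.hc.cloud.uk.hc-443 NILVALUE NILVALUE - "
    '{"adf":true,"significant":0,"udf":false,'
    '"report_timestamp":"2024-11-09T17:34:28.436542Z","method":"HEAD",'
    '"uri_path":"/path/to/monitor/page/","response_code":400,'
    '"significant_log":["ADF_HTTP_BAD_REQUEST_PLAIN_HTTP_REQUEST_SENT_ON_HTTPS_PORT","ADF_RESPONSE_CODE_4XX"],'
    '"request_id":"61e-RDl6-OZgZ","tenant_name":"admin"}'
)

# Constructed event (not from the thread) with the same header style but no JSON body.
NO_JSON_EVENT = (
    "Nov 9 17:34:29 128.160.82.28 [local0.info] <134>1 2024-11-09T17:34:29.000000Z "
    "AviVantage v-epswafhic2-wdc.hc.cloud.uk.hc-443 NILVALUE NILVALUE - heartbeat ok"
)

# Python equivalent of   SEDCMD-removeheader = s/^[^\{]*//g
SEDCMD_RE = re.compile(r"^[^{]*")


def strip_with_sedcmd(raw: str) -> str:
    """Drop everything before the first '{'. With no '{' present, the whole event is deleted."""
    return SEDCMD_RE.sub("", raw, count=1)


# Python equivalent of   INGEST_EVAL = _raw:=replace(_raw, ".*- ({.*})", "\1")
INGEST_EVAL_RE = re.compile(r".*- ({.*})")


def strip_with_ingest_eval(raw: str) -> str:
    """Keep only the captured {...} body. If the pattern does not match, the event is unchanged."""
    return INGEST_EVAL_RE.sub(r"\1", raw)


def extract_json(raw: str, stripper: Callable[[str], str]) -> Optional[dict]:
    """Apply a header-stripping rule, then parse the remainder as a JSON object (None on failure)."""
    body = stripper(raw)
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def compare_rules(raw: str) -> dict:
    """Run both rules on one event and report what each leaves in _raw and whether it parses."""
    return {
        "sedcmd_raw": strip_with_sedcmd(raw),
        "sedcmd_parses": extract_json(raw, strip_with_sedcmd) is not None,
        "ingest_eval_raw": strip_with_ingest_eval(raw),
        "ingest_eval_parses": extract_json(raw, strip_with_ingest_eval) is not None,
    }


if __name__ == "__main__":
    for name, event in (("json event", SAMPLE_EVENT), ("no-json event", NO_JSON_EVENT)):
        result = compare_rules(event)
        print(f"{name}: SEDCMD      -> {result['sedcmd_raw'][:40]!r} parses={result['sedcmd_parses']}")
        print(f"{name}: INGEST_EVAL -> {result['ingest_eval_raw'][:40]!r} parses={result['ingest_eval_parses']}")
```

On the sample event both rules leave the same clean JSON object, which is what KV_MODE=json on the search head needs (as the spec text quoted above notes, the json mode extracts nothing from data that is not valid JSON). On an event with no JSON body the SEDCMD rule reduces _raw to an empty string, so the event is lost, while the replace() rule passes it through unchanged; which behaviour you want depends on whether that source ever emits non-JSON lines.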
Hello all, currently we have the following event, which contains both JSON and non-JSON data. Please help me with removing the non-JSON part, and with where I need to set INDEXED_EXTRACTIONS or KV_MODE to effectively auto-extract all the JSON fields.

Nov 9 17:34:28 128.160.82.28 [local0.warning] <132>1 2024-11-09T17:34:28.436542Z AviVantage v-epswafhic2-wdc.hc.cloud.uk.hc-443 NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-4583863f-48a3-42b9-8115-252a7fb487f5","report_timestamp":"2024-11-09T17:34:28.436542Z","service_engine":"GB-DRN-AB-Tier2-se-vxeuz","vcpu_id":0,"log_id":10181,"client_ip":"128.12.73.92","client_src_port":44908,"client_dest_port":443,"client_rtt":1,"http_version":"1.1","method":"HEAD","uri_path":"/path/to/monitor/page/","host":"udg1704n01.hc.cloud.uk.hc","response_content_type":"text/html","request_length":93,"response_length":94,"response_code":400,"response_time_first_byte":1,"response_time_last_byte":1,"compression_percentage":0,"compression":"","client_insights":"","request_headers":3,"response_headers":12,"request_state":"AVI_HTTP_REQUEST_STATE_READ_CLIENT_REQ_HDR","significant_log":["ADF_HTTP_BAD_REQUEST_PLAIN_HTTP_REQUEST_SENT_ON_HTTPS_PORT","ADF_RESPONSE_CODE_4XX"],"vs_ip":"128.160.71.14","request_id":"61e-RDl6-OZgZ","max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":1,"source_ip":"128.12.73.92","vs_name":"v-epswafhic2-wdc.hc.cloud.uk.hc-443","tenant_name":"admin"}

And where do I need to put these configurations? We have syslog servers with UF installed that send data to our deployment server. The DS pushes apps to the master and the deployer, and from there the pushing is done. As of now we have a props.conf on the master, which is pushed to the indexers.
Hi @erick4x4, good for you, see you next time!

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated
@azer271 Check the internal logs: index=_internal *sentinelone*
@azer271 To verify, you can test the API connection by using Postman or curl:

curl -X GET "https://xxx-xxx-xxx.sentinelone.net/web/api/v2.1/info" -H "Authorization: APIToken"

If you get a successful response, the API token is valid. If logs are missing, check the API permissions and any firewall restrictions.
Try not using the special characters "-" and "." in names?
Is there any solution to this? We are encountering a similar issue. Everything looks fine, and we are using the latest agent now, but it is not reporting and not generating the logs either.