All Posts


@Hemant_h  To extract only HIGCommercialAuto from the logs in Splunk, use the following Splunk query  
@splunklearner Please check this:
    | makeresults count=2
    | eval vs_name1="/f5-tenant-01/DUSTER-GBM-FR-DEV/v-dusteruat.systems.uk.fed-443"
    | eval vs_name2="/f5-tenant-01/JUNIPER-GBM-FR-DEV/v-juniperuat.systems.uk.fed-443"
    | eval vs_name=mvappend(vs_name1, vs_name2)
    | mvexpand vs_name
    | rex field=vs_name "\/[^\/]+\/(?<app_name>[^\/\-]+)"
    | table vs_name, app_name
Below are the steps which need to be performed for this password update. To update newer credentials in Qualys TA for Splunk, follow the below steps:
Performed from Splunk Support side:
- Click Settings > DATA > Data inputs.
- On the Data inputs screen, click TA-QualysCloudPlatform.
- On the Qualys screen, disable all the listed data inputs.
- Open Linux console terminal.
- Delete passwords.conf file (/opt/splunk/etc/apps/TA-QualysCloudPlatform/local/passwords.conf).
- Reboot the IDM Splunk instance. (This can be done anytime, please don't ask for a maintenance window. Just inform us once this is completed so we can perform from our end.)
Performed from customer side:
- Go to the Splunk UI, click Apps > Manage Apps.
- Click Setup against the Qualys Technology Add-on for Splunk option.
- On the TA-QualysCloudPlatform screen, enter new credentials under Qualys Credentials.
- Click Save.
Performed from Splunk side:
- Open Linux console terminal.
- Navigate through the path /opt/splunk/etc/apps/TA-QualysCloudPlatform/local/ and check if the passwords.conf file is created.
- On the Qualys screen, enable all the listed data inputs.
    [ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:08:33.464 [http-nio-8080-exec-12] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:04:21.339 [http-nio-8080-exec-73] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/b75f6bcde90f4aceaf9edbbeb13c5e58
These are the logs and I want to extract the string, for example HIGCommercialAuto, just before the higawsaccountid string.
@Raja1 Can you clarify further? What exactly are you looking for?
    [ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:08:33.464 [http-nio-8080-exec-12] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    [ERROR] 2025-02-05 08:04:21.339 [http-nio-8080-exec-73] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/b75f6bcde90f4aceaf9edbbeb13c5e58
Unfortunately there's no way right now to do this. Seems to be a feature.
It looks like you want the first set of non-space characters, so try something like this | rex "^(?<product>\S+)"
Hi @z_diddy, there doesn't seem to be a way to remove this dot. Even looking through the source code documentation, there are no properties for it: https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/DashStudio/dashDef There doesn't seem to be a constant CSS class either to override styles with. Perhaps you could suggest styling this dot at https://ideas.splunk.com/
    HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    MLM-RS-H higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
    MLM-R3-N higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
These are basically 3 different logs and the highlighted one needs to be extracted in field product_name.
Regular expressions work on pattern matching, and two examples are not many to secure a reliable pattern. That being said, if your data has already been extracted into the vs_name field, you could try something like this: | rex field=vs_name "^\/[^\/]+\/(?<app_name>\w+)\-"
KV Store maintenance mode change can only be done on static captain.
Hi @wadekuhl, as @richgalloway also said, you have to download the add-on from your Splunk Cloud instance. One additional hint: if you have many on-premise systems (devices, PCs, servers, etc.), it's a best practice to have two Heavy Forwarders as concentrators of all the on-premise systems; in this way, you must open only the connections between these two systems and Splunk Cloud, instead of all systems. In this case, you have to install the add-on only on these two systems and not on all systems. Ciao. Giuseppe
Hi @splunklearner, maybe you should redesign your indexes because hundreds of indexes are really too many! About the dashboard, you could configure your input to not automatically run the searches (no default value) so all the users (also admins) must choose the indexes to use in the search. Or for admins, create a different search with an additional panel (with a fast search) to select only one or a few indexes to display. Last choice (the most structured): put your data in a custom Data Model and use it in the dashboard searches. Ciao. Giuseppe
Hi @Andre_ , this is the mechanism used by the Deployment Server, so you can apply it, but it requires a restart of the local Splunk every time. Are you sure that my hint isn't applicable? Ciao. Giuseppe
@Dk123 Run the btool:
    /opt/splunk/bin/splunk btool indexes list --debug
Verify your index name and provide the location here.
@Dk123 Can you verify the location where the "indexes.conf" file is created? Also, is the architecture standalone, distributed, or clustered?     
Hi, please extract DUSTER and JUNIPER as app_name from the following sample events:
    1. unit_hostname="GBWDC111AD011HMA.systems.uk.fed" support_id="16675049156208762610" vs_name="/f5-tenant-01/DUSTER-GBM-FR-DEV/v-dusteruat.systems.uk.fed-443" policy_name="/Common/waf-fed-transparent"
    2. unit_hostname="GBWDC111AD011HMA.systems.uk.fed" support_id="16675049156208762610" vs_name="/f5-tenant-01/JUNIPER-GBM-FR-DEV/v-juniperuat.systems.uk.fed-443" policy_name="/Common/waf-fed-transparent"
The app_names will be dynamic and there is no guarantee that GBM will come beside the app_names every time. I tried this: vs_name=\"\/.*\/(?<app_name>.*)\-GBM but as I said, GBM will not be the same in all events every time. Please make it generic and give the regex for me. Thanks
@Cartoon520  Enable SSL: Select this check box to enable Secure Sockets Layer (SSL) encryption for the connection. SSL support is not available for all connection types. For further information, see http://docs.splunk.com/Documentation/DBX/3.18.1/DeployDBX/Installdatabasedrivers  and http://docs.splunk.com/Documentation/DBX/3.18.1/DeployDBX/Installdatabasedrivers#Enable_SSL_for_your_database_connection  https://docs.splunk.com/Documentation/DBX/3.18.1/DeployDBX/Installdatabasedrivers#Enable_SSL_for_your_database_connection 
@alin You can refer to the video below for the instructions. https://www.youtube.com/watch?v=pJferqpXcsc&t=16s