All Posts

Thank you @livehybrid  I see, yeah, I just copied someone else's post for their input.conf example https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-with-wildcards/m-p/59916 but my main focus was the Monitor line.
Thank you @PrewinThomas  I see, yeah, I just copied someone else's post for their input.conf example https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-with-wildcards/m-p/59916 but my main focus was the Monitor line.
Hello, I have this instance on my personal computer and am a little confused about how to protect myself. I do not know which (or how to determine) allowedDomainList I should use. Where do I find the necessary information to fill that field in? Sorry, still a beginner.
Is it the Splunk service you restart, or do you restart Splunk from the web console?
I had to reformat your solution and plugged it in with " | appendpipe" (appended from my main search):

| appendpipe
    [ eval vals=mvzip(card_type,card_count)
    | mvexpand vals
    | makemv vals delim=","
    | eval card_type=mvindex(vals,0), card_count=mvindex(vals,1)
    | stats sum(card_count) AS card_count BY card_type
    | eval company_name="TOTAL"
    | stats list(card_type) AS card_type, list(card_count) AS card_count BY company_name ]

and it seemed to work! Thank you for this.
Ok. It's better to use terminology from the Splunk SVA documentation https://docs.splunk.com/Documentation/SVA/current/Architectures/TopologyGuidance. That way we all understand better and more clearly what others have. In this case you have a single server installation (S1). When you have S1 and also the DS role configured into it and you want to use IA, I'm not sure if that is a valid architecture or not with IA? You cannot configure the server itself with DS, and when you are using IA on a server with DS I'm not sure if the IA part always uses DS or not in that case? Also UFs are not a supported platform for IA, and it could try to install the IA part to those too? Can you find anything else from the internal logs which can explain what has happened?
This was helpful, and the issue looks to be the KV Store failing to initialize due to an expired server certificate. I've opened a ticket with Splunk support to get help with generating a new certificate and updating our configuration. Thanks for the help!
The query used to obtain the above result is something like this:

[mainsearch]
| stats count AS card_count BY company_name, card_type
| stats list(card_type) AS card_type, list(card_count) AS card_count BY company_name

I'm looking to add a totals row with the details shown above.
To clarify, we’re running a single Splunk instance where the Deployment Server, Indexer, and Search head all reside on the same server so it’s a non-distributed architecture. When I mentioned “deployment,” I was referring both to our overall Splunk setup and the fact that our Deployment Server shares the same host as the Indexer. We have only one indexer, no clustering, and no heavy forwarders (HFs) in use. However, we do have universal forwarders (UFs) installed on various servers, and they’re configured to send data directly to the indexer. Regarding Ingest Actions (IA), I’ve configured one rule locally on the indexer to drop data from the source type PerfmonMK:CPU. The rule uses a regex filter (^PerfmonMk:CPU$) with a drop action. IA rules are applied only on the indexer.
Hi @livehybrid , I have one query. As far as I understand, due to security restrictions, this 8089 port might be blocked or not exposed externally in Splunk Cloud. Thanks in advance
Do you have any sample logs which show the expiry date of the certificates used?
Hi @raushank26  You should check out the "SSL Certificate expiry collection" app on Splunkbase; I've used this before for monitoring the SSL certs of internal and external systems. Setup instructions are under the app on Splunkbase. This can be run on a Splunk Heavy Forwarder (HF) in a location where it can reach the target servers to conduct the checks. Once set up you can create a dashboard from the collected data. The fields collected by the add-on are:

date - date and time the input runs - now includes microseconds
fqdn - the hostname or FQDN hosting the certificate
inputstanza_name - the short name in input.conf after [fqdn_for_certificate://]
port - the port of the hostname or FQDN hosting the certificate
issuer - the organizationName in issuer
commonName - the commonName in issuer
use_proxy - if proxy was used
notAfter - date in notAfter from certificate
notBefore - date in notBefore from certificate
expiredays - the number of days until expiry
cipher - the name of the cipher being used
protocol - the version of the SSL protocol that defines its use
secret_bits - the number of secret bits being used

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
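As an added example (not the add-on's own code), this Python script produces the same fields from a live TLS handshake using only the standard library and shows how expiredays falls out of notAfter; the host name, CA names and dates in SAMPLE_CERT are constructed sample values.

```python
"""Added example (not the Splunkbase add-on's code): derive the add-on's fields
from the dict ssl.SSLSocket.getpeercert() returns, using only the stdlib."""
import socket
import ssl
import time

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example Internal CA"),),
               (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jun 10 12:00:00 2029 GMT",
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}


def cert_fields(cert, fqdn, port, now=None):
    """Flatten a getpeercert() dict into the add-on's field names; `now` is an
    epoch timestamp (default: current time) so the expiry arithmetic is reproducible."""
    now = time.time() if now is None else now
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "fqdn": fqdn, "port": port,
        "issuer": issuer.get("organizationName", ""),
        "commonName": issuer.get("commonName", ""),
        "notBefore": cert["notBefore"], "notAfter": cert["notAfter"],
        # whole days remaining; negative once the certificate has expired
        "expiredays": int((not_after - now) // 86400),
    }


def fetch_cert_fields(fqdn, port=443, timeout=5.0):
    """Handshake with fqdn:port and return the flattened fields plus cipher details."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                fields = cert_fields(tls.getpeercert(), fqdn, port)
                fields["cipher"], fields["protocol"], fields["secret_bits"] = tls.cipher()
                return fields
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake before getpeercert()
        # is populated, so report the verification failure instead of crashing.
        return {"fqdn": fqdn, "port": port, "verify_error": exc.verify_message}


def demo(now_str="Jun 01 12:00:00 2030 GMT"):
    """Run cert_fields on the constructed sample as of the given GMT timestamp."""
    return cert_fields(SAMPLE_CERT, "app.example.internal", 443,
                       now=ssl.cert_time_to_seconds(now_str))
```

With verification enabled, an already-expired certificate never reaches getpeercert(), so hosts in that state surface through the verify_error branch; a dashboard should alert on that as well as on a low expiredays.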
Hey @Wiessiet  I will try and screenshot this and work through it this evening and get back to you on here, as I don't currently have access to the env I set it up on.
Hi @jariw  How much time is the command.search.kv step taking? This is the field extraction phase and covers things like regex extractions, which can be resource intensive. What does your current setup look like? Do you have custom regex field extractions, or purely ones from Splunkbase apps?

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi All,   I have a requirement to create a dashboard for fetching the expiry dates of the certificates used on multiple Windows servers. There are load balancers used for these servers, and they cannot be accessed from the internet, meaning the app URL cannot be accessed from these servers. So is there any such utility in Splunk, or a script, through which we can create such a dashboard?
Hi @OliverG91  You could try something like this, but it's based on very little info - might work though! Adjust type,count to whatever your two fields with that data are called.

| eval vals=mvzip(type,count)
| mvexpand vals
| makemv vals delim=","
| eval cardType=mvindex(vals,0), count=mvindex(vals,1)
| stats sum(count) AS count BY cardType

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi, Can you tell me what this looks like as events, or how you got to them? Are the card types and counts a list generated from stats?

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Given this search result:

Company A    Visa    15
             MC       5
             AmEx     2
Company B    Visa    19
             MC       8
             AmEx     3

How can I generate a total row like this?

Total        Visa    34
             MC      13
             AmEx     5
Hi, Difficult question... We have some problems with search performance. Looking at the job inspector I noticed that within the slow jobs the command.search.kv is taking a lot of time. What is this? And where is this part of the search command executed (indexer or search head)? I notice especially wineventlogs are taking a lot of this kv time.

I created a blank SH, no apps at all, timed some searches with some different indexes and installed some different apps. I noticed when this command.search.kv takes more time. Sometimes this is correct in relation to the app/event match if looking at the props.conf. Turning the right app off makes this command.search.kv decrease a lot, to almost zero. But with winevents.. no go.. it stays high.

Also, even without the field extracts etc. installed on this blank SH, most fields are extracted. If those fields were extracted at index time.. I can imagine there will be no command.search.kv time wasted (wild guess). Does the indexer extract these fields at search time (strange strange) and will this be the command.search.kv?? So is it possible this command.search.kv also runs on the indexers? And so.. does this lookup / field extraction cost most of the time?

Thanks in advance, greets Jari
Hi @asah  Change the port in your URL from 443 to 8089, as the Splunk REST API endpoints are served on the management port (8089) rather than the web port (443). Your curl command should look like this:

curl -k -H "Authorization: Bearer <your_token>" https://<your_splunk_instance>.splunkcloud.com:8089/services/server/info

This assumes your authentication token is valid and has the necessary permissions (e.g., for accessing server info). A 303 status code typically indicates a redirect, which can occur when hitting the wrong port or endpoint in Splunk Cloud.

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.