All Posts
I'm quite sure that it then helps to update an empty DM quicker than looking through all indexes. You can also adjust the times at which it looks for updates, and one optimization could be to change the update frequency, but as you don't have data and just add an individual empty index there, those are not needed to get the DM updated quickly enough. You should also check from MC that you don't have any skipped searches due to this DM update. MC -> Search -> Scheduler (or something similar, I couldn't remember those exact names).
The format of a .pem file is as follows:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Hi, have you tried something like this?

index="*wfd-rpt-app*" ("*504 Gateway Time-out*" AND "*Error code: 6039*") OR "*ExecuteFactoryJob: Caught soap exception*"
| rex field=_raw "\*{4}(?<thread_id>\d+)\*"
| stats values(_raw) as raw_messages by _time, thread_id
| table _time, thread_id, raw_messages

Are you sure that you want/can use _time inside by? This means that those events must have exactly the same time, even at the ms level or deeper. If this didn't work for you then you should give some sample data which we can use to get a better understanding of your case. Also giving example output from that data is valuable for us. r. Ismo
Thank you for your reply. I am doing what you mentioned: "You can restrict basic searches by whitelisting individual indices. This makes updating DM more efficient as there is no need to look through all indices to find the desired events". I've added index whitelists for some of the data models. However, for some of them, I have no data ingested, so I thought maybe I should use a dummy index for those data models that I don't have data for, so that splunkd doesn't need to search all indexes with certain tags and return nothing.
Wait a minute, are we talking about the server side, not the UF side? And you have several server roles in one Splunk instance? If so, then you must read this https://docs.splunk.com/Documentation/Splunk/latest/Deploy/Manageyourdeployment and follow the restrictions it has!
Below are 2 queries which return different events but have a common field thread_id which can be taken by using the rex below. Raw message logs are different for both queries. I want an events list with raw message logs from both queries, but only if each raw message has this common thread_id. I have tried multiple things like join, append, map and GitHub Copilot as well but am not getting the desired results. Can somebody please help on how to achieve this?

rex field=_raw "\*{4}(?<thread_id>\d+)\*"

index="*sample-app*" ("*504 Gateway Time-out*" AND "*Error code: 6039*")

index="*sample-app*" "*ExecuteFactoryJob: Caught soap exception*"

index="*wfd-rpt-app*" ("*504 Gateway Time-out*" AND "*Error code: 6039*")
| rex field=_raw "\*{4}(?<thread_id>\d+)\*"
| append [ search index="*wfd-rpt-app*" "*ExecuteFactoryJob: Caught soap exception*"
    | rex field=_raw "\*{4}(?<thread_id>\d+)\*" ]
| stats values(_raw) as raw_messages by _time, thread_id
| table _time, thread_id, raw_messages

I tried the above query but it is returning some results which are correct, which contain raw messages from both queries, but some results are there which contain a thread id and only the 504 gateway message, even though the thread_id has both types of message when I checked separately. I'm new to Splunk; any help is really appreciated.
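One way to get both message types together per thread_id, added here as an example and not part of either poster's search: run both patterns in a single base search, group on thread_id alone rather than on _time and thread_id (two log lines of the same thread are written at different times, so a _time grouping splits them), tag each event with its type, and keep only the threads that have both. It assumes the poster's index name and the same ****<thread_id>* marker; the quoted phrases replace the leading/trailing wildcards, which a quoted phrase does not need.

```spl
index="*wfd-rpt-app*"
    (("504 Gateway Time-out" "Error code: 6039") OR "ExecuteFactoryJob: Caught soap exception")
| rex field=_raw "\*{4}(?<thread_id>\d+)\*"
| where isnotnull(thread_id)
| eval msg_type=if(match(_raw, "ExecuteFactoryJob: Caught soap exception"), "soap_exception", "gateway_timeout")
| stats min(_time) AS first_seen, max(_time) AS last_seen,
        dc(msg_type) AS distinct_types, values(msg_type) AS msg_types,
        values(_raw) AS raw_messages
    BY thread_id
| where distinct_types=2
| convert ctime(first_seen) ctime(last_seen)
| table thread_id first_seen last_seen msg_types raw_messages
```

Drop the `where distinct_types=2` line to see threads that produced only one of the two messages; with it, the result is exactly the set the question asks for, and no append or join is needed because both event types come from the same index.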
I'm not sure what caused it. Normally, it shouldn't be caused by the inputs.conf file. The previous MC/DS was a distributed indexer cluster management node, and after the restart, it became a single deployment server.
Hi @Naa_Win, in all my projects I create a custom app containing dashboards to monitor infrastructure, with special attention to: missing data sources, missing hosts, queue issues. Ciao. Giuseppe
If you are talking about CIM DMs, then there are tags which it's using to select events into a specific DM. You could restrict the base search with a separate whitelist of indexes. This makes updating the DM more efficient as it does not need to look through all indexes to find the needed events. Usually there is no need / sense to create an empty / dummy index for that; you should just add your current indexes, where that data is, into this field.
This is interesting! There should be $decideOnStartup$ (or something similar) as the default, which gives you the current hostname when the node / UF service has started. Is this a multi-interface node, are there any issues with the hostname, or are there any inputs which set the host name / IP?
This should work correctly. When you say "restart UF", do you mean the Splunk UF process or the whole Windows node? Any reason why you are using a separate ntpd instead of domain time? Have you checked how big the time difference is after hibernation? Are you aware that there are limits to how big a time difference ntpd can manage by itself without additional synchronization?
Hello Everyone, I'm trying to add index filtering for the data models in my setup. I found that for some data models, such as Vulnerabilities, there's no matching data at all. In this case, should I create an empty index for these data models, so that Splunk won't do a useless search for them? Please also let me know if there is a better solution for this case. Thanks & Regards, Iris
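Added example, not from any of the posters in this thread: a single search that lists which CIM data models still have an empty index whitelist (so their base search scans every index) and whether any data model acceleration searches were skipped in the last day, which is the check the earlier reply suggests doing by hand in the Monitoring Console scheduler view. It assumes the CIM add-on is installed as Splunk_SA_CIM, that each model's whitelist is stored in a macro named cim_<Model>_indexes with "()" as the empty default (both assumptions about the add-on's macros.conf), that accelerated data model searches are named _ACCELERATE_DM_*, and that the user running it is allowed to use the rest command.

```spl
| rest /servicesNS/nobody/Splunk_SA_CIM/configs/conf-macros splunk_server=local
| search title="cim_*_indexes"
| eval check="index whitelist",
       detail=if(isnull(definition) OR definition="" OR definition="()",
                 "EMPTY: base search still scans every index", definition)
| table check title detail
| append [
    search index=_internal sourcetype=scheduler status=skipped savedsearch_name="_ACCELERATE_DM_*" earliest=-24h
    | stats count AS skipped_runs, values(reason) AS reasons BY savedsearch_name
    | eval check="skipped DM acceleration", title=savedsearch_name,
           detail=skipped_runs." skipped run(s): ".mvjoin(reasons, "; ")
    | table check title detail
]
| sort check title
```

A model with no data, such as Vulnerabilities in the question, shows up in the first part with an empty whitelist; pointing that macro at a real but irrelevant index is no better than leaving it empty, and the cheaper option is to turn acceleration off for that model until data arrives. A skipped _ACCELERATE_DM_* run in the second part means the scheduler is already under pressure, which is worth fixing before adding more accelerated models.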
@jagannathbhatbb - This setting should be present there; I'm not sure whether it is absent for a trial Splunk Cloud instance.
There are a few things that will be useful:

You can use the Monitoring Console's alert and dashboard.

Dashboard -> Splunk Settings > Monitoring Console > Forwarders: Deployment
If the setup has not been done, then do the setup first (it will give you a link to the setup).

Alert -> Splunk Settings > Searches, Reports & Alerts
Select App as Monitoring Console
Select Owner as All
Search for Missing Forwarder
Enable the alert "DMC Alert - Missing forwarders" and add your email to receive alerts by email.

There is one more search you can run to see what data a forwarder is sending:

| tstats count where index=* host="<forwarder-host-name>" by index, sourcetype

I hope this helps!!! Kindly upvote!!!
Map is generally NOT a solution to searches. This is a potential use of a subsearch, i.e.

index="<indexname>" source = "user1" OR source = "user2"
    [ search index="<indexname>" source = "user1" OR source = "user2" "<ProcessName>" "Exception occurred"
      | rex field=message "(?<dynamic_text>jobId:\s*\w+)"
      | search dynamic_text!=null
      | stats values(dynamic_text) AS dynamic_text ]

So here you are using a subsearch to get all the dynamic_text values you want, and then that is passed as a constraint to the outer search.
Can you describe your intended output? It's challenging to reverse engineer SPL to understand what you are trying to do. If you can say from your data what you would like to see from that output, it would be helpful. Did you try the SPL I posted and, if so, did it give you a starting point to produce your results?
Hello, I'm working on creating a Splunk troubleshooting dashboard for our internal team, who are new to Splunk, to troubleshoot forwarder issues, specifically cases where no data is being received. I'd like to know the possible ways to troubleshoot forwarders when data is missing or for other related issues. Are there any existing dashboards I could use as a reference? Also, what are the key metrics and internal index REST calls that I should focus on to cover all aspects of forwarder troubleshooting? #forwarder #troubleshoot #dashboard
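Added example, not the poster's or the answerer's: one search over the indexer-side tcpin_connections metrics in _internal that lists every forwarder that connected in the last 24 hours, when it last connected, and how much it sent, which separates "never reaches the indexer" from "connects but sends nothing" before you go looking at inputs. The field names (hostname, sourceIp, fwdType, version, kb) are what these Metrics events carry as far as the writer knows; kb in particular is an assumption to verify against your own _internal data, and the 60-minute threshold is an arbitrary choice.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections earliest=-24h
| stats latest(_time) AS last_connect, latest(version) AS uf_version,
        latest(fwdType) AS fwd_type, latest(sourceIp) AS source_ip,
        sum(kb) AS kb_received
    BY hostname
| eval minutes_since_connect=round((now()-last_connect)/60)
| eval state=case(minutes_since_connect > 60, "stale: no connection in the last hour, check network/outputs.conf",
                  kb_received=0, "connected but sent nothing: check inputs.conf and file permissions on the forwarder",
                  true(), "ok")
| convert ctime(last_connect)
| sort - minutes_since_connect
| table hostname fwd_type uf_version source_ip last_connect minutes_since_connect kb_received state
```

Run it from a search head that can see the indexers' _internal index. A host in the "ok" state that still shows nothing in `| tstats count where index=* host=<name> by index, sourcetype` is usually a parsing or index-routing problem on the indexer rather than a forwarder problem; a host missing from the list entirely never completed a TCP connection, so start with outputs.conf, DNS and firewall on the forwarder side.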
I found the problem: I needed to add the following to the inputs.conf file of the UF. I don't know if this is a problem after the update or if it was also needed before; obviously when I typed it they showed

[default]
host = 192.168.90.233
This is, unfortunately, not fixed.
Hi All, I am searching UiPath Orchestrator logs in Splunk as follows:

index="<indexname>" source = "user1" OR source = "user2" "<ProcessName>" "Exception occurred"
| rex field=message "(?<dynamic_text>jobId:\s*\w+)"
| search dynamic_text!=null
| stats values(dynamic_text) AS extracted_texts
| map search="index="<indexname>" source = "user1" OR source = "user2" dynamic_text=\"$extracted_texts$\""

With my above search, I'll have to reference the jobId matched field from the first search to get the other matching records to process transaction details. Thanks a lot in advance!
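Added example, not the poster's or the answerer's: a subsearch that collects the distinct job IDs from the exception events and hands them back to the outer search as plain search terms, then summarises every event for each job ID. It keeps the poster's placeholders (<indexname>, user1, user2, <ProcessName>); the field name job_id and the rename to search are the writer's choices. Renaming the field to search makes the subsearch return bare terms, which avoids the problem that the outer search cannot filter on a field (dynamic_text) that only exists after the rex has run.

```spl
index="<indexname>" (source="user1" OR source="user2")
    [ search index="<indexname>" (source="user1" OR source="user2") "<ProcessName>" "Exception occurred"
      | rex field=message "jobId:\s*(?<job_id>\w+)"
      | where isnotnull(job_id)
      | dedup job_id
      | fields job_id
      | rename job_id AS search ]
| rex field=message "jobId:\s*(?<job_id>\w+)"
| where isnotnull(job_id)
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen,
        values(source) AS sources BY job_id
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

The subsearch is subject to the default limits of 10,000 results and 60 seconds (limits.conf, [subsearch] maxout and maxtime), so the dedup matters when the exception events are numerous; if the number of distinct job IDs can exceed that, narrow the subsearch's time range rather than reaching for map, which reruns the outer search once per value.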