All Posts
Hello, I am just trying to write a regex to split a single field into two new fields. The original field is:

alert.alias = STORE_176_RSO_AP_176_10

I need to split this out into two new fields:

First field = STORE_176_RSO
Second field = AP_176_10

I am horrific at regex and am not sure how I can pull this off. Any help would be awesome.

Thank you for your help, Tom
By default the Splunk server receiving HEC is set to only log INFO and above. If you have a very limited number of receiving endpoints, you can temporarily increase it to DEBUG and above for logging. If you have a small number of HFs or a small IDX tier then this is feasible; if you have a large IDX tier then it's not so easy. The debug output will be specifically helpful in identifying the source of bad connection attempts. I don't recall the token being visible, and since any invalid token has no categorization within internal input configurations, really advanced answers are unlikely. I also don't recall any capability to receive and process data without a valid token, as doing so would create data poisoning issues along with license capacity issues.

UPDATE: Sorry, it just dawned on me this was for OTEL, not Splunk receiving.
Hello, I am following the document https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/ConfigureandinstallcertificatesforLogObserver?ref=hk to configure and install certificates in Splunk Enterprise for Splunk Log Observer Connect, but I am getting the error mentioned below. I have generated myFinalCert.pem as per the document mentioned above; below are the server.conf and web.conf configurations.

# cat ../etc/system/local/server.conf
[general]
serverName = ip-xxxx.us-west-2.compute.internal
pass4SymmKey = $7$IHXMpPIvtTGnxEusRYk62AjBIizAQosZq0YXtUg==

[sslConfig]
serverCert = /opt/splunk/etc/auth/sloccerts/myFinalCert.pem
requireClientCert = false
sslPassword = $7$vboieDG2v4YFg8FbYxW8jDji6woyDylOKWLe8Ow==

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

# cat ../etc/system/local/web.conf
[expose:tlPackage-scimGroup]
methods = GET
pattern = /identity/provisioning/v1/scim/v2/Groups/*

[expose:tlPackage-scimGroups]
methods = GET
pattern = /identity/provisioning/v1/scim/v2/Groups

[expose:tlPackage-scimUser]
methods = GET,PUT,PATCH,DELETE
pattern = /identity/provisioning/v1/scim/v2/Users/*

[expose:tlPackage-scimUsers]
methods = GET
pattern = /identity/provisioning/v1/scim/v2/Users

[settings]
enableSplunkWebSSL = true
serverCert = /opt/splunk/etc/auth/sloccerts/myFinalCert.pem

After making changes to server.conf, I am able to restart the splunkd service, but after making changes to web.conf, restarting the splunkd service gets stuck. Below are the logs related to it:

# ./splunk restart
splunkd is not running.  [FAILED]
Splunk> The IT Search Engine.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _configtracker _dsappevent _dsclient _dsphonehome _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main sim_metrics statsd_udp_8125_5_dec summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems... Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-9.3.2-d8bb32809498-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done  [ OK ]
Waiting for web server at https://127.0.0.1:8000 to be available...............................WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.

Please let me know if I am missing something. Thanks
Hi, the Mimecast App gets events for most of the activity that occurs in the solution but does not give the option to get archive events. Does anybody know if they plan to add that functionality soon? Just in case, so I do not have to develop that part on my own. I refer to these two API calls:

https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-archive-message-view-logs/
https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-archive-search-logs/

The rest of the things are included in the current version 5.2.0. And no, the events generated when someone reads the content of an email are not stored with the Audit events. Thanks!
Hi, I need help. I have just updated my indexer cluster, composed of 4 Windows 2022 servers, to the new version of Splunk, 9.4.0. As always I followed the update procedure, but this time one of my 4 servers refuses to update; it rolls back each time. I checked the failed installation logs and noticed that the KVstore was failing to update! Can anyone help me fix this problem? Thanks for your help.
I've been researching this for the last 30 minutes and can't find anything to let you read that file. Everything is around the conf files only, so not even scripts or such. You could look into a dashboard with a custom JavaScript call maybe, but that is outside my wheelhouse to even know if that is possible.
Hello, we have a lookup CSV file with 1 million records (data1) and a KV store with 3 million records (data2). We need to compare a street address in data2 with a fuzzy match of the street address in data1 (the bold red text below), returning the property owner. Example:

data2 street address: 123 main street
data1 street address: 123 main street apt 13

We ran a regular lookup command and this took well over 7 hours. We have tried creating a sub-address (data1a) removing the apt/unit numbers, but it is still a 7 hour search. Plus, if there is more than one apt/unit at the address, there might be more than one property owner. This is why a fuzzy-type compare is what we are looking for. Hope my explanation is clear. Ask if not.

Thanks and God bless, Genesius (Merry Christmas and Happy Holidays)
I have a client who wants to share the README file in their app with end users so that they can reference it in the UI. Seems reasonable, and it prevents them having to duplicate content into a view. Otherwise the README file is only available to admins who have CLI access. I have tried using the REST endpoint to locate the file, and I have checked that the metadata allows read; it is just the path and actual capability I am unclear on.

https://<splunk-instance>/en-GB/manager/<redacted>/apps/README.md

Thanks
Hi @Dawoo, how are you? You can follow the documentation steps to install UF on MacOS
Hi @inventsekar, thanks for the reply. I just entered one site. On the other hand, I would be pleased to share the error logs, but none are showing. I configured the logging level on the app as "ERROR" and "DEBUG", but no logs appear when I run:

index=_internal source="/opt/splunk/var/log/splunk/python.log" level!=INFO

Regards, PB
@user487596, an easier way to manipulate passwords is by using the Splunkbase app: https://splunkbase.splunk.com/app/4013
Thank you. It's worked for me.
@isoutamo Thanks for the reply. I'm afraid to go with the scripts route, but I'll still check if there is any other solution I can find, as I'm looking to move the existing users from the old application to the renamed one without much effort.
@PickleRick Thanks for the reply. Yes, I meant the same, i.e. Splunkbase is a channel for application distribution. I agree that we can release a new app along with migration steps. Still, I'm looking for a solution where the existing application user can seamlessly move to the newly renamed application without having to worry about replicating the same saved searches, as well as the app setup, to the newer app.
Hi @inventsekar, thanks for responding. I have user gate logs. My logs look something like this:

user=john gate=gate1 action="IN" use_id=12345

I am trying to visualise this in such a way that I have a live dashboard which shows me which users are passing through which gate.
Hi, first of all, I'm a total beginner to Splunk. I just started my free trial of Splunk Cloud and want to install the UF on my MacBook. I don't know how to install the credential file, splunkclouduf.spl. I have unpacked that file, but to what directory should I move the contents? You can also see the directory of SplunkForwarder.
Hi @BRFZ (as others have not mentioned it yet), maybe please have a look at this doc; it has pretty good details: https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/WhatyoucansecurewithSplunk
Hi @arunkuriakose, good day to you. May I ask you to provide more details please?

1) What kinds of data have you ingested into Splunk so far?
2) What details about the employees are already available inside Splunk?
3) Are the employee ID card login and logout details already available inside Splunk?
Hi @PolarBear01, I am not sure how to help on this, but I thought to ask you:

1) Did you enter only one site or multiple sites?
2) As shown in that error text, may I know if you had a chance to check the python.log for more details?
Thank you so much, the eval command is magical!