All Posts

Hi, is it possible to log to Splunk using Laminas\Log\Writer? ...I'll try to do it, but with some problems... Do you have any example of how to do it?
\"webaclId\":\s\"[^:]+:[^:]+:[^:]+:[^:]+:[^:]+:regional\/webacl\/([^\/]+)\/ Your example data has a space: "webaclId": " Verified on regex101.
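To show what the pattern in the answer above does with and without that space, here is an added Python example (not code from the thread). It runs the answer's regex unchanged over two constructed WAF-style log fragments, and also shows a tolerant variant (my own assumption, not from the answer) that accepts `\s*` and names the ARN segments; the same pattern works in SPL's `rex` with a named group such as `(?<webacl_name>[^/]+)`.

```python
import re

# Pattern exactly as posted in the answer above. Note the mandatory \s between
# the colon and the opening quote: it only matches data with a space there.
ANSWER_PATTERN = re.compile(
    r'"webaclId":\s"[^:]+:[^:]+:[^:]+:[^:]+:[^:]+:regional/webacl/([^/]+)/'
)

# Tolerant variant (assumption, not from the thread): \s* accepts zero or more
# spaces, and the ARN segments are named so the capture is self-documenting.
TOLERANT_PATTERN = re.compile(
    r'"webaclId":\s*"arn:[^:]+:wafv2:(?P<region>[^:]+):(?P<account>\d{12}):'
    r'regional/webacl/(?P<name>[^/]+)/(?P<acl_id>[^"/]+)"'
)

# Constructed sample log fragments (not real data). The first has a space
# after the colon, like the asker's example; the second does not.
SAMPLES = [
    '{"timestamp":1700000000000,"webaclId": "arn:aws:wafv2:us-east-1:'
    '123456789012:regional/webacl/prod-edge-acl/'
    '0a1b2c3d-0000-1111-2222-333344445555","action":"BLOCK"}',
    '{"timestamp":1700000001000,"webaclId":"arn:aws:wafv2:eu-west-1:'
    '123456789012:regional/webacl/staging-acl/'
    '9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff","action":"ALLOW"}',
]


def extract_with_answer_pattern(line):
    """Return the web ACL name captured by the answer's regex, or None."""
    m = ANSWER_PATTERN.search(line)
    return m.group(1) if m else None


def extract_tolerant(line):
    """Return region/account/name/acl_id from the tolerant regex, or None."""
    m = TOLERANT_PATTERN.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Pair each line with both extraction results for side-by-side comparison."""
    return [(extract_with_answer_pattern(l), extract_tolerant(l)) for l in lines]


if __name__ == "__main__":
    for strict, tolerant in summarize(SAMPLES):
        print("answer regex:", strict, "| tolerant:", tolerant and tolerant["name"])
```

The first sample matches both patterns; the second matches only the tolerant one, which is the point the answer makes: the `\s` is there because the asker's data has a space, and data without one needs `\s*`.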
Sorry about the delay. Unfortunately this does not seem to be the problem. I have changed the local.meta to
# simquery command
[commands/simquery]
access = read : [ * ], write : [ admin ]
and restarted (that's why it took so long), but I still get the same error.
The current universal forwarder 9.0.9 included in SOAR 6.2.2 is being flagged for an openssl vulnerability. Does anyone know what version UF is packaged in the 6.3.1 SOAR release?
Why is that? Serious question. I've never tried to do so but it shouldn't need to index anything locally.
Ok that's way too much logic for me to follow on a Monday morning before I have even had coffee.  I would split the fields into mv unique options.  Then start evaluating a new field based upon your logic flow.  Anything with a TRUE outcome can be your final results.
Can you provide an anonymized sample of what this search displays and an example record of what you want the final output to be?
Contact Methods for US/CAN https://www.splunk.com/en_us/about-splunk/contact-us.html?locale=en_us Non US/CAN locations https://www.splunk.com/en_us/about-splunk/contact-us.html?locale=en_us#customer-support  
Hi @Sabahat - apologies for the very late response. I hope this has already been resolved, but if not: this is visible for the sc_admin role; I am not sure about Power User. Thank you.
That was just a friendly reminder that while "tools" like yours can find some typical cases there might be a lot of them which you might miss with them. As long as you are aware of it and you're using it only as means of a quick help, that's fine and dandy. But there are often questions around here "how to find all XXX defined/used by ...". For which the usual answer is - there is no 100% sure way to do so.
What do you mean by that? I didn't mean to ask my question in a way that suggests I want to replace docs and management with tools.
I believe so, but I've never tested it and I don't have a dev environment to verify. You can try creating an unnamed capture group inside your regex. In the FORMAT setting, replace <new-value> with "$1".
Same here, I'm using my business email and got no activation email. I also can't create support tickets; that's really not a great way to welcome new customers.
I'm not able to even open a support ticket, as there's a required field I can't fill in. I tried with both Gmail and my company account; there's no email/domain filtering in our domain.
Dear Splunkers, I am running version 9.3.1 and I would like to perform a search that identifies the most common hours at which trucks have been visiting my site location. My search query is the following:
| addinfo
| eval _time = strptime(Start_time,"%m/%d/%Y %H:%M")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| search Plate!=0
| search Location="*"
| timechart span=1h count by Plate limit=50
Like this I'm able to see trucks visiting the location by time in a span. How do I continue to display the most common hours during which my trucks visit locations? Thank you
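The steps in the post above (parse Start_time with the "%m/%d/%Y %H:%M" format, keep only events inside the search window, drop Plate 0, then count per hour) carried through to a per-hour-of-day tally, as an added Python example that is not part of the thread. The records, the window boundaries and the Plate "0" convention are constructed assumptions for illustration; in SPL the equivalent last step would be `| eval hour=strftime(_time,"%H") | stats count by hour | sort -count`.

```python
from collections import Counter
from datetime import datetime

# Same format string the post's strptime() uses.
TIME_FORMAT = "%m/%d/%Y %H:%M"

# Constructed sample records (not real data). Plate "0" mimics the rows the
# post filters out with Plate!=0; the October row lies outside the window.
RECORDS = [
    {"Start_time": "11/04/2024 06:10", "Plate": "AB123", "Location": "Gate A"},
    {"Start_time": "11/04/2024 06:45", "Plate": "CD456", "Location": "Gate A"},
    {"Start_time": "11/04/2024 07:05", "Plate": "AB123", "Location": "Gate B"},
    {"Start_time": "11/05/2024 06:30", "Plate": "EF789", "Location": "Gate A"},
    {"Start_time": "11/05/2024 14:20", "Plate": "0",     "Location": "Gate A"},
    {"Start_time": "11/05/2024 14:50", "Plate": "GH012", "Location": "Gate B"},
    {"Start_time": "10/01/2024 06:00", "Plate": "AB123", "Location": "Gate A"},
]


def parse_start_time(value):
    """Equivalent of the post's eval _time = strptime(Start_time, ...)."""
    return datetime.strptime(value, TIME_FORMAT)


def visits_in_window(records, start, end=None):
    """Apply the post's filters: inside [start, end] (end=None mimics
    info_max_time="+Infinity") and Plate != 0. Returns (time, record) pairs."""
    kept = []
    for rec in records:
        if rec["Plate"] == "0":
            continue
        t = parse_start_time(rec["Start_time"])
        if t < start:
            continue
        if end is not None and t > end:
            continue
        kept.append((t, rec))
    return kept


def visits_per_hour_of_day(records, start, end=None):
    """Count visits by hour of day (0-23), folding all days together, which is
    the step the post's timechart span=1h does not do."""
    return Counter(t.hour for t, _ in visits_in_window(records, start, end))


def busiest_hours(records, start, end=None, top=3):
    """Most common visiting hours as (hour, count), highest count first."""
    return visits_per_hour_of_day(records, start, end).most_common(top)


if __name__ == "__main__":
    window_start = datetime(2024, 11, 1)  # assumed search window start
    for hour, count in busiest_hours(RECORDS, window_start):
        print(f"{hour:02d}:00  {count} visit(s)")
```

The difference from the post's timechart is the fold: timechart keeps each calendar hour as its own bucket, while counting by `t.hour` (or `strftime(_time,"%H")` in SPL) merges 06:00 on every day into one bucket, which is what "most common hours" asks for.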
Splunk does _not_ handle frozen storage. It's up to you. As soon as splunkd pushes a bucket out to frozen it loses all interest in further well-being of that bucket and/or storage it's on.
That means exactly what it says - you have some searches defined (most probably because you distribute the same apps to several different kinds of splunk components) which normally should run as scheduled searches but will not because you're using a forwarder license.
That is very strange. I'd try restarting splunkd, and if the problem persists I'd raise a support case, because a non-existent input should definitely _not_ run.
Hi @AliMaher, which kind of license do you have on your HF? To use DB Connect, even without local indexing, you cannot use the Forwarder License; you must configure the HF as a license client, connecting it to the License Master. Ciao. Giuseppe
I see those errors in both the web UI and _internal.