Nope. You're mistaking two different things. One is where the search is defined. Another is where it is visible. By calling /servicesNS/admin/myapp you're getting a list of apps _visible_ in the context of user admin and app myapp. It might as well be defined in another app and shared globally.
It's... complicated. Splunk doesn't keep network-level metadata about its sources. So (apart from the values set in the default metadata fields by input settings) you can't, for example, tell from which IP the syslog data came or which UF sent a particular event. You can set it on the source by using the _meta setting per input, but it has its own share of issues.
1. If you want to capture the source UF name or IP you'd need to set it to a different value for each UF. That's hard to maintain since, except for some very rare cases, Splunk conf files don't use variables/templates, so you need to set it explicitly for each host.
2. There is only a single _meta entry for each input, so if you wanted to set two different values (for example, one metadata field for a forwarder name and one for the network zone name), you can't set them in different places and have Splunk merge them into one combined setting. One would overwrite the other. So while it is "kinda possible", it's not a very useful way to do so. You might be able to pull it off if you used an external tool to manage your forwarders' configs, one which supports templating, so you could dynamically create those configs for forwarders.
3. Oh, and remember that if you specify [default] settings for inputs you still need a separate setting for [wineventlog] inputs; the default ones are not applied there.
If I remember correctly, Wazuh is based on OpenSearch. So you need to configure syslog input(s) on Wazuh's side and syslog export on your HF(s) and/or indexer(s) (depending on your particular architecture and ingestion process).
OK. Several things here.
1. External lookup is not the same as external command. An external lookup is a somewhat simpler version of an external command.
2. External lookup is _not_ the same as automatic lookup. An external lookup is using the SPL lookup command syntax to execute your external script, while an automatic lookup is a lookup which is automatically invoked on your data without the need to manually invoke the lookup command. The typical application of the automatic lookup is adjusting field values to the CIM data model.
3. But still the lookup must match its definition, so I pointed you to the fact that your stanza was named ucd_category_lookup but you were trying to use ucd_count_chars_lookup; these didn't match.
Did you read https://dev.splunk.com/enterprise/docs/devtools/externallookups/ ?
Hi @arjun , you can calculate the license consumption per day using [Settings > License > License Consumption > Past days > by index]. Using your search you have all the license consumption; you cannot divide it by customer, as I already said: multitenancy isn't a Community topic, it requires a Splunk PS or a Certified Architect that already did this job (like me). Ciao. Giuseppe
OK. Now let's back up a little. Explain in your own words, without using SPL, what business problem you're trying to solve here. What are you trying to achieve? You're clearly trying to "implement a non-SPL thing in SPL", which is usually not a very good idea. Or at least not a very efficient one. And the same things can often be achieved in a different way.
You can raise a case with Cloud support.
Hi @gcusello, I am trying to get data related to usage and billing from Splunk. Here is the query I am using for that:

index=_telemetry source=*license_usage_summary.log* | bin _time span=1d | stats sum(b) as TotalBytes by _time | eval GB=round(TotalBytes / (1024 * 1024 * 1024), 2) | timechart span=1d values(GB) as "Daily Indexed GB"

And per my research Splunk has a few more such indexes like _internal and _audit. I just want to know if this is the correct approach or not.
What is the output when you execute the curl command to test the webhook? Have you ensured that the webhook is reachable from outside?
Hi @zksvc , I never used Wazuh, but I can suppose that it's like other third-party systems, so you can look at:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Forwarddatatothirdpartysystems
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd
Ciao. Giuseppe
Could you please try this transforms.conf stanza:

[add_hostname]
REGEX=.*
FORMAT=host::$1 $0
SOURCE_KEY=MetaData:Host
DEST_KEY=_raw
There are some limitations on which functions you can use with the analytics metrics; only aggregation queries are supported (min, max, avg etc.). Try and use this: the max value essentially will do nothing and not change the value, but it allows the metric to be saved as you use an aggregation function.

SELECT max(toInt((toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)))) FROM intune_dep WHERE tokenName = "Wipro-EY-Intune" AND (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) >= 30

SELECT max(toInt((tokenExpirationDateTime - now()) / (24*60*60*1000))) FROM intune_dep WHERE tokenName = "Wipro-EY-Intune" AND (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) >= 30

Let me know if this works.
The REST API also gives you back globally shared searches. You could try:
1. filter out all searches with name="sharing">global<
2. filter for name="app">MYAPP<
3. use a different user to call the API
Hey everyone, I got information that Wazuh can send data to Splunk; I want to reverse it, because I want to send data from Splunk to Wazuh. In my case I have a TI which has an API that can send data to Splunk, and then I want to forward it to Wazuh. Maybe by using a third party like Logstash / Elastic / etc.? Does anyone know about it? Because I have never read about it before. Thanks
@PaulPanther Just a side experiment & wondering if it's possible.
Hi @M2024X_Ray , for the moment, only Splunk Support can give you an official answer. Ciao. Giuseppe
Check out:
Install on Linux - Splunk Documentation
Start Splunk Enterprise for the first time - Splunk Documentation
Configure Splunk Enterprise to start at boot time - Splunk Documentation
Hello, from which Splunk Universal Forwarder version is Windows Server 2025 supported? Best regards and thanks for cooperation. M2024X_Ray
Having installed Splunk to this point, what do I have to do next to get it running?
Hello. I'm having trouble listing all my saved searches from a SHC, using a command-line REST API GET. I'm asking Splunk to list all saved searches of user "admin" in the "MYAPP" app. For some strange reason I can't locate, the list also includes some other apps. Here we are:

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep 'name="app"' | sort -u

... and here is what came back:

<s:key name="app">MYAPP</s:key>
<s:key name="app">MYAPP_backup</s:key>
<s:key name="app">ANOTHER_APP</s:key>
<s:key name="app">search</s:key>

I expect only "<s:key name="app">MYAPP</s:key>" entries, or not? What's wrong??? Linux OS, Splunk Enterprise 8.2.12, SHC 3 nodes (all nodes respond with the same output). Thanks.