All Posts
Workflow actions are an interactive feature used in search results to perform something on an event. See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Control_workflow_action_appearance_in_field_and_event_menus for more information. That said, workflow actions are not applicable to reports. If you put the report in a dashboard, then you can add a drilldown that uses the same search as your workflow action.
Dear all, where could I find the Availability Trend metric for a job to use it in a dashboard? I want to replicate it exactly as it appears in the image, but in a dashboard. (Post edited by @Ryan.Paredez to translate the post.)
Hello, I am having issues configuring the HTTP Event Collector on my organization's Splunk Cloud instance. I have set up a token and have been trying to test using the example curl commands. However, I am having issues discerning which endpoint is the correct one. I have tested several endpoint formats:
- https://<org>.splunkcloud.com:8088/services/collector
- https://<org>.splunkcloud.com:8088/services/collector/event
- https://http-inputs-<org>.splunkcloud.com:8088/services/collector...
- several others that I have forgotten.
For context, I do receive a response when I GET https://<org>.splunkcloud.com/services/server/info. From what I understand, you cannot change the port from 8088 on a cloud instance, so I do not think it is a port error. Can anyone point me to any resources that would help me determine the correct endpoint? (Not this: Set up and use HTTP Event Collector in Splunk Web - Splunk Documentation. I've browsed for hours trying to find a more comprehensive resource.) Thank you!
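Added example for the question above (my own code, not the poster's and not Splunk's): a small Python probe that tests a HEC endpoint in two steps. The unauthenticated /services/collector/health call proves that the host and path are right, independent of the token; only then is a single event sent to /services/collector/event with the token in the Authorization header. Splunk documents the https://http-inputs-<stack>.splunkcloud.com:443 form for HEC on Splunk Cloud Platform, so the base URL assumes that shape; the stack name "example", the token value and the sample event are placeholders.

```python
"""Probe a Splunk HTTP Event Collector endpoint step by step.

Added example: first the unauthenticated health check (proves host and path),
then a single test event with the token in the Authorization header.
Host, token and event below are placeholders, not real values.
"""
import json
import sys
import urllib.error
import urllib.request

# Splunk Cloud Platform documents the http-inputs-<stack> host on port 443 for HEC;
# "example" stands in for the real stack name.
HEC_BASE = "https://http-inputs-example.splunkcloud.com:443"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token

HEALTH_PATH = "/services/collector/health"
EVENT_PATH = "/services/collector/event"


def build_event(event, sourcetype="hec:test", index=None, host=None):
    """JSON body for /services/collector/event; index and host are optional overrides."""
    body = {"event": event, "sourcetype": sourcetype}
    if index:
        body["index"] = index
    if host:
        body["host"] = host
    return body


def build_request(base, path, token=None, body=None):
    """Build the urllib Request. The token travels only in the Authorization
    header (never in the query string), so it does not land in proxy or access logs."""
    url = base.rstrip("/") + path
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Splunk " + token
    data = None if body is None else json.dumps(body).encode("utf-8")
    method = "GET" if data is None else "POST"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def interpret(status, body_text):
    """Turn the HTTP status plus HEC's {"text": ..., "code": ...} JSON into a verdict."""
    try:
        payload = json.loads(body_text) if body_text else {}
    except ValueError:
        payload = {}
    code = payload.get("code")
    text = payload.get("text", "")
    if status == 200 and code == 0:
        return "ok"
    if status == 200 and text.startswith("HEC is healthy"):
        return "healthy"
    if status in (401, 403):
        return "auth problem: " + (text or "no detail")  # e.g. "Invalid token"
    if status == 404:
        return "no HEC at this host/path (404)"
    return "unexpected %s: %s" % (status, text or body_text[:80])


def send(req):
    """Perform the request; return (status, body). TLS verification stays on:
    a wrong host is a wrong host, do not 'fix' it with curl -k style workarounds."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base=HEC_BASE, token=HEC_TOKEN):
    """Health check first, then one event; returns the two verdicts."""
    health = interpret(*send(build_request(base, HEALTH_PATH)))
    if health != "healthy":
        return health, "skipped"
    body = build_event({"msg": "hec probe", "n": 1}, sourcetype="hec:test")
    event = interpret(*send(build_request(base, EVENT_PATH, token, body)))
    return health, event


if __name__ == "__main__":
    # usage: python hec_probe.py https://http-inputs-<stack>.splunkcloud.com:443 <token>
    print(probe(*sys.argv[1:3]))
```

Run it once per candidate base URL: a 404 or a TLS/DNS failure on the health call means the host or path is wrong and the token is irrelevant; a 401/403 on the event call means the host is right and the problem is the token or the index it is allowed to write to.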
Hi @roopeshetty, can you elaborate more on what you already tried when you mentioned "We tried many options using proxy settings but none of them are working"? Also, it is not clear if you are running a standalone environment or a clustered one, and whether the proxy configs you tried were in conf files or added via REST. Check this documentation for some good examples of how to configure proxy and non-proxy addresses, and make sure that you define http_proxy/https_proxy correctly (use the same config mentioned in your browser for reference if that uses a direct proxy address instead of an auto-discovery script): Configure splunkd to use your HTTP Proxy Server - Splunk Documentation. Note that you must pass the authentication in the URL if your proxy requires it (like http://user:pass@myproxy.com:80).
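Added example (not from the reply above, and not the poster's configuration): the server.conf stanza that the linked documentation page describes, with a placeholder proxy host and port.

```ini
# $SPLUNK_HOME/etc/system/local/server.conf  (restart splunkd afterwards)
[proxyConfig]
http_proxy = http://proxy.example.com:3128
https_proxy = http://proxy.example.com:3128
# hosts splunkd must reach directly; keep loopback here or local REST calls break
no_proxy = localhost, 127.0.0.1, ::1
```

Confirm what splunkd actually loaded with `splunk btool server list proxyConfig --debug`, which also shows which file each value came from. If the proxy needs credentials, the `http://user:pass@proxy.example.com:3128` form puts them in plaintext in server.conf and in that btool output, so restrict read access to the file and use a proxy account that is only allowed to talk from the Splunk hosts.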
>>> Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.
Precisely @dural_yyz. Given the easy and quick installation methods, providing direct options to upload a log file and assigning default index options are all very good. First-timers will really like these features. But the "email" functionality with the "default settings" such as "send anything anywhere" looks a bit odd. It should be that, by default, you cannot send anything to any domain. The informational note should say that if you would like to send email alerts to an outside domain, please request the Splunk admins/power users to update the config file abcd.conf through x y z methods. Thanks for reading, have a great day.
My end goal is to be able to use the AbuseIPDB API to look up IP addresses and give back information rather than maintaining a spreadsheet lookup table. I was able to pull the blacklist data from AbuseIPDB as a CSV, and my report using the CSV lookup works. I'm trying to get data on IPs, blacklisted or not, leveraging the API. I want a report that looks like the one I have for blacklisted IPs.
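Added example (my own code, not the poster's and not an official Splunk or AbuseIPDB script): a Splunk external lookup that fills AbuseIPDB fields for an IP column, which is the API-driven replacement for the CSV lookup the post describes. It uses AbuseIPDB's documented v2 check endpoint (GET https://api.abuseipdb.com/api/v2/check with the key in a `Key` header). The script name, the transforms.conf stanza in the docstring, the output field names, and reading the key from an ABUSEIPDB_KEY environment variable are assumptions for illustration; in a real deployment the key would come from Splunk's credential store. The rows used in the test are constructed.

```python
#!/usr/bin/env python3
"""Splunk external lookup: enrich an IP field with AbuseIPDB /api/v2/check results.

Added example. Assumed transforms.conf stanza on the search head:
  [abuseipdb]
  external_cmd = abuseipdb_lookup.py ip
  fields_list = ip, abuseConfidenceScore, totalReports, countryCode, lastReportedAt
Splunk pipes a CSV with those columns on stdin and reads the filled CSV from stdout,
so in SPL it is used as: ... | lookup abuseipdb ip AS src_ip
"""
import csv
import ipaddress
import json
import os
import sys
import urllib.parse
import urllib.request

API_URL = "https://api.abuseipdb.com/api/v2/check"  # AbuseIPDB v2 check endpoint
OUTPUT_FIELDS = ["abuseConfidenceScore", "totalReports", "countryCode", "lastReportedAt"]


def is_public_ip(value):
    """Only public addresses go to the API: RFC 1918 and other non-global ranges
    would just leak internal addressing to a third party and never have reports."""
    try:
        return ipaddress.ip_address(value.strip()).is_global
    except ValueError:
        return False


def check_ip(ip, api_key, max_age_days=90):
    """One API call; returns the 'data' dict from the JSON body, or None on any error."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    req = urllib.request.Request(
        API_URL + "?" + query,
        headers={"Key": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp).get("data")
    except Exception:
        return None  # rate limit, network error, bad key: leave the row unenriched


def enrich_rows(rows, ip_field, lookup):
    """Fill OUTPUT_FIELDS on every row. `lookup(ip)` returns a data dict or None.
    Results are cached per IP, so a report with many hits from one address costs one call."""
    cache = {}
    for row in rows:
        ip = row.get(ip_field, "")
        if not is_public_ip(ip):
            continue  # private or invalid: leave the fields blank, do not query
        if ip not in cache:
            cache[ip] = lookup(ip) or {}
        for field in OUTPUT_FIELDS:
            value = cache[ip].get(field)
            row[field] = "" if value is None else str(value)
    return rows


def main():
    api_key = os.environ.get("ABUSEIPDB_KEY")  # assumption; use Splunk's credential store in practice
    if not api_key:
        sys.exit("ABUSEIPDB_KEY is not set")
    ip_field = sys.argv[1] if len(sys.argv) > 1 else "ip"  # Splunk passes the field names as args
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in enrich_rows(list(reader), ip_field, lambda ip: check_ip(ip, api_key)):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

With this in place the report over blacklisted IPs becomes a plain search plus `| lookup abuseipdb ip AS src_ip | where abuseConfidenceScore > 50`, and IPs that are not on the blacklist still get a score. The per-IP cache matters because external lookups run once per search and AbuseIPDB rate-limits the check endpoint per key per day.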
Hi @Utkc137, sorry, but are you receiving logs from BlueCoat using syslog or from another Splunk Forwarder? Usually BlueCoat uses syslog, not a Splunk Forwarder. The splunktcp input is for log forwarding from another Splunk system, not for syslog! Ciao. Giuseppe
We ran into an issue with the indexer: if the max daily volume is exceeded 5 times, the indexer will be disabled, which is the case now with our installation. Error in 'tstats' command: your Splunk license expired or you have exceeded the license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK. The license is now Free and there is no way back to the Enterprise trial; there is no way back once the license has expired.
Here is my workflow action:
This is the search I created for my report:
index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"
I get 0 results. When I take off the workflow action piece, I get 635 results in 15 minutes.
Interesting, I am seeing the same behavior as Merter above with JDK 1.8 and AppD 24.7. Curiously, there are no errors in the logs and metrics are hitting the controller. The only indicator is that the instrumentation status is Failed, and the DC shows Pending. Also, due to the limit on the number of concurrent services to instrument and the fact that the 2 services never fully succeed, no other services will be instrumented.
This is the configuration I have as of now. I am out of reasons why this would not work. Am I missing something very basic here?
Inputs:
./splunk btool inputs list --debug splunktcp://2514
/opt/splunk/etc/system/local/inputs.conf    [splunktcp://2514]
/opt/splunk/etc/system/default/inputs.conf  _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf    disabled = false
/opt/splunk/etc/system/default/inputs.conf  host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf    index = mmsproxy
/opt/splunk/etc/system/local/inputs.conf    source = tcp.bluecoat
/opt/splunk/etc/system/local/inputs.conf    sourcetype = bluecoat:proxysg:access:syslog
Props:
./splunk btool props list --debug bluecoat | grep -ie local
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  [bluecoat]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  rename = bluecoat:proxysg:access:syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  [bluecoat:proxysg:access:syslog]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  EVENT_BREAKER_ENABLE = true
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  KV_MODE = none
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  MAX_DAYS_AGO = 10951
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  TRUNCATE = 64000
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  category = Network & Security
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf  pulldown_type = true
https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Define_an_email_notification_action_for_an_alert_or_scheduled_report Right now the domain setting is still listed as 'Optional' in the documentation, which obviously hasn't caught up with the default install health checks. So you won't find the supporting information you are requesting just yet. But I have been on the security side of corporate life for some time. Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.
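Added example for the two posts on email destinations above (my own, not from either poster): the alert_actions.conf setting that closes the gap they describe. The [email] stanza has an allowedDomainList; when it is empty, which is the shipped default, an alert or scheduled report can be mailed to any recipient domain. The domain names are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/alert_actions.conf
# Shipped default: allowedDomainList is empty, so any recipient domain is accepted.
# Listing your own mail domains turns the "send anything anywhere" default off.
[email]
allowedDomainList = example.com, mail.example.com
```

Check the effective value with `splunk btool alert_actions list email --debug | grep allowedDomainList` (the --debug column tells you whether an app's local copy overrides yours), then verify the restriction end to end by scheduling a test search that mails an address outside the list and confirming it is not delivered.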
Switched the input to 2154, still no luck.
Port 9997 is a reserved port for Splunk; if this is an external stream from syslog or any other source, please select a different port, for example port=2514. I selected that as 514 is reserved for syslog and I have seen 1514 used for TCP encrypted syslog, so it's best to just get up and away from those. But by keeping the *514 format it will be easier for others who may inherit your setup to know instinctively that it's a syslog source.
For testing, I tried the props you provided along with these inputs.conf stanzas.
Test 1:
[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false
Test 2:
[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat
disabled = false
Restarted Splunk for both of these tests. Still no luck.
I deleted my custom dashboard from the dashboard list on my AppDynamics SaaS Controller, is there a way I can recover a deleted dashboard?
Yes, I did restart Splunk after each conf change. Here's the inputs.conf:
[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false
Will check your props too and respond back in a few minutes.
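Added example for the BlueCoat thread above (Giuseppe's point that splunktcp is only for Splunk-to-Splunk traffic, and the later port discussion); this is my configuration, not the poster's. It shows an inputs.conf for the receiving instance with a plain TCP listener for the ProxySG syslog stream next to a splunktcp listener that stays reserved for forwarders. Port 2514 follows the suggestion in the thread; the network in acceptFrom is a placeholder.

```ini
# inputs.conf on the receiving Splunk instance (restart after changing)

# Raw syslog from the ProxySG needs a plain TCP listener. A [splunktcp://] stanza
# speaks the Splunk-to-Splunk protocol, so raw syslog sent to it is never indexed.
[tcp://2514]
sourcetype = bluecoat:proxysg:access:syslog
index = mmsproxy
source = tcp.bluecoat
connection_host = ip
# least privilege: only the proxy subnet may talk to this port (placeholder range)
acceptFrom = 10.20.30.0/24
disabled = false

# Forwarder traffic only; nothing else should be pointed here
[splunktcp://9997]
disabled = false
```

Verify with `splunk btool inputs list tcp --debug` that the [tcp://2514] stanza is the one in effect, confirm the socket with `ss -ltn | grep 2514`, and push one line from an allowed host with `printf 'test line\n' | nc <indexer> 2514` before searching `index=mmsproxy`. If the ProxySG is configured to send syslog over UDP rather than TCP, the stanza must be `[udp://2514]` instead; the same acceptFrom restriction applies.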
Hi @Ben, you should change the grants in the apps containing the other dashboards. Then, how did you create the new role? Did you create it from scratch, by cloning another one, or did you use inheritance? Don't use inheritance. Ciao. Giuseppe
Hi @rahusri2, as I said, you can install a Splunk Heavy Forwarder and configure it exactly as the on-premise receiver. Then, to forward data to Splunk Cloud, you have to download the Forwarders app from your Splunk Cloud instance and install it on the Heavy Forwarder; otherwise it cannot send logs to Splunk Cloud. Ciao. Giuseppe
The default one, "mscs:azure:eventhub", doesn't work at all. For some other inputs I used "ms:o365:management", which extracts fields for some inputs. But we have several sources like AzureAD, Exchange and all the other MS products, and it's not clear to me which sourcetype I should use.