Hi @roopeshetty , can you elaborate on what you already tried when you mentioned "We tried many options using proxy settings but none of them are working."? Also, it is not clear whether you are running a standalone environment or a clustered one, and whether the proxy configs you tried were in conf files or added via REST. Check this documentation for a good example of how to configure proxy and non-proxy addresses, and make sure that you define http_proxy/https_proxy correctly (use the same config your browser uses for reference, if it is using a direct proxy address instead of an auto-discovery script): Configure splunkd to use your HTTP Proxy Server - Splunk Documentation. Notice that you must pass the authentication in the URL if your proxy requires it (like http://user:pass@myproxy.com:80).
>>> Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.

Precisely @dural_yyz . Giving easy and quick installation methods, providing direct options to upload a log file, and assigning default index options are all too good. First-timers will really like these features. But the "email" functionality with "default settings" such as "send anything anywhere"... looks a bit odd. It should be that, by default, you cannot send anything to any domain. The informational note should say that, if you would like to send email alerts to an outside domain, please request the Splunk Admins/power users to update the config file abcd.conf through x y z methods. Thanks for reading, have a great day.
My end goal is to be able to use the AbuseIPDB API to look up IP addresses and give back information rather than maintaining a spreadsheet lookup table. I was able to pull the blacklist data from AbuseIPDB as a CSV, and my report using the CSV lookup works. I'm trying to get data on IPs, blacklisted or not, leveraging the API. I want a report that looks like the one I have for blacklisted IPs.
Hi @Utkc137 , sorry, but are you receiving logs from BlueCoat using syslog or from another Splunk Forwarder? Usually BlueCoat uses syslog, not a Splunk Forwarder. splunktcp inputs are for log forwarding from another Splunk system, not for syslog! Ciao. Giuseppe
We ran into an issue with the indexer: if the maximum daily volume is breached 5 times, the indexer will be disabled. That is now the case with our installation:

Error in tsats command: your Splunk license expired or you have exceeded license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK

The license is now Free, and there is no way back to the Enterprise trial; there is no way back once the license has expired.
Here is my workflow action:

This is the search I created for my report:

index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"

I get 0 results. When I take off the workflow action piece, I get 635 results in 15 minutes.
Interesting, I am seeing the same behavior as Merter above with JDK 1.8 and AppD 24.7. Curiously, there are no errors in the logs and metrics are hitting the controller. The only indicator is that the instrumentation status is Failed, and the DC shows Pending. Also, due to the limit on the number of concurrent services to instrument and the fact that the 2 services never fully succeed, no other services will be instrumented.
This is the configuration I have as of now. I am out of reasons why this would not work. Am I missing something very basic here?

Inputs:

./splunk btool inputs list --debug splunktcp://2514
/opt/splunk/etc/system/local/inputs.conf     [splunktcp://2514]
/opt/splunk/etc/system/default/inputs.conf   _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf     disabled = false
/opt/splunk/etc/system/default/inputs.conf   host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf     index = mmsproxy
/opt/splunk/etc/system/local/inputs.conf     source = tcp.bluecoat
/opt/splunk/etc/system/local/inputs.conf     sourcetype = bluecoat:proxysg:access:syslog

Props:

./splunk btool props list --debug bluecoat | grep -ie local
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   [bluecoat]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   rename = bluecoat:proxysg:access:syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   [bluecoat:proxysg:access:syslog]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   EVENT_BREAKER_ENABLE = true
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   KV_MODE = none
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   MAX_DAYS_AGO = 10951
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   TRUNCATE = 64000
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   category = Network & Security
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf   pulldown_type = true
https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Define_an_email_notification_action_for_an_alert_or_scheduled_report

Right now the domain setting is still listed as 'Optional' in the documentation, which obviously hasn't caught up with the default install health checks. So you won't find the supporting information you are requesting just yet. But I have been on the security side of corporate life for some time. Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.
Switched the inputs to 2154... still no luck.
Port 9997 is a reserved port for Splunk. If this is an external stream from syslog or any other source, please select a different port. Example: port=2514. I selected that because 514 is reserved for syslog and I have seen 1514 used for TCP encrypted syslog, so it is best to just get up and away from those. But by keeping the *514 format it will be easier for others who may inherit your setup to know instinctively that it's a syslog source.
For testing, I tried the props you provided along with these inputs.conf stanzas.

Test 1:

[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false

Test 2:

[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat
disabled = false

Restarted Splunk for both of these tests. Still no luck.
I deleted my custom dashboard from the dashboard list on my AppDynamics SaaS Controller, is there a way I can recover a deleted dashboard?
Yes, I did restart Splunk after each conf change. Here's the inputs.conf:

[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false

Will check your props too and respond back in a few minutes.
Hi @Ben , you should change the grants in the apps containing the other dashboards. Then, how did you create the new role? Did you create it from scratch, by cloning another one, or did you use inheritance? Don't use inheritance. Ciao. Giuseppe
Hi @rahusri2 , as I said, you can install a Splunk Heavy Forwarder and configure it exactly like the on-premise receiver. Then, to forward data to Splunk Cloud, you have to download the Forwarders app from your Splunk Cloud instance and install it on the Heavy Forwarder; otherwise it cannot send logs to Splunk Cloud. Ciao. Giuseppe
The default one, "mscs:azure:eventhub", doesn't work at all. For some other inputs I used "ms:o365:management", which extracts for some inputs. But we have several sources like AzureAD, Exchange and all the other MS products, and it's not too clear to me which sourcetype I should use.
Hi @Utkc137 , sorry for the very stupid question: did you restart your Splunk server after the conf update? Could you share the inputs.conf you are using? Please try this in local/props.conf:

[bluecoat]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
rename=bluecoat:proxysg:access:syslog

[bluecoat:proxysg:access:syslog]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = none
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE=true
MAX_DAYS_AGO = 10951
TRUNCATE = 64000

Ciao. Giuseppe
Can you share the inputs stanza you have for listening to the TCP stream?

Inside the default application props is:

[bluecoat]
rename=bluecoat:proxysg:access:syslog

This occurs at search time only, per the instructions at: https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/Propsconf#Sourcetype_configuration

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with sourcetype=<string>
* To search for the original source type without renaming it, use the field _sourcetype.
* Data from a renamed sourcetype only uses the search-time configuration for the target sourcetype. Field extractions (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string

This leaves any _time extraction issues with the source type identified in the inputs.conf stanza.
Hello @gcusello, thanks for your reply, really appreciated.

Let me understand: you have a Forwarder (UF or HF) using the outputs.conf you shared to forward logs to Splunk Cloud, which receives syslog (using UDP on port 8125), is that correct?

I have a StatsD server configured locally, running on port 8125 (UDP), and it generates some metric data. Currently, the application using the StatsD server is sending metrics to Splunk Enterprise (running locally). I can view all the metrics from the Splunk Analytics Workspace without any issues. Now, I want to forward all application metrics from the StatsD server (running on port 8125 UDP) to Splunk Cloud instead of Splunk Enterprise. I have read in a couple of documents that for this use case we have to use a heavy forwarder. To achieve this, I added the Splunk Cloud address "prd-p-7mh2z.splunkcloud.com:9997" in "Forwarding and receiving → Configure forwarding" but am encountering the following error:

The TCP output processor has paused the data flow. Forwarding to host_dest=prd-p-7mh2z.splunkcloud.com inside output group default-autolb-group from host_src=rahusri2s-MacBook-Pro.local has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

# cat /Applications/splunk/etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 1

[tcpout:default-autolb-group]
server = prd-p-7mh2z.splunkcloud.com:9997

# cat /Applications/splunk/etc/apps/search/local/inputs.conf
[splunktcp://9997]
connection_host = ip

[udp://8125]
connection_host = dns
host = rahusri2s-MacBook-Pro.local
index = 4_dec_8125_udp
sourcetype = statsd

Thank you.