All Posts

The question was very vague and ambiguous. Let's consider a situation where you have a server hosting two interfaces - 192.168.10.23/24 and 172.17.1.10/24. It receives HEC data on the 172.17.1.10 interface and has a default route via 192.168.10.1. It sends its data to an indexer located at 10.1.2.3/24 but the connection is SNAT-ed so it appears to the indexer as coming from 10.20.1.1. What is internal and external in this case? It is _not_ straightforward. I could throw in an intermediate forwarder to this mix and possibly some HTTP proxy. "Internal" and "external" mean different things depending on where you look from.
@SreejithDas - You are installing the Splunk IT Intelligence App, which is not allowed to be installed from the UI. You need to install it from backend/SSH only. Reference Document - https://docs.splunk.com/Documentation/ITSI/4.19.1/Install/Install I hope this helps!!! Kindly upload if it does!!!
@SreejithDas- You need to either increase the UI upload limit in web.conf or just install the ES from backend/SSH. https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity  
Hello Experts,
I am getting an error while importing splunk-enterprise-security_732.spl. The current Splunk version used here is Splunk Enterprise Version: 9.3.2.
Here is the error description:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response>
  <messages>
    <msg type="ERROR">Content-Length of 920287904 too large (maximum is 524288000)</msg>
  </messages>
</response>
Need help on this.
#SplunkError #ContentLengthExceeded #EnterpriseSecurity #UploadIssue #LargeAppFileError
Hi, I have a python script that requires a hostname as input and then runs an Ansible job via AWX. Is there a way to install this cleanly via a dashboard or in a menu in ES? I actually just want to enter the hostname and use it to start the script. Regards, David
Hello Experts,
I am getting an error while importing splunk-it-service-intelligence_4191.spl. The current Splunk version used here is Splunk Enterprise Version: 9.3.2.
Here is the error description:
"There was an error processing the upload.Invalid app contents: archive contains more than one immediate subdirectory: and DA-ITSI-DATABASE"
Please help on this.
#SplunkError #InvalidAppContents #AppUploadIssue #SplunkDebugging #ITSIError
Hi @PickleRick, I agree to a certain extent. The question here was how to "find internal and external ip addresses", and I think we can agree here that it's not the internal IP that is presented, unless they are sitting on the same network. But as many (most, I suppose) are more or less distributed, you'll not be able to get the internal IP this way - right?
To answer such a question, one should first define what "internal" and "external" IPs mean here, given many possible deployment scenarios including multihomed hosts, NAT-s, intermediate forwarders, proxies and so on. Only then can one start digging into available data.
I had the same issue. For me, upgrading to ES 7.3.2 did solve the issue. Br
Just because the issuer is "Splunk something" doesn't mean the file itself couldn't have been - for example - manually renamed from the original file which was created by some built-in scripts. Unfortunately you're using Windows, so I won't give you a find | grep one-liner to find whether it's referenced anywhere. You have to check for yourself if any *.conf file calls out to it.
Hi @yeahnah, Unfortunately your solution doesn't provide the truth, as the clientIp is NOT equal to the internal IP; it's unfortunately the public IP, which is not the same as the internal - and what I'd rather call the private IP. The reason I know this is because I'm sitting with a bunch of external UFs calling home to a DPL outside the network to all UFs, and I need to get the same information - the internal (private) IP, but it's not available. Till now I only see one way, which is a scripted input and/or an existing app that collects this info. Your search is still good, it just doesn't provide what's requested.
Your description is still way incomplete. But whatever your exact use case is, I agree with @gcusello that it's something that you should work with your local Splunk Partner on - have an experienced Architect or Consultant go through your use case and see what can be done and how.
There is a fat chance that the links as well as the content itself aren't manually created but rather generated from some external tool. You might want to ask on Slack (on #docs or "the other channel") if there is someone having more insight on this.
Hi @marnall, We are using the Splunk Python SDK in our App to configure custom data inputs. Please check the link below for reference. https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtocreatemodpy/ The issue here is that during creation or editing of a data input, the Stream_event function is called, and it is also called after a specific interval of time, like every 15 min. We need to identify in the Stream_event function from where it gets called, so accordingly we have 2 different algorithms to execute.
Hi all, I have 2 scenarios:
1. We ingest logs (Windows, Linux) using the Splunk agent.
2. Ingest logs from flat files using the Splunk agent.
I've been asked to check whether the Splunk agent has any log integrity checking feature. Does the Splunk agent (or any other component in Splunk ES) check that the logs have not been tampered with in transit? Thanks, J
Hi @arjun, multi-tenancy implementation isn't a Community job and it requires an analysis and a design by a Splunk Architect. You should define rules to identify customers and assign to each of them an index overriding the default. So the first job is to identify rules (regexes) and then apply on your Heavy Forwarders (if present) or on your Indexers something like this:
# transforms.conf
[overrideindex_customer1]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = customer1_index
# props.conf
[host::customer1_host]
TRANSFORMS-index = overrideindex_customer1
Ciao. Giuseppe
Give it the permissions you want for its visibility
Hi @gcusello, We have many clients who use Splunk and we need to get some data from those Splunk servers. I am trying to find a way with SPL to get that data. The basic data that we need from those Splunk systems is: 1) detailed information about resources, their usage, and associated costs. But I am not sure which index will have this data? Will the _telemetry index have all the required data to know how much utilisation has been done day by day? I hope this defines my requirement clearly.
Hi @Rak, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @SamYap, you have to see in one props.conf and transforms.conf what you are forwarding. You can recognize the transformation because it will contain the option: DEST_KEY = _SYSLOG_ROUTING as you can see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd?_gl=1*1rvxpty*_gcl_au*MjEyMTY3MjIyOC4xNzMwMTI3ODI0*FPAU*MjEyMTY3MjIyOC4xNzMwMTI3ODI0*_ga*MTg5Nzg2MDQyNS4xNzMwMTI3ODI1*_ga_5EPM2P39FV*MTczMzIxMTcyOC4xNjguMS4xNzMzMjExODY0LjAuMC43Mjg5Nzc5NTA.*_fplc*dmw3anNTNFVJVHlscHljOG9URVFjZEtrUU5henVOdjhIeHdYN3ltcVd3WkR4em9WbWNOcFYzZEs2d3clMkZHZGkwTkpSNkVmOFBCb3IycVVVQXpvallUWWFkSUslMkY1UkZ6NEtvQkRHZ21yTSUyRmIwOWl4cXVCR1BlZlRzbmJQYzFRJTNEJTNE#Syslog_data Ciao. Giuseppe