All Posts

@SreejithDas- You need to either increase the UI upload limit in web.conf or just install the ES from backend/SSH. https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity  
Hello Experts, I am getting an error while importing splunk-enterprise-security_732.spl. The current Splunk version used here is Splunk Enterprise Version: 9.3.2. Here is the error description: This XML file does not appear to have any style information associated with it. The document tree is shown below. <response> <messages> <msg type="ERROR">Content-Length of 920287904 too large (maximum is 524288000)</msg> </messages> </response> Need help on this. #SplunkError #ContentLengthExceeded #EnterpriseSecurity #UploadIssue #LargeAppFileError
Hi, I have a python script that requires a hostname as input and then runs an Ansible job via AWX. Is there a way to install this cleanly via a dashboard or in a menu in ES? I actually just want to enter the hostname and use it to start the script. Regards, David
Hello Experts, I am getting an error while importing splunk-it-service-intelligence_4191.spl. The current Splunk version used here is Splunk Enterprise Version: 9.3.2. Here is the error description: "There was an error processing the upload.Invalid app contents: archive contains more than one immediate subdirectory: and DA-ITSI-DATABASE" Please help on this. #SplunkError #InvalidAppContents #AppUploadIssue #SplunkDebugging #ITSIError
Hi @PickleRick, I agree to a certain extent. The question here was how to "find internal and external ip addresses", and I think we can agree here that it's not the internal IP that is presented, unless they are sitting on the same network. But as many (most, I suppose) are more or less distributed, you'll not be able to get the internal IP this way - right?
To answer such a question one should first define what "internal" and "external" IPs mean here, given many possible deployment scenarios including multihomed hosts, NATs, intermediate forwarders, proxies and so on. Only then can one start digging into available data.
I had the same issue. For me, upgrading to ES 7.3.2 did solve the issue. Br
Just because the issuer is "Splunk something" doesn't mean the file itself couldn't have been - for example - manually renamed from the original file which was created by some built-in scripts. Unfortunately you're using Windows, so I won't give you a find | grep one-liner to find whether it's referenced anywhere. You have to check for yourself if any *.conf file calls out to it.
Hi @yeahnah, Unfortunately your solution doesn't provide the truth, as the clientIp is NOT equal to the internal IP; it's unfortunately the public IP, which is not the same as the internal - and what I'd rather call the private IP. The reason I know this is because I'm sitting with a bunch of external UFs calling home to a DPL outside the network to all UF's, and I need to get the same information - the internal (private) IP, but it's not available. Till now I only see one way, which is a scripted input and/or an existing app that collects this info. Your search is still good, it just doesn't provide what's requested.
Your description is still way incomplete. But whatever your exact use case is, I agree with @gcusello that it's something that you should work with your local Splunk Partner on - have an experienced Architect or Consultant go through your use case and see what can be done and how.
There is a fat chance that the links as well as the content itself aren't manually created but rather generated from some external tool. You might want to ask on Slack (on #docs or "the other channel" ) if there is someone having more insight on this
Hi @marnall, We are using the Splunk Python SDK in our app to configure custom data inputs. Please check the link below for reference. https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtocreatemodpy/ The issue here is that during creation or editing of a data input the Stream_event function is called, and it is also called after a specific interval of time, like every 15 min. We need to identify in the Stream_event function from where it gets called, so accordingly we have 2 different algorithms to execute.
Hi all, I have 2 scenarios: (1) We ingest logs (Windows, Linux) using the Splunk agent. (2) Ingest logs from flat files using the Splunk agent. I've been asked to check whether the Splunk agent has any log integrity checking feature. Does the Splunk agent (or any other component in Splunk ES) check that the logs have not been tampered with in transit? Thanks J
Hi @arjun, multi-tenancy implementation isn't a Community job and it requires an analysis and a design by a Splunk Architect. You should define rules to identify customers and assign to each of them an index overriding the default. So the first job is to identify rules (regexes) and then apply on your Heavy Forwarders (if present) or on your Indexers something like this:
    # transforms.conf
    [overrideindex_customer1]
    DEST_KEY = _MetaData:Index
    REGEX = .
    FORMAT = customer1_index
    # props.conf
    [host::customer1_host]
    TRANSFORMS-index = overrideindex_customer1
Ciao. Giuseppe
Give it the permissions you want for its visibility
Hi @gcusello, We have many clients who use Splunk and we need to get some data from those Splunk servers. I am trying to find a way with SPL to get that data. The basic data that we need from those Splunk systems is: 1) detailed information about resources, their usage, and associated costs. But I am not sure which index will have this data? Will the _telemetry index have all the required data to know how much utilisation has been done day by day? I hope this defines my requirement clearly.
Hi @Rak , good for you, see next time! let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @SamYap, you have to see in one props.conf and transforms.conf what you are forwarding. You can recognize the transformation because it will contain the option: DEST_KEY = _SYSLOG_ROUTING as you can see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd#Syslog_data Ciao. Giuseppe
Thank you very much for your answer and help, I will try today. And I will come back with feedback  
I'm trying to create a role for a developer in our organization where the developer is only allowed to view the dashboard which is created by the admin or the person who has the edit_own_objects capability attached to his role. I created a role for the developer which has the below capabilities attached to it:
    capabilities = [
      "search",
      "list_all_objects",
      "rest_properties_get",
      "embed_report"
    ]
Now when I log in as a developer and try viewing the dashboards, they are visible and in read mode only, but the developer can also create new dashboards, which shouldn't be allowed. How can I restrict the developer from creating a new dashboard? Also, the below capabilities automatically get added to the role along with the ones which I've specified above:
    run_collect
    run_mcollect
    schedule_rtsearch
    edit_own_objects
I've also given read access in the specific dashboard permissions setting for the developer's role only.