All Posts

To answer such a question one should first define what "internal" and "external" IPs mean here, given the many possible deployment scenarios including multihomed hosts, NATs, intermediate forwarders, proxies and so on. Only then can one start digging into the available data.
I had the same issue. For me, upgrading to ES 7.3.2 did solve the issue. Br
Just because the issuer is "Splunk something" doesn't mean the file itself couldn't have been, for example, manually renamed from the original file which was created by some built-in scripts. Unfortunately you're using Windows, so I won't give you a find | grep one-liner to find whether it's referenced anywhere. You have to check for yourself whether any *.conf file calls out to it.
Hi @yeahnah, unfortunately your solution doesn't provide the truth, as the clientIp is NOT equal to the internal IP; it's unfortunately the public IP, which is not the same as the internal one, and what I'd rather call the private IP. The reason I know this is because I'm sitting with a bunch of external UFs calling home to a DPL outside the network to all UFs, and I need to get the same information, the internal (private) IP, but it's not available. Till now I only see one way, which is a scripted input and/or an existing app that collects this info. Your search is still good, it just doesn't provide what's requested.
Your description is still way incomplete. But whatever your exact use case is, I agree with @gcusello that it's something you should work with your local Splunk Partner on: have an experienced Architect or Consultant go through your use case and see what can be done and how.
There is a fat chance that the links, as well as the content itself, aren't manually created but rather generated from some external tool. You might want to ask on Slack (on #docs or "the other channel") if there is someone with more insight on this.
Hi @marnall, we are using the Splunk Python SDK in our app to configure custom data inputs. Please check the link below for reference: https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtocreatemodpy/ The issue here is that during creation or editing of a data input the Stream_event function is called, and it is also called after a specific interval of time, like every 15 min. We need to identify in the Stream_event function from where it gets called, so that we can execute one of 2 different algorithms accordingly.
Hi all, I have 2 scenarios:

1. We ingest logs (Windows, Linux) using the Splunk agent.
2. We ingest logs from flat files using the Splunk agent.

I've been asked to check whether the Splunk agent has any log integrity checking feature. Does the Splunk agent (or any other component in Splunk ES) check that the logs have not been tampered with in transit? Thanks, J
Hi @arjun, multi-tenancy implementation isn't a Community job and it requires an analysis and a design by a Splunk Architect. You should define rules to identify customers and assign to each of them an index, overriding the default. So the first job is to identify rules (regexes) and then apply on your Heavy Forwarders (if present) or on your Indexers something like this:

# transforms.conf
[overrideindex_customer1]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = customer1_index

# props.conf
[host::customer1_host]
TRANSFORMS-index = overrideindex_customer1

Ciao. Giuseppe
Give it the permissions you want for its visibility
Hi @gcusello, we have many clients who use Splunk and we need to get some data from those Splunk servers. I am trying to find a way with SPL to get that data. The basic data that we need from those Splunk systems is: 1) detailed information about resources, their usage, and associated costs. But I am not sure which index will have this data. Will the _telemetry index have all the required data to know how much utilisation has been done day by day? I hope this defines my requirement clearly.
Hi @Rak, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @SamYap, you have to see in one props.conf and transforms.conf what you are forwarding. You can recognize the transformation because it will contain the option:

DEST_KEY = _SYSLOG_ROUTING

as you can see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd#Syslog_data Ciao. Giuseppe
Thank you very much for your answer and help, I will try today. And I will come back with feedback.
I'm trying to create a role for a developer in our organization where the developer is only allowed to view the dashboards which are created by the admin or by the person who has the edit_own_objects capability attached to his role. I created a role for the developer which has the below capabilities attached:

capabilities = [
  "search",
  "list_all_objects",
  "rest_properties_get",
  "embed_report"
]

Now when I log in as the developer and try viewing the dashboards, they are visible and in read mode only, but the developer can also create new dashboards, which shouldn't be allowed. How can I restrict the developer from creating a new dashboard? Also, the below capabilities automatically get added to the role along with the ones I've specified above:

run_collect
run_mcollect
schedule_rtsearch
edit_own_objects

I've also given read access in the specific dashboard permissions setting for the developer's role only.
Thanks, does the definition need global permission?
Relanto@DESKTOP-FRSRLVP MINGW64 ~
$ curl -k -u admin:adminadmin https://localhost:8089/servicesNS/admin/search/data/ui/panels -d "name=user_login_panel&eai:data=<panel><label>User Login Stats</label></panel>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3990  100  3913  100    77  12955    254 --:--:-- --:--:-- --:--:-- 13255<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. (padding dots elided) -->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>panels</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/panels</id>
  <updated>2024-12-03T12:27:38+05:30</updated>
  <generator build="0b8d769cb912" version="9.3.1"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/panels/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/panels/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/panels/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>user_login_panel</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/panels/user_login_panel</id>
    <updated>2024-12-03T12:27:38+05:30</updated>
    <link href="/servicesNS/admin/search/data/ui/panels/user_login_panel" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/panels/user_login_panel" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/panels/user_login_panel/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/panels/user_login_panel" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/panels/user_login_panel" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/panels/user_login_panel/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<panel><label>User Login Stats</label></panel>]]></s:key>
        <s:key name="eai:digest">6ad60f5607b5d1dd50044816b18d139b</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="label">User Login Stats</s:key>
        <s:key name="panel.title">user_login_panel</s:key>
        <s:key name="rootNode">panel</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
Relanto@DESKTOP-FRSRLVP MINGW64 ~
$

I have created the panel using the Splunk REST API documentation: https://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTknowledge#data.2Fui.2Fpanels After creating the panel, it's not showing in my Splunk Enterprise UI. What is the actual use of this?
@PickleRick Thanks for highlighting the limitation on the number of rows returned by a subsearch. This explains why one of my other dashboards won't provide trustworthy values at the moment. Looks like I need to review and update some of my searches.
Is this what you're after?

| makeresults format=csv data="Day,Percent
2024-11-01,100
2024-11-02,99.6
2024-11-03,94.2
2024-12-01,22.1
2024-12-02,19.0"
| eval _time=strptime(Day, "%F")
| foreach 50 80 100 [ eval REMEDIATION_<<FIELD>> = if(Percent <= <<FIELD>>, 1, null()) ]
| stats earliest_time(_time) as Start earliest_time(REMEDIATION_*) as r_*
| foreach r_* [ eval <<MATCHSTR>>%=<<FIELD>> | fields - <<FIELD>> ]
| foreach * [ eval "<<FIELD>>"=strftime('<<FIELD>>', "%F") ]
You cannot use regex matching in lookups. Lookup wildcards only support *, and that is when you create a lookup definition and use the advanced options to set WILDCARD(Regex_Path). You are using a lookup file, not the definition. So the lookup must match exactly, or, when you have a * (e.g. /home/ubuntu/*) for a wildcarded version, you would then have to have another column with the real regex. Note that c:\boot.ini is not a valid regex, due to the \ which needs to be escaped.