Please share some raw anonymised events so we can see what you are dealing with so we can try and help you further. Please use the code block </> above to preserve the format of the events so that we can suggest the correct field extractions for you.
I am trying to write an SPL query to detect an event where a single source IP address or a user fails multiple times to log in to multiple accounts. Can anyone help me write it?
@corti77 Just curious, have you set up the API calls to Netapp using the Splunk_TA_ontap and SA-Hydra app? We are setting it up currently and have been running into an issue we can't resolve and can not find much help online.
Is there any way to toggle the data points on and off via a radio button added to a dashboard? When doing line charts with long lengths of data, the numbers get tightly put together overlapping.
I am trying to write an SPL query to detect an event where a single source IP address or a user fails multiple times to log in to multiple accounts. Can anyone help me write it?
Our Nessus vulnerability scanner is flagging that the server_pkcs1.pem certificate is expired. I have verified that it is expired but am unable to renew it. Stopping the service, renaming the file and restarting the service does not recreate it. How do you renew this certificate?
This is awesome, but is there a way to make the results columns (additional fields on my results)
This is a better option. You should remember that when you configure two outputs on Splunk and one of them stalls, the other also stops quite soon.
If you want it, you can vote up my proposal on Splunk Ideas. https://ideas.splunk.com/ideas/EID-I-2441
This is a very large limitation. Know that we would like to see more ways to customize Markdown content as well. Thanks!
There are no timestamps in the lookup table. When I plug one in, I get the desired results.
Assuming your data is in the _raw field:

| eval parts=split(_raw, " ")
| mvexpand parts
| eval name=mvindex(split(parts,":"),0)
| eval value=mvjoin(mvindex(split(parts,":"),1,2),":")
| eval {name}=value
https://docs.splunk.com/Documentation/CIM/6.0.0/User/Install There is still one outstanding index defined in the app as of the most recent install version. You will need the index defined on the indexers; you can do this with the full app or a custom app pushed to the indexers.
Do you mean?

fieldA  fieldB  fieldC
1:10    1:3     1:2
1:10            1:2
1:10            1:2
                1:1
fieldA:1:10 fieldB:1:3 fieldC:1:2
fieldA:1:10 fieldC:1:2
fieldA:1:10 fieldC:1:2
fieldC:1:1

I want to end up with fields called fieldA, fieldB, and fieldC, where the field name is the actual text found in the string, as I can't predict which event will contain which combination.
Yup, tried that, no joy. Same errors and the mongod.lock file just recreates itself.
Hi @corti77, you have to configure your NetApp to send syslogs using a protocol (TCP or UDP) on a port. At the same time, on rsyslog (or syslog-ng) you have to configure receiving, following the instructions at https://www.rsyslog.com/doc/index.html, and write the logs to a file with a path (usually containing the hostname) and a filename. Then, on the Forwarder, you have to add the add-on for NetApp ( https://splunkbase.splunk.com/app/3418 ), adding an inputs.conf in the local folder. In this inputs.conf, use the batch input, which reads and deletes logs, instead of monitor; for instructions on how to take logs, see https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/Usingforwardingagents Ciao. Giuseppe
I like this idea, but I've always inserted an extra step. Run a query on the data in Splunk for the Source, but then use the SourceType value to search the inputs. It helps to avoid any issues with wildcards or regex in the log path and filename. To each their own, and whatever works is always the best solution.
Thanks for your reply @gcusello, my question was more on how to build the solution. I found some information about configuring NetApp: https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/ So maybe it is a matter of configuring it like that and sending those logs via syslog to Splunk?
@PickleRick Ok, I see, and yes, currentDBSizeMB does correspond to the actual size of the index on the disk.