All Posts
I'm having a similar problem. The SentinelOne recording where Kyle shows how easy it is to set up was missing something, because in the video he pretty much just drops the API token in there and BAM! everything works. I wish there were some setup documentation or guides that show you how to configure these integrations.
And how is this supposed to work? There is no property called splunk_forwarder in any props stanza. Also, Splunk does variable expansion on a very limited set of settings.
Thanks for your feedback. The Dashboards team continuously seeks to simplify the admin experience for managing dashboards. This is as intended. Dashboards are a bit different from most other webpages because they are specifically configured by a dashboard builder to look a certain way. So allowing end users to change the theme conflicts with the idea that a dashboard builder can build a dashboard to be viewed the way they built it. On top of that, due to the high level of customization and specific color settings, we can't guarantee that bulk theme changes will maintain readability or visual consistency across all dashboards.
For anyone else that stumbles upon this, I ended up working with Infoblox support on this. The issue was in the way the Infoblox Data Connector was writing the timestamp in the logs prior to sending to Splunk. Depending on your grid timezone settings, the IB Data Connector was actually offsetting the epoch time... instead of leaving it as epoch (don't ask me why). They pushed a patch down a few days ago that fixed it for us.
Hello Team, I have forwarded syslogs to Splunk Enterprise. I am trying to find a way to create props.conf and transforms.conf such that Splunk ingests all the messages which match the keywords that I have defined in a regex in transforms.conf and drops all the non-matching messages; however, I am not able to do that. Is there a way to do it, or do transforms.conf and props.conf only work to drop the messages which are defined in the regex? Currently, if I try that, Splunk is dropping only the keywords that I defined and ingesting everything else. I am new to Splunk, so I am requesting some inputs on this. Thanks in advance!!
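The pattern Splunk documents for "keep only these, drop the rest" is to route every event of the sourcetype to nullQueue first and then override the queue for the events that match. This is an added example, not from the thread or from Splunk's own files; the sourcetype name my_syslog and the keyword regex are placeholders for the poster's own values.

```ini
# props.conf - must live on the indexer or heavy forwarder that parses the
# data; a universal forwarder does not run these transforms.
[my_syslog]
TRANSFORMS-keeponly = drop_everything, keep_matches

# transforms.conf
# Order matters: both stanzas write the same key (queue) and the last one that
# matches wins, so the catch-all has to come first in the TRANSFORMS list.
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Events whose _raw matches this regex (placeholder keywords) are put back on
# the indexing path; everything else stays in nullQueue.
[keep_matches]
REGEX = (?i)\b(sshd|sudo|authentication failure)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Two caveats before deploying it: events sent to nullQueue are discarded before indexing, so they never appear in search and cannot be recovered, and the regex is applied to each event's _raw after line breaking. Check the keyword regex against live data first (for example with the regex command on an already-indexed sample of the sourcetype) so that a typo does not silently drop the whole feed. The same result can be had with a single transform whose regex uses a negative lookahead to send only non-matching events to nullQueue, but the two-stanza form above is easier to read and to extend.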
What have you tried so far?  Was it anything like this? | rex "\}\s*-\s*(?<field>.*)"
I'm trying to regex the field that has "REPLY" CommonEndpointLoggingAspect {requestId=94f2a697-3c0d-4835-b96a-42be3d2426e2, serviceName=getCart} - REPLY 
curl command:
curl -k -u admin:Password -X POST http://127.0.0.1:8000/en-US/services/authorization/tokens?output_mode=json --data name=admin --data audience=Users --data-urlencode expires_on=+30d

But I am able to log in via the UI and create an access token. If I try to do the same using the curl command, I get the response below. Note: the response has been trimmed.

<div class="error-message"> <h1 data-role="error-title">Oops.</h1> <p data-role="error-message">Page not found! Click <a href="/" data-role="return-to-splunk-home">here</a> to return to Splunk homepage.</p> </div> </div> </div> <div class="message-wrapper"> <div class="message-container fixed-width" data-role="more-results"><a href="/en-US/app/search/search?q=index%3D_internal%20host%3D%22f6xffpvw93.corp.com%2A%22%20source%3D%2Aweb_service.log%20log_level%3DERROR%20requestid%3D6740cfffb611125b5e0" target="_blank">View more information about your request (request ID = 6740cfffb611125b5e0) in Search</a></div> <div class="message-container fixed-width" data-role="crashes"></div> <div class="message-container fixed-width" data-role="refferer"></div> <div class="message-container fixed-width" data-role="debug"></div> <div class="message-container fixed-width" data-role="byline"> <p class="byline">.</p> </div> </div> </body>
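The trimmed response in the post is the generic "Page not found" HTML page that splunkweb serves for unknown /en-US/... paths on the web port (8000 by default). The tokens endpoint is not a web page: it is served by splunkd on the management REST port, 8089 by default, over HTTPS, and creating tokens requires token authentication to be enabled (which it is if the UI lets you create one). The script below is an added example of the same request aimed at the management port; it is not from the thread. The host name, the CA bundle path and the token name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: create a Splunk authentication token through the management
# REST port instead of the splunkweb port. Host, CA path and token name are
# placeholders.
set -euo pipefail

# Build the endpoint URL. splunkd answers REST calls on the management port
# (default 8089); the /en-US/ locale prefix belongs to splunkweb only.
splunk_token_url() {
  local host="${1:-localhost}" port="${2:-8089}"
  printf 'https://%s:%s/services/authorization/tokens?output_mode=json' "$host" "$port"
}

# Create a token for user $2 with audience $3 that expires after $4 (e.g. +30d).
# Credentials come from a ~/.netrc entry (mode 0600) rather than -u user:pass
# on the command line, so they do not end up in shell history or `ps` output.
# --cacert replaces -k so the server certificate is actually verified, and
# --fail turns an HTTP error (such as the 404 above) into a non-zero exit code
# instead of a page of HTML.
create_token() {
  local url="$1" name="$2" audience="$3" expires="$4"
  # Assumption: path of the CA that signed splunkd's certificate.
  local cacert="${SPLUNK_CACERT:-/etc/ssl/certs/ca-certificates.crt}"
  curl --silent --show-error --fail \
       --cacert "$cacert" --netrc \
       -X POST "$url" \
       --data "name=${name}" \
       --data "audience=${audience}" \
       --data-urlencode "expires_on=${expires}"
}

# Usage (needs a reachable splunkd and a ~/.netrc entry for the host):
#   create_token "$(splunk_token_url splunk.example.com)" admin Users +30d
```

The JSON reply carries the token string; treat it like a password, because anyone holding it can call the REST API as that user until expires_on.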
I had done something like this in a previous life. Each HF should get an app which has a props definition under the default stanza. For a small number of HFs you can do this manually; for a large group to manage from something like a DS, reference the Splunk environment variables.

props.conf
[default]
splunk_forwarder = <HOSTNAME>

It has been a while, so play around with this. I seem to remember it was a props.conf mapped to transforms.conf which inserted the hostname, so find what works best for you.
Try my revised answer.
That seems to work; however, it is capturing the "\" at the end of the string. I want the value to stop after Ops in the string and not include the "\".
Would Windows systems also listen or show connected on these ports? Port 9997 or 9998.
The default installation directory for Splunk Enterprise is /opt/splunk and for the Universal Forwarder it's /opt/splunkforwarder. Both can be changed during installation, so those are not 100% reliable.

The Splunk process name is 'splunkd'.

As for whether it is forwarding to Splunk, that's a bit trickier. You could issue a splunk list forward-server command, but you'd need execute access on the splunk binary and a Splunk account. Another option is to use the splunk btool outputs list command to see if there is a server setting. There may be more than one, however, and zero or more may be in effect.

Consider using network tools to see if splunk has an open connection to port 9997 or 9998. That's a good test for forwarding.
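Following on from the network-tools suggestion, here is an added check script for a Linux host; it is not from the thread. It looks for a splunkd process and for established outbound TCP connections to the receiving ports, which is the view a security engineer wants when asked "is this box forwarding, and to whom?". It assumes iproute2's ss is installed, and it defaults to the 9997/9998 ports mentioned above while letting a site pass its own. Note that an indexer or intermediate forwarder that receives on 9997 shows a LISTEN socket on that port rather than an outbound ESTAB connection, and that Splunk Enterprise and the Universal Forwarder both run as splunkd, so the process name alone does not tell them apart. The Windows question above is not covered here; the equivalent view on Windows comes from netstat -ano or Get-NetTCPConnection.

```bash
#!/usr/bin/env bash
# Added example: is Splunk running here, and does it hold live forwarding
# connections? Ports default to 9997 and 9998 (constructed default, override
# with arguments).
set -euo pipefail

# Print the peer (ip:port) of every ESTABLISHED TCP connection whose remote
# port is one of the given ports, reading `ss -tn` output from stdin.
# `ss -tn` columns: State Recv-Q Send-Q Local Peer [Process]; the header line
# is skipped. Kept separate from the collector so it can be run on captured
# output.
forward_peers() {
  local ports_re
  ports_re=$(IFS='|'; printf '%s' "$*")          # 9997|9998
  awk -v re="^.*:(${ports_re})$" '
    NR > 1 && $1 == "ESTAB" && $5 ~ re { print $5 }'
}

# Collector: process check, then connection check on this host.
check_host() {
  local ports=("$@")
  [ "${#ports[@]}" -gt 0 ] || ports=(9997 9998)

  if pgrep -x splunkd >/dev/null; then
    echo "splunkd running (pid $(pgrep -x splunkd | head -1))"
  else
    echo "no splunkd process"
  fi

  local peers
  peers=$(ss -tn 2>/dev/null | forward_peers "${ports[@]}" || true)
  if [ -n "$peers" ]; then
    echo "forwarding connections to:"
    echo "$peers"
  else
    echo "no established connection to ports ${ports[*]}"
  fi
}

# Usage: check_host            # defaults to 9997 9998
#        check_host 9997 9100  # site-specific receiving ports
```

A reachable peer on 9997 confirms the transport, not that the forwarder is actually sending events; pair it with the splunk list forward-server output or the receiving indexer's _internal logs when you need to prove data is flowing.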
Hi @dural_yyz, Thanks for your response. I'm not sure if we can do btool as this is in Splunk Cloud ES.    
This should get you started.   | rex "sn_grp:(?<sn_grp>[^\\]+)"  
Need help to extract a field that comes after a certain word in an event. I am looking to extract a field called "sn_grp" with the value of "M2 Infra Ops". So for every event that has sn_grp: I would like to extract the string that follows, which is "M2 Infra Ops". This string value will be the same name for every event. Below is an example data set I am using to write the regex against:
\"sn_grp:M2 Infra Ops\"},{\"context\":\"CONTEXTLESS\",\"key\":\"Correspondence Routing Engine\
You could find them by a trial and error process.
| tstats values(<field1>) as <field1> values(<field2>) as <field2> values(<field3>) as <field3> WHERE index=<index> sourcetype=<sourcetype> by sourcetype
Fields that have data in the results are usable fields.
Hi there, not sure if you already did, but the Monitoring Console could give you some insight, mainly volume per token and activity by your HEC instances (aka HFs). Take a look under Indexing > Inputs > HTTP Event Collector: Instance.
Here we go. So this could be a network transmission problem, so check for firewall blocks and any routing issues first. Then look into SSL connection issues last.