What have you tried so far?  Was it anything like this? | rex "\}\s*-\s*(?<field>.*)"
I'm trying to regex the field that has "REPLY" CommonEndpointLoggingAspect {requestId=94f2a697-3c0d-4835-b96a-42be3d2426e2, serviceName=getCart} - REPLY 
curl command :  curl -k -u  admin:Password -X POST http://127.0.0.1:8000/en-US/services/authorization/tokens?output_mode=json --data name=admin  --data audience=Users --data-urlencode expires_on=+30d   But I am able to login via UI and create an access token.   If I try to do the same using curl command, I am getting the below response. Note: The response has been trimmed.     <div class="error-message"> <h1 data-role="error-title">Oops.</h1> <p data-role="error-message">Page not found! Click <a href="/" data-role="return-to-splunk-home">here</a> to return to Splunk homepage.</p> </div> </div> </div> <div class="message-wrapper"> <div class="message-container fixed-width" data-role="more-results"><a href="/en-US/app/search/search?q=index%3D_internal%20host%3D%22f6xffpvw93.corp.com%2A%22%20source%3D%2Aweb_service.log%20log_level%3DERROR%20requestid%3D6740cfffb611125b5e0" target="_blank">View more information about your request (request ID = 6740cfffb611125b5e0) in Search</a></div> <div class="message-container fixed-width" data-role="crashes"></div> <div class="message-container fixed-width" data-role="refferer"></div> <div class="message-container fixed-width" data-role="debug"></div> <div class="message-container fixed-width" data-role="byline"> <p class="byline">.</p> </div> </div> </body>
I had done something like this in a previous life. Each HF should get an app which has a props definition under the default stanza. For a small number of HFs you can do this manually; for a large group to manage from something like a DS, reference the Splunk environment variables.
props.conf
[default]
splunk_forwarder = <HOSTNAME>
It has been a while, so play around with this. I seem to remember it was a props.conf mapped to transforms.conf which inserted the hostname, so find what works the best for you.
Try my revised answer.
That seems to work; however, it is capturing the "\" in the string at the end. I want the value to stop after Ops in the string and not include the "\".
Would Windows systems also listen or show as connected on these ports? Port 9997 or 9998
The default installation directory for Splunk Enterprise is /opt/splunk and for the Universal Forwarder it's /opt/splunkforwarder.  Both can be changed during installation so those are not 100% reliable. The Splunk process name is 'splunkd'. As for whether it is forwarding to Splunk, that's a bit trickier.  You could issue a splunk list forward-server command, but you'd need execute access on the splunk binary and a Splunk account. Another option is to use the splunk btool outputs list command to see if there is a server setting.  There may be more than one, however, and zero or more may be in effect. Consider using network tools to see if splunk has an open connection to port 9997 or 9998.  That's a good test for forwarding.
Hi @dural_yyz, Thanks for your response. I'm not sure if we can do btool as this is in Splunk Cloud ES.    
This should get you started.   | rex "sn_grp:(?<sn_grp>[^\\]+)"  
Need help to extract a field that comes after a certain word in an event. I am looking to extract a field called "sn_grp" with the value of "M2 Infra Ops". So for every event that has sn_grp: I would like to extract the string that follows, "M2 Infra Ops". This string value will be the same name for every event. Below is an example data set I am using to write the regex: \"sn_grp:M2 Infra Ops\"},{\"context\":\"CONTEXTLESS\",\"key\":\"Correspondence Routing Engine\
You could find them by a trial-and-error process. | tstats values(<field1>) as <field1> values(<field2>) as <field2> values(<field3>) as <field3> WHERE index=<index> sourcetype=<sourcetype> by sourcetype Fields that have data in the results are usable fields.
Hi there, not sure if you already did, but the Monitoring Console could give you some insight, mainly volume per token and activity by your HEC instances, aka HFs. Take a look under Indexing > Inputs > HTTP Event Collector: Instance
Here we go.  So this could be network transmissions so check for firewall blocks and any routing issues first.  Then look into SSL connection issues last.
(just to add though, I can't figure out how to have html style apply to standard child-of-form Splunk input objects)
As an outsider with no real knowledge of it, I would say it's likely coming soon. Since AWS is their testing ground for all cloud items first, they are likely aware of the need to support kernel 6.x. Also, reviewing the link you provided, the UF already supports that kernel release. Contact your Sales team or the TSE assigned to your account to see if they can get you this information for a tentative release date.
Hi @PickleRick, in this case, can I skip using TIME_FORMAT? Are the TIME_PREFIX and linebreaker attributes enough here?
You need a btool debug output for macros.conf on the ES SHC. The app is reading the proper file, but it appears you have some override of that stanza coming from an outside file.
Hi, here are a couple of ideas for quick checks:
1. Did you restart the collector after changing agent_config.yaml?
2. Did you add the new apache receiver to the metrics pipeline?
3. Did you check for apache.* metrics using the metric finder? Or check for data in the apache built-in dashboard?