All Posts

Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


Please help me in configuring rsyslog to Splunk. Our rsyslog server will receive the logs from network devices, and our rsyslog server has a UF installed. I have no idea how to configure this or what rsyslog means. Please help me with a step-by-step procedure for how to configure this to our deployment server or indexer. Documentation will be highly appreciated.
Thanks for the response. The thing is, this alert should trigger once every day and it should be dynamic, as the result keeps changing. Based on your comment it looks like I need to redo it every time I have to send the reports: 'Once the done_sending_email.csv and list_all_emails.csv lookup tables are almost the same size (done_sending_email.csv will be +1 bigger if it has the filler value), then the emails are all sent out. You can then disable the alert, or you can empty the done_sending_email.csv file if you'd like to send another wave of emails.'
Hello Richgalloway, thank you for the feedback. I've managed to set my time window with Uptime results. Now I have an issue using my span so that I could see _time and Uptime in seconds in one row only. I would like to achieve this by setting the Time picker to last 3 days, and I set my span to 72 hours so that I'm having one row with all the results:

| bin span=72h _time

My oldest time should then always be 3 days backwards. But when I do this my results also display time which is outside of 3 days (see attachment). My oldest results should end 18.11.24 in the morning, but instead it also shows results for 17.11.24. In this case instead of one row I will have 2 rows, which will crash my search idea as I need to have one row with the results only. Why is that? Can you suggest something? How exactly does the span function work?
Sorry, I have access to the files.
It's under my username, with Admin privileges.
Which user does the scheduled search run as and do they have access to the lookup files?
| eventstats values(eval(if(match="ok",match,null()))) as match by Hostname
Updated the accepted solution with the actual solution 
Try something like this (the first rex needs the literal colon before the number, otherwise \d+ never matches):

| rex "Total number of records[^:]+:\s*(?<records>\d+)"
| rex "(?<closing>ClosingBal=[^,]+)"
| rex "(?<opening>openingBal\s\S+)"
I have a Splunk query that does some comparisons and the output is as follows. If any of the rows below for the given hostname has "OK", that host should be marked as "OK" (irrespective of the IP addresses it has). Can you help me with the right query please?

Hostname  IP_Address  match
esx24     1.14.40.1   missing
esx24     1.14.20.1   ok
ctx-01    1.9.2.4     missing
ctx-01    1.2.1.5     missing
ctx-01    1.2.5.26    missing
ctx-01    1.2.1.27    missing
ctx-01    1.1.5.7     ok
ctx-01    1.2.3.1     missing
ctx-01    1.2.6.1     missing
ctx-01    1.2.1.1     missing
w122      1.2.5.15    ok
1] Tried using Until since to pull the number of days between the expirationDateTime and the system date, based on token name, as we have many token names.

expirationDateTime         eventTimestamp             pickupTimestamp
2025-07-26T23:00:03+05:30  2024-11-21T17:06:33+05:30  2024-11-21T17:06:33+05:30

Token name: AppD

Can you suggest the query to be used such that we get the value in number of days until the certificate expires?
Yes, that's the case: "to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs." Thanks.
As a general rule, the settings from server.conf are applied if they are not overwritten at the inputs.conf/outputs.conf level. So if you specify a cert/CA cert or any other parameters at the particular input/output level, you will have those settings in force at that point. So yes, you can have separate certs on each "endpoint", but honestly, I don't see much gain in this. The only use case I could think of to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs.
I created a scheduled search that reads 2 input lookup CSV files. It returns zero results when I look at "View Recent"/Job Manager. When I run it by clicking the "Run" selection, I get the results that I'm looking for. What am I overlooking?
Hi @PickleRick, we have already tested that it's OK with 100 GB/day. Do you have sample configurations (inputs.conf / server.conf) to receive syslog over TLS? I found this doc: https://support.checkpoint.com/results/sk/sk122323 Thanks for your help.
That's what I feared. You might run into performance issues. You've been warned. Also, it's not the best idea to receive syslog (or a pseudo-syslog like a raw TCP-TLS stream) directly on the forwarder. If you have the option, I'd advise setting up a separate syslog collector (rsyslog/vanilla syslog-ng/SC4S, in no particular order of preference) and either writing to files and reading from them with a UF, or sending via HEC downstream. But then again, you might not have that possibility here if you have compliance requirements.
I'm aware of the need to remove the inputs.conf before installing the TAs collecting the logs on the SHC, but if the inputs are still present in the disabled state I'm getting errors like "Unable to initialize modular input". Hence, I want to understand whether the scripts continue running in the backend even if the inputs are in the disabled state and throw errors, or whether it is something else I'm not aware of?
Hello @PickleRick, yes, there are compliance rules in our case. Thanks for your help.
Hi Team, can someone guide me on how to fetch a word (highlighted) from the logs below?

AccountMonthendReset - Total number of records reset after monthend:111439411
AccountBalanceMonthendSnapshot - Total number of records in Monthend Cache:111439411
MonthlyCollateralProcessor - compareCollateralStatsData :  statisticData: StatisticData [selectedDataSet=0, rejectedDataSet=0, totalOutputRecords=0, totalInputRecords=0, fileSequenceNum=0, fileHeaderBusDt=null, busDt=10/31/2024, fileName=SETTLEMENT_MONTHEND_COLLATERAL_CONSUMER_CHARGE, totalAchCurrOutstBalAmt=4.57373200875E9, totalAchBalLastStmtAmt=4.57373200875E9, totalClosingBal=4.57373200875E9, sourceName=null, version=1, associationStats={}]  with collateralSum 4.57373200875E9 openingBal 4.53003366393E9 ageBalTot 4.57373200875E9 busDt 10/31/2024

Can someone please guide me on how to fetch the highlighted words?
Great thanks @dural_yyz I'll try that.