All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

It's under my username, with Admin privileges.
Which user does the scheduled search run as and do they have access to the lookup files?
| eventstats values(eval(if(match="ok",match,null()))) as match by Hostname
Updated the accepted solution with the actual solution 
Try something like this | rex "Total number of records[^:]+\s*(?<records>\d+)" | rex "(?<closing>ClosingBal=[^,]+)" | rex "(?<opening>openingBal\s\S+)"
 I have a splunk query that does some comparisons and the output is as follows.  If any of the row below for the given hostname has "OK", that host should be marked as "OK" ( irrespective of IP addre... See more...
 I have a splunk query that does some comparisons and the output is as follows.  If any of the row below for the given hostname has "OK", that host should be marked as "OK" ( irrespective of IP addresses it has).  can you help me with the right query pls ?   Hostname IP_Address match esx24 1.14.40.1 missing esx24 1.14.20.1 ok ctx-01 1.9.2.4 missing ctx-01 1.2.1.5 missing ctx-01 1.2.5.26 missing ctx-01 1.2.1.27 missing ctx-01 1.1.5.7 ok ctx-01 1.2.3.1 missing ctx-01 1.2.6.1 missing ctx-01 1.2.1.1 missing w122 1.2.5.15 ok
1] Tried using Until since to pull the no of days between the expirationDateTime and system date, based on token name as we have many token names expirationDateTime eventTimestamp pickupTimesta... See more...
1] Tried using Until since to pull the no of days between the expirationDateTime and system date, based on token name as we have many token names expirationDateTime eventTimestamp pickupTimestamp 2025-07-26T23:00:03+05:30 2024-11-21T17:06:33+05:30 2024-11-21T17:06:33+05:30 Token name AppD can you suggest the query to be used such that we get value in no of days the certificate gets expired
yes that's the case "to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs." thanks
As a general rule - the settings from server.conf are applied if they are not overwritten at inputs.conf/outputs.conf level. So if you specify a cert/CAcert or any other parameters at the particular ... See more...
As a general rule - the settings from server.conf are applied if they are not overwritten at inputs.conf/outputs.conf level. So if you specify a cert/CAcert or any other parameters at the particular input/output level, you will have those settings in force at that point. So yes, you can have separate certs on each "endpoint" but honestly, I don't see much gain in this. The only use case I could think of to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs.
I created a scheduled search that reads 2 input lookup csv files. It returns zero results when I look at the "View Recent"/Job Manager. When I run it by clicking the "Run" selection, I get the result... See more...
I created a scheduled search that reads 2 input lookup csv files. It returns zero results when I look at the "View Recent"/Job Manager. When I run it by clicking the "Run" selection, I get the results that I'm looking for. What am I overlooking? 
Hi @PickleRick  we have already tested it's ok with 100 gb/day. Do you have sample configurations (inputs.conf / server.conf) to receive syslog over TLS?   I found this doc : https://support.check... See more...
Hi @PickleRick  we have already tested it's ok with 100 gb/day. Do you have sample configurations (inputs.conf / server.conf) to receive syslog over TLS?   I found this doc : https://support.checkpoint.com/results/sk/sk122323     Thanks for your help.  
That's what I feared. You might run into performance issues. You've been warned. Also - it's not a best idea to receive syslog (or pseudo-syslog like raw TCP-TLS stream) directly on the forwarder. I... See more...
That's what I feared. You might run into performance issues. You've been warned. Also - it's not a best idea to receive syslog (or pseudo-syslog like raw TCP-TLS stream) directly on the forwarder. If you have the option, I'd advise to set up a separate syslog collector (rsyslog/vanilla syslog-ng/SC4S - in no particular preference order) and either write to files and read from them with a UF or send via HEC to downstream. But then again - you might not have the possibility here if you have compliance requirements.
  I'm aware about the fact to remove the inputs.conf before installing the TAs collecting the logs on the SHC but if the inputs are still present in the disabled state I'm getting errors like "Unabl... See more...
  I'm aware about the fact to remove the inputs.conf before installing the TAs collecting the logs on the SHC but if the inputs are still present in the disabled state I'm getting errors like "Unable to initialize modular input". Hence, want to understand if the scripts continues running in the backend even if the inputs are in disabled state and throws error or is it something else I'm not aware about?
Hello @PickleRick  yes there are compliance rules in our case. Thanks for your help.
Hi Team, Can someone guide me how to fetch a word(highlighted ) from below logs AccountMonthendReset - Total number of records reset after monthend:111439411 AccountBalanceMonthendSnapshot - Total... See more...
Hi Team, Can someone guide me how to fetch a word(highlighted ) from below logs AccountMonthendReset - Total number of records reset after monthend:111439411 AccountBalanceMonthendSnapshot - Total number of records in Monthend Cache:111439411 MonthlyCollateralProcessor - compareCollateralStatsData :  statisticData: StatisticData [selectedDataSet=0, rejectedDataSet=0, totalOutputRecords=0, totalInputRecords=0, fileSequenceNum=0, fileHeaderBusDt=null, busD t=10/31/2024, fileName=SETTLEMENT_MONTHEND_COLLATERAL_CONSUMER_CHARGE, totalAchCurrOutstBalAmt=4.57373200875E9, totalAchBalLastStmtAmt=4.57373200875E9, total ClosingBal=4.57373200875E9, sourceName=null, version=1, associationStats={}]  with collateralSum 4.57373200875E9 openingBal 4.53003366393E9 ageBalTot 4.57373200875E9 busDt 10/31/2024 Can someone please guide how to fetch highlighted words
Great thanks @dural_yyz I'll try that.
First important question - why do you even want to use TLS on this communication channel? If you have some externally enforced compliance rules you have to adhere to, that's another story but be awar... See more...
First important question - why do you even want to use TLS on this communication channel? If you have some externally enforced compliance rules you have to adhere to, that's another story but be aware that sending data from Checkpoint (I assume we're talking about LogExporter) over plain TCP can lead to performance problems. Not even using TLS over that connection. Are you sure you can handle that?  
Looks like a normal line chart. What is so special about this one?
wonderful - and thanks.    
As I said before - these are your searches, your data and your environment. You have to check what searches you have, which ones of them are executed with what frequency and how long they take to run... See more...
As I said before - these are your searches, your data and your environment. You have to check what searches you have, which ones of them are executed with what frequency and how long they take to run. It's not something that can be automated. It's a tedious manual work to dig into those searches and decide whether they are needed, whether they need to run that often or on such long time range. It can easily happen if you don't manage your environment strictly enough, don't have a well-defined process for configuring your searches and if your users have too "loose" permissions and can create schedules searches on a whim (especially if they can't write them effectively).