All Posts

yes that's the case "to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs." thanks
As a general rule - the settings from server.conf are applied if they are not overwritten at inputs.conf/outputs.conf level. So if you specify a cert/CAcert or any other parameters at the particular input/output level, you will have those settings in force at that point. So yes, you can have separate certs on each "endpoint" but honestly, I don't see much gain in this. The only use case I could think of to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs.
I created a scheduled search that reads 2 input lookup csv files. It returns zero results when I look at the "View Recent"/Job Manager. When I run it by clicking the "Run" selection, I get the results that I'm looking for. What am I overlooking? 
Hi @PickleRick, we have already tested, it's ok with 100 gb/day. Do you have sample configurations (inputs.conf / server.conf) to receive syslog over TLS? I found this doc: https://support.checkpoint.com/results/sk/sk122323 Thanks for your help.
That's what I feared. You might run into performance issues. You've been warned. Also - it's not the best idea to receive syslog (or pseudo-syslog like raw TCP-TLS stream) directly on the forwarder. If you have the option, I'd advise setting up a separate syslog collector (rsyslog/vanilla syslog-ng/SC4S - in no particular preference order) and either write to files and read from them with a UF or send via HEC to downstream. But then again - you might not have the possibility here if you have compliance requirements.
I'm aware of the need to remove the inputs.conf before installing the TAs collecting the logs on the SHC, but if the inputs are still present in the disabled state I'm getting errors like "Unable to initialize modular input". Hence, I want to understand whether the scripts continue running in the backend even if the inputs are in the disabled state and throw errors, or is it something else I'm not aware of?
Hello @PickleRick  yes there are compliance rules in our case. Thanks for your help.
Hi Team, can someone guide me on how to fetch a word (highlighted) from the logs below?

AccountMonthendReset - Total number of records reset after monthend:111439411
AccountBalanceMonthendSnapshot - Total number of records in Monthend Cache:111439411
MonthlyCollateralProcessor - compareCollateralStatsData :  statisticData: StatisticData [selectedDataSet=0, rejectedDataSet=0, totalOutputRecords=0, totalInputRecords=0, fileSequenceNum=0, fileHeaderBusDt=null, busD t=10/31/2024, fileName=SETTLEMENT_MONTHEND_COLLATERAL_CONSUMER_CHARGE, totalAchCurrOutstBalAmt=4.57373200875E9, totalAchBalLastStmtAmt=4.57373200875E9, total ClosingBal=4.57373200875E9, sourceName=null, version=1, associationStats={}]  with collateralSum 4.57373200875E9 openingBal 4.53003366393E9 ageBalTot 4.57373200875E9 busDt 10/31/2024

Can someone please guide me on how to fetch the highlighted words?
Great thanks @dural_yyz I'll try that.
First important question - why do you even want to use TLS on this communication channel? If you have some externally enforced compliance rules you have to adhere to, that's another story but be aware that sending data from Checkpoint (I assume we're talking about LogExporter) over plain TCP can lead to performance problems. Not even using TLS over that connection. Are you sure you can handle that?  
Looks like a normal line chart. What is so special about this one?
wonderful - and thanks.    
As I said before - these are your searches, your data and your environment. You have to check what searches you have, which of them are executed with what frequency and how long they take to run. It's not something that can be automated. It's tedious manual work to dig into those searches and decide whether they are needed, whether they need to run that often or on such a long time range. It can easily happen if you don't manage your environment strictly enough, don't have a well-defined process for configuring your searches and if your users have too "loose" permissions and can create scheduled searches on a whim (especially if they can't write them effectively).
  want to create view like above under dashboard
Hi @uagraw01 , good for you, remember to unflag the Case sensitive match. let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hello, could you tell me how to properly have a dedicated server certificate for a specific tcp-ssl in inputs.conf (Checkpoint) and have another dedicated server certificate for the hf in server.conf, both using different sslpassword settings? Both are from the same secondary rootCA. Or should we keep a single dedicated server certificate on the heavyforwarder and only put a dedicated Checkpoint certificate on the appliance? Thanks.
@ecnausysadm, it looks like you're trying to process EDIs. We now have a solutions accelerator for EDIs. I would like to share what we have if you are interested.
@timothywatson @hogan24 , it looks like you both are trying to implement a solution with EDIs.  We now have a solutions accelerator for EDI documents.  Let me know if any of you is interested in sharing some information, I can set up a call to introduce.
@gajananh999, it looks like you're processing EDI data. We do have a new solution accelerator for EDI transactions. I'd love to share some content we have. Let me know if you're interested.
@tlunruh, it looks like you're processing EDI data. We now have a solution accelerator for EDI transactions, I would love to share what we have. Let me know if you're interested.