All Posts


Hello, the issue got resolved. Port 8088 was used by another service, causing that issue; I had to kill that service to resolve it. Now working as expected. Thank you so much, all.
Hey @isoutamo, thank you for letting me know. But the token and the host URL provided are not the actual ones; I changed them a little. We should be fine. Thank you so much again.
Hi @majilan1
1) May I know if you understood search time vs index time?
2) Index time - while indexing the data itself you can "catch" the required fields (this is called index time).
3) Search time - if you didn't configure "index time", then sometimes the fields may not be indexed (not caught when data onboarding). Then we need to write the rex to catch the fields at search time. This is acceptable, but if we use too many rex, Splunk will struggle.
4) Search time is always preferred over index time - (this is a debatable topic), but as far as I remember, the Splunk docs suggest us to use search time instead of index time.
5) Situations like yours... a complex list of field extractions... can be prepared and planned through index time, so Splunk will not ask you its own limitations.
Thanks and best regards. (PS - my karma stats - given 2000 and received 500. Thanks for reading.)
PS - 2 karma points were given and I got notified and read and wanted to edit my answer to these questions,... and sorry for my wrong answer last time; hope nobody followed it. Even if somebody followed it, no harm done, the system will not work ("workable Splunk").
>>> is it really necessary to run the splunk install on the new server, even when i detach and attach the disk...
Yes, it is necessary to install Splunk once again (when you install Splunk, if the instance already has Splunk, then the installer script will detect the existing install and will ask you - do you really want to install or upgrade, etc.).
>>> the disk with /opt/splunk has the full setup.
The installer script "intelligently" will take care of this situation and ask your confirmation.
>>> i understand to change the server.conf and inputs.conf, which I'll take care of.. but wanted to know if the splunk install was necessary in this case...
It is suggested to add the drive from the old system to the new system and then install Splunk on the new system. The installer script will "understand" the existing data, version, etc.
EDIT - (PS - my karma stats - given 2000 and received 500. Thanks for reading.)
@christophecris This looks like Python core functionality is broken? Any details about your instance? What version? This might be a bug or an incompatible OS package. Did this happen after a change or an upgrade? If this helps, please upvote.
You could try using split to break up the field:
| eval fields=split(_raw, ";")
| eval h_db_host=mvindex(fields,1)
etc.
As @sainag_splunk says, use of unlimited wildcards (+, *) is usually the cause. For others to help, you will need to post sample data that triggers these errors. Usually the remedy is to analyze your data boundaries and find a more restrictive regex.
It appears to me that you are overthinking the search language. Assuming that RenderedMessage is already extracted (as is implied in your illustrated code), you can use
Properties.application="xyz.api" (RenderedMessage="*$text_fnum$*" AND RenderedMessage="*$text_fdate$*")
| spath Level
| search Level!=Verbose AND Level!=Debug
| eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ")
If you run this on paper, you will see that the wildcards will cause the search to behave as you described.
I am trying to create a dashboard. It has two input text fields. I want to run a search query based on these two inputs.
- If input A is null AND input B is null then no search results
- If input A is not null AND input B is null then search using only A
- If input A is null AND input B is not null then search using only B
- If input A is null AND input B is not null then search using both A and B
Following is my query. It returns no results.
Properties.application="xyz.api"
| spath Level
| search Level!=Verbose AND Level!=Debug
| eval search_condition_fnum=if(len(trim("$text_fnum$"))=0 OR isnull("$text_fnum$"), "", "RenderedMessage=\"*$text_fnum$*\"")
| eval search_condition_fdate=if(len(trim("$text_fdate$"))=0 OR isnull("$text_fdate$"), "", "RenderedMessage=\"*$text_fdate$*\"")
| eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ")
| table search_condition_fnum, search_condition_fdate, combined_search_condition
| search [| makeresults | eval search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | fields search_condition]
@majilan1 The rex timeout typically happens with complex events/data, or a lot of wildcards in your regex. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Limitsconf#.5Brex.5D Try using that with the max_match option:
| rex max_match=0
If this helps, please upvote.
Hi Splunkers, any help with "Rex has exceeded configured match_limit, consider raising the value in limits.conf"? My search looks like this:
| index=abc index=def process=jkl
| rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;"
| rex field=user_activity "(?<user_activity_event>.+?)\;"
| fillnull value="null"
| search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM
| table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip user_computer_name audit_policy_name audit_policy_severity user_activity_event
Any help will be appreciated.
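As an added example that is not part of this thread, the following Python script shows the two approaches discussed above side by side: the delimiter split suggested with split/mvindex, and a Python-syntax version of the rex pattern from this question, both run over constructed audit records and then passed through the same h_db_name/severity/db_user_id filter the question's search applies. The sample records, the column order (inferred from the rex capture groups), and the function names are all assumptions made for the example; the point is that a delimiter split is linear in the record length and cannot hit a match limit, while the regex is only cheap as long as every record has the expected shape.

```python
import re
from typing import Optional

# Constructed sample audit records (not from the original thread). The semicolon
# layout mirrors what the rex pattern expects, including the four empty columns
# before db_user_id that ";{5}" skips over. Record 0 should pass the thread's
# filter; record 1 should not (INFO severity, non-SYSTEM user, other database).
SAMPLE_RECORDS = [
    "2024-01-01 10:00:00;dbhost01;INST1;1234;5678;srp1;10.0.0.5;WS-42;-1;-1;"
    "LOGIN_POLICY;CRITICAL;LOGON;SUCCESSFUL;connect ok;appuser;;;;;SYSTEM;sqlplus;HR;",
    "2024-01-01 10:05:00;dbhost02;INST2;1235;5679;xyz1;;;-1;-1;"
    "SELECT_POLICY;INFO;SELECT;SUCCESSFUL;select * from t;svc;;;;;APPUSER;jdbc;SALES;",
]

# Column names in positional order, inferred from the rex capture groups (an
# assumption about the data layout). None marks columns the rex consumes without
# capturing (\d+, [-\d]+, the SUCCESSFUL/UNSUCCESSFUL flag is kept as "result").
COLUMNS = [
    "timestamp", "h_db_host", "h_instance_name", None, None, "h_db_name",
    "user_computer_ip", "user_computer_name", None, None, "audit_policy_name",
    "audit_policy_severity", "user_activity", "result", "activity_details",
    "application_username", None, None, None, None, "db_user_id",
    "user_application", "db_schema",
]


def parse_by_split(record: str) -> dict:
    """Delimiter-based extraction (the split/mvindex approach).

    str.split walks the record once with no backtracking, so an unexpectedly
    long or oddly shaped record costs linear time instead of regex retries.
    """
    parts = record.split(";")
    if len(parts) < len(COLUMNS):
        raise ValueError(f"expected at least {len(COLUMNS)} columns, got {len(parts)}")
    return {name: value for name, value in zip(COLUMNS, parts) if name is not None}


# The thread's rex pattern in Python syntax ((?P<name>...) instead of (?<name>...)).
# Each repeated class is bounded by ';', so a well-formed record matches in one
# left-to-right pass; the optional groups are where the engine backtracks when a
# record does not fit the expected shape.
RECORD_PATTERN = re.compile(
    r";(?P<h_db_host>\w+);(?P<h_instance_name>\w+);\d+;\d+;(?P<h_db_name>\w+);"
    r"(?P<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?P<user_computer_name>[^;]*)?;"
    r"[-\d]+;[-\d]+;(?P<audit_policy_name>[^;]+);(?P<audit_policy_severity>\w+);"
    r"(?P<user_activity>[^;]+);(?P<result>SUCCESSFUL|UNSUCCESSFUL);"
    r"(?P<activity_details>[^;]+);(?P<application_username>[^;]*)?;{5}"
    r"(?P<db_user_id>\w+)?;(?P<user_application>[^;]+)?;(?P<db_schema>\w+)?;"
)


def parse_by_regex(record: str) -> Optional[dict]:
    """Regex-based extraction equivalent to the rex in the thread; None if no match."""
    m = RECORD_PATTERN.search(record)
    if m is None:
        return None
    # Optional groups that did not participate come back as None; normalise to ""
    # so the result compares cleanly with the split-based parser (like fillnull).
    return {k: (v if v is not None else "") for k, v in m.groupdict().items()}


def is_critical_system_activity(fields: dict) -> bool:
    """The thread's search filter: h_db_name IN (srp1, brp1), CRITICAL severity, SYSTEM user."""
    return (
        fields.get("h_db_name") in {"srp1", "brp1"}
        and fields.get("audit_policy_severity") == "CRITICAL"
        and fields.get("db_user_id") == "SYSTEM"
    )


def parsers_agree(record: str) -> bool:
    """True when both extraction methods yield the same value for every captured field."""
    by_regex = parse_by_regex(record)
    if by_regex is None:
        return False
    by_split = parse_by_split(record)
    return all(by_split[k] == v for k, v in by_regex.items())


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        fields = parse_by_split(rec)
        print(fields["h_db_host"], fields["audit_policy_severity"],
              "match" if is_critical_system_activity(fields) else "no match",
              "parsers agree" if parsers_agree(rec) else "parsers differ")
```

Running the script prints one line per constructed record; the split and regex parsers agree on both, and only the first record passes the filter. In Splunk the same idea is the split/mvindex chain shown earlier in the thread, with the regex kept for fields that genuinely need pattern validation (the IP address, for instance).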
You may have better results by un-checking the "Global account settings" in Add-on setup parameters in the Add-On Builder and then adding your own Add-on Setup Components like a Text field for Client ID and a Password field for Client Secret, rather than attempting to re-name the account username and password.
Create a multi-value field using mvappend (there are other ways, too).
| eval mitre_category=mvappend("persistence","Defense_Evasion")
| eval apt=mvappend("apt1","apt2","apt3")
The search command, however, doesn't work well with multi-value fields so this probably will not solve your problem. What problem are you trying to solve, exactly? Tell us about the root problem so we can offer other possible answers.
I think @gcusello's answer is the best scalable approach. If it's something quick and small, you could do something like this to keep it all in the SPL without needing a lookup:
index=brandprotection name IN (ali, ahmad, elias, moayad)
| stats count BY name
| append [| makeresults | eval name="ali, ahmad, elias, moayad" | eval name=split(name, ", ") | mvexpand name | eval count=0 | fields name count]
| stats sum(count) AS count BY name
Hi, in the GUI there are separate tabs for alerts and reports, but when you query those with REST, you get both at the same time. Here is an old post which tells how you could try to identify which is an alert and which is a report. https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-export-all-alerts-to-csv-or-pdf/m-p/629226#M9319 r. Ismo
It is not clear what you are trying to do. Are you trying to search for events where the field may have one of a number of different values?
| search apt IN ("apt1","apt2","apt3")
After you have pasted the whole URL and token, please remove that token and generate a new one. Otherwise you could be surprised how many will try it! It's best to anonymise both the URL (host part) and the token before you post those to the community.
The easiest way is to set up an HF on your own site to do it.
Currently trying to get eval to give multiple returns:
| eval mitre_category="persistence,Defense_Evasion"
| eval apt="apt1,apt2,apt3"
I would like the values to be listed as OR. That way I get `apt2` or `apt3` instead of searching for `apt1,apt2,apt3`. I would like to know if there is a way to do this via one query instead of several, if at all possible.
@Karthikeya Index peers are simply indexers that work together in a Splunk cluster environment. They are responsible for receiving, processing, and storing data while maintaining copies across multiple indexers for redundancy and high availability. When a Cluster Master pushes configuration changes through an index cluster bundle, all index peers receive the same settings to ensure consistent operation across the cluster. Refer: https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Basicclusterarchitecture https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Howclusteredindexingworks If this helps, please upvote and mark as solved.