All Posts

How can I get a list of all libraries included in this app? I will need that to get this through our security review.
Hi, it should work, and it’s working fine on my end. Try upgrading your browser if you have any pending updates.

------
If you find this solution helpful, please consider accepting it and awarding karma points!!
Hello, Splunk doesn't display extra spaces in the variables that I assigned. Please see the example below. I used Google Chrome and Microsoft Edge; both gave me the same results. If I export the CSV, the data has the correct number of spaces. Please suggest. Thank you.

    | makeresults
    | fields - _time
    | eval "One Space" = "One space Test"
    | eval "Two Spaces" = "Two  spaces Test"
    | eval "Three Spaces" = "Three   spaces Test"
Thanks!  
Hi there, take a look at this: https://community.splunk.com/t5/Splunk-Search/How-to-compare-fields-over-multiple-sourcetypes-without-join/m-p/113477

Basically, what you need to do is use an eval to normalise the client IP:

    | eval clientIp = coalesce('vpn.client_ip', 'event.src_ip')

and then use a 'stats ... by clientIp'. Hope this helps ... cheers, MuS
@best-west basically we need to package a new app that has a props.conf with the SEDCMD, referencing your sourcetype for the data that needs to be transformed, and deploy it from the UI via uploaded apps. I think the issue might be because of 000-self-service-app. You can also ask Splunk support to make this update for you. Is this a Classic or Victoria stack? If you want to create props/transforms as mentioned, try using Ingest Actions; see this as an example: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_to_filter_AWS_CloudTrail_logs If my reply helps, please upvote.
I have an index with events containing a src_ip but not a username for the event. I have another index of VPN auth logs that has the assigned IP and username, but the VPN IPs are randomly assigned. I need to get the username from the VPN logs where vpn.client_ip matches event.src_ip, but I need to make sure that the returned username is the one that was assigned during the event. In short, I need to get the last vpn client_ip assignment matching event.src_ip BEFORE the event, so the vpn.username would be the correct one for event.src_ip. Here's a generic representation of my current query, but I get nothing back:

    index=event ...
    | join left=event right=vpn where event.src_ip=vpn.client_ip max=1 usetime=true earlier=true [search index=vpn]
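One join-free way to get "the last VPN assignment before the event", building on the coalesce-and-stats idea in MuS's reply above. This is an added example, not a search from the original thread: the index names `event` and `vpn` and the field names `vpn.client_ip`, `vpn.username` and `event.src_ip` are taken from the question, and `rec_type`, `assigned_user` and `vpn_user` are names introduced here. It orders both indexes by time and carries the most recent VPN username forward per client IP, so each event is tagged with whoever held that IP immediately before it.

```spl
(index=event) OR (index=vpn)
| eval clientIp = coalesce('vpn.client_ip', 'event.src_ip')
| eval rec_type = if(index="vpn", "vpn", "event")
| eval assigned_user = if(rec_type="vpn", 'vpn.username', null())
| sort 0 _time
| streamstats current=f last(assigned_user) AS vpn_user BY clientIp
| where rec_type="event"
| table _time clientIp vpn_user
```

`last()` ignores results where the field is absent, which is why `assigned_user` is set to `null()` on the non-VPN rows; with `current=f` the running value excludes the current row, so an event sees only assignments strictly before it. Two caveats: the search time range has to reach back far enough to include the assignment preceding the earliest event, or `vpn_user` will be empty for those events, and if the VPN log also records disconnects you should set `assigned_user` to an empty string on those rows so a released IP is not attributed to its previous holder.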
Please advise whether a specific license is needed to support indexing on a heavy forwarder, like an indexing license?
Thank you for responding! Yes, it's coming from a syslog server with a UF installed, going to Cloud. I unfortunately don't have any HFs available for use, and setting up another one at this time is not an option for me.
Hi! Thank you so much for your response and explanation. It seems like maybe I have not properly deployed these to the indexing tier. Forgive me for the beginner question, but I think the sourcetype I created already belongs to the 000-self-service app; is this what you meant by deploying the config using self service? Screenshot below (I didn't capture the full sourcetype name):
The key question here is: since you're saying it's syslog, and you're definitely not sending syslog straight to Cloud, what does your ingestion process look like? Do you have any HFs on-prem?
This is likely what you were/are looking for.   https://cloud.google.com/chronicle/docs/install/install-forwarder
It looks like you have the right steps. I would download the splunkclouduf app to my workstation and then install it on the Deployment Server (DS) using the GUI (Install app from file). After that, copy the /opt/splunk/etc/apps/100_splunkcloud directory to /opt/splunk/etc/deployment-apps. DO NOT RENAME the 100_splunkcloud app.
Replied to my own post. Derp.

Hi! Thank you so much for your response and explanation. It seems like maybe I have not properly deployed these to the indexing tier. Forgive me for the beginner question, but I think the sourcetype I created already belongs to the 000-self-service app; is this what you meant by deploying the config using self service? Screenshot below (I didn't capture the full sourcetype name):
The key insight is that KV_MODE=json is applied at search time on the Search Head, while SEDCMDs are part of the parsing pipeline (Typing / Regexreplacement) that must occur during indexing. In Splunk Cloud, that should've done it, but we need to make sure your sourcetype configuration with these SEDCMDs is properly deployed to the indexing tier, not just the search head (where SEDCMDs could also be placed), since that's where the actual parsing/transformation of the data needs to happen. Try to deploy your SEDCMD config using the self-service app and see if that makes a difference.

Also, if you don't want to write props and transforms, check out: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/DataIngest#Create_a_ruleset_with_the_Ingest_Actions_page https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/IngestProcessor/AboutIngestProcessorSolution If my reply helps, please upvote.
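To make the index-time versus search-time split concrete, here is a props.conf stanza as an added example (not configuration from the thread). The sourcetype name `my_json` and the assumption that each raw event carries some non-JSON prefix before the first `{` are hypothetical; the SEDCMD regex is written for that assumed layout.

```ini
# props.conf -- hypothetical sourcetype used only for this example
[my_json]
# Index-time: runs in the parsing pipeline, so it only takes effect on the
# instance that parses the data (the Splunk Cloud indexers here, or a heavy
# forwarder if one sits in the path). A UF does not run this pipeline.
# Drops everything before the first "{" so the stored _raw is clean JSON.
SEDCMD-strip_prefix = s/^[^{]*(\{.*)$/\1/

# Search-time: evaluated by the search head when a search runs, against
# whatever _raw was written at index time. Putting this on the SH is
# enough; putting the SEDCMD above on the SH does nothing.
KV_MODE = json
```

Two things to check before deploying: the SEDCMD only affects data indexed after it reaches the parsing tier, so already-indexed events keep their prefix, and you can validate the expression against live data first with `| rex field=_raw mode=sed "s/^[^{]*(\{.*)$/\1/"` in a search, since `rex mode=sed` uses the same sed syntax as SEDCMD.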
After the Splunk forwarder version was upgraded from 9.0.5.0 to 9.3.1.0, Windows servers are having issues forwarding data to Splunk. Splunkd stops often on different servers; after restarting splunkd it starts forwarding the data, but the issue comes back after 2-3 days. What actions should be taken to make the logs flow to Splunk without interruption?
Yes, the LM can be on a CM. See https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Systemrequirements#Additional_roles_for_the_manager_node

Which instance is reporting that error? Have you checked the firewalls to confirm access to port 8089 is permitted?
Hi All,

Our current setup involves Splunk Search Heads hosted in Splunk Cloud and managed by Support. The existing Deployment Master server is hosted on Azure, where it has been operating smoothly, supporting around 900+ clients that send logs to Splunk through it. Now, we’re planning to migrate the Deployment Master from Azure to an on-premises Nutanix environment.

We’ve built a new server on-premises with the necessary hardware specifications and are preparing to install the latest Splunk Enterprise package (version 9.3.1) downloaded from the Splunk website. We’ll place this package in the `/tmp` directory on the new server, extract it in the `/opt` directory, accept the license agreement, and start Splunk services. Once up, we’ll access the GUI to import the Enterprise licenses.

Next, I’ll download the Splunk Universal Forwarder Credential package (Splunkclouduf app) from the Splunk Cloud Search Head. Could you confirm whether this downloaded app should be placed in the `/opt/splunk/etc/apps`, `/opt/splunk/etc/deployment-apps`, or `/tmp` directory on the new server? From there, we can proceed with the installation. Please confirm.

Once installed, the Splunkclouduf app will create a `100_splunkcloud` folder in the `/opt/splunk/etc/apps` directory. Should I then copy the `100_splunkcloud` folder to the `/opt/splunk/etc/deployment-apps` directory? Also, can we rename the folder from "100_splunkcloud" to some custom name?

Additionally, the next step will involve transferring all deployment apps from the `deployment-apps` directory on the old server (`/opt/splunk/etc/deployment-apps`) to the new server in the same location; please confirm if this is correct.

Finally:
- Update the `deploymentclient` app on both the old and new Deployment Master servers with the new server name.
- Reload the server class on the old Deployment Master server.
- Verify that all clients are reporting to the new Deployment Master server.

I want to get clarification on whether these steps are correct or if I missed anything; kindly let me know, so that my new DM server runs fine post-migration.
Can someone suggest whether we can configure the Cluster Master to work as the License Master also? I tried to configure it, but it's throwing this error:

    reason='Unable to connect to license manager=https://xx.xx.xx.xx:8089 Read Timeout'
We plan to migrate an old physical server to a new physical server; the server is a Search Head component in our Splunk environment. For the new physical server we will receive a new IP address. My query is how to configure the new IP in the existing Splunk server environment.

Our Splunk environment has:
- 1 Cluster master
- 4 indexers
- 1 deployment server
- 1 Search Head
- 1 monitoring console
- 1 License Master

DR servers:
- 1 Search Head
- 1 Indexer